Slide 1

Using OAuth with PHP
Dave Ingram (@dmi)
4th November 2010


Slide 5

Coming up
• What is OAuth?
• How do you write a Consumer in PHP?
• What doesn't OAuth do?
• Thoughts on being a Provider

Slide 6

What is OAuth anyway?

Slide 7

A long time ago, in a website not far away...


Slides 10-15 (build)

Connect!

Before OAuth, "connect" meant typing your provider password into the third-party site: the user hands over U:KittehLuvr P:hunter2, the site keeps that username and password and presents it to the provider on every request, and then posts as the user:

O HAI TWITTER LOOK AT MAH KITTEH LOL!

Slides 16-18 (build)

What handing over the password gives the third-party site:
• Full access (everything the password can do, not just the one thing you wanted)
• Fragile (change your password and every connected site breaks)
• Revoking is painful (the only way to cut one site off is to change the password, which cuts off all of them)

Slides 19-20 (build)

YOU REVEAL YOUR USERNAME AND PASSWORD


Slide 22

Who uses it?


Slide 34

Building a Consumer

Slide 35

To sign requests, you need:
• Consumer key + Consumer secret (unique per application)
• Access token + Access secret (unique per application user)

Slides 36-40 (build)

Step 1: Register with the provider

Consumer: "I would like my OAuth application to consume your service please, Mr. Provider."
Provider: "Certainly. I just need to take a few details from you, and we'll be all set."
Consumer: "OK. Here you go."
Provider hands back: Consumer key, Consumer secret

Slides 41-42

Step 2: Write your application
Step 3: ??????
Step 4: Profit!

Slides 43-52 (build): the OAuth 1.0a flow

Participants: User, Consumer, Provider. In the diagram each message is labelled with the credentials it carries: C = consumer key/secret, R = request token/secret, V = verifier, A = access token/secret.

1. User clicks connect
2. Consumer asks provider for a request token (signed with C)
3. Provider returns request token and request secret (R)
4. Consumer redirects user to provider, carrying the request token
5. User logs in / authorises app
6. Provider redirects user back to app with verifier (V)
7. User's arrival with verifier notifies app
8. App exchanges request token for access token (signed with C and R, sending V)
9. Provider returns access token and access secret (A)
10. App makes requests on user's behalf (signed with C and A)

Slides 53-55 (build)

Get request token

    // The request token and secret are held in the session until the callback
    session_start();

    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );

    // Fetch the request token (the callback URL registered with the provider is
    // used; pass one as the second argument to override it)
    $response = $o->getRequestToken(
        'https://api.twitter.com/oauth/request_token'
    );

    // Save for later exchange
    $_SESSION['req_token']  = $response['oauth_token'];
    $_SESSION['req_secret'] = $response['oauth_token_secret'];

    // Send user to provider's site, and stop: nothing after a redirect should run
    header('Location: https://api.twitter.com/oauth/authorize'
         . '?oauth_token=' . $response['oauth_token']);
    exit;


Slides 57-58 (build)

Get access token

    session_start();

    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );

    // Sign requests with the request token
    $o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

    // Exchange request for access token (the verifier is read from the
    // oauth_verifier query parameter automatically)
    $response = $o->getAccessToken(
        'https://api.twitter.com/oauth/access_token'
    );

    // Save access tokens for later use
    $current_user->saveTwitterTokens(
        $response['oauth_token'],
        $response['oauth_token_secret']
    );
    header('Location: /twitter-link-ok');
    exit;

Slide 59

Access token
Access secret

Slide 60

Make API requests

    // Create OAuth client object
    $o = new OAuth(
        MY_CONSUMER_KEY,
        MY_CONSUMER_SECRET,
        OAUTH_SIG_METHOD_HMACSHA1
    );

    // Sign requests with the access token
    $o->setToken(
        $current_user->getTwitterToken(),
        $current_user->getTwitterSecret()
    );

    $args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
    try {
        // Twitter API v1 endpoint (the 2010 API lived under /1/, not /v1/);
        // fetch() throws OAuthException on a non-2xx response
        $o->fetch(
            'https://api.twitter.com/1/statuses/update.json',
            $args,
            OAUTH_HTTP_METHOD_POST
        );
    } catch (OAuthException $e) {
        die('Twitter request failed: ' . $e->getMessage());
    }
    $json = json_decode($o->getLastResponse());
    printf("Result: %s\n", print_r($json, true));
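The callback handler for steps 48-51 of the flow, as an added example that is not part of the deck. It uses the same PECL OAuth calls as slides 57-58 but adds the check they leave out: the oauth_token the provider sends back must be the request token this session stored before the redirect. Without that comparison a callback URL carrying someone else's authorised request token and verifier can be fed into a logged-in user's session (the OAuth 1.0a callback session-fixation problem); with the deck's session-based storage the exchange would happen to fail on a mismatched secret, but failing fast and explicitly is what a reviewer expects to see. The MY_CONSUMER_KEY and MY_CONSUMER_SECRET constants, the $current_user object and the /twitter-link-ok URL are the deck's own placeholders, and the session keys match slides 53-55.

```php
<?php
// Added example (not from the deck): the callback handler for slides 48-51.
// Assumes the PECL OAuth extension, PHP sessions, and the deck's placeholders
// MY_CONSUMER_KEY, MY_CONSUMER_SECRET and $current_user.
session_start();

// The provider redirects back to ?oauth_token=...&oauth_verifier=... (slide 48).
// The oauth_token it names must be the request token THIS session stored before
// the redirect (slides 54-55). Anything else is a different authorisation being
// completed inside this user's session, and we refuse to exchange it.
if (!isset($_GET['oauth_token'], $_GET['oauth_verifier'])
    || !isset($_SESSION['req_token'], $_SESSION['req_secret'])
    || $_GET['oauth_token'] !== $_SESSION['req_token']) {
    unset($_SESSION['req_token'], $_SESSION['req_secret']);
    header('HTTP/1.1 400 Bad Request');
    exit('OAuth callback does not match the pending request token');
}

// A request token is single-use: take it out of the session before the exchange
// so a reload of the callback URL cannot run the exchange a second time.
$reqToken  = $_SESSION['req_token'];
$reqSecret = $_SESSION['req_secret'];
unset($_SESSION['req_token'], $_SESSION['req_secret']);

$o = new OAuth(MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1);
$o->setToken($reqToken, $reqSecret);

try {
    // Pass the verifier explicitly rather than letting the extension read $_GET,
    // so the exchange carries exactly the verifier from the callback checked above.
    $response = $o->getAccessToken(
        'https://api.twitter.com/oauth/access_token',
        '',
        $_GET['oauth_verifier']
    );
} catch (OAuthException $e) {
    header('HTTP/1.1 502 Bad Gateway');
    exit('Token exchange failed: ' . htmlspecialchars($e->getMessage()));
}

// The access token and secret are as sensitive as a password for this account:
// keep them server-side, never in a cookie, a URL or a client-visible page.
$current_user->saveTwitterTokens(
    $response['oauth_token'],
    $response['oauth_token_secret']
);
session_regenerate_id(true);
header('Location: /twitter-link-ok');
exit;
```

The ordering matters: the session entry is cleared before the network call, so a second request that arrives while the first exchange is still in flight finds nothing to exchange, and the session id is rotated once the account link changes, which is the usual practice whenever a session gains a new privilege.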

Slide 61

What OAuth doesn't do

Slides 62-64 (build)

What OAuth doesn't do:
• No proof of server identity (use TLS). The signature proves the consumer and the user to the provider, not the provider to the consumer.
• No confidentiality (use TLS/SSL). Signed parameters are tamper-evident, but they travel in the clear.
• No open-source consumer

Slide 65

Thoughts on being a Provider

Slides 66-69 (build)

• Very easy to be a Consumer
• Many design decisions to make as a Provider
• A fair amount of work, and not always easy to change your mind

For example...

Slides 70-75 (build)

• How large a range of timestamps do you allow?
• What permission granularity do you provide?
• What format and length are tokens/secrets?
• Do you identify actions as coming from particular consumers? (e.g. Twitter)
• What about attacks? Phishing, DoS, clickjacking, CSRF
• Beware proxying/caching (use the right headers!)
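An added example, not from the deck, of what the PECL extension does underneath on slides 53-60 and of the matching checks the other side has to make: a small Provider that answers slide 70's timestamp question with a skew window, rejects replayed nonces, and compares signatures in constant time. The signing functions follow RFC 5849 section 3.4 (HMAC-SHA1). Everything else is constructed for illustration: the ck_demo/cs_demo consumer pair, the at_demo/as_demo access token pair, the api.example.com URL and the fixed clock. It needs PHP 5.6+ for hash_equals() and the OpenSSL extension for the nonce.

```php
<?php
// Added example, not from the deck: the signing the PECL extension does for the
// consumer on slides 53-60, and the checks a Provider makes on the other side
// (RFC 5849 section 3.4, HMAC-SHA1). Keys, tokens, URL and request are made up.

// RFC 3986 percent-encoding (rawurlencode() on PHP < 5.3 also encoded '~').
function oauthEncode($s) {
    return str_replace('%7E', '~', rawurlencode($s));
}

// Encoded parameters sorted by name, then by value; oauth_signature is excluded.
function normalizeParams(array $params) {
    $pairs = array();
    foreach ($params as $k => $v) {
        if ($k !== 'oauth_signature') { $pairs[] = array(oauthEncode($k), oauthEncode($v)); }
    }
    usort($pairs, function ($a, $b) {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    $out = array();
    foreach ($pairs as $p) { $out[] = $p[0] . '=' . $p[1]; }
    return implode('&', $out);
}

// METHOD & encode(scheme://host/path) & encode(normalised params). $url must carry
// no query string: query parameters go into $params alongside body parameters.
function signatureBaseString($method, $url, array $params) {
    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode(normalizeParams($params));
}

// Key = encode(consumer secret) & encode(token secret). The token secret is empty
// for the request-token call (slide 44), which is why the '&' is always present.
function hmacSha1Signature($method, $url, array $params, $consumerSecret, $tokenSecret) {
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', signatureBaseString($method, $url, $params), $key, true));
}

// Consumer side: add the oauth_* parameters and sign (what slide 60's fetch() sends).
function signRequest($method, $url, array $params, $ck, $cs, $token, $tokenSecret, $now) {
    $params += array(
        'oauth_consumer_key'     => $ck,
        'oauth_nonce'            => bin2hex(openssl_random_pseudo_bytes(8)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) $now,
        'oauth_token'            => $token,
        'oauth_version'          => '1.0',
    );
    $params['oauth_signature'] = hmacSha1Signature($method, $url, $params, $cs, $tokenSecret);
    return $params;
}

// Provider side. $window is slide 70's question: how many seconds of clock skew to accept.
class ToyProvider {
    private $consumers, $tokens, $window, $seen = array();

    public function __construct(array $consumers, array $tokens, $window = 300) {
        $this->consumers = $consumers;   // consumer key => consumer secret
        $this->tokens    = $tokens;      // access token => access secret
        $this->window    = $window;
    }

    // Returns null when the request is accepted, otherwise the reason for a 401.
    public function verify($method, $url, array $p, $now) {
        foreach (array('oauth_consumer_key', 'oauth_nonce', 'oauth_timestamp',
                       'oauth_signature_method', 'oauth_signature') as $r) {
            if (!isset($p[$r])) { return "missing $r"; }
        }
        if ($p['oauth_signature_method'] !== 'HMAC-SHA1') { return 'unsupported signature method'; }
        if (!isset($this->consumers[$p['oauth_consumer_key']])) { return 'unknown consumer'; }
        $tokenSecret = '';
        if (isset($p['oauth_token'])) {
            if (!isset($this->tokens[$p['oauth_token']])) { return 'unknown token'; }
            $tokenSecret = $this->tokens[$p['oauth_token']];
        }
        // Timestamp first: the window bounds how long nonces have to be remembered.
        $ts = (int) $p['oauth_timestamp'];
        if (abs($now - $ts) > $this->window) { return 'timestamp outside window'; }
        $nonceKey = $p['oauth_consumer_key'] . '|' . $ts . '|' . $p['oauth_nonce'];
        if (isset($this->seen[$nonceKey])) { return 'replayed nonce'; }
        $expected = hmacSha1Signature($method, $url, $p, $this->consumers[$p['oauth_consumer_key']], $tokenSecret);
        // Constant-time compare: an early-exit string compare leaks how many bytes matched.
        if (!hash_equals($expected, $p['oauth_signature'])) { return 'bad signature'; }
        $this->seen[$nonceKey] = true;   // remember only nonces whose signature verified
        return null;
    }
}

// Demo with a fixed clock: sign once, then present it fresh, replayed, tampered and stale.
$now = 1288828800;
$url = 'https://api.example.com/1/statuses/update.json';
$provider = new ToyProvider(array('ck_demo' => 'cs_demo'), array('at_demo' => 'as_demo'));
$req = signRequest('POST', $url, array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!'),
                   'ck_demo', 'cs_demo', 'at_demo', 'as_demo', $now);
$tampered = $req;
$tampered['status'] = 'changed';
$tampered['oauth_nonce'] = 'different-nonce';   // a new nonce, so only the signature can catch it
$cases = array('fresh' => array($req, $now), 'replayed' => array($req, $now),
               'tampered' => array($tampered, $now), 'stale' => array($req, $now + 3600));
foreach ($cases as $label => $c) {
    $r = $provider->verify('POST', $url, $c[0], $c[1]);
    printf("%-9s %s\n", $label . ':', $r === null ? 'accepted' : 'rejected: ' . $r);
}
```

The window and the nonce store are coupled: a nonce only has to be remembered for as long as the window, so widening the window to tolerate badly synchronised clients means storing more nonces per consumer, and recording a nonce only after the signature verifies keeps unauthenticated traffic from filling that store. A real provider would keep the nonce store in a shared cache or database rather than in one process, and would split the request URL's query string into parameters before calling verify().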

Slide 76

Links
• OAuth spec: http://oauth.net/
• Intro/tutorial: http://hueniverse.com/
• PECL extension: http://pecl.php.net/oauth/
• Me: http://twitter.com/dmi, http://www.dmi.me.uk/talks/, http://www.dmi.me.uk/code/php/
• Slides: http://slideshare.net/ingramd