Mastering OAuth 2.0 (Day Camp 4 Developers)

OAuth 2.0 isn’t easy, and everyone has a slightly different implementation, making interoperability a nightmare. Fortunately, the PHP League of Extraordinary Packages provides league/oauth2-client. Aiming for simplicity and ease-of-use, league/oauth2-client provides a common way to access providers. This talk introduces OAuth concepts and demonstrates how to perform OAuth flows with league/oauth2-client, using Instagram as an example.

Ben Ramsey

June 02, 2017
Transcript

  1. Mastering OAuth 2.0
    Ben Ramsey
    Day Camp 4 Developers 2
    June 2017
  2. HI, I’M BEN. I’m a web craftsman, author, and speaker.

    I build a platform for professional photographers at ShootProof. I enjoy APIs, open source software, organizing user groups, good beer, and spending time with my family. Nashville, TN is my home.
    ▸ Zend PHP Certification Study Guide
    ▸ Nashville PHP & Atlanta PHP user groups
    ▸ array_column()
    ▸ league/oauth2-client
    ▸ ramsey/uuid
  3. OAuth 2.0

  6. Instagram Demo

  7. #1 Click to authorize

  8. #2 Log in on site and grant permission

  9. #3 Redirect back with auth code
    #4 Exchange code for access token

  10. #5 Use access token to get data

  11. bram.se/dc4d-oauth2-app

  12. Preparing for OAuth

  13. 1. Register your application with the service
    2. Let the service know your domains or redirect URLs
    3. Configure your application to use the client ID and client secret given to you by the service
    ! No two OAuth 2.0 providers are alike!
  19. Integrating with the Provider

  20. composer require league/oauth2-instagram

  21. use League\OAuth2\Client\Provider\Instagram;

    $provider = new Instagram([
        'clientId'     => 'CLIENT_ID',
        'clientSecret' => 'CLIENT_SECRET',
        'redirectUri'  => 'https://example.com/redirect',
    ]);
  22. Authorization Request
    1. Generate authorization URL
    2. Store state to session
    3. Prompt user to authorize or redirect them
  23. $authUrl = $provider->getAuthorizationUrl();

    $request->session()->put(
        'instagramState',
        $provider->getState()
    );

    return redirect()->away($authUrl);

  24. Redirection Endpoint
    1. Receive authorization code
    2. Check state
    3. Exchange code for an access token
  25. $state = $request->session()->get('instagramState');

    // Reject the callback unless a state was stored and it matches exactly.
    // Without the null check, a missing ?state and an empty session would
    // compare equal (null === null) and the check would pass.
    if ($state === null || $request->state !== $state) {
        abort(400, 'Invalid state');
    }

    if (!$request->has('code')) {
        abort(400, 'Authorization code not available');
    }

    // Exchange the single-use authorization code for an access token.
    $token = $provider->getAccessToken(
        'authorization_code',
        [
            'code' => $request->code,
        ]
    );

    $request->session()->put('instagramToken', $token);

    return redirect()->action('HomeController@index');
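The authorization request and redirection endpoint of slides 22 through 25, as an added example that is not part of the talk or of league/oauth2-client itself. It is a single framework-free PHP script that plays both roles (start the login, then handle the callback) with GenericProvider, so it works against any provider that follows RFC 6749. The provider URLs, the client credentials, the session key `oauth2state`, and the `basic` scope name are all placeholders and assumptions.

```php
<?php
// Added example (not from the slides): the authorization code flow as one
// plain-PHP script that serves both the "start login" and the "callback"
// roles. All provider URLs, credentials and the scope name are placeholders.
declare(strict_types=1);

require 'vendor/autoload.php';

use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Provider\GenericProvider;

session_start();

$provider = new GenericProvider([
    'clientId'                => 'CLIENT_ID_PLACEHOLDER',
    'clientSecret'            => 'CLIENT_SECRET_PLACEHOLDER',
    'redirectUri'             => 'https://you.example.com/oauth/callback',
    'urlAuthorize'            => 'https://them.example.net/authorize',
    'urlAccessToken'          => 'https://them.example.net/token',
    'urlResourceOwnerDetails' => 'https://them.example.net/api/me',
]);

// Authorization request: no code and no error in the query string means this
// is the first leg. getAuthorizationUrl() generates a fresh random state,
// which must be saved *before* the redirect so the callback can check it.
if (!isset($_GET['code']) && !isset($_GET['error'])) {
    $authUrl = $provider->getAuthorizationUrl(['scope' => ['basic']]); // scope name assumed
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: ' . $authUrl, true, 302);
    exit;
}

// The server signals a denied or failed request with ?error= instead of
// ?code=; report it rather than attempting an exchange with no code.
if (isset($_GET['error'])) {
    http_response_code(400);
    exit('Authorization failed: ' . htmlspecialchars((string) $_GET['error'], ENT_QUOTES, 'UTF-8'));
}

// Redirection endpoint: verify the state before touching the code. The stored
// value is consumed so the same callback cannot be replayed, and the
// comparison is constant-time.
$expectedState = $_SESSION['oauth2state'] ?? null;
unset($_SESSION['oauth2state']);
$receivedState = (string) ($_GET['state'] ?? '');

if ($expectedState === null || !hash_equals((string) $expectedState, $receivedState)) {
    http_response_code(400);
    exit('Invalid state');
}

// Exchange the single-use authorization code for an access token.
try {
    $token = $provider->getAccessToken('authorization_code', [
        'code' => (string) $_GET['code'],
    ]);
} catch (IdentityProviderException $e) {
    // Expired or reused code, wrong client secret, redirect URI mismatch...
    // Log the detail server-side; the browser gets a generic message.
    error_log('Token exchange failed: ' . $e->getMessage());
    http_response_code(502);
    exit('Could not obtain an access token');
}

// The token stays server-side in the session; the browser only holds the
// session cookie. Regenerating the session id guards against fixation.
session_regenerate_id(true);
$_SESSION['accessToken'] = $token;
header('Location: /', true, 302);
exit;
```

The two details that matter for security are the ones the slides list as "check state": the stored state is removed from the session as soon as it is read, so a callback cannot be replayed, and the comparison uses `hash_equals` so that a missing or empty value can never match. The exception branch exists because the token endpoint's error body frequently echoes the request parameters; it is logged, not returned to the browser.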
  26. Expiring & Refreshing Tokens
    1. Check for expiration & refresh token
    2. Request access token using refresh token
  27. if ($token->hasExpired() && $token->getRefreshToken()) {
        $newToken = $provider->getAccessToken('refresh_token', [
            'refresh_token' => $token->getRefreshToken(),
        ]);
        $request->session()->put('accessToken', $newToken);
    }

    ! Instagram does not support refresh tokens
  28. Using Access Tokens
    1. getAuthenticatedRequest() returns a PSR-7 RequestInterface object
    2. Use your favorite HTTP request library to make a request
  29. $feedRequest = $provider->getAuthenticatedRequest(
        'GET',
        'https://api.instagram.com/v1/users/self/media/recent',
        $instagramToken
    );

    $client = new \GuzzleHttp\Client();
    $feedResponse = $client->send($feedRequest);

    $instagramFeed = json_decode(
        $feedResponse->getBody()->getContents()
    );
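Slides 26 through 29 together describe the lifetime of a token: check it, refresh it if the provider allows, then use it. The following is an added example, not the talk's code, that folds those steps into two helpers. It assumes a `$provider` configured as on slide 35 (placeholder URLs), a token stored in `$_SESSION['accessToken']` by the authorization flow, a hypothetical resource URL, and guzzlehttp/guzzle installed. It also handles the case the slide calls out with Instagram: a provider that issues no refresh token, where an expired token can only be replaced by sending the user through authorization again.

```php
<?php
// Added example (not from the slides): keep an access token usable and use it.
// $provider, the resource URL and the session layout are assumptions.
declare(strict_types=1);

require 'vendor/autoload.php';

use GuzzleHttp\Client;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Token\AccessToken;

/**
 * Returns a token that is still usable, refreshing it when the provider gave
 * us a refresh token. Returns null when the caller must run the authorization
 * flow again (no refresh token, or the refresh was rejected).
 */
function freshToken(AbstractProvider $provider, AccessToken $token): ?AccessToken
{
    // hasExpired() throws when the token carries no expiry at all; treat such
    // tokens as valid until the resource server says otherwise (HTTP 401).
    if ($token->getExpires() === null || !$token->hasExpired()) {
        return $token;
    }
    if ($token->getRefreshToken() === null) {
        return null; // e.g. Instagram: no refresh tokens, re-authorize
    }
    try {
        $newToken = $provider->getAccessToken('refresh_token', [
            'refresh_token' => $token->getRefreshToken(),
        ]);
    } catch (IdentityProviderException $e) {
        error_log('Refresh failed: ' . $e->getMessage()); // revoked or rotated away
        return null;
    }
    // Some servers omit the refresh token from the refresh response; carry the
    // old one forward so the next refresh still has something to send.
    if ($newToken->getRefreshToken() === null) {
        $newToken = new AccessToken([
            'access_token'      => $newToken->getToken(),
            'refresh_token'     => $token->getRefreshToken(),
            'expires'           => $newToken->getExpires(),
            'resource_owner_id' => $newToken->getResourceOwnerId(),
        ] + $newToken->getValues());
    }
    return $newToken;
}

/**
 * Fetches a JSON resource with the bearer token. Returns the decoded body, or
 * null on 401 so the caller can re-authorize instead of retrying blindly.
 */
function fetchJson(AbstractProvider $provider, AccessToken $token, string $url): ?array
{
    $request  = $provider->getAuthenticatedRequest('GET', $url, $token);
    $response = (new Client(['timeout' => 10]))->send($request, ['http_errors' => false]);

    if ($response->getStatusCode() === 401) {
        return null; // token rejected by the resource server (revoked, wrong scope)
    }
    if ($response->getStatusCode() !== 200) {
        throw new RuntimeException('Unexpected HTTP ' . $response->getStatusCode());
    }
    $data = json_decode((string) $response->getBody(), true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new RuntimeException('Response was not a JSON object');
    }
    return $data;
}

// Usage (placeholders throughout):
$provider = new GenericProvider([
    'clientId'                => 'CLIENT_ID_PLACEHOLDER',
    'clientSecret'            => 'CLIENT_SECRET_PLACEHOLDER',
    'redirectUri'             => 'https://you.example.com/oauth/callback',
    'urlAuthorize'            => 'https://them.example.net/authorize',
    'urlAccessToken'          => 'https://them.example.net/token',
    'urlResourceOwnerDetails' => 'https://them.example.net/api/me',
]);

session_start();
$stored = $_SESSION['accessToken'] ?? null;
$token  = $stored instanceof AccessToken ? freshToken($provider, $stored) : null;
if ($token === null) {
    header('Location: /oauth/login', true, 302); // start the authorization flow again
    exit;
}
$_SESSION['accessToken'] = $token; // persist the refreshed token

$feed = fetchJson($provider, $token, 'https://them.example.net/api/me/feed');
if ($feed === null) {
    unset($_SESSION['accessToken']); // resource server refused it; do not keep retrying
    header('Location: /oauth/login', true, 302);
    exit;
}
```

The `http_errors => false` option keeps Guzzle from throwing on 4xx/5xx so the 401 case can be distinguished from a transport failure, and the `expires === null` guard matters because `hasExpired()` raises an exception, not `false`, for tokens issued without an `expires_in`.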
  30. A Brief History of Web Authorization

  31. What is OAuth 2.0?

  32. “However, as a rich and highly extensible framework with many optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations.”
    RFC 6749, Section 1.8
  33. 1. Resource owner
    2. Resource server
    3. Client
    4. Authorization server
  34. composer require league/oauth2-client

  35. use League\OAuth2\Client\Provider\GenericProvider;

    $provider = new GenericProvider([
        'clientId'                => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
        'clientSecret'            => 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
        'redirectUri'             => 'https://you.example.com/redirect-url',
        'urlAuthorize'            => 'https://them.example.net/authorize',
        'urlAccessToken'          => 'https://them.example.net/token',
        'urlResourceOwnerDetails' => 'https://them.example.net/api/me',
    ]);
  36. Authorization Code
    1. Commonly referred to as three-legged
    2. Used in our Instagram example
    3. Very common grant type
  37–41. Authorization Code flow diagram (Resource Owner, Client, Auth Server, Resource Server), built up one step per slide from Step 1 through Step 4
  42. Resource Owner Password Credentials
    1. Gives username and password to client
    2. Client exchanges them for access token
    3. Use with extreme caution
  43–46. Resource Owner Password Credentials flow diagram (Resource Owner, Client, Auth Server, Resource Server), built up one step per slide from Step 1 through Step 3
  47. $accessToken = $provider->getAccessToken('password', [
        'username' => 'demouser',
        'password' => 'testpass',
    ]);
  48. Client Credentials
    1. Client is the resource owner
    2. Credentials are stored in the client (usually safely on the server)
  49–51. Client Credentials flow diagram (Client, Auth Server, Resource Server), built up one step per slide from Step 1 through Step 2

  52. $accessToken = $provider->getAccessToken( 'client_credentials' );
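Slide 48 notes that with client credentials the secret lives on the server and slide 52 shows the one-line grant call. The added example below, which is not the talk's code, wraps that call in a small token source for a machine-to-machine job: client-credentials tokens come without a refresh token, so the client simply requests a new one shortly before the cached one expires, and the cached bearer token is written with owner-only permissions. The provider URLs, credentials, scope name and cache path are placeholders; the file cache stands in for APCu or Redis in a real deployment.

```php
<?php
// Added example (not from the slides): cached client_credentials tokens for a
// server-side job. Provider URLs, credentials, scope and cache path are
// placeholders.
declare(strict_types=1);

require 'vendor/autoload.php';

use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Token\AccessToken;

final class ClientCredentialsTokenSource
{
    private $provider;
    private $cacheFile;
    private $leeway; // seconds before expiry at which the token counts as stale

    public function __construct(GenericProvider $provider, string $cacheFile, int $leeway = 60)
    {
        $this->provider  = $provider;
        $this->cacheFile = $cacheFile;
        $this->leeway    = $leeway;
    }

    /** Returns a cached token while it is fresh, otherwise requests a new one. */
    public function token(): AccessToken
    {
        $cached = $this->load();
        if ($cached !== null && !$this->isStale($cached)) {
            return $cached;
        }

        // No user is involved: the client authenticates with its own
        // credentials and the authorization server issues a token for it.
        $token = $this->provider->getAccessToken('client_credentials', [
            'scope' => 'reports.read', // hypothetical scope name
        ]);
        $this->store($token);

        return $token;
    }

    private function isStale(AccessToken $token): bool
    {
        $expires = $token->getExpires();
        // Tokens without an expiry are kept until the resource server rejects them.
        return $expires !== null && ($expires - $this->leeway) <= time();
    }

    private function load(): ?AccessToken
    {
        if (!is_file($this->cacheFile)) {
            return null;
        }
        $data = json_decode((string) file_get_contents($this->cacheFile), true);
        // AccessToken::jsonSerialize() stores 'expires' as an absolute timestamp,
        // which the constructor accepts back unchanged.
        return is_array($data) && !empty($data['access_token']) ? new AccessToken($data) : null;
    }

    private function store(AccessToken $token): void
    {
        // Create the file 0600 so other local users cannot read the bearer token.
        $previousUmask = umask(0077);
        file_put_contents($this->cacheFile, json_encode($token), LOCK_EX);
        umask($previousUmask);
    }
}

// Usage (placeholders throughout):
$provider = new GenericProvider([
    'clientId'                => 'CLIENT_ID_PLACEHOLDER',
    'clientSecret'            => 'CLIENT_SECRET_PLACEHOLDER',
    'redirectUri'             => 'https://you.example.com/unused-for-this-grant',
    'urlAuthorize'            => 'https://them.example.net/authorize',
    'urlAccessToken'          => 'https://them.example.net/token',
    'urlResourceOwnerDetails' => 'https://them.example.net/api/me',
]);

$source      = new ClientCredentialsTokenSource($provider, sys_get_temp_dir() . '/oauth2-cc-token.json');
$accessToken = $source->token();
```

The leeway avoids the race where a token that is valid when checked has expired by the time the request reaches the resource server; sixty seconds is an arbitrary default, not a value from the specification.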

  53. Implicit
    1. Relies on client-side redirection using a client ID and a known redirection URL
    2. league/oauth2-client cannot support this
  54. Toward a More Secure Web

  55. Next steps…
    1. league/oauth2-client
    2. league/oauth2-instagram
    3. OAuth 2.0 with Instagram Example App
    4. OAuth 2.0 specifications
    5. oauth2-client provider packages
    6. “Mastering OAuth 2.0” in Web Security 2016
    7. Book: Integrating Web Services with OAuth and PHP
  56. Next steps… server
    league/oauth2-server

  57. THANK YOU. ANY QUESTIONS?

    If you want to talk more, feel free to contact me.
    benramsey.com
    @ramsey
    github.com/ramsey
    ben@benramsey.com

    Mastering OAuth 2.0. Copyright © 2017 Ben Ramsey. This work is licensed under Creative Commons Attribution-ShareAlike 4.0 International. For uses not covered under this license, please contact the author.

    Ramsey, Ben. “Mastering OAuth 2.0.” Day Camp 4 Developers. Web conference. 2 Jun. 2017. Conference presentation.

    This presentation was created using Keynote. The text is set in Chunk Five, Helvetica Neue, and Marker Felt. The source code is set in Menlo. The iconography is provided by Font Awesome. Unless otherwise noted, all photographs are used by permission under a Creative Commons license. Please refer to the Photo Credits slide for more information.
  58. Photo Credits
    1. “Untitled” by MICⱵ^ΞL
    2. “Master” by Giuditta
    3. “Untitled” by MICⱵ^ΞL
    4. “Untitled” by MICⱵ^ΞL
    5. “Untitled” by MICⱵ^ΞL
    6. “master gain” by Chris Blakeley
    7. “Mixing board” by Kevin Jaako