OAuth using PHP5
Download as KEY, PDF2 likes2,966 views
The document discusses OAuth, an open standard for authorization. It explains that OAuth aims to allow users to grant third-party access to their private resources (e.g. photos, videos, contacts) without sharing their passwords. The document outlines the OAuth workflow including registering an app, obtaining a request token, redirecting the user to authorize, and exchanging the request token for an access token. It also covers security aspects like tokens, timestamps, and digital signatures. Finally, it provides status on OAuth versions and libraries for implementing OAuth in applications.
![request token + secret from FE
if (@$_GET['f'] == 'start') {
// get a request token + secret from FE and redirect to the authorization
page
// START step 1
$fe = new FireEagle($fe_key, $fe_secret);
$tok = $fe->getRequestToken($fe_callback);
if (!isset($tok['oauth_token'])
|| !is_string($tok['oauth_token'])
|| !isset($tok['oauth_token_secret'])
|| !is_string($tok['oauth_token_secret'])) {
echo "ERROR! FireEagle::getRequestToken() returned an invalid
response. Giving up.";
exit;
}
$_SESSION['auth_state'] = "start";
$_SESSION['request_token'] = $token = $tok['oauth_token'];
$_SESSION['request_secret'] = $tok['oauth_token_secret'];
header("Location: ".$fe->getAuthorizeURL($token));
// END step 1](https://image.slidesharecdn.com/oauth-php-121105224947-phpapp02/85/OAuth-using-PHP5-54-320.jpg)
![} else if (@$_GET['f'] == 'callback') {
// the user has authorized us at FE, so now we can pick up our access token + secret
// START step 2
if (@$_SESSION['auth_state'] != "start") {
echo "Out of sequence.";
exit;
}
if ($_GET['oauth_token'] != $_SESSION['request_token']) {
echo "Token mismatch.";
exit;
}
if ((FireEagle::$FE_OAUTH_VERSION == OAUTH_VERSION_10A)
&& !isset($_GET['oauth_verifier'])) {
echo "OAuth protocol error. No verifier in response.";
exit;
}
$fe = new FireEagle($fe_key, $fe_secret, $_SESSION['request_token'], $_SESSION['request_secret']);
$tok = $fe->getAccessToken($_GET['oauth_verifier']);
if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token'])
|| !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) {
error_log("Bad token from FireEagle::getAccessToken(): ".var_export($tok, TRUE));
echo "ERROR! FireEagle::getAccessToken() returned an invalid response. Giving up.";
exit;
}
$_SESSION['access_token'] = $tok['oauth_token'];
$_SESSION['access_secret'] = $tok['oauth_token_secret'];
$_SESSION['auth_state'] = "done";
header("Location: ".$_SERVER['SCRIPT_NAME']);
get access
// END step 2
token + secret](https://image.slidesharecdn.com/oauth-php-121105224947-phpapp02/85/OAuth-using-PHP5-57-320.jpg)
![// we have our access token + secret, so now we can actually *use* the api
// START step 3
$fe = new FireEagle($fe_key, $fe_secret, $_SESSION['access_token'], $_SESSION['access_secret']);
$loc = $fe->user(); // equivalent to $fe->call("user")
?><h2>Where you are<?php if ($loc->user->best_guess) echo ": ".htmlspecialchars($loc->user->best_guess-
>name) ?></h2><?php
if (empty($loc->user->location_hierarchy)) {
?><p>Fire Eagle doesn't know where you are yet.</p><?php // '
} else {
foreach ($loc->user->location_hierarchy as $location) {
switch ($location->geotype) {
case 'point':
$locinfo = "[".$location->latitude.", ".$location->longitude."]";
break;
case 'box':
$locinfo = "[[".$location->bbox[0][1].", ".$location->bbox[0][0]."], ["
.$location->bbox[1][1].", ".$location->bbox[1][0]."]]";
break;
default:
$locinfo = "[unknown]";
break;
}
if ($location->best_guess) $locinfo .= " BEST GUESS";
print "<h3>".htmlspecialchars($location->level_name).": ".htmlspecialchars($location->name)." $locinfo</h3>";
print "<ul>";
// turn location object into array, with sorted keys
$l = array(); foreach ($location as $k => $v) $l[$k] = $v; ksort($l);
foreach ($l as $k => $v) {
print "<li>".htmlspecialchars($k).": <b>".htmlspecialchars(var_export($v, TRUE))."</b></li>";
}
print "</ul>";
}
}](https://image.slidesharecdn.com/oauth-php-121105224947-phpapp02/85/OAuth-using-PHP5-59-320.jpg)
OAuth using PHP5
- 1. OAuth Nurulazrad Murad @azrad 3rd Nov 2012
- 3. look for “primus core”
- 4. topics
- 6. topics what is OAuth? writing a Consumer in PHP
- 7. traditionally, this is how we do it
- 9. onn ect! c user: azrad pass: secret
- 10. onn ect! c user: azrad pass: secret user: azrad pass: secret
- 11. onn ect! c user: azrad pass: secret user: azrad pass: secret user: azrad
- 13. you reveal your username and password
- 15. who using it?
- 16. who using it?
- 18. end user consumer application service provider
- 19. end user consumer application service provider
- 20. OAuth goal... oAuth is...
- 21. OAuth goal... oAuth is... Authentication • must logged-in to access the website/application
- 22. OAuth goal... oAuth is... Authentication • must logged-in to access the website/application Token-based authentication • logged-in user has unique token per application
- 24. OAuth goal... oAuth goal... be simple • standard for website API authentication • consistent for developers • easy for users to understand *
- 25. OAuth goal... oAuth goal... be simple • standard for website API authentication • consistent for developers • easy for users to understand * * this is hard
- 27. OAuth goal... oAuth goal... be secure • secure for users • easy to implement security features for developers • balance security with ease of use
- 29. OAuth goal... oAuth goal... be open • any website can implement OAuth • any developer can user OAuth • open source client libraries • published technical specifications
- 30. OAuth goal...
- 31. OAuth goal... be flexible • don’t need username and password • authentication method agnostic • can use OpenID (or not) • whatever works best for the web service • developers don’t need to handle auth
- 32. what the user end sees? example from Primus Core Helang Api
- 35. how does OAuth works?
- 36. register a consumer app
- 37. register a consumer app provide service provider with data about your application (name, url...)
- 38. register a consumer app provide service provider with data about your application (name, url...) service provider assigns consumer a consumer key and consumer secret
- 39. register a consumer app provide service provider with data about your application (name, url...) service provider assigns consumer a consumer key and consumer secret service provider gives documentation of authorization URLs and methods
- 40. user consumer service provider
- 41. user consumer service provider click connect
- 42. user consumer service provider click connect request token
- 43. user consumer service provider click connect request token request token, request secret
- 44. user consumer service provider click connect request token request token, request secret redirect user to provider
- 45. user consumer service provider click connect request token request token, request secret redirect user to provider user authorise request token
- 46. user consumer service provider click connect request token request token, request secret redirect user to provider user authorise request token redirect with verifier
- 47. user consumer service provider click connect request token request token, request secret redirect user to provider user authorise request token redirect with verifier notifies app with verifier
- 48. user consumer service provider click connect request token request token, request secret redirect user to provider user authorise request token redirect with verifier notifies app with verifier request token → access token
- 49. user consumer service provider click connect request token request token, request secret redirect user to provider user authorise request token redirect with verifier notifies app with verifier request token → access token access token, access secret
- 50. user consumer service provider click connect request token request token, request secret redirect user to provider user authorise request token redirect with verifier notifies app with verifier request token → access token access token, access secret request on user’s behalf
- 51. the codes
- 53. request token + secret from FE
- 54. request token + secret from FE if (@$_GET['f'] == 'start') { // get a request token + secret from FE and redirect to the authorization page // START step 1 $fe = new FireEagle($fe_key, $fe_secret); $tok = $fe->getRequestToken($fe_callback); if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token']) || !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) { echo "ERROR! FireEagle::getRequestToken() returned an invalid response. Giving up."; exit; } $_SESSION['auth_state'] = "start"; $_SESSION['request_token'] = $token = $tok['oauth_token']; $_SESSION['request_secret'] = $tok['oauth_token_secret']; header("Location: ".$fe->getAuthorizeURL($token)); // END step 1
- 57. } else if (@$_GET['f'] == 'callback') { // the user has authorized us at FE, so now we can pick up our access token + secret // START step 2 if (@$_SESSION['auth_state'] != "start") { echo "Out of sequence."; exit; } if ($_GET['oauth_token'] != $_SESSION['request_token']) { echo "Token mismatch."; exit; } if ((FireEagle::$FE_OAUTH_VERSION == OAUTH_VERSION_10A) && !isset($_GET['oauth_verifier'])) { echo "OAuth protocol error. No verifier in response."; exit; } $fe = new FireEagle($fe_key, $fe_secret, $_SESSION['request_token'], $_SESSION['request_secret']); $tok = $fe->getAccessToken($_GET['oauth_verifier']); if (!isset($tok['oauth_token']) || !is_string($tok['oauth_token']) || !isset($tok['oauth_token_secret']) || !is_string($tok['oauth_token_secret'])) { error_log("Bad token from FireEagle::getAccessToken(): ".var_export($tok, TRUE)); echo "ERROR! FireEagle::getAccessToken() returned an invalid response. Giving up."; exit; } $_SESSION['access_token'] = $tok['oauth_token']; $_SESSION['access_secret'] = $tok['oauth_token_secret']; $_SESSION['auth_state'] = "done"; header("Location: ".$_SERVER['SCRIPT_NAME']); get access // END step 2 token + secret
- 59. // we have our access token + secret, so now we can actually *use* the api // START step 3 $fe = new FireEagle($fe_key, $fe_secret, $_SESSION['access_token'], $_SESSION['access_secret']); $loc = $fe->user(); // equivalent to $fe->call("user") ?><h2>Where you are<?php if ($loc->user->best_guess) echo ": ".htmlspecialchars($loc->user->best_guess- >name) ?></h2><?php if (empty($loc->user->location_hierarchy)) { ?><p>Fire Eagle doesn't know where you are yet.</p><?php // ' } else { foreach ($loc->user->location_hierarchy as $location) { switch ($location->geotype) { case 'point': $locinfo = "[".$location->latitude.", ".$location->longitude."]"; break; case 'box': $locinfo = "[[".$location->bbox[0][1].", ".$location->bbox[0][0]."], [" .$location->bbox[1][1].", ".$location->bbox[1][0]."]]"; break; default: $locinfo = "[unknown]"; break; } if ($location->best_guess) $locinfo .= " BEST GUESS"; print "<h3>".htmlspecialchars($location->level_name).": ".htmlspecialchars($location->name)." $locinfo</h3>"; print "<ul>"; // turn location object into array, with sorted keys $l = array(); foreach ($location as $k => $v) $l[$k] = $v; ksort($l); foreach ($l as $k => $v) { print "<li>".htmlspecialchars($k).": <b>".htmlspecialchars(var_export($v, TRUE))."</b></li>"; } print "</ul>"; } }
- 60. demo
- 61. where is info passed?
- 62. where is info passed? http authorisation header
- 63. where is info passed? http authorisation header http post request body (form params)
- 64. where is info passed? http authorisation header http post request body (form params) url query string parameters
- 65. security
- 66. security tokens: aren’t passing username/password
- 67. security tokens: aren’t passing username/password timestamp and nonce: very unique requests
- 68. security tokens: aren’t passing username/password timestamp and nonce: very unique requests signature: encrypted parameters help service provider recognise consumer
- 69. security tokens: aren’t passing username/password timestamp and nonce: very unique requests signature: encrypted parameters help service provider recognise consumer signature methods: HMAC-SHA1, RSA-SHA1, plaintext over a secure channel (SSL)
- 70. current status of OAuth
- 71. current status of OAuth oauth.net
- 72. current status of OAuth oauth.net Auth 1.0 protocol (RFC 5849)
- 73. current status of OAuth oauth.net Auth 1.0 protocol (RFC 5849) OAuth 2.0 working draft
- 74. current status of OAuth oauth.net Auth 1.0 protocol (RFC 5849) OAuth 2.0 working draft several libraries for consumers and service providers
- 75. links OAuth spec http://oauth.net PECL Extension http://pecl.php.net/oauth Fireeagle http://fireeagle.yahoo.net FE library (PHP) https://github.com/myelin/fireeagle-php-lib
- 76. thanks! twitter: @azrad tumblr: nurulazrad.tumblr.com works at: www.primuscore.com
- 77. credit OAuth - Open API Authentication by leahculver on Dec 01, 2007 Implementing OAuth with PHP by Lorna Mitchell on May 17, 2011 Using OAuth with PHP by David Ingram on Nov 04, 2010
Editor's Notes
- #2: \n
- #3: \n
- #4: \n
- #5: \n
- #6: \n
- #7: \n
- #8: \n
- #9: \n
- #10: \n
- #11: \n
- #12: \n
- #13: \n
- #14: \n
- #15: \n
- #16: \n
- #17: \n
- #18: \n
- #19: \n
- #20: \n
- #21: \n
- #22: \n
- #23: \n
- #24: \n
- #25: \n
- #26: \n
- #27: \n
- #28: \n
- #29: \n
- #30: \n
- #31: \n
- #32: \n
- #33: \n
- #34: \n
- #35: \n
- #36: \n
- #37: \n
- #38: \n
- #39: \n
- #40: \n
- #41: \n
- #42: \n
- #43: \n
- #44: \n
- #45: \n
- #46: \n
- #47: \n
- #48: \n
- #49: \n
- #50: \n
- #51: \n
- #52: \n
- #53: \n
- #54: \n
- #55: \n
- #56: \n
- #57: \n
- #58: \n
- #59: \n
- #60: \n
- #61: \n
- #62: \n
- #63: \n
- #64: \n
- #65: \n
- #66: \n
- #67: \n
- #68: \n
- #69: \n
- #70: \n
- #71: \n
- #72: \n
- #73: \n
- #74: \n
- #75: \n
- #76: \n
- #77: \n
- #78: \n
- #79: \n
- #80: \n
- #81: \n
- #82: \n
- #83: \n
- #84: \n
- #85: \n
- #86: \n