Demystifying OAuth2 for PHP
TRANSCRIPT
WHO DO YOU TRUST WITH YOUR USERNAME AND PASSWORD?
WE NEED TO ACCESS DATA IN THE CLOUD
WE DON'T WANT TO STORE THEIR USERNAME/PASSWORD
THERE MUST BE AN ANSWER
OPEN STANDARD FOR AUTHORIZATION, V2
The framework for a secure link between provider, customer and us
OAUTH PROVIDERS
• Amazon
• Dropbox
• Etsy
• Evernote
• Facebook
• GitHub
• Google
• Instagram
• LinkedIn
• Microsoft
• PayPal
• Reddit
• SalesForce
• StackExchange
• Stripe
• Trello
• Twitter
• Vimeo
• Yelp
https://en.wikipedia.org/wiki/List_of_OAuth_providers
OAUTH IS…
• an Authorization protocol
• not an Authentication protocol
• (from the perspective of the web developer)
AUTHORIZATION: "I GIVE YOU PERMISSION"
AUTHENTICATION: "I KNOW WHO YOU ARE"
AUTHENTICATING USERS
• Can OAuth be used to provide "login with…"?
• NO. OAuth is not an authentication protocol
• SOLUTION: use OpenID Connect (Google, Microsoft) or similar
OAUTH GRANTS
• Authorization Code grant
• Implicit grant
• Resource owner credentials grant
• Client credentials grant
WITHOUT OAUTH2
(diagram: Web Developer, Customer, Provider (ex. Google API))
WITH OAUTH
(diagram: Web Developer, Customer, Provider (ex. Google API), linked through OAuth2)
OAUTH PROCESS
• We redirect user to provider (Google, Facebook, etc.)
• User authorizes us
• We obtain access token
• We make requests with access token
WHO LIKES 100 GRANDS? TWIX?
100 GRAND ESCROW (picture-story slides; the captions that survive follow)
• The customer has stored them safely in escrow; I want a 100 Grand
• The customer has decided to share ONE
• The customer directs me… …to the Escrow Provider
• Escrow Provider, to the customer: "Is it ok to share with Andrew?"
• Customer: "Yes"
• Escrow Provider hands me the secret word "Yummy"
• I present "Yummy" to the Escrow Provider; "Yummy" matches "Yummy"
• Escrow Provider hands me "Crunchy"
• I present "Crunchy" and get my 100 Grand
PROVIDER (EX. GOOGLE)
(diagram mapping the escrow story onto Web Developer, Customer and Provider)
THE CODES
• Authorization code is short-lived
• It is the key to determine who the user is and what they gave access to
• Access token has a longer life
• It is the key that gives access to the user's resources
USERNAME/PASSWORD vs OAUTH2
    USERNAME/PASSWORD                                             | OAUTH2
    Has no expiration (unless credentials change)                 | Access token has expiration
    Able to access everything in account                          | Can only access authorized data
    Can be used to maliciously take over an account               | Access to data can be revoked at any time
    Losing the username/password can mean all data is compromised | Losing the access token can mean some data is compromised
THE PROVIDER
(diagram: Users and Developers on either side of the Provider; per registered client the provider keeps:)
• Client ID
• Client Secret
• Name
• Allowed Scopes
• Whitelisted Domains
• Tokens/Codes
ID VS SECRET
• Both are for identifying who you are
• Client ID: "public" key
• Client Secret: "private" key, never to be sent through the user's browser
AUTHORIZATION SERVER
• Registers/logs in/validates the user
• Checks the client ID
• Validates the scopes that we request access to and ensures those fall within what we originally asked for
• Asks the user whether it is acceptable to give access
• Sends the authorization code through the user to us
AUTHORIZATION SERVER
• Looks up the authorization code
• Generates the access token
• Returns access token back to us
DO IT YOURSELF…
• https://oauth2.thephpleague.com
• As always, an excellent package by the amazing PHP League
LET'S SEE HOW IT IS DONE
PROVIDER: GOOGLE
GOAL: ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
https://github.com/JosephMaxwell/OAuth2Implementation
ONLINE STEPS
• Go to http://console.developers.google.com
• Enable Drive API
• Create OAuth Credentials
CONTINUING
• Save the file as client_secrets.json in your website's home directory
• Change the token_uri attribute to have this value:
  https://www.googleapis.com/oauth2/v3/token
• Open https://[domain_name]/manual
OAUTH IN PHP…
"If debugging is the process of removing software bugs, then programming must be the process of putting them in."
AUTHORIZATION URL
    https://accounts.google.com/o/oauth2/auth
        ?response_type=code
        &redirect_uri=[callback_address]
        &scope=https://www.googleapis.com/auth/drive.readonly
        &state=[generated_state_string]
        &client_id=[client_id]
        &access_type=online
REFRESH TOKENS
• Refresh tokens are indefinite
• Access tokens have an expiration
• Refresh tokens are used to create new access tokens
• access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACK
• Success: "code" parameter contains authorization code
• OpenID state key will be sent back
• Error: "error" parameter contains error message
    GET /authorize?code=4/ASDFASDFASDFASDF123123123123 HTTP/1.1
    Host: developers.google.com

Exchanging the code for a token (Guzzle):

    use GuzzleHttp\Client;

    $client = new Client();
    $code   = $_GET['code'];
    $params = [
        'code'          => $code,
        'grant_type'    => 'authorization_code',
        'client_id'     => $this->config->getClientId(),
        'client_secret' => $this->config->getClientSecret(),   // server-to-server only
        'redirect_uri'  => $this->helper->getCallbackUrl(self::AREA),
    ];
    $url      = 'https://www.googleapis.com/oauth2/v4/token';
    $response = $client->post($url, ['form_params' => $params]);

Token endpoint response:

    {
        "access_token": "1/asdf1234asdf1234asdf1234",
        "expires_in": 3920,
        "token_type": "Bearer"
    }

Using the access token against the Drive API:

    $client       = new \GuzzleHttp\Client();
    $fileResponse = $client->get(
        'https://www.googleapis.com/drive/v2/files',
        [
            'headers' => [
                'Authorization' => '[TOKEN_TYPE] [ACCESS_TOKEN]',   // e.g. "Bearer 1/asdf…"
                'Referer'       => 'http://oauth2implementation.com',
            ],
        ]
    );
    $files = new Files($fileResponse->getBody());

Refreshing, posted to https://www.googleapis.com/oauth2/v4/token:

    $params = [
        'refresh_token' => $refreshToken,
        'grant_type'    => 'refresh_token',
        'client_id'     => $this->config->getClientId(),
        'client_secret' => $this->config->getClientSecret(),
    ];
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state." (J. Ousterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION

    use League\OAuth2\Client\Provider\Google;   // league/oauth2-google provider

    $this->provider = new Google([
        'clientId'     => $this->config->getClientId(),
        'clientSecret' => $this->config->getClientSecret(),
        'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
    ]);

AUTHORIZATION REDIRECT

    $url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
    $_SESSION['oauth2_state'] = $this->provider->getState();   // compared on the callback
    header('Location: ' . $url);

ACCESS TOKEN

    $token = $this->provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
    ]);

    $fileResponse = $client->get(
        'https://www.googleapis.com/drive/v2/files',
        [
            'headers' => [
                // the API expects "<token_type> <token>", i.e. a Bearer header
                'Authorization' => 'Bearer ' . $token->getToken(),
                'Referer'       => 'http://oauth2implementation.com',
            ],
        ]
    );
    $files = new Files($fileResponse->getBody());
DO
• Protect against common security threats
• Store random state key in the session and send that to the provider
• Store the access token securely
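The authorization URL, callback and code exchange from the slides above, written out with the state check the DO list asks for. This is an added example, not code from the deck or from the OAuth2Implementation repo; the Google endpoints and scope are the ones the slides use, the client id, secret and callback URL are placeholders, and the function names are my own.

```php
<?php
declare(strict_types=1);

// Added example: authorization-code flow with a CSRF "state" check.
// Endpoints/scope come from the deck; credentials and callback are placeholders.

use GuzzleHttp\Client;   // composer require guzzlehttp/guzzle

const AUTH_URL  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token';
const SCOPE     = 'https://www.googleapis.com/auth/drive.readonly';

/** 128 random bits from the CSPRNG; stored in the session, echoed back by the provider. */
function generateState(): string
{
    return bin2hex(random_bytes(16));
}

/** Step 1: the redirect to the provider. access_type=offline asks for a refresh token. */
function buildAuthorizationUrl(string $clientId, string $redirectUri, string $state, bool $offline = false): string
{
    $query = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => SCOPE,
        'state'         => $state,
        'access_type'   => $offline ? 'offline' : 'online',
    ];
    return AUTH_URL . '?' . http_build_query($query);
}

/**
 * Step 2: validate the callback before the code is used.
 * $query is $_GET; $session is $_SESSION by reference so the state is consumed.
 * Returns the authorization code or throws.
 */
function validateCallback(array $query, array &$session): string
{
    // Provider-side failure (user declined, bad scope, ...) arrives as ?error=
    if (isset($query['error'])) {
        throw new RuntimeException('Provider returned error: ' . $query['error']);
    }
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);   // single use, even when the check fails
    if (!is_string($expected) || !isset($query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('Invalid OAuth2 state (possible CSRF)');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('Callback carried no authorization code');
    }
    return (string) $query['code'];
}

/** Step 3: exchange the code server-to-server; the client secret never passes through the browser. */
function exchangeCode(Client $http, string $code, string $clientId, string $clientSecret, string $redirectUri): array
{
    $response = $http->post(TOKEN_URL, ['form_params' => [
        'code'          => $code,
        'grant_type'    => 'authorization_code',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'redirect_uri'  => $redirectUri,
    ]]);
    $token = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    if (!isset($token['access_token'], $token['token_type'])) {
        throw new RuntimeException('Token endpoint returned no access token');
    }
    // Record the absolute expiry so the refresh token can be used before a request fails.
    $token['expires_at'] = time() + (int) ($token['expires_in'] ?? 0);
    return $token;
}

// Usage in the two request handlers (placeholder values):
// session_start();
// $state = generateState();
// $_SESSION['oauth2_state'] = $state;
// header('Location: ' . buildAuthorizationUrl('[client_id]', 'https://[domain_name]/callback', $state));
// ... later, in the callback handler:
// $code  = validateCallback($_GET, $_SESSION);
// $token = exchangeCode(new Client(), $code, '[client_id]', '[client_secret]', 'https://[domain_name]/callback');
```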
ACCESS TOKEN STORAGE
• Do you need to store the access token?
• Encrypt it
• Store it in the session or the DB
• Maybe: store the encryption key as a cookie
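One way to do what the storage slide suggests: encrypt the token before it goes into the session or DB, keeping the key only in the user's cookie. This is an added example, not the deck's code; it uses ext/sodium (bundled with PHP 7.2+), and the cookie name and function names are my own.

```php
<?php
declare(strict_types=1);

// Added example: token-at-rest encryption with the key held in a cookie.
// Cookie name and function names are assumptions, not from the deck.

const TOKEN_KEY_COOKIE = 'oauth2_tk';

/** Read the per-user key from the cookie, or mint one and set the cookie. */
function tokenKeyFromCookie(array $cookies): string
{
    if (isset($cookies[TOKEN_KEY_COOKIE])) {
        $key = base64_decode($cookies[TOKEN_KEY_COOKIE], true);
        if ($key !== false && strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            return $key;
        }
    }
    $key = sodium_crypto_secretbox_keygen();
    // Secure + HttpOnly + SameSite: the key must not reach JavaScript or plain HTTP.
    setcookie(TOKEN_KEY_COOKIE, base64_encode($key), [
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
    return $key;
}

/** Seal the token array (access token, expiry, refresh token). Returns base64(nonce || ciphertext). */
function sealToken(array $token, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh nonce per encryption
    $plain = json_encode($token, JSON_THROW_ON_ERROR);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);
    sodium_memzero($plain);
    return base64_encode($nonce . $box);
}

/** Open what sealToken() produced; null if the blob is missing, tampered with, or sealed under another key. */
function openToken(?string $sealed, string $key): ?array
{
    if ($sealed === null) {
        return null;
    }
    $raw = base64_decode($sealed, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);   // false on any MAC failure
    if ($plain === false) {
        return null;
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Usage (placeholder token shaped like the token endpoint response on the slides):
// session_start();
// $key = tokenKeyFromCookie($_COOKIE);
// $_SESSION['oauth2_token'] = sealToken(
//     ['access_token' => '[ACCESS_TOKEN]', 'token_type' => 'Bearer', 'expires_at' => time() + 3920], $key);
// $token = openToken($_SESSION['oauth2_token'] ?? null, $key);   // null => send the user through authorization again
```

Because the key lives only in the cookie, a dump of the session store or DB alone does not expose the tokens, and clearing the cookie makes the stored blob unreadable.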
IMPLICIT GRANT
• Used for client-side authorization
• Access token is public
• Resource access must be very limited
• Access token is sent back with first round-trip to authorization server
CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication
• Agreed-upon signature that has limited permissions associated with it
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: website with which we will interact
  • ex. Google API
• Resource Owner: the customer
  • ex. the entity who uses our service to access their data
OAUTH RESOURCES
• Standard
  • https://tools.ietf.org/html/rfc6749
  • Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
  • https://developers.google.com/identity/protocols/OAuth2?hl=en
  • https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google, Facebook, etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS?
GO FORTH AND CONNECT
WE NEED TO ACCESS DATA IN THE CLOUD
WE DONrsquoT WANT TO STORE THEIR USERNAMEPASSWORD
THERE MUST BE AN ANSWER
OPEN STANDARD FOR AUTHORIZATION V2
The framework for a secure link between
provider customer and us
OAUTH PROVIDERSbull Amazon
bull Dropbox
bull Etsy
bull Evernote
bull Facebook
bull GitHub
bull Google
bull Instagram
bull LinkedIn
bull Microsoft
bull Paypal
bull Reddit
bull SalesForce
bull StackExchange
bull Stripe
bull Trello
bull Twitter
bull Vimeo
bull Yelp
httpsenwikipediaorgwikiList_of_OAuth_providers
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
WE DONrsquoT WANT TO STORE THEIR USERNAMEPASSWORD
THERE MUST BE AN ANSWER
OPEN STANDARD FOR AUTHORIZATION V2
The framework for a secure link between
provider customer and us
OAUTH PROVIDERSbull Amazon
bull Dropbox
bull Etsy
bull Evernote
bull Facebook
bull GitHub
bull Google
bull Instagram
bull LinkedIn
bull Microsoft
bull Paypal
bull Reddit
bull SalesForce
bull StackExchange
bull Stripe
bull Trello
bull Twitter
bull Vimeo
bull Yelp
httpsenwikipediaorgwikiList_of_OAuth_providers
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
THERE MUST BE AN ANSWER
OPEN STANDARD FOR AUTHORIZATION V2
The framework for a secure link between
provider customer and us
OAUTH PROVIDERSbull Amazon
bull Dropbox
bull Etsy
bull Evernote
bull Facebook
bull GitHub
bull Google
bull Instagram
bull LinkedIn
bull Microsoft
bull Paypal
bull Reddit
bull SalesForce
bull StackExchange
bull Stripe
bull Trello
bull Twitter
bull Vimeo
bull Yelp
httpsenwikipediaorgwikiList_of_OAuth_providers
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION

    use League\OAuth2\Client\Provider\Google;   // league/oauth2-google provider

    $this->provider = new Google([
        'clientId'     => $this->config->getClientId(),
        'clientSecret' => $this->config->getClientSecret(),
        'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
    ]);

AUTHORIZATION REDIRECT

    $url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);  // the app's configured scope
    $_SESSION['oauth2_state'] = $this->provider->getState();                   // random state the library just generated
    header('Location: ' . $url);
    exit;

ACCESS TOKEN

    // the state must come back unchanged; reject the callback otherwise
    if (!isset($_GET['state']) || !is_string($_GET['state'])
        || !hash_equals($_SESSION['oauth2_state'] ?? '', $_GET['state'])) {
        unset($_SESSION['oauth2_state']);
        exit('Invalid state');
    }
    $token = $this->provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
    ]);

    $fileResponse = $client->get('https://www.googleapis.com/drive/v2/files', [
        'headers' => [
            'Authorization' => 'Bearer ' . $token->getToken(),   // the token type must prefix the token
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]);
    $files = new Files($fileResponse->getBody());
DO
• Protect against common security threats (RFC 6819 catalogues them)
• Store a random state key in the session, send it to the provider, and on the callback verify that the returned state matches before using the code
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token at all? If it is only used during the current visit, keep it in the session and let it expire
• Encrypt it at rest
• Store it in the session or the DB (a leaked DB dump should not yield usable tokens)
• Maybe: store the encryption key as a cookie, so the key is never kept next to the ciphertext on the server
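To make "encrypt it" concrete, here is an added example, not the talk's code, that seals the token set with PHP's built-in libsodium (PHP 7.2 or later, JSON_THROW_ON_ERROR needs 7.3) before it goes into a DB column, and returns nothing from a ciphertext that was tampered with or decrypted with the wrong key. Both key strategies from the slide are shown: a server-side key from the environment, and a per-user key that lives only in the user's cookie. TOKEN_KEY_B64 and the cookie name tok_key are assumed names; the token values in the round trip at the bottom are constructed.

```php
<?php
// Added example (not the talk's code): seal an OAuth token set with libsodium
// before it is written to the database. Requires PHP >= 7.2 (sodium built in).
// TOKEN_KEY_B64 and the cookie name tok_key are assumed names.

// Serialize and encrypt; the result is one string for a DB column.
function sealToken(array $token, string $key): string
{
    if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new InvalidArgumentException('key must be exactly 32 bytes');
    }
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh per encryption, never reused
    $plain  = json_encode($token, JSON_THROW_ON_ERROR);
    $sealed = sodium_crypto_secretbox($plain, $nonce, $key);     // XSalsa20-Poly1305: encrypted and authenticated
    sodium_memzero($plain);
    return base64_encode($nonce . $sealed);
}

// Decrypt a stored value; null for tampered, truncated or wrong-key data.
function openToken(string $stored, string $key): ?array
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $sealed = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($sealed, $nonce, $key);
    if ($plain === false) {          // MAC check failed: discard, log, make the user re-authorize
        return null;
    }
    $token = json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    sodium_memzero($plain);
    return $token;
}

// Key choice 1: one server-side key held outside the database (env, secret store).
function tokenKeyFromEnv(): string
{
    $key = base64_decode((string) getenv('TOKEN_KEY_B64'), true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('TOKEN_KEY_B64 must decode to 32 bytes');
    }
    return $key;
}

// Key choice 2 (the slide's "maybe"): a per-user key that lives only in the
// user's cookie, so a copy of the database alone decrypts nothing.
function issuePerUserKeyCookie(): string
{
    $key = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    setcookie('tok_key', base64_encode($key), [
        'secure' => true, 'httponly' => true, 'samesite' => 'Strict', 'path' => '/',
    ]);
    return $key;
}

// Round trip with a constructed token set (the values are made up).
$key    = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);     // stand-in for either key source
$token  = ['access_token' => 'ya29.example', 'refresh_token' => '1//example', 'expires_at' => time() + 3600];
$column = sealToken($token, $key);                             // store this string in the DB
assert(openToken($column, $key) === $token);
$tampered     = $column;
$tampered[10] = $tampered[10] === 'A' ? 'B' : 'A';             // flip one character inside the nonce
assert(openToken($tampered, $key) === null);
assert(openToken($column, random_bytes(32)) === null);         // wrong key also fails closed
```

The secretbox construction authenticates as well as encrypts, so a modified row is rejected outright rather than decrypted into garbage; with the cookie-held key, losing the cookie (or the user clearing it) means the stored tokens are unrecoverable and the user must authorize again, which is the trade-off the slide's "maybe" is pointing at.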
IMPLICIT GRANT
• Used for client-side (browser / JavaScript) authorization
• The access token is returned directly in the redirect URL fragment after the first round-trip to the authorization server: no authorization code, no exchange step, no client secret
• The access token is therefore exposed to the browser (history, scripts, anything that reads the URL) and must be treated as public
• Resource access must be very limited; current guidance (the OAuth 2.0 Security Best Current Practice) is to avoid this grant and use the authorization code grant with PKCE from the browser instead
CLIENT CREDENTIALS GRANT
• Machine-to-machine: our software talks to the provider on its own behalf, no resource owner involved
• The client authenticates with an agreed-upon credential (client ID and secret, or a signed assertion) and receives a token whose permissions are limited to what was granted to that client
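The client credentials grant in code, as an added example (not from the talk): the client sends its own ID and secret as HTTP Basic credentials to the token endpoint and gets back a token scoped to what the provider agreed for that client. The token URL, API URL, scope name and the SERVICE_CLIENT_ID / SERVICE_CLIENT_SECRET variables are placeholders; Google does not offer this grant to ordinary OAuth clients (its server-to-server access uses service-account JWT assertions), so the endpoint here is a generic RFC 6749 one.

```php
<?php
// Added example (not the talk's code): client-credentials grant, RFC 6749 section 4.4.
// No resource owner is involved; the client authenticates as itself. The token
// and API URLs, the scope and the SERVICE_* environment variables are placeholders.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

function clientCredentialsToken(Client $http, string $tokenUrl, string $id, string $secret, array $scopes): array
{
    $response = $http->post($tokenUrl, [
        'auth'        => [$id, $secret],            // HTTP Basic client auth (RFC 6749 2.3.1), secret not in the body
        'form_params' => [
            'grant_type' => 'client_credentials',
            'scope'      => implode(' ', $scopes),  // ask only for what this job needs
        ],
    ]);
    $token = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    if (strcasecmp($token['token_type'] ?? '', 'Bearer') !== 0 || empty($token['access_token'])) {
        throw new RuntimeException('unexpected token response');
    }
    // Refresh tokens are normally not issued for this grant: when the token
    // expires, simply request another one with the same credentials.
    $token['expires_at'] = time() + (int) ($token['expires_in'] ?? 0);
    return $token;
}

$http  = new Client(['timeout' => 10]);
$token = clientCredentialsToken(
    $http,
    'https://auth.example.com/oauth2/token',                 // placeholder token endpoint
    (string) getenv('SERVICE_CLIENT_ID'),
    (string) getenv('SERVICE_CLIENT_SECRET'),
    ['reports:read']                                          // placeholder scope
);
$report = $http->get('https://api.example.com/reports', [   // placeholder resource server
    'headers' => ['Authorization' => 'Bearer ' . $token['access_token']],
]);
```

Because there is no user consent screen, the only thing limiting what this token can do is the scope list the provider registered for the client; keep the credentials in a secret store rather than in the code, and rotate them like any other service password.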
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: the API that hosts the protected data and accepts the access token
• ex: Google API
• Resource Owner: the customer
• ex: the entity who uses our service to access their data
• Authorization Server: the provider component that authenticates the resource owner and issues codes and tokens (for Google, accounts.google.com)
OAUTH RESOURCES
• Standard
• https://tools.ietf.org/html/rfc6749
• Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
• https://developers.google.com/identity/protocols/OAuth2?hl=en
• https://developers.google.com/oauthplayground
THE STEPS
• Redirect the user to the provider (Google, Facebook, etc.)
• Provider authenticates the user; user authorizes us
• We exchange the authorization code for an access token
• We make requests with the access token
QUESTIONS
GO FORTH AND CONNECT
OPEN STANDARD FOR AUTHORIZATION V2
The framework for a secure link between
provider customer and us
OAUTH PROVIDERSbull Amazon
bull Dropbox
bull Etsy
bull Evernote
bull Facebook
bull GitHub
bull Google
bull Instagram
bull LinkedIn
bull Microsoft
bull Paypal
bull Reddit
bull SalesForce
bull StackExchange
bull Stripe
bull Trello
bull Twitter
bull Vimeo
bull Yelp
httpsenwikipediaorgwikiList_of_OAuth_providers
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
The framework for a secure link between
provider customer and us
OAUTH PROVIDERSbull Amazon
bull Dropbox
bull Etsy
bull Evernote
bull Facebook
bull GitHub
bull Google
bull Instagram
bull LinkedIn
bull Microsoft
bull Paypal
bull Reddit
bull SalesForce
bull StackExchange
bull Stripe
bull Trello
bull Twitter
bull Vimeo
bull Yelp
httpsenwikipediaorgwikiList_of_OAuth_providers
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
OAUTH PROVIDERSbull Amazon
bull Dropbox
bull Etsy
bull Evernote
bull Facebook
bull GitHub
bull Google
bull Instagram
bull LinkedIn
bull Microsoft
bull Paypal
bull Reddit
bull SalesForce
bull StackExchange
bull Stripe
bull Trello
bull Twitter
bull Vimeo
bull Yelp
httpsenwikipediaorgwikiList_of_OAuth_providers
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
OAUTH IShellipbull an Authorization protocol
bull not an Authentication protocol
bull (from the perspective of the web developer)
AUTHORIZATION ldquoI GIVE YOU PERMISSIONrdquo
AUTHENTICATION ldquoI KNOW WHO YOU ARErdquo
AUTHENTICATING USERSbull Can OAuth be used to provide
ldquologin withhelliprdquo
bull NO OAuth is not an
authentication protocol
bull SOLUTION use OpenID Connect
(GoogleMicrosoft) or similar
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
use GuzzleHttp\Client;

$client = new Client();
$code   = $_GET['code'];   // only after the state check has passed
$params = [
    'code'          => $code,
    'grant_type'    => 'authorization_code',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),   // server to server only
    'redirect_uri'  => $this->helper->getCallbackUrl(self::AREA),
];
$url      = 'https://www.googleapis.com/oauth2/v4/token';
$response = $client->post($url, ['form_params' => $params]);
{
  "access_token": "1asdf1234asdf1234asdf1234",
  "expires_in": 3920,
  "token_type": "Bearer"
}
use GuzzleHttp\Client;

$client       = new Client();
$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            // token_type and access_token from the token response, e.g. "Bearer 1asdf..."
            'Authorization' => '[TOKEN_TYPE] [ACCESS_TOKEN]',
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());   // Files is the demo project's own wrapper
Posted to https://www.googleapis.com/oauth2/v4/token:
$params = [
    'refresh_token' => $refreshToken,
    'grant_type'    => 'refresh_token',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
];
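The steps shown on the preceding slides (authorization URL, callback, code exchange, API call) assembled into one runnable script, as an added example; this is not code from the original deck or from the JosephMaxwell/OAuth2Implementation project. It uses only PHP's cURL and standard library (PHP 7.3 or later is assumed for JSON_THROW_ON_ERROR). The $cfg keys, the function names and the two handler files named in the trailing comment are this example's own choices; the endpoints and scope are the ones on the slides.

```php
<?php
declare(strict_types=1);
// Added example: the authorization-code flow against Google with no OAuth library.

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v4/token';
const DRIVE_FILES    = 'https://www.googleapis.com/drive/v2/files';

/** Unguessable per-request state: 128 bits from the CSPRNG, hex encoded. */
function newState(): string
{
    return bin2hex(random_bytes(16));
}

/** Step 1: the URL the user's browser is redirected to. */
function authorizationUrl(array $cfg, string $state): string
{
    return AUTH_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $cfg['client_id'],
        'redirect_uri'  => $cfg['redirect_uri'],
        'scope'         => 'https://www.googleapis.com/auth/drive.readonly',
        'state'         => $state,
        'access_type'   => 'online',
    ]);
}

/** Step 2: validate the callback ($query is $_GET) and return the code, or throw. */
function codeFromCallback(array $query, ?string $expectedState): string
{
    if (isset($query['error'])) {
        throw new RuntimeException('provider returned error: ' . $query['error']);
    }
    // Constant-time compare. A missing or different state means this request did
    // not come from a redirect we issued: treat it as CSRF / code injection.
    if ($expectedState === null || !isset($query['state'])
        || !hash_equals($expectedState, (string) $query['state'])) {
        throw new RuntimeException('state mismatch');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('no authorization code in callback');
    }
    return (string) $query['code'];
}

/** HTTPS request via cURL; returns the decoded JSON body or throws. */
function httpJson(string $url, array $headers, ?array $form = null): array
{
    $ch   = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSL_VERIFYPEER => true,   // never relax this: the client secret rides in the POST
    ];
    if ($form !== null) {
        $opts[CURLOPT_POST]       = true;
        $opts[CURLOPT_POSTFIELDS] = http_build_query($form);
    }
    curl_setopt_array($ch, $opts);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("request to $url failed (HTTP $status)");
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

/** Step 3: server-to-server exchange; the client secret never touches the browser. */
function exchangeCode(string $code, array $cfg): array
{
    $token = httpJson(TOKEN_ENDPOINT, [], [
        'code'          => $code,
        'grant_type'    => 'authorization_code',
        'client_id'     => $cfg['client_id'],
        'client_secret' => $cfg['client_secret'],
        'redirect_uri'  => $cfg['redirect_uri'],   // must equal the one used in step 1
    ]);
    if (($token['token_type'] ?? '') !== 'Bearer' || empty($token['access_token'])) {
        throw new RuntimeException('unexpected token response');
    }
    return $token;   // access_token, expires_in, token_type
}

/** Step 4: call the resource server with the bearer token. */
function listDriveFiles(string $accessToken): array
{
    return httpJson(DRIVE_FILES, ['Authorization: Bearer ' . $accessToken]);
}

// Wiring (two handlers; the session cookie is assumed to be Secure and HttpOnly):
// start.php:    $_SESSION['oauth2_state'] = newState();
//               header('Location: ' . authorizationUrl($cfg, $_SESSION['oauth2_state'])); exit;
// callback.php: $code = codeFromCallback($_GET, $_SESSION['oauth2_state'] ?? null);
//               unset($_SESSION['oauth2_state']);   // one use only
//               $files = listDriveFiles(exchangeCode($code, $cfg)['access_token']);
```

The state is consumed on the callback even when the check fails, so a replayed redirect cannot be matched later; the code exchange and the API call both run from the server, which is what keeps the client secret and the bearer token out of the browser.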
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state." (John Ousterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client (plus the league/oauth2-google provider package, which supplies the Google class used below)
• https://github.com/thephpleague/oauth2-client
INITIALIZATION
use League\OAuth2\Client\Provider\Google;

$this->provider = new Google([
    'clientId'     => $this->config->getClientId(),
    'clientSecret' => $this->config->getClientSecret(),
    'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
]);
AUTHORIZATION REDIRECT
$url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);   // SCOPE: the Drive read-only scope
$_SESSION['oauth2_state'] = $this->provider->getState();   // generated by the library; kept for the callback
header('Location: ' . $url);
exit;   // nothing after the redirect header may run
ACCESS TOKEN
if (empty($_GET['state']) || !hash_equals($_SESSION['oauth2_state'], $_GET['state'])) {
    exit('Invalid state');   // the callback did not come from a redirect we issued
}
$token = $this->provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);
$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            'Authorization' => 'Bearer ' . $token->getToken(),   // getToken() is the bare token; the scheme must be added
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());
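The library slides obtain a token but do not show what happens once it expires. The following is an added example, not the deck's or the library's own code, of the refresh lifecycle with the same library (league/oauth2-client with the league/oauth2-google provider): request offline access, persist the token, and refresh transparently. Assumed: the Google provider's accessType and prompt options, PHP 7.4 or later, and a hypothetical TokenStore (with an in-memory ArrayTokenStore) standing in for your database table.

```php
<?php
declare(strict_types=1);
// Added example: refresh-token lifecycle with league/oauth2-client + league/oauth2-google.

use League\OAuth2\Client\Provider\Google;
use League\OAuth2\Client\Token\AccessToken;
use League\OAuth2\Client\Token\AccessTokenInterface;

/** Hypothetical persistence for one user's token (the array from AccessToken::jsonSerialize()). */
interface TokenStore
{
    public function load(string $userId): ?array;
    public function save(string $userId, array $data): void;
}

/** In-memory stand-in for a database table; replace with your own row access. */
final class ArrayTokenStore implements TokenStore
{
    private array $rows = [];
    public function load(string $userId): ?array { return $this->rows[$userId] ?? null; }
    public function save(string $userId, array $data): void { $this->rows[$userId] = $data; }
}

function googleProvider(array $cfg): Google
{
    return new Google([
        'clientId'     => $cfg['client_id'],
        'clientSecret' => $cfg['client_secret'],
        'redirectUri'  => $cfg['redirect_uri'],
        'accessType'   => 'offline',   // access_type=offline: ask for a refresh token
        'prompt'       => 'consent',   // Google only issues a refresh token with a consent screen
    ]);
}

/**
 * Returns a usable access token for $userId, refreshing it when it has expired.
 * Google does not return a new refresh token on refresh, so the old one is carried over.
 */
function freshToken(Google $provider, TokenStore $store, string $userId): AccessTokenInterface
{
    $saved = $store->load($userId);
    if ($saved === null) {
        throw new RuntimeException('user has not authorized us yet');
    }
    $token = new AccessToken($saved);   // accepts access_token, refresh_token, expires
    if (!$token->hasExpired()) {
        return $token;
    }
    if ($token->getRefreshToken() === null) {
        throw new RuntimeException('token expired and no refresh token stored; re-authorize');
    }
    $renewed = $provider->getAccessToken('refresh_token', [
        'refresh_token' => $token->getRefreshToken(),
    ]);
    $merged = new AccessToken([
        'access_token'  => $renewed->getToken(),
        'expires'       => $renewed->getExpires(),
        'refresh_token' => $renewed->getRefreshToken() ?? $token->getRefreshToken(),
    ]);
    $store->save($userId, $merged->jsonSerialize());
    return $merged;
}

/** Calls the Drive files endpoint through the provider, which sets the Bearer header itself. */
function listDriveFiles(Google $provider, AccessTokenInterface $token): array
{
    $request = $provider->getAuthenticatedRequest(
        'GET',
        'https://www.googleapis.com/drive/v2/files',
        $token
    );
    return $provider->getParsedResponse($request);
}

// On the callback, after the state check, persist what the code exchange returned:
//   $store->save($userId, $provider->getAccessToken('authorization_code',
//       ['code' => $_GET['code']])->jsonSerialize());
// On later requests:
//   $files = listDriveFiles($provider, freshToken($provider, $store, $userId));
```

A refresh that fails with an invalid_grant error means the user revoked access (or the refresh token was otherwise invalidated); the only recovery is to send the user through the authorization redirect again.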
DO
• Protect against common security threats (RFC 6819 lists them)
• Store a random state key in the session, send it to the provider, and verify it on the callback before using the code
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token at all? If the work finishes within one request, use it and discard it
• Encrypt it (authenticated encryption, so a tampered row is detected rather than just unreadable)
• Store it in the session or the DB
• Maybe: store the encryption key in a cookie, so neither the database nor the browser alone holds a usable token (the key then rides on every request, so the cookie must be Secure and HttpOnly; a server-side secret store is the more common choice)
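An added example (not the deck's own code) of the "encrypt it" bullet: sealing a token with libsodium's XChaCha20-Poly1305 AEAD before it goes into the database, with the user id bound in as associated data so a ciphertext copied into another user's row fails to open. The key is loaded from the environment rather than a cookie; the variable name TOKEN_KEY and the function names are this example's own, and PHP 7.2 or later with the sodium extension is assumed.

```php
<?php
declare(strict_types=1);
// Added example: authenticated encryption of an OAuth token before storing it in the DB.

const TOKEN_KEY_ENV = 'TOKEN_KEY';   // assumed env var: 64 hex chars (32 bytes), made once with newTokenKey()

/** One-time key generation; keep the hex string in the secret manager / environment, never in the repo. */
function newTokenKey(): string
{
    return bin2hex(random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES));
}

/** Loads and validates the key; refuses to run with a missing or short key rather than a weak default. */
function loadTokenKey(): string
{
    $hex = getenv(TOKEN_KEY_ENV);
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES) {
        throw new RuntimeException(TOKEN_KEY_ENV . ' is missing or malformed');
    }
    return sodium_hex2bin($hex);
}

/**
 * Returns base64(nonce || ciphertext || tag). The user id is the associated data:
 * the row can only be opened back into the same user's context.
 */
function sealToken(string $plaintextToken, string $userId, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES); // 24 bytes, fresh per seal
    $cipher = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintextToken, $userId, $nonce, $key);
    sodium_memzero($plaintextToken);   // wipe the local copy of the secret
    return base64_encode($nonce . $cipher);
}

/** Inverse of sealToken(); throws on truncation, tampering, wrong key or wrong user id. */
function openToken(string $sealed, string $userId, string $key): string
{
    $raw      = base64_decode($sealed, true);
    $nonceLen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) <= $nonceLen + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        throw new RuntimeException('stored token is malformed');
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $nonceLen), $userId, substr($raw, 0, $nonceLen), $key
    );
    if ($plain === false) {
        throw new RuntimeException('stored token failed authentication');
    }
    return $plain;
}

// Usage with constructed values (in production the key comes from loadTokenKey()):
$key    = sodium_hex2bin(newTokenKey());
$sealed = sealToken('example-access-token', 'user-42', $key);
if (openToken($sealed, 'user-42', $key) !== 'example-access-token') {
    throw new LogicException('round trip failed');
}
try {
    openToken($sealed, 'user-43', $key);   // same ciphertext, different user: rejected
    throw new LogicException('cross-user open must not succeed');
} catch (RuntimeException $e) {
    // expected: the AEAD tag does not verify under a different associated data value
}
```

Store $sealed in the token column; the nonce travels with the ciphertext, so no extra column is needed, and rotating the key means re-sealing every row under the new key.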
IMPLICIT GRANT
• Used for client-side (browser JavaScript) authorization, where there is no server to hold a client secret
• Access token is public: it comes back in the redirect URL fragment, visible to the browser, its history and any script on the page
• Resource access must be very limited
• Access token is sent back with the first round-trip to the authorization server; there is no authorization code and no server-to-server exchange
• The OAuth 2.0 Security Best Current Practice now advises against this grant; public clients should use the authorization code grant with PKCE (RFC 7636) instead
CLIENT CREDENTIALS GRANT
• Machine-to-machine authorization: no user is involved, the client acts on its own behalf
• The client authenticates with its own client ID and secret (or an agreed-upon signed assertion) and receives a token carrying only the limited permissions assigned to that client
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: the server hosting the protected data, with which we will interact
• ex: Google API (www.googleapis.com)
• Resource Owner: the customer
• ex: the entity who uses our service to access their data
• Authorization Server: the provider's server that authenticates the user and issues codes and tokens
• ex: accounts.google.com
OAUTH RESOURCES
• Standard
• https://tools.ietf.org/html/rfc6749
• Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
• https://developers.google.com/identity/protocols/OAuth2?hl=en
• https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google, Facebook, etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS?
GO FORTH AND CONNECT
OAUTH GRANTSbull Authorization Code grant
bull Implicit grant
bull Resource owner credentials grant
bull Client credentials grant
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state" (J. Ousterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION
// Google provider from the PHP League OAuth2 client (League\OAuth2\Client\Provider\Google)
$this->provider = new Google([
    'clientId'     => $this->config->getClientId(),
    'clientSecret' => $this->config->getClientSecret(),
    'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
]);

AUTHORIZATION REDIRECT
$url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
$_SESSION['oauth2_state'] = $this->provider->getState();   // compare against $_GET['state'] on the callback
header('Location: ' . $url);

ACCESS TOKEN
$token = $this->provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);

$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            'Authorization' => 'Bearer ' . $token->getToken(),   // the API expects the token type prefix
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());
DO
• Protect against common security threats
• Store a random state key in the session and send that to the provider
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token?
• Encrypt it
• Store it in the session or the DB
• Maybe: store the encryption key as a cookie
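The DO and ACCESS TOKEN STORAGE slides put together as one callback handler: an added example, not code from the talk or from the OAuth2Implementation repo. It assumes Guzzle (installed via Composer) and ext-sodium; the placeholders CLIENT_ID_PLACEHOLDER and CLIENT_SECRET_PLACEHOLDER, the redirect URI https://example.test/callback and the mocked token response are constructed for the walk-through.

```php
<?php
declare(strict_types=1);
// Added example, not from the talk or the OAuth2Implementation repo.
// Assumes guzzlehttp/guzzle via Composer and ext-sodium (PHP 7.2+).
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\ClientInterface;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

const AUTH_URL  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token';
const SCOPE     = 'https://www.googleapis.com/auth/drive.readonly';

/** Step 1: build the redirect, binding a fresh random state to this session. */
function buildAuthorizationUrl(string $clientId, string $redirectUri, array &$session): string
{
    $state = bin2hex(random_bytes(16));     // 128 bits from the CSPRNG, one per login attempt
    $session['oauth2_state'] = $state;
    return AUTH_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => SCOPE,
        'state'         => $state,
        'access_type'   => 'online',
    ]);
}

/** Step 2: the callback. Returns the authorization code, or throws on error / state mismatch. */
function validateCallback(array $query, array &$session): string
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);        // state is single-use, even when validation fails
    if (isset($query['error'])) {
        throw new RuntimeException('Provider returned error: ' . $query['error']);
    }
    if ($expected === null || !isset($query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('OAuth2 state mismatch (possible CSRF)');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('Callback carried no authorization code');
    }
    return (string) $query['code'];
}

/** Step 3: exchange the code server-to-server, so the client secret never reaches the browser. */
function exchangeCode(ClientInterface $http, string $code, string $clientId,
                      string $clientSecret, string $redirectUri): array
{
    $response = $http->request('POST', TOKEN_URL, ['form_params' => [
        'code' => $code, 'grant_type' => 'authorization_code', 'client_id' => $clientId,
        'client_secret' => $clientSecret, 'redirect_uri' => $redirectUri,
    ]]);
    $token = json_decode((string) $response->getBody(), true);
    if (!is_array($token) || empty($token['access_token'])
        || ($token['token_type'] ?? '') !== 'Bearer') {
        throw new RuntimeException('Unexpected token response');
    }
    $token['expires_at'] = time() + (int) ($token['expires_in'] ?? 0);   // absolute expiry for later checks
    return $token;
}

/** Step 4: encrypt before storing. Ciphertext goes in the session/DB, the key only in a cookie. */
function sealToken(array $token, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode($token), $nonce, $key);
    return base64_encode($nonce . $box);
}

function openToken(string $sealed, string $key): array
{
    $raw   = base64_decode($sealed, true);
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Stored token blob failed authentication');
    }
    return json_decode($plain, true);
}

// Walk-through: an array stands in for $_SESSION and a mocked token endpoint replaces Google.
$session     = [];
$redirectUri = 'https://example.test/callback';                       // constructed
$url   = buildAuthorizationUrl('CLIENT_ID_PLACEHOLDER', $redirectUri, $session);
parse_str((string) parse_url($url, PHP_URL_QUERY), $sent);
$query = ['code' => '4/constructed-code', 'state' => $sent['state']]; // what the provider would send back
$code  = validateCallback($query, $session);
$mock  = new MockHandler([new Response(200, [], json_encode(
    ['access_token' => 'constructed-token', 'expires_in' => 3920, 'token_type' => 'Bearer']
))]);
$http  = new Client(['handler' => HandlerStack::create($mock)]);
$token = exchangeCode($http, $code, 'CLIENT_ID_PLACEHOLDER', 'CLIENT_SECRET_PLACEHOLDER', $redirectUri);
$key   = sodium_crypto_secretbox_keygen();   // in production: set as an HttpOnly, Secure cookie
$session['oauth2_token'] = sealToken($token, $key);
var_dump(openToken($session['oauth2_token'], $key)['access_token']);
```

A replayed or forged callback fails at validateCallback before any token exchange, and a tampered session blob fails at openToken because secretbox authenticates the ciphertext.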
IMPLICIT GRANT
• Used for client-side authorization
• Access token is public
• Resource access must be very limited
• Access token is sent back with the first round-trip to the authorization server
CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication
• Agreed-upon signature that has limited permissions associated with it
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: website with which we will interact
  • ex: Google API
• Resource Owner: the customer
  • ex: the entity who uses our service to access their data
OAUTH RESOURCES
• Standard
  • https://tools.ietf.org/html/rfc6749
  • Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
  • https://developers.google.com/identity/protocols/OAuth2?hl=en
  • https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google/Facebook/etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
WITHOUT OAUTH2
Web Developer Customer
Provider (ex Google API)
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
WITH OAUTH
Web Developer Customer
Provider (ex Google API)
OAuth2
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
WHO LIKES 100 GRANDS TWIX
Has stored them safely in escrow
Wants a 100 grand
100 GRAND ESCROW
httpwwwmrwallpapercomhungry-cat-wallpaper
Has decided to share ONE
Wants a 100 grand
100 GRAND ESCROW
100 GRAND ESCROW
Directs mehellip
hellipto Escrow Provider
100 GRAND ESCROW
ldquoIs it ok to sharewith Andrewrdquo
100 GRAND ESCROW
ldquoYesrdquo
100 GRAND ESCROW
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
PROVIDER (EX. GOOGLE)
[diagram: the three parties, Provider (ex. Google), Web Developer and Customer]
OAUTH PROCESS
• We redirect user to provider (Google, Facebook, etc.)
• User authorizes us
• We obtain access token
• We make requests with access token
THE CODES
• Authorization code is short-lived
• It is the key to determine who the user is and what they gave access to
• Access token has a longer life
• It is the key that gives access to the user's resources
USERNAME/PASSWORD vs. OAUTH2
USERNAME/PASSWORD                                                OAUTH2
Has no expiration (unless credentials change)                    Access token has expiration
Able to access everything in account                             Only can access authorized data
Can be used to maliciously take over an account                  Access to data can be revoked at any time
Losing the username/password can mean all data is compromised    Losing the access token can mean some data is compromised
THE PROVIDER
[diagram: Users and Developers on either side of the Provider; the Provider holds the Client ID, Client Secret, Name, Allowed Scopes, Whitelisted Domains and Tokens/Codes]
ID VS SECRET
• Both are for identifying who you are
• Client ID: "public" key
• Client Secret: "private" key, never to be sent through the user's browser
AUTHORIZATION SERVER
• Registers / logs in / validates the user
• Checks the client ID
• Validates the scopes that we request access to and ensures those fall within what we originally asked for
• Asks the user whether it is acceptable to give access
• Sends the authorization code through the user to us
• Looks up the authorization code
• Generates the access token
• Returns access token back to us
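The client-ID, redirect-URI and scope checks the slides assign to the authorization server, as an added example in plain PHP (not the talk's code and not the PHP League server package). The client registration, the callback URL and the client ID are constructed values; the scopes are Google's real Drive scopes.

```php
<?php
// Added example (not the talk's code, nor the League server package): the checks the slides
// assign to the authorization server, run over a constructed client registration.
declare(strict_types=1);

// Shaped like the THE PROVIDER slide: what the provider stores about each registered client.
const REGISTERED_CLIENTS = [
    'CLIENT_ID_PLACEHOLDER' => [
        'name'           => 'OAuth2Implementation demo',
        'allowed_scopes' => ['https://www.googleapis.com/auth/drive.readonly'],
        'redirect_uris'  => ['https://example.com/oauth2/callback'],
    ],
];

// Validates the query string of an authorization request. Returns [] when the request may
// proceed to the consent screen, otherwise the reasons to refuse it.
function validateAuthorizationRequest(array $query): array
{
    $client = REGISTERED_CLIENTS[$query['client_id'] ?? ''] ?? null;
    if ($client === null) {
        return ['unknown client_id'];
    }
    $errors = [];
    // Exact match against the whitelist. A prefix or substring match would let a code be
    // delivered to an unregistered location, so when this fails the server must show an
    // error page rather than redirect anywhere (RFC 6749 section 4.1.2.1).
    if (!in_array($query['redirect_uri'] ?? '', $client['redirect_uris'], true)) {
        $errors[] = 'redirect_uri is not registered for this client';
    }
    if (($query['response_type'] ?? '') !== 'code') {
        $errors[] = 'unsupported response_type';
    }
    // scope is space-separated (RFC 6749 section 3.3); every entry must be inside the
    // client's allowed scopes, so a drive.readonly client cannot widen itself to full drive.
    $requested = preg_split('/\s+/', trim($query['scope'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    if ($requested === []) {
        $errors[] = 'no scope requested';
    }
    foreach (array_diff($requested, $client['allowed_scopes']) as $scope) {
        $errors[] = 'scope not allowed for this client: ' . $scope;
    }
    return $errors;
}

// Constructed requests: first the one the AUTHORIZATION URL slide builds, then the same
// request asking for the broader drive scope and a redirect target that only shares the prefix.
$request = [
    'response_type' => 'code',
    'client_id'     => 'CLIENT_ID_PLACEHOLDER',
    'redirect_uri'  => 'https://example.com/oauth2/callback',
    'scope'         => 'https://www.googleapis.com/auth/drive.readonly',
    'state'         => bin2hex(random_bytes(16)),
    'access_type'   => 'online',
];
print_r(validateAuthorizationRequest($request));          // no errors: proceed to consent

$overreach = $request;
$overreach['scope'] .= ' https://www.googleapis.com/auth/drive';
$overreach['redirect_uri'] = 'https://example.com/oauth2/callback/other';
print_r(validateAuthorizationRequest($overreach));        // refused on both counts
```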
DO IT YOURSELF…
• https://oauth2.thephpleague.com
• As always, an excellent package by the amazing PHP League
LET'S SEE HOW IT IS DONE
PROVIDER: GOOGLE
GOAL: ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
https://github.com/JosephMaxwell/OAuth2Implementation
ONLINE STEPS
• Go to http://console.developers.google.com
• Enable Drive API
• Create OAuth Credentials
CONTINUING
• Save the file as client_secrets.json in your website's home directory
• Change the token_uri attribute to have this value: https://www.googleapis.com/oauth2/v3/token
• Open https://[domain_name]/manual
OAUTH IN PHP…
"If debugging is the process of removing software bugs, then programming must be the process of putting them in."
AUTHORIZATION URL
https://accounts.google.com/o/oauth2/auth
  ?response_type=code
  &redirect_uri=[callback_address]
  &scope=https://www.googleapis.com/auth/drive.readonly
  &state=[generated_state_string]
  &client_id=[client_id]
  &access_type=online
REFRESH TOKENS
• Refresh tokens are indefinite
• Access tokens have an expiration
• Refresh tokens are used to create new access tokens
• access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACK
• Success: "code" parameter contains authorization code
• OpenID: state key will be sent back
• Error: "error" parameter contains error message
GET /authorize?code=4ASDFASDFASDFASDF123123123123 HTTP/1.1
Host: developers.google.com

Exchanging the code for a token with Guzzle:

    use GuzzleHttp\Client;

    $client = new Client();
    $code = $_GET['code'];
    $params = [
        'code'          => $code,
        'grant_type'    => 'authorization_code',
        'client_id'     => $this->config->getClientId(),
        'client_secret' => $this->config->getClientSecret(),
        'redirect_uri'  => $this->helper->getCallbackUrl(self::AREA),
    ];
    $url = 'https://www.googleapis.com/oauth2/v4/token';
    $response = $client->post($url, ['form_params' => $params]);

Token response:

    {
      "access_token": "1asdf1234asdf1234asdf1234",
      "expires_in": 3920,
      "token_type": "Bearer"
    }

Using the token against the resource server:

    $client = new GuzzleHttp\Client();
    $fileResponse = $client->get(
        'https://www.googleapis.com/drive/v2/files',
        [
            'headers' => [
                'Authorization' => '[TOKEN_TYPE] [ACCESS_TOKEN]',   // token_type, a space, then the access token
                'Referer'       => 'http://oauth2implementation.com',
            ],
        ]
    );
    $files = new Files($fileResponse->getBody());

Refreshing, posted to https://www.googleapis.com/oauth2/v4/token:

    $params = [
        'refresh_token' => $refreshToken,
        'grant_type'    => 'refresh_token',
        'client_id'     => $this->config->getClientId(),
        'client_secret' => $this->config->getClientSecret(),
    ];
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state." (J. Ousterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION

    use League\OAuth2\Client\Provider\Google;

    $this->provider = new Google([
        'clientId'     => $this->config->getClientId(),
        'clientSecret' => $this->config->getClientSecret(),
        'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
    ]);

AUTHORIZATION REDIRECT

    $url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
    $_SESSION['oauth2_state'] = $this->provider->getState();   // remembered for the callback check
    header('Location: ' . $url);
    exit;

ACCESS TOKEN

    // The state we stored before the redirect must come back unchanged (CSRF protection);
    // hash_equals() compares in constant time.
    if (empty($_GET['state']) || !hash_equals($_SESSION['oauth2_state'], $_GET['state'])) {
        unset($_SESSION['oauth2_state']);
        exit('Invalid state');
    }
    $token = $this->provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);

    $client = new GuzzleHttp\Client();
    $fileResponse = $client->get(
        'https://www.googleapis.com/drive/v2/files',
        [
            'headers' => [
                'Authorization' => 'Bearer ' . $token->getToken(),   // token type prefix, as in the raw version
                'Referer'       => 'http://oauth2implementation.com',
            ],
        ]
    );
    $files = new Files($fileResponse->getBody());
DO
• Protect against common security threats
• Store random state key in the session and send that to the provider
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token?
• Encrypt it
• Store it in the session or the DB
• Maybe: store the encryption key as a cookie
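The DO and ACCESS TOKEN STORAGE items above, as an added PHP example that is neither the talk's code nor the OAuth2Implementation repository's: state generation and constant-time verification, an absolute expiry computed from the token response's expires_in, and libsodium secretbox encryption of the token record so the session or DB holds only ciphertext while the key lives elsewhere (for instance the cookie the slide suggests). The client ID, callback URL and token values are constructed; the endpoint and scope are the ones on the AUTHORIZATION URL slide.

```php
<?php
// Added example (not from the talk or the OAuth2Implementation repo): the "DO" slides in
// plain PHP 7.2+ (libsodium is bundled since 7.2). No framework, no League client.
declare(strict_types=1);

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/auth';
const SCOPE_DRIVE_RO = 'https://www.googleapis.com/auth/drive.readonly';

// 1. State: unguessable, kept server-side, one per authorization attempt.
function newState(array &$session): string
{
    $state = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $session['oauth2_state'] = $state;
    return $state;
}

// Same parameters as the AUTHORIZATION URL slide; http_build_query does the escaping.
function authorizationUrl(string $clientId, string $redirectUri, string $state): string
{
    return AUTH_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => SCOPE_DRIVE_RO,
        'state'         => $state,
        'access_type'   => 'online',
    ]);
}

// Callback side: the state parameter must equal the stored one. The stored value is consumed
// first, so a second callback carrying the same state fails; hash_equals() is constant-time.
function stateIsValid(array &$session, array $query): bool
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);
    $received = $query['state'] ?? null;
    if (!is_string($expected) || !is_string($received)) {
        return false;
    }
    return hash_equals($expected, $received);
}

// 2. Expiry: the token endpoint returns a relative expires_in; store an absolute timestamp.
function tokenRecord(array $tokenResponse, int $now): array
{
    return [
        'access_token' => $tokenResponse['access_token'],
        'token_type'   => $tokenResponse['token_type'] ?? 'Bearer',
        'expires_at'   => $now + (int) ($tokenResponse['expires_in'] ?? 0),
    ];
}

function isExpired(array $record, int $now): bool
{
    return $now >= $record['expires_at'];
}

// 3. Storage: authenticated encryption (XSalsa20-Poly1305). The session/DB gets the
// ciphertext; the 32-byte key is kept apart from it, e.g. in a cookie as the slide suggests.
function sealToken(array $record, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // fresh for every encryption
    $box   = sodium_crypto_secretbox(json_encode($record), $nonce, $key);
    return base64_encode($nonce . $box);                          // the nonce is not secret
}

// Returns null when the ciphertext was altered or the key is wrong.
function openToken(string $sealed, string $key): ?array
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : json_decode($plain, true);
}

// Walk-through with constructed values standing in for $_SESSION and $_GET.
$session = [];
$state   = newState($session);
echo authorizationUrl('CLIENT_ID_PLACEHOLDER', 'https://example.com/oauth2/callback', $state), "\n";

var_dump(stateIsValid($session, ['code' => 'CODE_PLACEHOLDER', 'state' => $state]));  // matching state
var_dump(stateIsValid($session, ['code' => 'CODE_PLACEHOLDER', 'state' => $state]));  // replay: state already consumed

$now    = 1700000000;
$record = tokenRecord(['access_token' => '1asdf1234asdf1234asdf1234', 'expires_in' => 3920, 'token_type' => 'Bearer'], $now);
$key    = sodium_crypto_secretbox_keygen();                            // store apart from the ciphertext
$sealed = sealToken($record, $key);

var_dump(openToken($sealed, $key) === $record);                       // round trip with the right key
var_dump(openToken($sealed, sodium_crypto_secretbox_keygen()));        // wrong key
var_dump(isExpired($record, $now + 3919), isExpired($record, $now + 3920)); // one second either side of expiry
```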
IMPLICIT GRANT
• Used for client-side authorization
• Access token is public
• Resource access must be very limited
• Access token is sent back with the first round-trip to the authorization server
CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication
• Agreed-upon signature that has limited permissions associated with it
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: website with which we will interact
  • ex. Google API
• Resource Owner: the customer
  • ex. the entity who uses our service to access their data
OAUTH RESOURCES
• Standard
  • https://tools.ietf.org/html/rfc6749
  • Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
  • https://developers.google.com/identity/protocols/OAuth2?hl=en
  • https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google, Facebook, etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
100 GRAND ESCROW (remaining frames of the analogy)
Secret word: "Yummy"
"Yummy" / "Yummy"
"Crunchy"

PROVIDER (EX: GOOGLE) / Web Developer / Customer (diagram)

OAUTH PROCESS
• We redirect user to provider (Google/Facebook/etc.)
• User authorizes us
• We obtain access token
• We make requests with access token

THE CODES
• Authorization code is short-lived
• It is the key to determine who the user is and what they gave access to
• Access token has a longer life
• It is the key that gives access to the user's resources
USERNAME/PASSWORD                                             | OAUTH2
--------------------------------------------------------------|----------------------------------------------------------
Has no expiration (unless credentials change)                 | Access token has expiration
Able to access everything in account                          | Can only access authorized data
Can be used to maliciously take over an account               | Access to data can be revoked at any time
Losing the username/password can mean all data is compromised | Losing the access token can mean some data is compromised
THE PROVIDER (diagram: Users, Developers, Provider)
• Client ID
• Client Secret
• Name
• Allowed Scopes
• Whitelisted Domains
• Tokens/Codes

ID VS SECRET
• Both are for identifying who you are
• Client ID: "public" key
• Client Secret: "private" key, never to be sent through the user's browser
AUTHORIZATION SERVER
• Registers / logs in / validates the user
• Checks the client ID
• Validates the scopes that we request access to and ensures those fall within what we originally asked for
• Asks the user whether it is acceptable to give access
• Sends the authorization code through the user to us

AUTHORIZATION SERVER
• Looks up the authorization code
• Generates the access token
• Returns access token back to us
DO IT YOURSELF…
• https://oauth2.thephpleague.com
• As always, an excellent package by the amazing PHP League

LET'S SEE HOW IT IS DONE
PROVIDER: GOOGLE
GOAL: ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
https://github.com/JosephMaxwell/OAuth2Implementation

ONLINE STEPS
• Go to http://console.developers.google.com
• Enable Drive API
• Create OAuth Credentials

CONTINUING
• Save the file as client_secrets.json in your website's home directory
• Change the token_uri attribute to have this value:
  • https://www.googleapis.com/oauth2/v3/token
• Open https://[domain_name]/manual

OAUTH IN PHP…
"If debugging is the process of removing software bugs, then programming must be the process of putting them in."
AUTHORIZATION URL
https://accounts.google.com/o/oauth2/auth
    ?response_type=code
    &redirect_uri=[callback_address]
    &scope=https://www.googleapis.com/auth/drive.readonly
    &state=[generated_state_string]
    &client_id=[client_id]
    &access_type=online
REFRESH TOKENS
• Refresh tokens are indefinite
• Access tokens have an expiration
• Refresh tokens are used to create new access tokens
• access_type=offline to use refresh tokens

USER DOES THEIR MAGIC

THE CALLBACK
• Success: "code" parameter contains authorization code
• OpenID: state key will be sent back
• Error: "error" parameter contains error message
GET /authorize?code=4ASDFASDFASDFASDF123123123123 HTTP/1.1
Host: developers.google.com

$client = new Client();
$code = $_GET['code'];
$params = [
    'code'          => $code,
    'grant_type'    => 'authorization_code',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
    'redirect_uri'  => $this->helper->getCallbackUrl(self::AREA),
];
$url = "https://www.googleapis.com/oauth2/v4/token";
$response = $client->post($url, ['form_params' => $params]);

Response from the token endpoint:
access_token: 1asdf1234asdf1234asdf1234
expires_in: 3920
token_type: Bearer

$client = new GuzzleHttp\Client();
$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            'Authorization' => '[TOKEN_TYPE] [ACCESS_TOKEN]',
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());

Posted to https://www.googleapis.com/oauth2/v4/token:
$params = [
    'refresh_token' => $refreshToken,
    'grant_type'    => 'refresh_token',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
];
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state." (J. Ousterhout)

LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION
$this->provider = new Google([
    'clientId'     => $this->config->getClientId(),
    'clientSecret' => $this->config->getClientSecret(),
    'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
]);

AUTHORIZATION REDIRECT
$url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
$_SESSION['oauth2_state'] = $this->provider->getState();
header('Location: ' . $url);

ACCESS TOKEN
$token = $this->provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);
$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            // token_type from the token response ("Bearer") must precede the token value
            'Authorization' => 'Bearer ' . $token->getToken(),
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());
DO
• Protect against common security threats
• Store random state key in the session and send that to the provider
• Store the access token securely
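The manual flow from the slides above (authorization URL, callback, code exchange, refresh) and the state advice from the DO slide, pulled together as one added example; this is not code from the talk's repository. It uses PHP's curl extension rather than Guzzle, and CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders the calling script supplies.

```php
<?php
// Added example: authorization-code flow against Google with the curl extension.
// Endpoints, scope and parameter names come from the slides; CLIENT_ID, CLIENT_SECRET
// and REDIRECT_URI are placeholders the calling script supplies.
declare(strict_types=1);

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v4/token';
const DRIVE_SCOPE    = 'https://www.googleapis.com/auth/drive.readonly';

// Step 1: build the redirect. The state is a fresh, unguessable value kept in the
// session and echoed back by the provider; a callback that does not carry it was
// not started by this browser session (CSRF defence).
function buildAuthorizationUrl(string $clientId, string $redirectUri, bool $offline = false): string
{
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    return AUTH_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => DRIVE_SCOPE,
        'state'         => $state,
        'access_type'   => $offline ? 'offline' : 'online', // offline also yields a refresh token
    ]);
}

// Step 2: the callback. The state is consumed (one-shot) and compared in constant time;
// a provider "error" is reported instead of attempting an exchange with no code.
function readCallback(array $query): string
{
    $expected = (string) ($_SESSION['oauth2_state'] ?? '');
    unset($_SESSION['oauth2_state']);
    $received = (string) ($query['state'] ?? '');
    if ($expected === '' || !hash_equals($expected, $received)) {
        throw new RuntimeException('state mismatch: callback was not started by this session');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('provider returned error: ' . (string) $query['error']);
    }
    if (empty($query['code'])) {
        throw new RuntimeException('callback carried neither code nor error');
    }
    return (string) $query['code'];
}

// Back-channel POST to the token endpoint: the only place the client secret travels,
// server to server, never through the user's browser.
function postToTokenEndpoint(array $params): array
{
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($params),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate checking on; tokens travel here
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("token endpoint returned HTTP $status");
    }
    $json = json_decode((string) $body, true);
    if (!is_array($json) || empty($json['access_token'])) {
        throw new RuntimeException('token response carried no access_token');
    }
    return $json; // access_token, expires_in, token_type and, for offline access, refresh_token
}

// Step 3: exchange the short-lived code. redirect_uri must repeat the value used in
// step 1, otherwise the provider rejects the exchange.
function exchangeCode(string $code, string $clientId, string $clientSecret, string $redirectUri): array
{
    return postToTokenEndpoint([
        'code'          => $code,
        'grant_type'    => 'authorization_code',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
        'redirect_uri'  => $redirectUri,
    ]);
}

// Step 4 (offline access only): mint a new access token once the old one has expired.
function refreshAccessToken(string $refreshToken, string $clientId, string $clientSecret): array
{
    return postToTokenEndpoint([
        'refresh_token' => $refreshToken,
        'grant_type'    => 'refresh_token',
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ]);
}
// Callback script sketch (session_start() must already have run):
//   $code   = readCallback($_GET);
//   $tokens = exchangeCode($code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI);
```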
ACCESS TOKEN STORAGE
• Do you need to store the access token?
• Encrypt it
• Store it in the session or the DB
• Maybe: Store encryption key as cookie
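The storage slide's three points (encrypt the token, keep the ciphertext in session or DB, keep the key in a cookie) as an added example; this is not code from the talk. It uses the sodium extension bundled with PHP 7.2+ and the setcookie() options array from PHP 7.3+; the cookie name and lifetime are assumptions.

```php
<?php
// Added example: seal the access token with libsodium before it is stored in the
// session or the database, and hand the key to the browser in a cookie, so neither
// store alone yields a usable token. Cookie name and lifetime are assumptions.
declare(strict_types=1);

const TOKEN_KEY_COOKIE = 'tok_k';
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

// Per-user key: taken from the cookie when it is present and well-formed, otherwise
// freshly generated (which simply forces a new authorization round).
function tokenKeyFromCookie(array $cookies): string
{
    $raw = $cookies[TOKEN_KEY_COOKIE] ?? '';
    if (is_string($raw) && $raw !== '') {
        try {
            $key = sodium_base642bin($raw, B64);
            if (strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
                return $key;
            }
        } catch (SodiumException $e) {
            // malformed cookie: fall through to a new key
        }
    }
    return sodium_crypto_secretbox_keygen();
}

// The cookie is the only copy of the key: TLS-only, hidden from page scripts, same-site.
function issueKeyCookie(string $key, int $ttlSeconds = 3600): void
{
    setcookie(TOKEN_KEY_COOKIE, sodium_bin2base64($key, B64), [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// nonce || secretbox(token): a fresh nonce per call, base64 for a session value or DB column.
function sealToken(string $accessToken, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return sodium_bin2base64($nonce . sodium_crypto_secretbox($accessToken, $nonce, $key), B64);
}

// Null on a malformed blob, a wrong key or any tampering (the Poly1305 tag fails to verify).
function openToken(string $sealed, string $key): ?string
{
    try {
        $blob = sodium_base642bin($sealed, B64);
    } catch (SodiumException $e) {
        return null;
    }
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($blob) < $min) {
        return null;
    }
    $nonce  = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Self-check from the CLI with a constructed token value (no session or cookie involved).
if (PHP_SAPI === 'cli') {
    $key    = sodium_crypto_secretbox_keygen();
    $sealed = sealToken('constructed-sample-access-token', $key);
    var_dump(openToken($sealed, $key) === 'constructed-sample-access-token');  // right key
    var_dump(openToken($sealed, sodium_crypto_secretbox_keygen()) === null);    // wrong key
    var_dump(openToken(substr($sealed, 0, -4) . 'AAAA', $key) === null);       // tampered blob
}
```

In the web app, keep the value sealToken() returns in $_SESSION or a DB column and call issueKeyCookie() on the same response; later requests recover the token with tokenKeyFromCookie($_COOKIE) followed by openToken().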
IMPLICIT GRANT
• Used for client-side authorization
• Access token is public
• Resource access must be very limited
• Access token is sent back with first round-trip to authorization server

CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication
• Agreed-upon signature that has limited permissions associated with it

INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: website with which we will interact
  • ex: Google API
• Resource Owner: the customer
  • ex: the entity who uses our service to access their data

OAUTH RESOURCES
• Standard
  • https://tools.ietf.org/html/rfc6749
  • Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
  • https://developers.google.com/identity/protocols/OAuth2?hl=en
  • https://developers.google.com/oauthplayground

THE STEPS
• Redirect user to provider (Google/Facebook/etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token

QUESTIONS?
GO FORTH AND CONNECT
100 GRAND ESCROW
ldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
100 GRAND ESCROW
ldquoYummyrdquoldquoYummyrdquo
Secret wordldquoYummyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
100 GRAND ESCROW
ldquoCrunchyrdquo
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUING
• Save the file as client_secrets.json in your website's home directory
• Change the token_uri attribute to have this value:
  • https://www.googleapis.com/oauth2/v3/token
• Open https://[domain_name]/manual
OAUTH IN PHP…
"If debugging is the process of removing software bugs, then programming must be the process of putting them in."
AUTHORIZATION URL
https://accounts.google.com/o/oauth2/auth?
response_type=code
&state=RANDOM_GENERATED_CODE
&redirect_uri=[callback_address]
&scope=https://www.googleapis.com/auth/drive.readonly
&state=[generated_state_string]
&client_id=[client_id]
&access_type=online
REFRESH TOKENS
• Refresh tokens are indefinite
• Access tokens have an expiration
• Refresh tokens are used to create new access tokens
• access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACK
• Success: "code" parameter contains authorization code
• OpenID: state key will be sent back
• Error: "error" parameter contains error message
GET /authorize?code=4/ASDFASDFASDFASDF123123123123 HTTP/1.1
Host: developers.google.com

use GuzzleHttp\Client;

$client = new Client();
$code = $_GET['code'];
$params = [
    'code'          => $code,
    'grant_type'    => 'authorization_code',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
    'redirect_uri'  => $this->helper->getCallbackUrl(self::AREA),
];
$url = "https://www.googleapis.com/oauth2/v4/token";
$response = $client->post($url, ['form_params' => $params]);
{
  "access_token": "1/asdf1234asdf1234asdf1234",
  "expires_in": 3920,
  "token_type": "Bearer"
}
$client = new \GuzzleHttp\Client();
$fileResponse = $client->get('https://www.googleapis.com/drive/v2/files', [
    'headers' => [
        'Authorization' => '[TOKEN_TYPE] [ACCESS_TOKEN]',
        'Referer'       => 'http://oauth2implementation.com',
    ],
]);
$files = new Files($fileResponse->getBody());
Posted to https://www.googleapis.com/oauth2/v4/token:
$params = [
    'refresh_token' => $refreshToken,
    'grant_type'    => 'refresh_token',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
];
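The redirect, callback and code exchange from the AUTHORIZATION URL and THE CALLBACK slides, written out as one runnable script with the random state check that the DO slide asks for. This is an added example, not code from the talk or from the JosephMaxwell/OAuth2Implementation repository; the function names (buildAuthorizationUrl, handleCallback), the $app array, the placeholder client id/secret and the example.test redirect URI are all assumptions. The endpoints are Google's as shown on the slides, but the token response is a constructed sample served through Guzzle's MockHandler so that the script runs offline; guzzlehttp/guzzle installed via Composer is assumed.

```php
<?php
// Added example, not code from the talk or the JosephMaxwell/OAuth2Implementation repo:
// the redirect, callback and code exchange from the AUTHORIZATION URL and THE CALLBACK
// slides, with the random state check the DO slide asks for. Endpoints are Google's as on
// the slides; the token response is a constructed sample served by Guzzle's MockHandler,
// so the script runs offline. Requires guzzlehttp/guzzle (Composer autoload assumed).
declare(strict_types=1);
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

const AUTH_URL  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_URL = 'https://www.googleapis.com/oauth2/v4/token';
const SCOPE     = 'https://www.googleapis.com/auth/drive.readonly';

/** Step 1: the redirect URL. The state is unguessable and is kept server-side. */
function buildAuthorizationUrl(array &$session, array $app): string
{
    $state = bin2hex(random_bytes(16));              // 128 bits from the CSPRNG
    $session['oauth2_state'] = $state;
    return AUTH_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $app['client_id'],
        'redirect_uri'  => $app['redirect_uri'],
        'scope'         => SCOPE,
        'state'         => $state,
        'access_type'   => 'offline',                 // ask for a refresh token as well
    ]);
}

/**
 * Step 2: the callback. Refuse any redirect whose state is not the one we issued (forged
 * or replayed), then error responses, then exchange the code on the back channel, where
 * the client secret travels server-to-server and never through the user's browser.
 */
function handleCallback(array $query, array &$session, Client $http, array $app): array
{
    $expected = $session['oauth2_state'] ?? null;
    unset($session['oauth2_state']);                 // single use, whatever the outcome
    if ($expected === null || !isset($query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('Invalid OAuth2 state');
    }
    if (isset($query['error'])) {
        throw new RuntimeException('Provider returned error: ' . $query['error']);
    }
    if (empty($query['code'])) {
        throw new RuntimeException('Missing authorization code');
    }
    $response = $http->post(TOKEN_URL, ['form_params' => [
        'code'          => $query['code'],
        'grant_type'    => 'authorization_code',
        'client_id'     => $app['client_id'],
        'client_secret' => $app['client_secret'],
        'redirect_uri'  => $app['redirect_uri'],
    ]]);
    $token = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    if (!isset($token['access_token'], $token['token_type'])) {
        throw new RuntimeException('Malformed token response');
    }
    $token['expires_at'] = time() + (int) ($token['expires_in'] ?? 0);  // absolute expiry
    return $token;
}

// --- demonstration with a constructed session and a mocked token endpoint ---
$app = ['client_id' => 'CLIENT_ID_PLACEHOLDER', 'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
        'redirect_uri' => 'https://example.test/callback'];
$session = [];
$mock = new MockHandler([new Response(200, ['Content-Type' => 'application/json'], json_encode([
    'access_token'  => '1/asdf1234asdf1234asdf1234',  // constructed, same shape as the slide
    'expires_in'    => 3920,
    'token_type'    => 'Bearer',
    'refresh_token' => '1/constructed-refresh-token',
]))]);
$http = new Client(['handler' => HandlerStack::create($mock)]);

// A redirect carrying someone else's state is refused before any code is exchanged.
buildAuthorizationUrl($session, $app);
try {
    handleCallback(['code' => '4/forged', 'state' => 'not-ours'], $session, $http, $app);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// The genuine callback echoes the state from the URL we built.
$url = buildAuthorizationUrl($session, $app);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
$token = handleCallback(['code' => '4/ASDFASDFASDFASDF123123123123', 'state' => $query['state']],
                        $session, $http, $app);
echo 'Got a ', $token['token_type'], ' token, expires at ', date(DATE_ATOM, $token['expires_at']), PHP_EOL;
```

In a real handler $session is $_SESSION and $query is $_GET; the comparison uses hash_equals so the check is constant-time, and the stored state is cleared on every attempt so a code cannot be replayed against the same session. The same comparison of $_GET['state'] against the saved $_SESSION['oauth2_state'] belongs in front of the library-based getAccessToken() call shown on the LIBRARY slides.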
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state." (J. Ousterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION
use League\OAuth2\Client\Provider\Google;

$this->provider = new Google([
    'clientId'     => $this->config->getClientId(),
    'clientSecret' => $this->config->getClientSecret(),
    'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
]);
AUTHORIZATION REDIRECT
$url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
$_SESSION['oauth2_state'] = $this->provider->getState();
header('Location: ' . $url);

ACCESS TOKEN
$token = $this->provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
$fileResponse = $client->get('https://www.googleapis.com/drive/v2/files', [
    'headers' => [
        'Authorization' => 'Bearer ' . $token->getToken(),  // token type prefix, as on the earlier slide
        'Referer'       => 'http://oauth2implementation.com',
    ],
]);
$files = new Files($fileResponse->getBody());
DO
• Protect against common security threats
• Store a random state key in the session and send that to the provider
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token?
• Encrypt it
• Store it in the session or the DB
• Maybe: store the encryption key as a cookie
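The ACCESS TOKEN STORAGE advice in code, as an added example that is not from the talk: the token record is encrypted and authenticated with libsodium (bundled with PHP 7.2 and later) before it goes into the session or a database row, the key is kept apart from the ciphertext, and a record past its absolute expiry is treated as unusable. The function names (sealToken, openToken, isUsable), the token values and the 60-second skew margin are assumptions of this example.

```php
<?php
// Added example, not from the talk: the ACCESS TOKEN STORAGE advice in code. The token
// record is encrypted and authenticated with libsodium (bundled with PHP 7.2+) before it is
// written to the session or a DB row, the key is held separately from the ciphertext, and a
// record past its absolute expiry is treated as unusable. The token values are constructed.
declare(strict_types=1);

/** Seal a token record; the stored blob is base64(nonce || ciphertext+MAC). */
function sealToken(array $token, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);        // fresh per record
    $plaintext = json_encode($token, JSON_THROW_ON_ERROR);
    $sealed = base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
    sodium_memzero($plaintext);
    return $sealed;
}

/** Open a stored blob; null means it was altered, truncated or sealed under another key. */
function openToken(string $sealed, string $key): ?array
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    if ($plain === false) {
        return null;                                                   // MAC check failed
    }
    return json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

/** Usable only before its absolute expiry, with a margin for clock skew against the provider. */
function isUsable(?array $token, int $now, int $skew = 60): bool
{
    return $token !== null
        && isset($token['access_token'], $token['expires_at'])
        && $now + $skew < $token['expires_at'];
}

// --- demonstration ---
// The key lives apart from the blob (the talk suggests a cookie; a KMS or env var also works).
$key = sodium_crypto_secretbox_keygen();
$token = [                                                             // constructed record
    'access_token' => '1/asdf1234asdf1234asdf1234',
    'token_type'   => 'Bearer',
    'expires_at'   => time() + 3920,                                   // derived from expires_in
];

$sealed = sealToken($token, $key);                                     // what session/DB stores
assert(openToken($sealed, $key) === $token);                           // round trip intact

$raw = base64_decode($sealed);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);      // flip one bit of the blob
assert(openToken(base64_encode($raw), $key) === null);                // tampering is detected
assert(openToken($sealed, sodium_crypto_secretbox_keygen()) === null); // wrong key yields nothing

assert(isUsable(openToken($sealed, $key), time()));                    // still valid now
assert(!isUsable(openToken($sealed, $key), time() + 3920));            // expired: refresh instead
echo 'Stored blob: ', $sealed, PHP_EOL;
```

Because secretbox authenticates as well as encrypts, a database row or session entry that has been edited fails to open rather than yielding a subtly wrong token, and the nonce is stored beside the ciphertext so no counter has to be tracked.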
IMPLICIT GRANT
• Used for client-side authorization
• Access token is public
• Resource access must be very limited
• Access token is sent back with the first round-trip to the authorization server
CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication
• Agreed-upon signature that has limited permissions associated with it
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: website with which we will interact
  • ex: Google API
• Resource Owner: the customer
  • ex: the entity who uses our service to access their data
OAUTH RESOURCES
• Standard
  • https://tools.ietf.org/html/rfc6749
  • Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
  • https://developers.google.com/identity/protocols/OAuth2?hl=en
  • https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google, Facebook, etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS?
GO FORTH AND CONNECT
100 GRAND ESCROW
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
PROVIDER (EX GOOGLE)
Web Developer
Customer
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
OAUTH PROCESSbull We redirect user to provider (GoogleFacebooketc)
bull User authorizes us
bull We obtain access token
bull We make requests with access token
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
THE CODESbull Authorization code is short-lived
bull It is the key to determine who the user is and what they gave
access to
bull Access token has a longer life
bull It is the key that gives access to the userrsquos resources
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
USERNAMEPASSWORD OAUTH2
Has no expiration (unless credentials change)
Access token has expiration
Able to access everything in account
Only can access authorized data
Can be used to maliciously take over an account
Access to data can be revoked at any time
Loosing the usernamepassword can mean all data is compromised
Loosing the access token can mean some data is compromised
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LET'S SEE HOW IT IS DONE
PROVIDER: GOOGLE
GOAL: ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
https://github.com/JosephMaxwell/OAuth2Implementation
ONLINE STEPS
• Go to http://console.developers.google.com
• Enable the Drive API
• Create OAuth credentials
CONTINUING
• Save the downloaded file as client_secrets.json in your website's home directory (it contains the client secret, so keep it outside the web server's document root, or make sure the server will never serve it)
• Change the token_uri attribute to have this value:
• https://www.googleapis.com/oauth2/v3/token
• Open https://[domain_name]/manual
OAUTH IN PHP…
"If debugging is the process of removing software bugs, then programming must be the process of putting them in."
AUTHORIZATION URL
https://accounts.google.com/o/oauth2/auth
?response_type=code
&redirect_uri=[callback_address]
&scope=https://www.googleapis.com/auth/drive.readonly
&state=[generated_state_string]   (random, stored in our session, checked when the callback arrives)
&client_id=[client_id]
&access_type=online
REFRESH TOKENS
• Refresh tokens have no fixed expiration (but the user or the provider can revoke them)
• Access tokens have an expiration (expires_in in the token response)
• Refresh tokens are used to create new access tokens without sending the user back through the provider
• access_type=offline in the authorization URL to receive a refresh token (Google-specific parameter)
USER DOES THEIR MAGIC
THE CALLBACK
• Success: the "code" parameter contains the authorization code
• The "state" key we sent is sent back; compare it with the value stored in the session before using the code
• Error: the "error" parameter contains the error message

GET /authorize?code=4/ASDFASDFASDFASDF123123123123 HTTP/1.1
Host: developers.google.com
use GuzzleHttp\Client;

$client = new Client();
$code = $_GET['code'];
$params = [
    'code'          => $code,
    'grant_type'    => 'authorization_code',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
    'redirect_uri'  => $this->helper->getCallbackUrl(self::AREA),
];
$url = "https://www.googleapis.com/oauth2/v4/token";
// Server-to-server POST: this is the only place the client secret is transmitted
$response = $client->post($url, ['form_params' => $params]);
{
  "access_token": "1/asdf1234asdf1234asdf1234",
  "expires_in": 3920,
  "token_type": "Bearer"
}
$client = new GuzzleHttp\Client();
$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            'Authorization' => '[TOKEN_TYPE] [ACCESS_TOKEN]',   // e.g. "Bearer 1/asdf1234..."
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());   // Files is the demo application's own class
Posted to https://www.googleapis.com/oauth2/v4/token:
$params = [
    'refresh_token' => $refreshToken,
    'grant_type'    => 'refresh_token',
    'client_id'     => $this->config->getClientId(),
    'client_secret' => $this->config->getClientSecret(),
];
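The snippets above show the four steps one at a time. The following is an added example, written for this page and not code from the talk or its demo repository, that puts them together in one client using PHP's bundled cURL extension instead of Guzzle. The endpoint URLs are the ones quoted on the slides; the client_id, client_secret and callback address are placeholders, and the callback query strings fed in at the end are constructed so the first two steps run without network access.

```php
<?php
// Added example, not code from the talk or its demo repository: the four steps
// above as one small client using PHP's bundled cURL extension rather than Guzzle.
// Endpoints are the ones quoted on the slides; client_id, client_secret and the
// callback address are placeholders, and the callback input at the end is constructed.
declare(strict_types=1);

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v4/token';
const DRIVE_FILES    = 'https://www.googleapis.com/drive/v2/files';

/** Step 1: the redirect. $state must be unpredictable and saved in the session for step 2. */
function buildAuthorizationUrl(string $clientId, string $redirectUri, string $scope, string $state, bool $offline): string
{
    return AUTH_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => $scope,
        'state'         => $state,
        'access_type'   => $offline ? 'offline' : 'online',   // offline: a refresh token is issued too
    ]);
}

/** Step 2 (the callback): refuse errors and state mismatches before the code is used anywhere. */
function authorizationCodeFromCallback(array $query, string $expectedState): string
{
    if (isset($query['error'])) {
        throw new RuntimeException('provider returned error: ' . $query['error']);
    }
    // hash_equals compares in constant time and insists on strings (no type juggling on $_GET input).
    if (!is_string($query['state'] ?? null) || !hash_equals($expectedState, $query['state'])) {
        throw new RuntimeException('state mismatch: possible CSRF, discarding the code');
    }
    if (!is_string($query['code'] ?? null) || $query['code'] === '') {
        throw new RuntimeException('callback carried no code');
    }
    return $query['code'];
}

/** Back-channel POST to the token endpoint: the client secret travels here, never through the browser. */
function postForm(string $url, array $fields): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,    // never turn off: secret and tokens are in this exchange
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('token request failed: ' . curl_error($ch));
    }
    $json = json_decode((string) $body, true, 512, JSON_THROW_ON_ERROR);
    if (isset($json['error'])) {
        throw new RuntimeException('token endpoint error: ' . $json['error']);
    }
    return $json;
}

/** Step 3: code -> access_token, token_type, expires_in (plus refresh_token when access_type=offline). */
function exchangeCode(string $code, string $clientId, string $clientSecret, string $redirectUri): array
{
    return postForm(TOKEN_ENDPOINT, [
        'grant_type' => 'authorization_code', 'code' => $code, 'client_id' => $clientId,
        'client_secret' => $clientSecret, 'redirect_uri' => $redirectUri,   // must match step 1
    ]);
}

/** After expires_in seconds: trade the long-lived refresh token for a new access token. */
function refreshAccessToken(string $refreshToken, string $clientId, string $clientSecret): array
{
    return postForm(TOKEN_ENDPOINT, [
        'grant_type' => 'refresh_token', 'refresh_token' => $refreshToken,
        'client_id' => $clientId, 'client_secret' => $clientSecret,
    ]);
}

/** Step 4: call the resource server with "Authorization: <token_type> <access_token>". */
function listDriveFiles(array $token): array
{
    $ch = curl_init(DRIVE_FILES);
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER     => ['Authorization: ' . $token['token_type'] . ' ' . $token['access_token']],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body = curl_exec($ch);
    return json_decode((string) $body, true, 512, JSON_THROW_ON_ERROR);
}

// Offline walk-through of steps 1 and 2 (no network): in the app, $state lives in $_SESSION['oauth2_state'].
$state = bin2hex(random_bytes(16));
echo buildAuthorizationUrl('[client_id]', 'https://example.test/callback',
    'https://www.googleapis.com/auth/drive.readonly', $state, true), "\n";
try {
    authorizationCodeFromCallback(['code' => '4/ASDF', 'state' => 'forged'], $state);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";            // state mismatch: possible CSRF, discarding the code
}
$code = authorizationCodeFromCallback(['code' => '4/ASDF', 'state' => $state], $state);
// With real credentials: $token = exchangeCode($code, ...); $files = listDriveFiles($token);
```

The state check in step 2 is what stops an attacker from completing the flow on your user's behalf: without it, anyone can start an authorization with their own account, capture the callback URL, and get your user's session bound to the attacker's Drive. The redirect_uri is posted again in step 3 because the token endpoint refuses a code that was issued for a different callback address.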
IN A LIBRARY…
"The best performance improvement is the transition from the nonworking state to the working state." (J. Ousterhout)
LIBRARY
• The PHP library
• The PHP League OAuth2 Client
• https://github.com/thephpleague/oauth2-client
INITIALIZATION
use League\OAuth2\Client\Provider\Google;

$this->provider = new Google([
    'clientId'     => $this->config->getClientId(),
    'clientSecret' => $this->config->getClientSecret(),
    'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
]);

AUTHORIZATION REDIRECT
$url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
$_SESSION['oauth2_state'] = $this->provider->getState();   // random state, kept for the callback check
header('Location: ' . $url);
ACCESS TOKEN
// Compare $_GET['state'] with $_SESSION['oauth2_state'] before exchanging the code (see DO below)
$token = $this->provider->getAccessToken('authorization_code', [
    'code' => $_GET['code'],
]);

$fileResponse = $client->get(
    'https://www.googleapis.com/drive/v2/files',
    [
        'headers' => [
            // getToken() returns the bare token; the header needs the token type in front of it
            'Authorization' => 'Bearer ' . $token->getToken(),
            'Referer'       => 'http://oauth2implementation.com',
        ],
    ]
);
$files = new Files($fileResponse->getBody());
DO
• Protect against common security threats
• Store a random state key in the session, send it to the provider, and reject the callback if it does not come back unchanged
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token at all?
• Encrypt it
• Store it in the session or the DB
• Maybe: store the encryption key in a cookie, so the key and the ciphertext are never in the same place
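The storage slide stops at "encrypt it" and "maybe store the key as a cookie". The following added example, written for this page and not from the talk, shows one concrete way to do that with libsodium (bundled with PHP 7.2 and later): the token record is sealed with a per-user key that lives only in the browser's cookie, so whoever copies the database gets ciphertext without keys. The cookie name and the token values in the walk-through are constructed.

```php
<?php
// Added example, not from the talk: encrypt the token record before it goes into the
// session or the DB, with the key living only in the user's cookie, so a copy of the
// database alone does not yield usable tokens. Uses libsodium, bundled with PHP 7.2+.
// The cookie name and the token values in the walk-through are constructed.
declare(strict_types=1);

final class TokenVault
{
    private const COOKIE = 'tok_key';

    /** Per-user key: generated once and handed to the browser as a Secure/HttpOnly cookie, never stored server-side. */
    public static function issueKey(): string
    {
        $key = sodium_crypto_secretbox_keygen();    // 32 random bytes
        setcookie(self::COOKIE, sodium_bin2base64($key, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING),
            ['secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
        return $key;
    }

    /** Recover the key on a later request; null when the cookie is missing or malformed. */
    public static function keyFromCookie(array $cookies): ?string
    {
        try {
            $key = sodium_base642bin((string) ($cookies[self::COOKIE] ?? ''), SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
        } catch (SodiumException $e) {
            return null;
        }
        return strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES ? $key : null;
    }

    /** Encrypt and authenticate the token response; the random nonce is prepended so the record is self-contained. */
    public static function seal(array $token, string $key): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox(json_encode($token, JSON_THROW_ON_ERROR), $nonce, $key);
        return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
    }

    /** Null on a wrong key or a modified record: secretbox is authenticated encryption, so tampering is detected. */
    public static function open(string $record, string $key): ?array
    {
        $raw = sodium_base642bin($record, SODIUM_BASE64_VARIANT_ORIGINAL);
        if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
            return null;
        }
        $plain = sodium_crypto_secretbox_open(
            substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $key);
        return $plain === false ? null : json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
    }
}

// Walk-through with a constructed token response shaped like the one on the slides.
$token  = ['access_token' => '1/asdf1234asdf1234asdf1234', 'expires_in' => 3920, 'token_type' => 'Bearer',
           'obtained_at' => time()];                      // store when it was issued to know when it expires
$key    = sodium_crypto_secretbox_keygen();              // TokenVault::issueKey() inside a real request
$record = TokenVault::seal($token, $key);                // this string is what the DB row or session holds
$tampered = substr_replace($record, $record[40] === 'A' ? 'B' : 'A', 40, 1);
if (TokenVault::open($record, $key) !== $token
    || TokenVault::open($record, sodium_crypto_secretbox_keygen()) !== null   // wrong key
    || TokenVault::open($tampered, $key) !== null) {                         // modified ciphertext
    throw new LogicException('vault check failed');
}
echo "record: {$record}\nround trip, wrong-key and tamper checks passed\n";
```

The trade-off of keeping the key in a cookie is that the token is only reachable while that browser is talking to you, which is fine for the "online" case shown on the slides and exactly wrong for an offline job that must refresh tokens while the user is away; for that case the key has to live in a server-side secret store instead.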
IMPLICIT GRANT
• Used for client-side (in-browser) authorization
• The access token is public: it is exposed to the browser and to anything running in the page
• Resource access must be very limited
• The access token is sent back with the first round-trip to the authorization server; there is no code exchange and no client secret
• Caveat: the IETF OAuth security best-current-practice guidance now recommends against the implicit grant; browser-based clients should use the authorization code grant with PKCE instead
CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication: no user is involved
• The client authenticates with its own agreed-upon credentials (client ID and secret) and receives a token carrying only the limited permissions associated with the client itself
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: the website with which we will interact
• ex: Google API
• Resource Owner: the customer
• ex: the entity who uses our service to access their data
• Authorization Server: the provider's component that authenticates the user and issues the codes and tokens (see the AUTHORIZATION SERVER slides above)
OAUTH RESOURCES
• Standard
• https://tools.ietf.org/html/rfc6749
• Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
• https://developers.google.com/identity/protocols/OAuth2?hl=en
• https://developers.google.com/oauthplayground
THE STEPS
• Redirect the user to the provider (Google, Facebook, etc.)
• The provider authenticates the user; the user authorizes us
• We exchange the authorization code for an access token
• We make requests with the access token
QUESTIONS
GO FORTH AND CONNECT
THE PROVIDER
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
Users Developers
Provider
Client ID
Client Secret
Name
Allowed Scopes
Whitelisted Domains
TokensCodes
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
ID VS SECRETbull Both are for identifying who you are
bull Client ID ldquopublicrdquo key
bull Client Secret ldquoprivaterdquo key never to be sent through
userrsquos browser
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
AUTHORIZATION SERVERbull Registerslogs invalidates the user
bull Checks the client ID
bull Validates the scopes that we request access to and
ensures those fall within what we originally asked for
bull Asks the user whether it is acceptable to give access
bull Sends the authorization code through the user to us
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
AUTHORIZATION SERVERbull Looks up the authorization code
bull Generates the access token
bull Returns access token back to us
DO IT YOURSELFhellipbull httpsoauth2thephpleaguecom
bull As always an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: the website/API with which we will interact
• ex: Google API
• Resource Owner: the customer
• ex: the entity who uses our service to access their data
• Authorization Server: the provider component that authenticates the resource owner and issues tokens
• ex: the accounts.google.com consent page plus the /oauth2/v4/token endpoint
OAUTH RESOURCES
• Standard
• https://tools.ietf.org/html/rfc6749
• Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
• https://developers.google.com/identity/protocols/OAuth2?hl=en
• https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google/Facebook/etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
DO IT YOURSELF…
• https://oauth2.thephpleague.com
• As always, an excellent package by the amazing PHP League
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
LETrsquoS SEE HOW IT IS DONE
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
PROVIDER GOOGLE
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
GOAL ACCESS LIST OF CUSTOMER FILES IN GOOGLE DRIVE
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
httpsgithubcom JosephMaxwell
OAuth2Implementation
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
ONLINE STEPSbull Go to httpconsoledevelopersgooglecom
bull Enable Drive API
bull Create OAuth Credentials
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
CONTINUINGbull Save the file as client_secretsjson in your websitersquos home
directory
bull Change the token_uri attribute to have this value
bull httpswwwgoogleapiscomoauth2v3token
bull Open https[domain_name]manual
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Refreshing: POST to https://www.googleapis.com/oauth2/v4/token with
    $params = [
        'refresh_token' => $refreshToken,
        'grant_type'    => 'refresh_token',
        'client_id'     => $this->config->getClientId(),
        'client_secret' => $this->config->getClientSecret(),
    ];
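The raw flow on the preceding slides, joined up end to end, as an added example that is not part of the original deck: the redirect with a random state, the callback that verifies that state before exchanging the code, the token-endpoint POST shared by the exchange and the refresh, and a resource call that refreshes first when the stored token has expired. It assumes Composer with guzzlehttp/guzzle and a PHP session; CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders for your own Google project values, and the function names are this example's own.

```php
<?php
// Added example, not from the slides: the raw authorization-code flow from redirect to
// refresh. Assumes guzzlehttp/guzzle via Composer and a started session. CLIENT_ID,
// CLIENT_SECRET and REDIRECT_URI are placeholders for the values from your Google project.
declare(strict_types=1);

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;

require __DIR__ . '/vendor/autoload.php';

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/auth';
const TOKEN_ENDPOINT = 'https://www.googleapis.com/oauth2/v4/token';
const CLIENT_ID      = 'your-client-id.apps.googleusercontent.com';  // placeholder
const CLIENT_SECRET  = 'your-client-secret';                          // placeholder
const REDIRECT_URI   = 'https://example.com/oauth2/callback';        // placeholder
const SCOPE          = 'https://www.googleapis.com/auth/drive.readonly';

session_start();

// Step 1: where to send the browser. state is 32 random bytes kept in the session so
// the callback can prove the browser that returns is the one we sent to the provider.
function buildAuthorizationUrl(): string
{
    $state = bin2hex(random_bytes(32));
    $_SESSION['oauth2_state'] = $state;
    return AUTH_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => SCOPE,
        'state'         => $state,
        'access_type'   => 'offline',   // also ask for a refresh token
    ]);
}

// Step 2: the callback ($query is $_GET in a real handler). Compare state in constant
// time and surface provider errors before the one-time code is exchanged.
function handleCallback(array $query): array
{
    $expected = $_SESSION['oauth2_state'] ?? '';
    unset($_SESSION['oauth2_state']);                                   // single use
    if ($expected === '' || !hash_equals($expected, (string) ($query['state'] ?? ''))) {
        throw new RuntimeException('state mismatch: possible CSRF, code not exchanged');
    }
    if (isset($query['error']) || empty($query['code'])) {
        throw new RuntimeException('provider error: ' . ($query['error'] ?? 'no code returned'));
    }
    return requestToken([
        'code'          => $query['code'],
        'grant_type'    => 'authorization_code',
        'client_id'     => CLIENT_ID,
        'client_secret' => CLIENT_SECRET,
        'redirect_uri'  => REDIRECT_URI,                                // same as step 1
    ]);
}

// Shared POST to the token endpoint (used for the code exchange and for refreshes).
// Records an absolute expiry with a safety margin so callers compare against the clock.
function requestToken(array $params): array
{
    try {
        $response = (new Client(['timeout' => 10]))->post(TOKEN_ENDPOINT, ['form_params' => $params]);
    } catch (RequestException $e) {
        // Failures arrive as HTTP 400 with a JSON body such as {"error":"invalid_grant"}
        $body = $e->hasResponse() ? (string) $e->getResponse()->getBody() : $e->getMessage();
        throw new RuntimeException('token request failed: ' . $body, 0, $e);
    }
    $token = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
    if (!isset($token['access_token'], $token['expires_in'], $token['token_type'])) {
        throw new RuntimeException('token response missing required fields');
    }
    $token['expires_at'] = time() + (int) $token['expires_in'] - 60;
    return $token;
}

// Step 3: call the resource server, first trading the refresh token for a new access
// token if the stored one has expired. Returns the token to persist alongside the data.
function listDriveFiles(array $token): array
{
    if (time() >= $token['expires_at']) {
        if (empty($token['refresh_token'])) {
            throw new RuntimeException('expired with no refresh token: restart at step 1');
        }
        $fresh = requestToken([
            'refresh_token' => $token['refresh_token'],
            'grant_type'    => 'refresh_token',
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
        ]);
        $fresh['refresh_token'] = $token['refresh_token'];    // Google omits it on refresh
        $token = $fresh;
    }
    $response = (new Client(['timeout' => 10]))->get('https://www.googleapis.com/drive/v2/files', [
        'headers' => ['Authorization' => $token['token_type'] . ' ' . $token['access_token']],
    ]);
    return ['token' => $token, 'files' => json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR)];
}
```

Two details matter more than they look. The state is removed from the session before it is compared, so a replayed callback cannot be matched twice, and the comparison uses hash_equals rather than ==. The expiry is stored as an absolute timestamp with a margin, because expires_in is relative to the moment the token was issued and is useless once the token has been sitting in a database.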
IN A LIBRARY… "The best performance improvement is the transition from
the nonworking state to the working state." (J. Ousterhout)
LIBRARY
• The PHP library: The PHP League OAuth2 Client (the Google provider used below ships as the separate league/oauth2-google package)
• https://github.com/thephpleague/oauth2-client
INITIALIZATION
    use League\OAuth2\Client\Provider\Google;

    $this->provider = new Google([
        'clientId'     => $this->config->getClientId(),
        'clientSecret' => $this->config->getClientSecret(),
        'redirectUri'  => $this->helper->getCallbackUrl(self::AREA),
    ]);
AUTHORIZATION REDIRECT
    $url = $this->provider->getAuthorizationUrl(['scope' => $config::SCOPE]);
    // getAuthorizationUrl() generated a fresh random state; keep it for the callback check
    $_SESSION['oauth2_state'] = $this->provider->getState();
    header('Location: ' . $url);
    exit;
ACCESS TOKEN
    // Reject the callback unless the echoed state matches the stored one (CSRF check)
    if (empty($_GET['state']) || !hash_equals($_SESSION['oauth2_state'], (string) $_GET['state'])) {
        unset($_SESSION['oauth2_state']);
        exit('Invalid state');
    }
    $token = $this->provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
    ]);
    $client = new \GuzzleHttp\Client();
    $fileResponse = $client->get(
        'https://www.googleapis.com/drive/v2/files',
        [
            'headers' => [
                // the header needs the token type in front of the token value
                'Authorization' => 'Bearer ' . $token->getToken(),
                'Referer'       => 'http://oauth2implementation.com',
            ],
        ]
    );
    $files = new Files($fileResponse->getBody());
DO
• Protect against common security threats (RFC 6819, linked in the resources, catalogues them)
• Store a random state key in the session, send it to the provider, and verify it on the callback
• Store the access token securely
ACCESS TOKEN STORAGE
• Do you need to store the access token at all? If one request finishes the job, don't
• Encrypt it
• Store the ciphertext in the session or the DB
• Maybe: store the encryption key in a cookie, so a copy of the DB or the session store alone does not expose usable tokens
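The storage pattern the last two bullets describe, as an added example that is not part of the original deck: the server keeps only ciphertext (in the DB or session), the browser keeps the per-user key in a cookie, and libsodium's authenticated secretbox means a wrong key or a modified record fails closed. It assumes PHP 7.2 or later (sodium is bundled); the cookie name, the function names and the token values are this example's own, and the token is a constructed stand-in shaped like the response shown earlier, not a real one.

```php
<?php
// Added example, not from the slides: the slide's "encrypt it, keep the key in a cookie"
// storage pattern using libsodium (bundled with PHP since 7.2). The server-side store
// (DB or session) holds only ciphertext; the browser holds the key in a cookie, so a
// copy of either half alone yields no usable token. Cookie name and token are constructed.
declare(strict_types=1);

const TOKEN_KEY_COOKIE = 'tk';

// Per-user key from the cookie; minted and set on first use. HttpOnly keeps page scripts
// away from it, Secure keeps it off plain HTTP. $cookies defaults to $_COOKIE.
function tokenKey(?array $cookies = null): string
{
    $cookies ??= $_COOKIE;
    if (isset($cookies[TOKEN_KEY_COOKIE])) {
        try {
            $key = sodium_base642bin($cookies[TOKEN_KEY_COOKIE], SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
            if (strlen($key) === SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
                return $key;
            }
        } catch (SodiumException $e) {
            // malformed cookie: fall through and mint a new key
        }
    }
    $key = sodium_crypto_secretbox_keygen();
    if (PHP_SAPI !== 'cli') {                 // under the CLI there is no response to set a cookie on
        setcookie(TOKEN_KEY_COOKIE, sodium_bin2base64($key, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING),
            ['secure' => true, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
    }
    return $key;
}

// Seal the token response for storage: nonce || secretbox(plaintext) as base64url text.
function sealToken(array $token, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);     // fresh for every encryption
    $plain = json_encode($token, JSON_THROW_ON_ERROR);
    $boxed = sodium_crypto_secretbox($plain, $nonce, $key);
    sodium_memzero($plain);
    return sodium_bin2base64($nonce . $boxed, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Open a sealed token. secretbox is authenticated encryption, so a wrong key or a
// modified ciphertext returns null instead of decrypting to garbage.
function openToken(string $sealed, string $key): ?array
{
    try {
        $raw = sodium_base642bin($sealed, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;
    }
    if (strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : json_decode($plain, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed token response shaped like the slide's (not a real Google token).
$token = [
    'access_token'  => '1/asdf1234asdf1234asdf1234',
    'refresh_token' => '1/refresh-example',
    'expires_in'    => 3920,
    'token_type'    => 'Bearer',
];

$key    = tokenKey([]);                 // first visit, no cookie yet: a key is minted
$sealed = sealToken($token, $key);      // this string is what goes into the DB or session

if (openToken($sealed, $key) !== $token) {
    throw new LogicException('round trip failed');
}
if (openToken($sealed, sodium_crypto_secretbox_keygen()) !== null) {
    throw new LogicException('a wrong key must not decrypt');
}
$raw = sodium_base642bin($sealed, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);   // flip one ciphertext bit
if (openToken(sodium_bin2base64($raw, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING), $key) !== null) {
    throw new LogicException('tampered ciphertext must not decrypt');
}
echo "sealed token for storage: {$sealed}\n";
```

The trade-off to be clear about: the token is only usable from the browser that holds the cookie, so clearing cookies means the user authorizes again, and any background job that needs the token without the user present cannot use this pattern. An attacker who can read both live requests and the database still gets everything; the pattern protects against the far more common leak of a database dump or session store on its own.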
IMPLICIT GRANT
• Used for client-side (browser JavaScript) authorization
• The access token is exposed to the browser: it comes back in the URL fragment
• Resource access must be very limited
• The access token is returned directly in the first round-trip from the authorization server; there is no code exchange and no refresh token
• Current OAuth 2.0 security guidance (the OAuth 2.0 Security Best Current Practice) deprecates this grant in favour of the authorization code grant, even for browser apps
CLIENT CREDENTIALS GRANT
• Machine-to-machine: our service acts as itself, with no resource owner in the loop
• The client authenticates with a pre-agreed credential (client secret, or a signed assertion) that carries limited, pre-agreed permissions
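The client-credentials exchange in PHP, as an added example that is not part of the original deck. There is no redirect and no user: the client POSTs grant_type=client_credentials to the token endpoint, authenticating with HTTP Basic as RFC 6749 section 2.3.1 describes, and caches the result until it expires. It assumes guzzlehttp/guzzle via Composer and targets a generic RFC 6749 token endpoint; the endpoint, client id, secret, scope, resource URL and class name are placeholders (Google's own machine-to-machine flow uses signed service-account assertions instead, so it would not accept this request).

```php
<?php
// Added example, not from the slides: the client-credentials grant with Guzzle. No user
// and no redirect; the client authenticates as itself and receives a token limited to the
// scope agreed up front. The token endpoint, client id, secret, scope and resource URL
// are placeholders for a generic RFC 6749 server (Google's machine-to-machine flow uses
// signed service-account assertions instead, so it would not accept this request).
declare(strict_types=1);

use GuzzleHttp\Client;

require __DIR__ . '/vendor/autoload.php';

final class ClientCredentialsTokenSource
{
    private ?array $cached = null;
    private Client $http;

    public function __construct(
        private string $tokenEndpoint,
        private string $clientId,
        private string $clientSecret,
        private string $scope,
        ?Client $http = null
    ) {
        $this->http = $http ?? new Client(['timeout' => 10]);
    }

    // A valid access token, fetched only when nothing is cached or the cached one is stale.
    public function accessToken(): string
    {
        if ($this->cached === null || time() >= $this->cached['expires_at']) {
            $this->cached = $this->fetch();
        }
        return $this->cached['access_token'];
    }

    private function fetch(): array
    {
        // RFC 6749 section 2.3.1: the client authenticates with HTTP Basic rather than by
        // placing client_secret in the form body, which keeps the secret out of body logs.
        // Guzzle's 'auth' option builds the Authorization: Basic header.
        $response = $this->http->post($this->tokenEndpoint, [
            'auth'        => [$this->clientId, $this->clientSecret],
            'form_params' => ['grant_type' => 'client_credentials', 'scope' => $this->scope],
        ]);
        $token = json_decode((string) $response->getBody(), true, 512, JSON_THROW_ON_ERROR);
        if (!isset($token['access_token'])) {
            throw new RuntimeException('token endpoint returned no access_token');
        }
        // expires_in is optional in the spec; if absent, treat the token as already stale
        // so every call refetches, instead of assuming it lives forever.
        $token['expires_at'] = time() + (int) ($token['expires_in'] ?? 0) - 30;
        return $token;
    }
}

// Usage with placeholder values; the secret comes from the environment, never from source.
$source = new ClientCredentialsTokenSource(
    'https://auth.example.com/oauth2/token',
    'reporting-job',
    getenv('OAUTH_CLIENT_SECRET') ?: 'placeholder-secret',
    'reports:read'
);
$response = (new Client(['timeout' => 10]))->get('https://api.example.com/reports', [
    'headers' => ['Authorization' => 'Bearer ' . $source->accessToken()],
]);
echo $response->getStatusCode(), "\n";
```

The scope requested here is the "limited permissions" of the slide: the token should carry only what this job needs, and the authorization server should refuse anything broader for this client id. Rotating the client secret is then a configuration change on both sides, with no user involved.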
INDUSTRY TERMINOLOGY
• Client: the software we write
• Authorization Server: the provider endpoint that authenticates the resource owner and issues tokens (ex: accounts.google.com); often run by the same party as the resource server
• Resource Server: the API we call with the access token
  • ex: Google API
• Resource Owner: the customer
  • ex: the entity who uses our service to access their data
OAUTH RESOURCES
• Standard: https://tools.ietf.org/html/rfc6749
• Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API: https://developers.google.com/identity/protocols/OAuth2?hl=en
• https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google/Facebook/etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
OAUTH IN PHPhellipldquoIf debugging is the process of removing software bugs
then programming must be the process of putting them inrdquo
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
AUTHORIZATION URLhttpsaccountsgooglecomooauth2auth
response_type=code
ampstate=RANDOM_GENERATED_CODE
ampredirect_uri=[callback_address]
ampscope=httpswwwgoogleapiscomauthdrivereadonly
ampstate=[generated_state_string]
ampclient_id=[client_id]
ampaccess_type=online
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
REFRESH TOKENSbull Refresh tokens are indefinite
bull Access tokens have an expiration
bull Refresh tokens are used to create new access tokens
bull access_type=offline to use refresh tokens
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
USER DOES THEIR MAGIC
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
THE CALLBACKbull Success ldquocoderdquo parameter contains authorization code
bull OpenID State key will be sent back
bull Error ldquoerrorrdquo parameter contains error message
GET authorizecode=4ASDFASDFASDFASDF123123123123 HTTP11 Host developersgooglecom
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
$client = new Client() $code = $_GET[code]
$params = [ code =gt $code grant_type =gt authorization_code client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() redirect_uri =gt $this-gthelper-gtgetCallbackUrl(selfAREA) ]
$url = ldquohttpswwwgoogleapiscomoauth2v4tokenrdquo
$response = $client-gtpost($url [form_params =gt $params])
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANTbull Machine-to-machine authentication
bull Agreed-upon signature that has limited permissions
associated with it
INDUSTRY TERMINOLOGYbull Client the software we write
bull Resource Server website with which we will interact
bull ex Google API
bull Resource Owner the customer
bull ex the entity who uses our service to access their data
OAUTH RESOURCESbull Standard
bull httpstoolsietforghtmlrfc6749
bull Security httpstoolsietforghtmlrfc6819section-53
bull Google API
bull httpsdevelopersgooglecomidentityprotocolsOAuth2hl=en
bull httpsdevelopersgooglecomoauthplayground
THE STEPSbull Redirect user to provider (GoogleFacebooketc)
bull Provider authenticates user user authorizes us
bull We exchange authorization code for access token
bull We make requests with access token
QUESTIONS
GO FORTH AND CONNECT
access_token1asdf1234asdf1234asdf1234
expires_in3920
token_typeBearer
$client = new GuzzleHttpClient() $fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt lsquo[TOKEN_TYPE] [ACCESS_TOKEN]rsquo Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
Posted to httpswwwgoogleapiscomoauth2v4token $params = [ lsquorefresh_token =gt $refreshToken grant_type =gt refresh_token client_id =gt $this-gtconfig-gtgetClientId() client_secret =gt $this-gtconfig-gtgetClientSecret() ]
IN A LIBRARYhellipldquoThe best performance improvement is the transition from
the nonworking state to the working staterdquo (J Osterhout)
LIBRARYbull The PHP library
bull The PHP League OAuth2 Client
bull httpsgithubcomthephpleagueoauth2-client
INITIALIZATION$this-gtprovider = new Google([ clientId =gt $this-gtconfig-gtgetClientId() clientSecret =gt $this-gtconfig-gtgetClientSecret() redirectUri =gt $this-gthelper-gtgetCallbackUrl(selfAREA)])
AUTHORIZATION REDIRECT$url = $this-gtprovider-gtgetAuthorizationUrl( [scope =gt $configSCOPE] ) $_SESSION[oauth2_state] = $this-gtprovider-gtgetState() header(Location $url)
ACCESS TOKEN$token = $this-gtprovider-gtgetAccessToken( authorization_code [ code =gt $_GET[lsquocode] ] )
$fileResponse = $client-gtget( httpswwwgoogleapiscomdrivev2files [ headers =gt [ Authorization =gt $token-gtgetToken() Referer =gt httpoauth2implementationcom ] ] ) $files = new Files($fileResponse-gtgetBody())
DObull Protect against common security threats
bull Store random state key in the session and send that to
the provider
bull Store the access token securely
ACCESS TOKEN STORAGEbull Do you need to store access token
bull Encrypt it
bull Store it in the session or the DB
bull Maybe Store encryption key as cookie
IMPLICIT GRANTbull Used for client-side authorization
bull Access token is public
bull Resource access must be very limited
bull Access token is sent back with first round-trip to
authorization server
CLIENT CREDENTIALS GRANT
• Machine-to-machine authentication; no resource owner takes part
• The client authenticates as itself with agreed-upon credentials (client id and secret,
or a signed assertion) and receives a token limited to the permissions registered for it
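The client-credentials grant with the same PHP League client, as an added example that is not the talk's code. The flow needs no browser redirect: the client posts its own credentials to the token endpoint and uses the returned token. It assumes a provider that supports this grant; the endpoint URLs, scope, API path and environment variable names are placeholders (Google's user-data APIs use service accounts rather than this grant).

```php
<?php
// Added example (not from the talk): client-credentials grant via GenericProvider.
// Endpoint URLs, scope, API path and env var names are placeholders.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Provider\GenericProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;

$provider = new GenericProvider([
    'clientId'                => (string) getenv('M2M_CLIENT_ID'),
    'clientSecret'            => (string) getenv('M2M_CLIENT_SECRET'),
    'urlAccessToken'          => 'https://auth.example.com/oauth2/token',
    // Required by GenericProvider's constructor even though this grant never uses them.
    'urlAuthorize'            => 'https://auth.example.com/oauth2/authorize',
    'urlResourceOwnerDetails' => 'https://api.example.com/me',
]);

try {
    // POSTs grant_type=client_credentials plus the client id/secret over the back channel.
    $token = $provider->getAccessToken('client_credentials', [
        'scope' => 'inventory:read', // ask only for what this job needs
    ]);
    $request   = $provider->getAuthenticatedRequest('GET', 'https://api.example.com/inventory', $token);
    $inventory = $provider->getParsedResponse($request);
    echo count($inventory['items'] ?? []) . " items\n";
} catch (IdentityProviderException $e) {
    // A rejection here means the client's own credentials were refused, not a user's:
    // the fix is to rotate the client secret, there is no password to reset.
    fwrite(STDERR, 'client_credentials failed: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Because no user is involved, a token from this grant carries whatever permissions were registered for the client; keep those to the minimum the batch job or service actually needs.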
INDUSTRY TERMINOLOGY
• Client: the software we write
• Resource Server: the website (API) with which we will interact
• ex. Google API
• Authorization Server: issues the tokens after authenticating the resource owner
• ex. Google's OAuth2 endpoints (often run by the same organization as the resource server)
• Resource Owner: the customer
• ex. the entity who uses our service to access their data
OAUTH RESOURCES
• Standard
• https://tools.ietf.org/html/rfc6749
• Security: https://tools.ietf.org/html/rfc6819#section-5.3
• Google API
• https://developers.google.com/identity/protocols/OAuth2?hl=en
• https://developers.google.com/oauthplayground
THE STEPS
• Redirect user to provider (Google, Facebook, etc.)
• Provider authenticates user; user authorizes us
• We exchange authorization code for access token
• We make requests with access token
QUESTIONS
GO FORTH AND CONNECT