Intro to OAuthMatt Frost

@shrtwhitebldguy https://joind.in/12717

Who Am I?• Community Member

• Author

• OSS Contributor

• Mentoring Proponent

• Podcast co-host

What is OAuth?

Tokens

Statelessness

Applications have tokens too

So what you’re saying is…

Yep!

Tokens can be stolen though

This is bad

Good news though!

There are different versions

Technically OAuth 1 is deprecated

Just like the mysql extension

You’re probably going to run into it at some point anyway….

So here’s the plan

OAuth 1.0Client

So we need tokens, right?

Token Definitions

Consumer Tokens

Temporary Credentials

Access Tokens

Token Request Flow

Super simple right?

https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

Let’s break this down, eh?

You need an application

Request the temporary tokens

If you signed it right…

You’ll have temporary credentials

You now use these to request Access Tokens

If you sign that request right…

You’ll have your actual Access Tokens!

You can store them in a session or database and use them now!

Remember all that signing talk?

This is the hardest part…

Base String

<?php!!

$params = [! 'oauth_nonce' => $this->getNonce(),!! 'oauth_callback' => $this->getCallback(),!! 'oauth_signature_method' => $this->getSignatureMethod(),!! 'oauth_timestamp' => time(),!! 'oauth_consumer_key' => $this->getConsumerKey(),!! 'oauth_token' => '',!! 'oauth_version' => '1.0',!];

<?php!!

$params = [! 'oauth_nonce' => $this->getNonce(),!! 'oauth_callback' => $this->getCallback(),!! 'oauth_signature_method' => $this->getSignatureMethod(),!! 'oauth_timestamp' => time(),!! 'oauth_consumer_key' => $this->getConsumerKey(),!! 'oauth_token' => '',!! 'oauth_version' => ‘1.0',!! ‘oauth_verifier’ => ‘xxxxxxxxx’!];

If you have an OAuth Verifier

HTTP Method and URI

Let’s see how this actually works

<?php!$httpMethod = 'POST';!$uri = ‘http://api.example.com/request_tokens';!!$params = [! 'oauth_nonce' => $this->getNonce(),! 'oauth_callback' => $this->getCallback(),! 'oauth_signature_method' => $this->getSignatureMethod(),! 'oauth_timestamp' => time(),! ‘oauth_consumer_key' => $this->getConsumerKey(),! 'oauth_token' => ‘',! 'oauth_version' => '1.0',!];!!$tempArray = [];!ksort($params);!foreach($params as $key => $value) {!! $tempArray[] = $key . '=' . rawurlencode($value);!}!!$baseString = $httpMethod . '&';!$baseString .= rawurlencode($uri) . '&';!$baseString .= implode('&', $tempArray);

Composite KeyThis is way easier…

Cram the 2 secrets together…

$consumer_secret = 'VERYSECRETZ';!$access_secret = 'SUCHSECURITY';!!

$composite_key = rawurlencode($consumer_secret) .'&'. rawurlencode($access_secret);

Signing with HMAC-SHA1

$signature = base64_encode(hash_hmac(!! 'sha1',!! $baseString,!! $compositeKey,!! true!));

Here’s your signature!

There are other signature types but…

However…

Authorization Header

$params = [! 'oauth_nonce' => $this->getNonce(),!! 'oauth_callback' => $this->getCallback(),!! 'oauth_signature_method' => $this->getSignatureMethod(),!! 'oauth_timestamp' => time(),!! 'oauth_consumer_key' => $this->getConsumerKey(),!! 'oauth_token' => '',!! 'oauth_version' => '1.0',!];!!

$params[‘oauth_signature’] = $signature;

You probably remember this array?

$header = “Authorization: OAuth “;!$tempArray = [];!!

foreach($params as $key => $value) {! $tempArray[] = $key . ‘=“‘. rawurlencode($value);!}!!

$header .= implode(‘,’, $tempArray);!

We’ve seen similar code before…

Authorization: OAuth oauth_consumer_key="xxxxxxxxx", oauth_nonce="fklj2324kljfksjf234k", oauth_signature="8xJAdrE00wGH21w87P6N%2F8c0XZfeo%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1399488541", oauth_token="xxxxxxxxx", oauth_version="1.0"

This is the final result

Whew! That was some work

OAuth 2Client

Good news!

No signatures

Must use SSL/TLS

Consumer Credentials

Access Token

Grants

Authorization Code Grant

Authorization example - Foursquare

http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=code&redirect_uri=htt

p://oauth.dev/examples/Foursquare/callback.php

Token Request

http://oauth.dev/examples/Foursquare/callback.php?

code=<CODE>

https://foursquare.com/oauth2/access_token?client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&code=<CODE>&callback=http://oauth.dev/examples/Foursquare/callback.php&grant_type=authorization_code

If you can use this, you should

Implicit Grant

http://foursquare.com/oauth2/authenticate?client_id=XXXXXXXXX&response_type=token&redirect_uri=ht

tp://oauth.dev/examples/Foursquare/callback.php

Resource Owner Credentials Grant

Client Credentials Grant

Scopes

“Scopes” in OAuth 1

Scopes in OAuth 2

Important Note on Scopes

Provides an ACL Framework

Refresh Tokens

Same Scope

What can we do with this?

Access data from APIs

Move Authentication Elsewhere a.k.a Single Sign On

So this works everywhere right?

Well…sorta

Useful reading OAuth 1 https://tools.ietf.org/html/rfc5849 OAuth 2 https://tools.ietf.org/html/rfc6749

Thanks! Questions?