Implementing OAuth

Upload: abdullah-mamun

Post on 05-Jul-2015

Page 1: Oauth Php App

Implementing OAuth

Page 3: Oauth Php App

About Me

2

• Lorna Jane Mitchell

• PHP Consultant/Developer

• Occasional writer/speaker/trainer

• Twitter: @lornajane

• Website: http://lornajane.net

• I am excited about OAuth :)

Page 4: Oauth Php App

About This Talk

3

• Covering OAuth1 and OAuth2

• OAuth1 needs more explanation

• OAuth v1.0a is current stable

• OAuth2 in use by Google, Facebook and others

• Ask questions at any time

Page 5: Oauth Php App

About OAuth

4

• Provider has User data

• User wants data to be available to 3rd party

• User tells Provider to grant access to Consumer

• Access may be limited

• User can revoke at any time

• Provider can distinguish between User and Consumer

Page 6: Oauth Php App

OAuth Terminology

5

Provider: The app with the interesting data

Consumer: The app that wants the data

User: Who the data belongs to

Token: Random string

Secret: Another random string, linked to a token

Verifier: Another random string

Page 7: Oauth Php App

OAuth HowTo

Page 8: Oauth Php App

OAuth Dance

7

Page 9: Oauth Php App

Dance Steps

8

• Step 0: Register as a consumer

• Step 1: Get a request token

• Step 2: Send the user to authenticate

• Step 3: Swap their verification for an access token

• Step 4: Consume data

Page 10: Oauth Php App

Step 0: Register

9

• Akin to registering for an API key

• Introduce the Provider and Consumer

Page 11: Oauth Php App

Step 1: Get A Request Token

10

Consumer asks for a request token from the Provider’s request token endpoint, specifying the callback URL

We give the token to the user and send them to log in

Page 13: Oauth Php App

Step 2: User Grants Access

11

We send the user to the Provider, with the request token, to log in

The Provider returns them to us, at the callback URL, with a verifier code

Page 14: Oauth Php App

Devices Where Callback Won’t Work

12

It is hard to forward a user from a browser back to an app

• Instead we use "oob" as the callback parameter

• Provider displays verifier on screen

• User types code into app manually

Page 15: Oauth Php App

Step 3: Get an Access Token

13

Consumer makes a request to Provider’s access token endpoint with:

• Consumer key

• Request token

• Verifier

Page 17: Oauth Php App

OAuth Theory

Page 18: Oauth Php App

Transmitting OAuth Parameters

15

We have three choices:

• As query parameters on the URL

• Use an Authorization Header

• Include the data as POST data

Page 19: Oauth Php App

OAuth Request Token Fields

16

Asking for a request token looks like this:

https://api.login.yahoo.com/oauth/v2/get_request_token?oauth_nonce=ce2130523f788f313f76314ed3965ea6&oauth_timestamp=1202956957&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=abcdef&oauth_version=1.0&oauth_callback="http://yoursite.com/callback"

http://developer.yahoo.com/oauth/guide/oauth-requesttoken.html

We supplied the oauth_consumer_key and oauth_callback, but what are these other fields?

Page 25: Oauth Php App

OAuth Request Token Fields

17

• signature method: How the request is signed. Typically plaintext or HMAC-SHA1

• nonce: Cryptographic term meaning "Number Used Once". We think of a number, then throw it away

• timestamp: Number of seconds since the epoch

• version: 1.0 in this instance (more on OAuth2 later)

• signature:

If you care, read this: http://bit.ly/gTJGPZ
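The slides leave the signature itself to the linked article. The block below is an added example (not code from the talk) that builds an OAuth 1.0 signature by hand so the oauth_signature_method and oauth_signature fields are not a black box: it normalises the parameters, builds the signature base string, and signs it with HMAC-SHA1 (or, for comparison, PLAINTEXT). The parameter values are those from the Yahoo request-token URL on the earlier slide; the consumer secret is a placeholder, and the function names are this example's own.

```php
<?php
// Added example, not code from the talk: computing an OAuth 1.0 signature by hand.
// Parameter values are taken from the Yahoo request-token URL on the earlier slide,
// with HMAC-SHA1 in place of plaintext; the consumer secret is a placeholder.

// OAuth 1.0 percent-encoding is RFC 3986 encoding, which is what rawurlencode() does.
function oauthEncode(string $value): string
{
    return rawurlencode($value);
}

// Signature base string: METHOD & encoded(base URL) & encoded(normalised parameters).
// $params carries every oauth_* field except oauth_signature plus any query/POST data.
function oauthBaseString(string $httpMethod, string $url, array $params): string
{
    $parts = parse_url($url);
    // Base URL: lower-cased scheme and host, default ports dropped, no query string.
    $base = strtolower($parts['scheme']) . '://' . strtolower($parts['host']);
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443], true)) {
        $base .= ':' . $parts['port'];
    }
    $base .= isset($parts['path']) ? $parts['path'] : '/';
    // Parameters already on the URL are part of the signed set too.
    if (isset($parts['query'])) {
        parse_str($parts['query'], $fromQuery);
        $params = array_merge($fromQuery, $params);
    }
    unset($params['oauth_signature']);
    // Encode names and values first, then sort by name and (for duplicates) by value.
    $encoded = [];
    foreach ($params as $name => $value) {
        $encoded[] = [oauthEncode((string) $name), oauthEncode((string) $value)];
    }
    usort($encoded, function (array $a, array $b) {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    $pairs = array_map(function (array $p) { return $p[0] . '=' . $p[1]; }, $encoded);
    return strtoupper($httpMethod) . '&' . oauthEncode($base) . '&' . oauthEncode(implode('&', $pairs));
}

// The key is encoded(consumer secret) & encoded(token secret). In Step 1 there is
// no token yet, so the part after the ampersand is empty.
function oauthSigningKey(string $consumerSecret, string $tokenSecret = ''): string
{
    return oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
}

function oauthSign(string $signatureMethod, string $baseString, string $signingKey): string
{
    switch ($signatureMethod) {
        case 'HMAC-SHA1':
            return base64_encode(hash_hmac('sha1', $baseString, $signingKey, true));
        case 'PLAINTEXT':
            // No hashing: the secrets themselves travel in the request, so TLS is mandatory.
            return $signingKey;
        default:
            throw new InvalidArgumentException("Unsupported signature method: $signatureMethod");
    }
}

// Provider side: recompute the signature from the received parameters and compare
// in constant time, so response timing does not reveal how much of it matched.
function oauthSignatureValid(string $expected, string $received): bool
{
    return hash_equals($expected, $received);
}

$params = [
    'oauth_consumer_key'     => '123456891011121314151617181920',
    'oauth_nonce'            => 'ce2130523f788f313f76314ed3965ea6',
    'oauth_timestamp'        => '1202956957',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_version'          => '1.0',
    'oauth_callback'         => 'http://yoursite.com/callback',
];
$baseString = oauthBaseString('GET', 'https://api.login.yahoo.com/oauth/v2/get_request_token', $params);
$params['oauth_signature'] = oauthSign('HMAC-SHA1', $baseString, oauthSigningKey('CONSUMER_SECRET_PLACEHOLDER'));

echo $baseString, "\n";
echo 'oauth_signature=', oauthEncode($params['oauth_signature']), "\n";
```

The base string is what both sides must agree on byte for byte; most interoperability failures (port in the URL, a parameter encoded twice, unsorted parameters) show up as an invalid signature, which is why the debugging slide later recommends looking at the raw request.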

Page 26: Oauth Php App

Practical Examples

Page 27: Oauth Php App

OAuth Tools

19

PHP tools for OAuth:

• Pecl OAuth

• http://uk2.php.net/manual/en/class.oauth.php

• Talk examples use this

• Zend OAuth

• http://framework.zend.com/manual/en/zend.oauth.html

Page 28: Oauth Php App

Providing and Consuming OAuth

20

• Consuming:

• relatively easy

• used for authenticating against e.g. twitter

• Providing:

• more overhead than consuming

• great way to give access to applications

• needs multiple pages and endpoints as well as the API itself

In the slides, provider code is shown with a dark background and consumer code with a blue background.

Page 29: Oauth Php App

Provider: Auxiliary Web Pages

21

There are some additional functions to provide as a provider:

• Consumer signup page, like an API key

• User authorisation step to allow/deny access for this consumer

• Rights management page so users can control/revoke access later

Page 30: Oauth Php App

Provider: Step 0, Consumer Keys

22

This is straightforward

• Generate a key and a secret, store them

• Return them to the consumer to use

• Can use OAuth libraries, or not

$hash = sha1(mt_rand()); // there are many ways to do this
// note: mt_rand() is not a cryptographic RNG; on PHP 7+ derive the key and secret
// from random_bytes() instead, since the secret is what protects the consumer's requests
$consumer_key = substr($hash, 0, 30);
$consumer_secret = substr($hash, 30, 10);

Page 31: Oauth Php App

Provider: Handling OAuth Requests With Pecl

23

For every incoming request, for tokens and in normal operation, we’ll havecode like this:

$this->provider = new OAuthProvider();

// set names of functions to be called by the extension
$this->provider->consumerHandler(array($this, 'lookupConsumer'));
$this->provider->timestampNonceHandler(array($this, 'timestampNonceChecker'));
$this->provider->tokenHandler(array($this, 'tokenHandler'));

// no access token needed for this URL only
$this->provider->setRequestTokenPath('/v2/oauth/request_token');

$this->provider->checkOAuthRequest();
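The slide registers three callbacks but does not show them. The class below is an added example (not code from the talk) of what those callbacks do when checkOAuthRequest() calls them: look up the consumer secret, reject stale timestamps and reused nonces so a captured request cannot be replayed, and supply the token secret (checking the verifier when the token is a request token). The constants and the consumerHandler / timestampNonceHandler / tokenHandler methods are those of pecl OAuth; the in-memory arrays stand in for database tables and are constructed for this example.

```php
<?php
// Added example, not code from the talk: the three handlers a pecl OAuthProvider
// calls during checkOAuthRequest(). The arrays are constructed stand-ins for the
// consumer, token and nonce tables a real provider would keep in its database.

class ApiOAuthProvider
{
    const TIMESTAMP_WINDOW = 300;   // seconds of clock skew tolerated

    private $provider;
    // Constructed sample data: consumer key => secret.
    private $consumers = ['akey' => 'asecret'];
    // Constructed sample data: token => secret, type and (for request tokens) verifier.
    private $tokens = [
        '9f3a1c2e'         => ['secret' => 'r-secret', 'type' => 'request', 'verifier' => '7UH2K'],
        'a1b2c3d4e5f60718' => ['secret' => 'a-secret', 'type' => 'access'],
    ];
    private $seenNonces = [];   // "consumer_key|nonce|timestamp" => true

    public function __construct()
    {
        $this->provider = new OAuthProvider();
        $this->provider->consumerHandler(array($this, 'lookupConsumer'));
        $this->provider->timestampNonceHandler(array($this, 'timestampNonceChecker'));
        $this->provider->tokenHandler(array($this, 'tokenHandler'));
        $this->provider->setRequestTokenPath('/v2/oauth/request_token');
    }

    // Run the checks for the current request; false means the caller must not serve it.
    public function handle(): bool
    {
        try {
            // Calls the three handlers below, then verifies the signature with the secrets they set.
            $this->provider->checkOAuthRequest();
            return true;
        } catch (OAuthException $e) {
            // reportProblem() emits the extension's standard error body and status header.
            echo OAuthProvider::reportProblem($e);
            return false;
        }
    }

    // Called first: is the consumer key known, and which secret should the signature be checked with?
    public function lookupConsumer(OAuthProvider $provider)
    {
        if (!isset($this->consumers[$provider->consumer_key])) {
            return OAUTH_CONSUMER_KEY_UNKNOWN;
        }
        $provider->consumer_secret = $this->consumers[$provider->consumer_key];
        return OAUTH_OK;
    }

    // Called second: a timestamp far from our clock or a nonce this consumer has already
    // used means a replayed (or badly built) request, so it is rejected before signature
    // verification even runs.
    public function timestampNonceChecker(OAuthProvider $provider)
    {
        if (abs(time() - (int) $provider->timestamp) > self::TIMESTAMP_WINDOW) {
            return OAUTH_BAD_TIMESTAMP;
        }
        $key = $provider->consumer_key . '|' . $provider->nonce . '|' . $provider->timestamp;
        if (isset($this->seenNonces[$key])) {
            return OAUTH_BAD_NONCE;
        }
        $this->seenNonces[$key] = true;   // a real provider inserts this into a nonce table
        return OAUTH_OK;
    }

    // Called third (skipped for the request-token path): find the token and supply its secret.
    public function tokenHandler(OAuthProvider $provider)
    {
        if (!isset($this->tokens[$provider->token])) {
            return OAUTH_TOKEN_REJECTED;
        }
        $record = $this->tokens[$provider->token];
        if ($record['type'] === 'request') {
            // A request token is only usable with the verifier the user was given in Step 2.
            // The extension exposes the oauth_verifier parameter as $provider->verifier.
            $verifier = $provider->verifier;
            if (!is_string($verifier) || !hash_equals($record['verifier'], $verifier)) {
                return OAUTH_VERIFIER_INVALID;
            }
        }
        $provider->token_secret = $record['secret'];
        return OAUTH_OK;
    }
}
```

The order matters: the extension needs the consumer secret (and, after Step 1, the token secret) before it can verify the signature, which is why the handlers set those properties rather than checking the signature themselves.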

Page 32: Oauth Php App

Step 1

24

Consumer -> Provider: consumer key, callback

Provider -> Consumer: request token, request secret

Page 33: Oauth Php App

Consumer: Step 1, Request Token

25

$config = array();
$config['request_uri']     = 'http://api.local/v2/oauth/request_token';
$config['consumer_key']    = 'akey';
$config['consumer_secret'] = 'asecret';

$oauth = new OAuth($config['consumer_key'], $config['consumer_secret']);
$oauth->setAuthType(OAUTH_AUTH_TYPE_URI);
$req = $oauth->getRequestToken($config['request_uri'], "oob");

Page 34: Oauth Php App

Provider: Step 1, Request Token Request

26

• Check oauth signature and consumer key

• Generate a request token and store it

• Return the request token

Page 35: Oauth Php App

Provider: Step 1, Generate Request Token

27

Retrieve the callback, and make the token and secret:

// remember we're in URI mode
parse_str($_SERVER['QUERY_STRING'], $parameters);
$callback = $parameters['oauth_callback'];
$request_token = bin2hex($provider->generateToken(4));
$request_token_secret = bin2hex($provider->generateToken(12));

We then simply echo the resulting variables in query format, e.g.

echo 'login_url=http://api.joindin.local/user/oauth_allow?'
    . 'request_token=' . $request_token
    . '&request_token_secret=' . $request_token_secret
    . '&oauth_callback_confirmed=true';

Page 36: Oauth Php App

Storing Request Tokens

28

Storage is simple, again, you know all this

+----------------------+--------------+
| Field                | Type         |
+----------------------+--------------+
| id                   | int(11)      |
| consumer_key         | varchar(30)  |
| request_token        | varchar(8)   |
| request_token_secret | varchar(32)  |
| callback             | varchar(400) |
| verification         | varchar(20)  |
| authorised_user_id   | int(11)      |
| created_date         | timestamp    |
+----------------------+--------------+

Page 37: Oauth Php App

Step 2, User Grants Access

29

User grants access

Page 38: Oauth Php App

Provider: Step 2, Granting/Denying Access

30

User grants access:

• store user id against request token

• generate a verifier code and store that too

User denies access:

• delete request token

Page 39: Oauth Php App

Step 2, For Devices

31

Instead of forwarding the user, give them a code to use

Page 40: Oauth Php App

Step 3

32

Consumer -> Provider: consumer key, request token, verifier

Provider -> Consumer: access token

Page 41: Oauth Php App

Consumer: Step 3, Request an Access Token

33

$oauth = new OAuth($config['consumer_key'], $config['consumer_secret']);

// request token, request token secret and verification all set
// by earlier steps, and loaded into $config
try {
    $oauth->setToken($config['request_token'], $config['request_token_secret']);
    $access = $oauth->getAccessToken($config['access_uri'], null, $config['verification']);
} catch (OAuthException $e) {
    echo $e->getMessage();
}

Page 42: Oauth Php App

Provider: Step 3, Generate Access Token

34

Generate and store access token and secret, then return:

echo "oauth_token=" . $tokens['oauth_token']
    . '&oauth_token_secret=' . $tokens['oauth_token_secret'];

Page 43: Oauth Php App

Storing Access Tokens

35

+---------------------+-------------+
| Field               | Type        |
+---------------------+-------------+
| id                  | int(11)     |
| consumer_key        | varchar(30) |
| access_token        | varchar(16) |
| access_token_secret | varchar(32) |
| user_id             | int(11)     |
| created_date        | timestamp   |
| last_used_date      | datetime    |
+---------------------+-------------+
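The "Step 2, Granting/Denying Access" and "Step 3, Generate Access Token" slides describe the provider's bookkeeping in bullet points, and the two "Storing ..." slides give the tables. The block below is an added example (not code from the talk) that carries those steps through against those two tables: granting records the user and issues a verifier, denying deletes the request token, and the Step 3 exchange checks the verifier and consumes the request token in the same transaction so it cannot be exchanged twice. It uses an in-memory SQLite database through PDO so it runs stand-alone (PHP 7.1+); the function names, the sample consumer key and the callback URL are this example's own, and the column types are simplified to SQLite's.

```php
<?php
// Added example, not code from the talk: provider-side Step 2 and Step 3 against the
// request_tokens and access_tokens tables from the slides, using an in-memory SQLite
// database. Sample values (consumer key, callback, user id) are constructed.

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE request_tokens (id INTEGER PRIMARY KEY, consumer_key TEXT,
        request_token TEXT UNIQUE, request_token_secret TEXT, callback TEXT,
        verification TEXT, authorised_user_id INTEGER, created_date TEXT)');
    $db->exec('CREATE TABLE access_tokens (id INTEGER PRIMARY KEY, consumer_key TEXT,
        access_token TEXT UNIQUE, access_token_secret TEXT, user_id INTEGER,
        created_date TEXT, last_used_date TEXT)');
    return $db;
}

// Step 2, "allow": store the user id against the request token and issue a verifier.
// The WHERE clause only matches a token nobody has authorised yet, so an approval
// cannot be repeated or applied to someone else's already-approved token.
function grantAccess(PDO $db, string $requestToken, int $userId): ?string
{
    $verifier = bin2hex(random_bytes(10));   // 20 hex chars, fits varchar(20)
    $stmt = $db->prepare('UPDATE request_tokens SET authorised_user_id = :uid, verification = :v
        WHERE request_token = :t AND authorised_user_id IS NULL');
    $stmt->execute([':uid' => $userId, ':v' => $verifier, ':t' => $requestToken]);
    return $stmt->rowCount() === 1 ? $verifier : null;
}

// Step 2, "deny": the request token is simply deleted.
function denyAccess(PDO $db, string $requestToken): void
{
    $db->prepare('DELETE FROM request_tokens WHERE request_token = :t')->execute([':t' => $requestToken]);
}

// After a grant: the consumer's callback with oauth_token and oauth_verifier appended,
// or null when the callback is "oob" and the verifier must be shown to the user instead.
function redirectAfterGrant(PDO $db, string $requestToken, string $verifier): ?string
{
    $stmt = $db->prepare('SELECT callback FROM request_tokens WHERE request_token = :t');
    $stmt->execute([':t' => $requestToken]);
    $callback = $stmt->fetchColumn();
    if ($callback === false || $callback === 'oob') {
        return null;
    }
    $sep = strpos($callback, '?') === false ? '?' : '&';
    return $callback . $sep . http_build_query(['oauth_token' => $requestToken, 'oauth_verifier' => $verifier]);
}

// Step 3: swap an authorised request token plus verifier for an access token and secret.
// Returns null for an unknown token, a token not yet authorised, or a wrong verifier.
function exchangeForAccessToken(PDO $db, string $consumerKey, string $requestToken, string $verifier): ?array
{
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT verification, authorised_user_id FROM request_tokens
        WHERE request_token = :t AND consumer_key = :c');
    $stmt->execute([':t' => $requestToken, ':c' => $consumerKey]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['authorised_user_id'] === null
        || !hash_equals((string) $row['verification'], $verifier)) {
        $db->rollBack();
        return null;
    }
    $tokens = [
        'oauth_token'        => bin2hex(random_bytes(8)),    // 16 hex chars, fits varchar(16)
        'oauth_token_secret' => bin2hex(random_bytes(16)),   // 32 hex chars, fits varchar(32)
    ];
    $db->prepare('INSERT INTO access_tokens (consumer_key, access_token, access_token_secret, user_id, created_date)
        VALUES (:c, :a, :s, :u, CURRENT_TIMESTAMP)')
       ->execute([':c' => $consumerKey, ':a' => $tokens['oauth_token'],
                  ':s' => $tokens['oauth_token_secret'], ':u' => $row['authorised_user_id']]);
    // The request token is single-use: delete it in the same transaction as the insert.
    $db->prepare('DELETE FROM request_tokens WHERE request_token = :t')->execute([':t' => $requestToken]);
    $db->commit();
    return $tokens;
}

// Constructed walk-through: a request token issued in Step 1, then Steps 2 and 3,
// then a second exchange of the same request token, which is refused.
$db = openStore();
$db->prepare('INSERT INTO request_tokens (consumer_key, request_token, request_token_secret, callback, created_date)
    VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)')
   ->execute(['akey', '9f3a1c2e', bin2hex(random_bytes(12)), 'http://consumer.example/callback']);
$verifier = grantAccess($db, '9f3a1c2e', 42);
echo redirectAfterGrant($db, '9f3a1c2e', $verifier), "\n";
$tokens = exchangeForAccessToken($db, 'akey', '9f3a1c2e', $verifier);
echo 'oauth_token=' . $tokens['oauth_token'] . '&oauth_token_secret=' . $tokens['oauth_token_secret'], "\n";
var_dump(exchangeForAccessToken($db, 'akey', '9f3a1c2e', $verifier));
```

Two points worth keeping when adapting this to a real schema: the verifier and tokens come from random_bytes() rather than mt_rand(), and the Step 3 check binds the request token to the consumer key that asked for it, so a request token leaked from one consumer cannot be redeemed by another.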

Page 44: Oauth Php App

Step 4

36

Consumer -> Provider: consumer key, access token, API request

Provider -> Consumer: API response

Page 45: Oauth Php App

Consumer: Step 4, Subsequent Requests

37

$oauth = new OAuth($config['consumer_key'], $config['consumer_secret']);

// from the getAccessToken call
$oauth->setToken($oauth_token, $oauth_token_secret);
$result = $oauth->fetch("http://api.local/usual/call/here");
if ($result) {
    $response = $oauth->getLastResponse();
}

Page 46: Oauth Php App

Debugging

38

• For pecl_oauth:

• Use OAuth::enableDebug() to turn on verbose debugging

• The debug information is available in OAuth::debugInfo

• For the provider, use OAuthProvider::reportProblem()

• Wireshark or Charles Proxy

• http://www.wireshark.org/

• http://www.charlesproxy.com/

Page 47: Oauth Php App

Other OAuth Types

Page 48: Oauth Php App

3-legged OAuth

40

So far we have discussed 3-legged OAuth

• Three parties are involved

• Consumer

• Provider

• User

Page 49: Oauth Php App

2-legged OAuth

41

2-legged OAuth is also an option

• Only two parties involved now

• Provider

• User/Client

• Step 0: User signs up for credentials similar to consumer key/secret

• Step 4: User makes request using

• their key and secret

• empty token details

Page 50: Oauth Php App

OAuth 2

42

• Same principles and intention

• Spec still at draft stage officially

• Used by Google, Facebook and others

• Aims to be less complicated than OAuth 1

• Intended to be more scalable - provider split into resource and auth servers

• No signing, SSL recommended instead

Page 51: Oauth Php App

OAuth2 Outline

43

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |        Authorization Grant &  +---------------+
|        |--(C)--- Client Credentials -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+

Diagram from the OAuth2 spec: http://tools.ietf.org/html/draft-ietf-oauth-v2-15

Page 52: Oauth Php App

Authorization Grant

44

Can take many forms

• Username and password

• used once to obtain an access token

• or just used as access token

• Client credentials

• client has prearranged access to the resource

• Implicit

• an access token provided some other way

• Authorization Code

• similar to OAuth 1, send user to talk to Auth Server and get verification codes

Page 53: Oauth Php App

Access Tokens and Refresh Tokens

45

Refresh Tokens are an optional addition to OAuth 2

• Auth Server can return a refresh token with an access token

• Refresh token has longer validity

• Can be exchanged for an access token when combined with other details

• Compare with re-entering your password at intervals
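The refresh mechanism described above, as an added example (not code from the talk) of what the OAuth2 client does with it: decide when the stored access token is too close to expiry to use, POST the refresh token to the authorization server's token endpoint with grant_type=refresh_token, and interpret the JSON reply, including an invalid_grant error, which means the refresh token itself is no longer good and the user has to authorise again. The token endpoint URL, client credentials and the shape of the $stored array are this example's own assumptions; the request and response field names are the ones the draft spec defines.

```php
<?php
// Added example, not code from the talk: OAuth2 client-side token refresh.
// The endpoint URL, client credentials and $stored layout are assumptions of this
// example; grant_type / refresh_token / access_token / expires_in / error are the
// field names from the OAuth2 draft.

// Is the stored access token still usable? A margin avoids sending a request whose
// token expires while it is in flight.
function needsRefresh(array $stored, int $now, int $margin = 60): bool
{
    if (!isset($stored['access_token'])) {
        return true;
    }
    return ($stored['obtained_at'] + $stored['expires_in'] - $margin) <= $now;
}

// Body of the token-endpoint request for a refresh.
function refreshRequestBody(string $refreshToken, string $clientId, string $clientSecret): array
{
    return [
        'grant_type'    => 'refresh_token',
        'refresh_token' => $refreshToken,
        'client_id'     => $clientId,
        'client_secret' => $clientSecret,
    ];
}

// Interpret the token endpoint's JSON reply. On success the new access token replaces
// the old one (and a rotated refresh token, if sent, replaces the old refresh token).
// invalid_grant means the refresh token is revoked or expired: full re-authorisation.
function applyTokenResponse(array $stored, string $json, int $now): array
{
    $resp = json_decode($json, true);
    if (!is_array($resp)) {
        throw new RuntimeException('Token endpoint returned a non-JSON response');
    }
    if (isset($resp['error'])) {
        if ($resp['error'] === 'invalid_grant') {
            return ['reauthorize' => true];
        }
        throw new RuntimeException('Token refresh failed: ' . $resp['error']);
    }
    if (!isset($resp['access_token'])) {
        throw new RuntimeException('Token endpoint reply has no access_token');
    }
    $stored['access_token'] = $resp['access_token'];
    $stored['expires_in']   = isset($resp['expires_in']) ? (int) $resp['expires_in'] : 3600;
    $stored['obtained_at']  = $now;
    if (isset($resp['refresh_token'])) {
        $stored['refresh_token'] = $resp['refresh_token'];
    }
    return $stored;
}

// Do the refresh over HTTPS with curl. OAuth2 has no request signing, so the TLS
// certificate check is the only thing stopping the refresh token going to an impostor.
function refreshAccessToken(string $tokenEndpoint, array $stored, string $clientId, string $clientSecret): array
{
    $ch = curl_init($tokenEndpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(refreshRequestBody($stored['refresh_token'], $clientId, $clientSecret)),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('Token endpoint unreachable: ' . $error);
    }
    curl_close($ch);
    return applyTokenResponse($stored, $body, time());
}

// Constructed walk-through with no network: a token obtained 3600 s ago with a 3600 s
// lifetime needs refreshing; a constructed success reply replaces it; a constructed
// invalid_grant reply signals that the user must authorise again.
$stored = ['access_token' => 'old-token', 'refresh_token' => 'r-token', 'expires_in' => 3600, 'obtained_at' => time() - 3600];
var_dump(needsRefresh($stored, time()));
$stored = applyTokenResponse($stored, '{"access_token":"new-token","expires_in":3600,"refresh_token":"r-token-2"}', time());
var_dump(needsRefresh($stored, time()));
var_dump(applyTokenResponse($stored, '{"error":"invalid_grant"}', time()));
```

The split between needsRefresh()/applyTokenResponse() and the curl call is deliberate: the decision logic and the response handling can be exercised offline with constructed replies, and only refreshAccessToken() touches the network.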

Page 54: Oauth Php App

The State of OAuth

46

• OAuth 1

• already in use

• a faff!

• OAuth 2

• still being finalised

• different approach to same problem

Page 55: Oauth Php App

Questions?

Page 56: Oauth Php App

Resources

48

• PHP Manual: http://uk2.php.net/manual/en/book.oauth.php

• Rasmus’ OAuth Provider Example: http://bit.ly/i76Tzx

• Yahoo Developer Network Documentation: http://developer.yahoo.com/oauth/guide/

• Eran Hammer-Lahav’s blog: http://hueniverse.com

• 2-legged OAuth post: http://bit.ly/ejQRoK

• OAuth 2 Draft Spec: http://tools.ietf.org/html/draft-ietf-oauth-v2-15

Page 57: Oauth Php App

Thanks!

49

Thanks! http://joind.in/3243/

@lornajane

http://lornajane.net/