Using OAuth with PHP
DESCRIPTION
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
TRANSCRIPT
Using OAuth with PHP
Dave Ingram
@dmi
4th November 2010
Coming up
• What is OAuth?
• How do you write a Consumer in PHP?
• What doesn’t OAuth do?
• Thoughts on being a Provider
What is OAuth anyway?
A long time ago, in a website not far away. . .
Connect!
U: KittehLuvr P: hunter2
(every "Connect!" hands over, and stores, the same username and password)
O HAI TWITTER LOOK AT MAH KITTEH LOL!
Full access
Fragile
Revoking is painful
YOU REVEAL YOUR USERNAME AND PASSWORD
Who uses it?
Building a Consumer
To sign requests, you need:
Consumer key / Consumer secret
(Unique per application)
+
Access token / Access secret
(Unique per application user)
Step 1: Register with the provider
I would like my OAuth application to consume your service please, Mr. Provider.
Certainly. I just need to take a few details from you, and we’ll be all set.
OK. Here you go.
Consumer key / Consumer secret
Step 2: Write your application
Step 3: ??????
Step 4: Profit!
User / Consumer / Provider (diagram legend: C = consumer key and secret, R = request token and secret, V = verifier, A = access token and secret)
• User clicks connect
• Ask provider for request token
• Provider returns request token and request secret
• Redirect user to provider
• User logs in/authorises app
• Provider redirects user back to app with verifier
• User’s arrival with verifier notifies app
• App then exchanges request token for access token
• Provider returns access token and access secret
• App makes request on user’s behalf
Get request token

```php
// Create OAuth client object (PECL oauth extension)
$o = new OAuth(
    MY_CONSUMER_KEY,
    MY_CONSUMER_SECRET,
    OAUTH_SIG_METHOD_HMACSHA1
);

// Fetch the request token
$response = $o->getRequestToken(
    'https://api.twitter.com/oauth/request_token');

// Save for later exchange
$_SESSION['req_token']  = $response['oauth_token'];
$_SESSION['req_secret'] = $response['oauth_token_secret'];

// Send user to provider's site
header('Location: https://api.twitter.com/oauth/authorize' .
    '?oauth_token=' . $response['oauth_token']);
```
Get access token

```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1
);

// Sign requests with the request token
$o->setToken($_SESSION['req_token'], $_SESSION['req_secret']);

// Exchange request for access token (verifier is automatic)
$response = $o->getAccessToken(
    'https://api.twitter.com/oauth/access_token');

// Save access tokens for later use
$current_user->saveTwitterTokens(
    $response['oauth_token'], $response['oauth_token_secret']
);
header('Location: /twitter-link-ok');
```

Access token / Access secret
Make API requests

```php
// Create OAuth client object
$o = new OAuth(
    MY_CONSUMER_KEY, MY_CONSUMER_SECRET, OAUTH_SIG_METHOD_HMACSHA1
);

// Sign requests with the access token
$o->setToken(
    $current_user->getTwitterToken(), $current_user->getTwitterSecret()
);

$args = array('status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!');
// Signed POST on the user's behalf (the slide used $oauth here; the object is $o)
$o->fetch('https://api.twitter.com/v1/statuses/update.json', $args, OAUTH_HTTP_METHOD_POST);

$json = json_decode($o->getLastResponse());
printf("Result: %s\n", print_r($json, true));
```
What OAuth doesn’t do
No proof of server identity (use TLS)
No confidentiality (use TLS/SSL)
No open-source consumer
Thoughts on being a Provider
Very easy to be a Consumer
Many design decisions to make as a Provider
A fair amount of work, and not always easy to change your mind
For example. . .
How large a range of timestamps do you allow?
What permission granularity do you provide?
What format and length are tokens/secrets?
Do you identify actions as coming from particular consumers? (e.g. Twitter)
What about attacks? Phishing, DoS, clickjacking, CSRF
Beware proxying/caching (use the right headers!)
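Several of the provider questions above (timestamp range, replayed requests, token lookup) come down to what the provider checks on every signed request. As an added example, not code from the talk, here is a minimal OAuth 1.0a HMAC-SHA1 verifier in plain PHP without the PECL extension; it assumes a 300-second timestamp window, an in-memory nonce store keyed by consumer, timestamp and nonce, and constructed keys, secrets and request values.

```php
<?php
// Added example, not from the talk: provider-side verification of an OAuth 1.0a
// HMAC-SHA1 signed request (RFC 5849). All keys, secrets and values are constructed.
// Signature base string: METHOD & enc(url) & enc(sorted "k=v" pairs joined by &)
function oauth_base_string(string $method, string $url, array $params): string
{
    unset($params['oauth_signature']);              // the signature never signs itself
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode($k) . '=' . rawurlencode($v); // RFC 3986 encoding
    }
    sort($pairs, SORT_STRING);                       // byte-wise ordering as the spec requires
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
}
function oauth_sign(string $base, string $consumer_secret, string $token_secret): string
{
    $key = rawurlencode($consumer_secret) . '&' . rawurlencode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}
// Provider-side check. $seen_nonces stands in for a persistent replay store.
function verify_request(string $method, string $url, array $params, array $consumers,
                        array $tokens, array &$seen_nonces, int $now, int $window = 300): string
{
    $ck = $params['oauth_consumer_key'] ?? '';
    $tk = $params['oauth_token'] ?? '';
    if (!isset($consumers[$ck], $tokens[$tk])) return 'unknown consumer or token';
    if (($params['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') return 'bad signature method';
    $ts = (int)($params['oauth_timestamp'] ?? 0);
    if (abs($now - $ts) > $window) return 'timestamp out of range';   // the "range of timestamps" decision
    $nonce_key = "$ck:$ts:" . ($params['oauth_nonce'] ?? '');
    if (isset($seen_nonces[$nonce_key])) return 'replayed nonce';
    $expected = oauth_sign(oauth_base_string($method, $url, $params), $consumers[$ck], $tokens[$tk]);
    if (!hash_equals($expected, $params['oauth_signature'] ?? '')) return 'bad signature';
    $seen_nonces[$nonce_key] = true;                 // record the nonce only for a valid request
    return 'ok';
}
// Constructed demo: the consumer signs a status update, the provider verifies it three ways.
$consumers = ['ck_demo' => 'cs_demo_secret'];       // consumer key => consumer secret
$tokens    = ['at_demo' => 'as_demo_secret'];       // access token => access secret
$seen = []; $now = 1288828800;                       // constructed "current time"
$url       = 'https://api.example.com/1/statuses/update.json';
$params    = ['status' => 'O HAI TWITTER LOOK AT MAH KITTEH LOL!', 'oauth_consumer_key' => 'ck_demo',
              'oauth_token' => 'at_demo', 'oauth_signature_method' => 'HMAC-SHA1',
              'oauth_timestamp' => (string)$now, 'oauth_nonce' => 'n0nce1', 'oauth_version' => '1.0'];
$params['oauth_signature'] = oauth_sign(oauth_base_string('POST', $url, $params), 'cs_demo_secret', 'as_demo_secret');
echo "fresh request:        ", verify_request('POST', $url, $params, $consumers, $tokens, $seen, $now), "\n";
echo "same request again:   ", verify_request('POST', $url, $params, $consumers, $tokens, $seen, $now), "\n";
echo "same request, +10min: ", verify_request('POST', $url, $params, $consumers, $tokens, $seen, $now + 600), "\n";
```

The same `oauth_base_string` and `oauth_sign` pair is what the PECL extension computes for the consumer in the slides, so the demo signs with them and then verifies with them.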
Links
OAuth Spec: http://oauth.net/
Intro/tutorial: http://hueniverse.com/
PECL extension: http://pecl.php.net/oauth/
Me: http://twitter.com/dmi http://www.dmi.me.uk/talks/ http://www.dmi.me.uk/code/php/
Slides: http://slideshare.net/ingramd