Using OAuth with PHP

Dave Ingram

@dmi

4th November 2010

Coming up

• What is OAuth?

• How do you write a Consumer in PHP?

• What doesn’t OAuth do?

• Thoughts on being a Provider

What is OAuth anyway?

A long time ago, in a website not far away. . .

Connect!

Connect!

U:KittehLuvrP:hunter2

Connect!

U:KittehLuvrP:hunter2

U:KittehLuvrP:hunter2

Connect!

U:KittehLuvrP:hunter2

U:KittehLuvrP:hunter2

Connect!

U:KittehLuvrP:hunter2

U:KittehLuvrP:hunter2

U:KittehLuvrP:hunter2

Connect!

U:KittehLuvrP:hunter2

U:KittehLuvrP:hunter2

U:KittehLuvrP:hunter2

O HAI TWITTERLOOK AT MAHKITTEH LOL!

Full access

Full access

Fragile

Full access

Fragile

Revoking is painful

YOU REVEAL YOUR USERNAMEAND PASSWORD

YOUR USERNAMEAND PASSWORD

Who uses it?

Building a Consumer

To sign requests, you need:

Consumer keyConsumer secret

(Unique per application)

+

Access tokenAccess secret

(Unique per application user)

Step 1: Register with the provider

I would like my OAuthapplication toconsume your serviceplease, Mr. Provider.

Certainly. I just needto take a few detailsfrom you, and we’ll beall set.

OK. Here you go.

Consumer keyConsumer secret

Step 2: Write your applicationStep 3: ??????Step 4: Profit!

Step 2: Write your applicationStep 3: ??????Step 4: Profit!

User Consumer Provider

User clicks connect

User Consumer Provider

C C

Ask provider forrequest token

User Consumer Provider

C C

R R

Provider returnsrequest token and

request secret

User Consumer Provider

C C

R R

R

Redirect user to provider

User Consumer Provider

C C

R R

R

R

User logs in/authorisesapp

User Consumer Provider

C C

R R

R

R

V

Provider redirects userback to app with

verifier

User Consumer Provider

C C

R R

R

R

V

V

User’s arrival withverifier notifies app

User Consumer Provider

C C

R R

R

R

V

VC C R R V

App then exchangesrequest token for

access token

User Consumer Provider

C C

R R

R

R

V

VC C R R V

A AProvider returns

access token andaccess secret

User Consumer Provider

C C

R R

R

R

V

VC C R R V

A A

C C A A

App makes request onuser’s behalf

Get request token// Create OAuth client object$o = new OAuth(

MY_CONSUMER_KEY,MY_CONSUMER_SECRET,OAUTH_SIG_METHOD_HMACSHA1,

);

Get request token// Create OAuth client object$o = new OAuth(

MY_CONSUMER_KEY,MY_CONSUMER_SECRET,OAUTH_SIG_METHOD_HMACSHA1,

);

// Fetch the request token$response = $o->getRequestToken(

'https://api.twitter.com/oauth/request_token');

// Save for later exchange$_SESSION['req_token'] = $response['oauth_token'];$_SESSION['req_secret'] = $response['oauth_token_secr et'];

Get request token// Create OAuth client object$o = new OAuth(

MY_CONSUMER_KEY,MY_CONSUMER_SECRET,OAUTH_SIG_METHOD_HMACSHA1,

);

// Fetch the request token$response = $o->getRequestToken(

'https://api.twitter.com/oauth/request_token');

// Save for later exchange$_SESSION['req_token'] = $response['oauth_token'];$_SESSION['req_secret'] = $response['oauth_token_secr et'];

// Send user to provider's siteheader('Location: https://api.twitter.com/oauth/authorize' .

'?oauth_token='.$response['oauth_token']);

Get access token// Create OAuth client object$o = new OAuth(

MY_CONSUMER_KEY, MY_CONSUMER_SECRET,OAUTH_SIG_METHOD_HMACSHA1

);

// Sign requests with the request token$o->setToken($_SESSION['req_token'], $_SESSION['req_ secret']);

Get access token// Create OAuth client object$o = new OAuth(

MY_CONSUMER_KEY, MY_CONSUMER_SECRET,OAUTH_SIG_METHOD_HMACSHA1

);

// Sign requests with the request token$o->setToken($_SESSION['req_token'], $_SESSION['req_ secret']);

// Exchange request for access token (verifier is automatic )$response = $o->getAccessToken(

'https://api.twitter.com/oauth/access_token');

// Save access tokens for later use$current_user->saveTwitterTokens(

$response['oauth_token'],$response['oauth_token_secret'],

);

header('Location: /twitter-link-ok');

Access tokenAccess secret

Make API requests// Create OAuth client object$o = new OAuth(

MY_CONSUMER_KEY, MY_CONSUMER_SECRET,OAUTH_SIG_METHOD_HMACSHA1

);

// Sign requests with the access token$o->setToken(

$current_user->getTwitterToken(),$current_user->getTwitterSecret()

);

$args = array('status'=>'O HAI TWITTER LOOK AT MAH KITTEH LOL!');

$oauth->fetch('https://api.twitter.com/v1/statuses/update.json',$args,OAUTH_HTTP_METHOD_POST

);

$json = json_decode($oauth->getLastResponse());printf("Result: %s\n", print_r($json, true));

What OAuth doesn’t do

No proof of server identity (use TLS)

No proof of server identity (use TLS)

No confidentiality (use TLS/SSL)

No proof of server identity (use TLS)

No confidentiality (use TLS/SSL)

No open-source consumer

Thoughts on being aProvider

Very easy to be a Consumer

Very easy to be a Consumer

Many design decisions to make as a Provider

Very easy to be a Consumer

Many design decisions to make as a Provider

A fair amount of work, and not always easy to changeyour mind

Very easy to be a Consumer

Many design decisions to make as a Provider

A fair amount of work, and not always easy to changeyour mind

For example. . .

How large a range of timestamps do you allow?

How large a range of timestamps do you allow?

What permission granularity do you provide?

How large a range of timestamps do you allow?

What permission granularity do you provide?

What format and length are tokens/secrets?

How large a range of timestamps do you allow?

What permission granularity do you provide?

What format and length are tokens/secrets?

Do you identify actions as coming from particularconsumers? (e.g. Twitter)

How large a range of timestamps do you allow?

What permission granularity do you provide?

What format and length are tokens/secrets?

Do you identify actions as coming from particularconsumers? (e.g. Twitter)

What about attacks? Phishing, DoS, clickjacking, CSRF

How large a range of timestamps do you allow?

What permission granularity do you provide?

What format and length are tokens/secrets?

Do you identify actions as coming from particularconsumers? (e.g. Twitter)

What about attacks? Phishing, DoS, clickjacking, CSRF

Beware proxying/caching (use the right headers!)

Links

OAuth Spec: http://oauth.net/

Intro/tutorial: http://hueniverse.com/

PECL extension: http://pecl.php.net/oauth/

Me: http://twitter.com/dmihttp://www.dmi.me.uk/talks/http://www.dmi.me.uk/code/php/

Slides: http://slideshare.net/ingramd