OAuth 2.0
By “PJ” (JP on meetup.com)
iOS and PHP developer, and occasional lawyer
Contact me via: [email protected]
What I will cover:
Brief overview of OAuth 2.0
How all the concepts fit together
How you can use OAuth in your own projects, i.e. APIs, identity provider etc.
Implementing Facebook into your projects
The players
Service Provider (SP)
Client
User
Resource Server (RS)
The User owns private data in the Resource Server (e.g. personal details, photos).
The Client wants to access the User's data in the Resource Server.
The RS provides access to that data via REST API endpoints.
Preliminary
Before anything happens, the Client is registered with the Service Provider so the SP can recognize it. The Client is given a "client_id" and a "secret_key".
The secret key MUST never be exposed in public. Keep it within your PHP code, not in any client-side code such as JavaScript.
Authorization Grant
A 3rd-party website (aka the client or application) wants to access data owned by the User but stored in the Resource Server.
The Resource Server provides an endpoint so a client can get that data:
GET /me/photo → returns a private photo of the User
The RS won't just give access to anyone. The User must authorize the client to access private data.
The Service Provider (SP) provides 2 endpoints to facilitate authorization:
GET /authorize ← use first
POST /token ← what the client actually wants
Authorization
The Client will redirect the user to the SP's website at the /authorize endpoint. The user is no longer at the client's website.
GET /authorize
Query parameters:
"response_type" = 'code'
"client_id" = <CLIENT_ID>
"redirect_uri" = <REDIRECT_URI>
"scope" = <what permissions the client is asking the user to give it>
The SP will check whether the User gives the Client permission: either the User gave permission in the past, or they will be asked to authorize now.
The SP will then redirect the user to <REDIRECT_URI> (an endpoint on the client's website). A "code" will be given, or an "error". These are query parameters, e.g. code=298e63d823b86e52a95
Token
That redirect endpoint isn't just an ordinary website URL. It must expect a code (or an error) to be returned amongst its query parameters.
If there is no error, the client must quickly request a token:
POST /token
"client_id" = <CLIENT_ID>
"client_secret" = <SECRET KEY>
"grant_type" = 'authorization_code'
"code" = <CODE FROM PRIOR REQUEST>
"redirect_uri" = <SAME AS BEFORE>
Returns JSON with "access_token" and "expires_on", OR an "error", e.g. access_token=206c80413b9a96c1384463edd
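The /authorize and /token steps above as one server-side PHP client. This is an added example, not code from the talk; the SP endpoints, client_id, client_secret and redirect_uri are placeholders, and the "state" parameter (mentioned later in the talk) is used here so that a code returned to the redirect endpoint is only accepted for the session that started the login.

```php
<?php
// Added example (not from the talk): a minimal OAuth 2.0 authorization-code client.
session_start();
const AUTHORIZE_URL = 'https://sp.example/authorize';   // placeholder SP endpoint
const TOKEN_URL     = 'https://sp.example/token';       // placeholder SP endpoint
const CLIENT_ID     = 'CLIENT_ID_PLACEHOLDER';
const CLIENT_SECRET = 'CLIENT_SECRET_PLACEHOLDER';      // server-side only, never in JS
const REDIRECT_URI  = 'https://client.example/oauth/callback';
// Step 1: build the /authorize URL; a random "state" is kept in the session and checked on return.
function buildAuthorizeUrl(string $scope): string {
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    return AUTHORIZE_URL . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => $scope,
        'state'         => $state,
    ]);
}
// Step 2: the redirect endpoint; check "error" and "state", then POST the code to /token from the server.
function handleCallback(array $query): array {
    if (isset($query['error'])) {
        throw new RuntimeException('Authorization failed: ' . $query['error']);
    }
    $expected = $_SESSION['oauth_state'] ?? '';
    unset($_SESSION['oauth_state']);                    // state is single-use
    if ($expected === '' || !hash_equals($expected, (string) ($query['state'] ?? ''))) {
        throw new RuntimeException('State mismatch: discarding the code');
    }
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $query['code'] ?? '',
            'redirect_uri'  => REDIRECT_URI,             // must match step 1
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
        ]),
    ]);
    $body  = (string) curl_exec($ch);
    $token = json_decode($body, true);
    if (!is_array($token) || isset($token['error']) || empty($token['access_token'])) {
        throw new RuntimeException('Token request failed: ' . $body);
    }
    return $token;                                      // access_token and its expiry
}
```

Call buildAuthorizeUrl() from the login page and handleCallback($_GET) from the redirect endpoint; the returned array is what the "Making API requests" step uses.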
Making API requests
Now that you have a token, you can make API requests to the Resource Server.
The User can revoke authorization at any time.
The token can expire (which means the Client has to go through the process of getting a new token).
The SP keeps a register of all non-expired tokens with the corresponding client and scope permissions.
Uses
There are many other grant types: Implicit Grant, Client Credentials, Refresh Token, Resource Owner Password Credentials and many more.
You can use the OAuth specification for many projects, ranging from an identity provider to a web service whose API other 3rd parties can use. You can design an SP; you can design a client.
Make sure the SP (and the Resource Server, if separate from the SP) uses an HTTPS connection.
Facebook Connect/Graph API
Allows users to log on to your site using their Facebook account.
Facebook allows 3rd-party applications to access the user's data (i.e. profile data such as name, age, gender etc.).
Facebook allows you to make your website social-savvy:
Make posts on the user's timeline
Access their friends list
Grab their photos (like Tinder does)
Facebook Connect
eHarmony gives you the option of:
Creating an account with them (the traditional way)
Logging in using an account registered with them
Logging in using Facebook Connect
The site never needs to know the user's password.
Account registration in your database
Traditionally:
Using Facebook:
FB guarantees every Facebook account has a UNIQUE fb_id.
There is no need for a password.
You can save the token in a session if you want.
Initial setting up
PHP – install and configure
Install the SDK using Composer: require "facebook/php-sdk"
Step 1 – website link to open dialog
You can put $loginUrl in your view:
<a href="<?= $loginUrl ?>">Connect using Facebook</a>
'scope' determines what permissions your app requires from the user. Facebook will ask the user to authorize your app to use those permissions (e.g. 'scope' => 'read_stream,user_photos').
$loginUrl will contain client_id, scope and redirect_uri as query params.
Objective
1. On the website: work out the correct URL for the Facebook login dialog box to appear. You must pass information to it such as client_id, scope, redirect_uri, state etc.
2. Once the user logs on, grab the user's fb_id and check whether that fb_id already exists in your records. NO: new registration. YES: previously registered customer.
3. Get and store the token to make future API requests.
Step 2 – get fb_id
$facebook->getUser() will return the fb_id. Check whether that user already exists in your DB.
YES: Great! You already have their personal details stored, plus the token.
NO: Use the API to get the basic details of the user and create a new account.
Step 2 – contd.
$user_profile contains an array with information about the user. You can use this information to populate your database records for your user base.
Step 3 – storing the token
You don't technically need to store the token, because the SDK takes care of it behind the scenes.
$facebook->getUser(), before returning the fb_id, does many things behind the scenes: it gets the access code, exchanges it for a token, saves the token in the session and finally returns the fb_id.
BUT if you don't store the token yourself, you must always ask the user to log in so the SDK can do all of that again. If you have the token, you can also access the Graph API without the Facebook SDK.
You can store the token yourself: $facebook->getAccessToken();
Step 4 – using the access token
You don't need to handle the access token yourself. The SDK provides a method that accesses the Graph API conveniently:
$facebook->api($url, $method, $parameters)
But you can also use the API manually (HTTP REST API). All the endpoints and documentation are online.
You must then attach the token to the HTTP request yourself, either as a parameter in the body (access_token=<$token>) or possibly in a header.
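Steps 2 to 4 together in one callback script using the v3 PHP SDK calls named in the talk (getUser, getLoginUrl, api, getAccessToken). This is an added example, not the talk's or the SDK's own code; it assumes a Composer autoloader, a local SQLite database via PDO, and placeholder app id, secret and redirect_uri.

```php
<?php
// Added example (not from the talk or the SDK): fb_id lookup plus token storage.
// Assumptions: Composer autoload, a PDO SQLite DB, placeholder app credentials.
require 'vendor/autoload.php';
session_start();

$facebook = new Facebook([
    'appId'  => 'APP_ID_PLACEHOLDER',
    'secret' => 'APP_SECRET_PLACEHOLDER',                // stays in server-side PHP
]);
$db = new PDO('sqlite:' . __DIR__ . '/users.sqlite');
$db->exec('CREATE TABLE IF NOT EXISTS users (fb_id TEXT PRIMARY KEY, name TEXT, email TEXT, token TEXT)');

// Steps 1-2: getUser() returns 0 until the user has authorized the app; send them to the
// login dialog in that case. On return, getUser() exchanges the code for a token itself.
$fbId = $facebook->getUser();
if (!$fbId) {
    header('Location: ' . $facebook->getLoginUrl([
        'scope'        => 'email,user_photos',
        'redirect_uri' => 'https://client.example/fb-callback.php',   // placeholder
    ]));
    exit;
}

// Step 2: fb_id is the stable key for the account, so no password is ever stored.
$lookup = $db->prepare('SELECT name FROM users WHERE fb_id = ?');
$lookup->execute([(string) $fbId]);
$row = $lookup->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    try {
        $profile = $facebook->api('/me');                // basic details for a new account
    } catch (FacebookApiException $e) {
        // Token was revoked or expired: drop the session token so the next visit logs in again.
        $facebook->destroySession();
        exit('Facebook login expired, please try again.');
    }
    $insert = $db->prepare('INSERT INTO users (fb_id, name, email, token) VALUES (?, ?, ?, ?)');
    $insert->execute([(string) $fbId, $profile['name'] ?? '', $profile['email'] ?? '', $facebook->getAccessToken()]);
    $row = ['name' => $profile['name'] ?? ''];
} else {
    // Step 3: returning customer; refresh the stored token so later Graph API calls
    // can be made without the SDK (step 4).
    $update = $db->prepare('UPDATE users SET token = ? WHERE fb_id = ?');
    $update->execute([$facebook->getAccessToken(), (string) $fbId]);
}
echo 'Welcome, ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
```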
References
https://knpuniversity.com/screencast/oauth/intro
http://25labs.com/tutorial-integrate-facebook-connect-to-your-website-using-php-sdk-v-3-x-x-which-uses-graph-api/
Facebook documentation and sample code
Next Month
I will give an introduction to Amazon Web Services (AWS)
Relatively cheap
There is a steep initial learning curve but after you get the 'hang of it', it is easy and therefore worth it
Makes your site ready for scaling so if your website/service explodes in popularity, you'll be instantly ready
I will discuss products: S3, EC2, Route 53, RDS, ELB and Elastic Beanstalk
I won't discuss CloudFront (since I've never used it)
Those are the key products a PHP developer needs