Open Source Bridge - OAuth: an Open Specification for Web Services

John Jawed - jawed@php.net
  • talk is about oauth at a high level and the problems it tries to solve
  • won't get low-level into the spec, etc.
  • problem - rasmus has private photos on flickr but wants to print them out using kodak's online photo printing service?
  • before oauth: have to give kodak your flickr user name and password
    • too powerful
      • can change passwords, delete photos, delete account
  • e.g. has anyone had to share their twitter u/p with another site to gain access?
  • how about some identifier issued by flickr to kodak?
    • would allow someone else to access your account but only with certain permissions and only for a certain length of time
  • for a few years we've had ...
    • yahoo bbauth
    • google authsub
    • aol openauth
    • windows live id
    • flickr token auth
    • many others
  • equivalent but different model -- drove the creation of oauth
  • the oauth dance
    • kodak sends rasmus to flickr
    • flickr asks rasmus: kodak wants to access your private photos
    • rasmus: sure!
    • flickr gives kodak a token with a secret
    • kodak makes api requests to flickr using the token/secret
    • fin
  • behind the scenes ...
    • timestamps
    • nonces
    • tokens
    • secrets
    • refresh tokens
    • signatures -- "ssl bastardized"
      • handy if requests aren't over https
  • yahoo big on openid and oauth
    • internal implementers at yahoo found oauth difficult to use
    • php.net/oauth designed to address problems with working with oauth
      • open source (bsd)
      • mature
      • supports talking to oauth apis
      • supports creating oauth apis
      • available as a php extension
  • code sample -- using oauth in php
    • start the session
    • create a new oauth object using api key
    • get request token using endpoint, e.g. twitter's request token url
    • redirect user to authentication url
    • after authentication, get an access token for interaction with the target service, e.g. twitter
    • fetch method in the oauth object handles all the token negotiation for you
  • to use oauth you don't need to understand the spec, just need to understand the flow
    • get request token (throw-away token)
    • get access token (token used to sign requests)
  • netflix example
    • pretty similar to twitter, but also need to pass user id
  • financial services example - wepay (paypal for groups)
    • similar paradigm--get request token, authorize access, get access token, interact with service
    • wepay also includes a verifier in addition to the tokens
  • example with no user
    • sign request with secret and api key--consumer key and consumer secret
  • what about accepting oauth in your API?
    • create oauthprovider object in php
    • get consumer key from caller, make sure it's still valid
    • three handlers
      • $provider->is2LeggedEndpoint()
      • $provider->consumerHandler()
      • $provider->timestampNonceHandler()
    • google: rasmus oauth to see full example walkthrough
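An added example (mine, not from the talk or from pecl/oauth) of the pieces listed under "behind the scenes" and of the checks the provider handlers above exist for: the consumer builds the OAuth 1.0 signature base string and HMAC-SHA1 signature over the request plus a fresh nonce and timestamp, and the service re-derives the signature, rejects unknown consumers, stale timestamps and replayed nonces, and compares signatures in constant time. The names Provider, sign, verify and the sample keys and secrets are assumptions made for this example.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlsplit

def pct(value):
    return quote(str(value), safe="")   # RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay bare

def base_string(method, url, params):
    """METHOD & enc(base URL) & enc(normalized params). `params` holds every query, body and
    oauth_* pair except realm and oauth_signature; pairs are encoded first, then sorted."""
    u = urlsplit(url)
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return f"{method.upper()}&{pct(f'{u.scheme.lower()}://{u.netloc.lower()}{u.path}')}&{pct(normalized)}"

def hmac_sha1(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret); the secrets never go on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign(method, url, params, consumer_key, consumer_secret, token="", token_secret="", now=None):
    """Consumer side: attach the oauth_* parameters (fresh nonce and timestamp) and the signature."""
    ts = str(now if now is not None else int(time.time()))
    oauth = [("oauth_consumer_key", consumer_key), ("oauth_nonce", secrets.token_hex(8)),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", ts)]
    if token:                                   # absent in the 2-legged (no user) case
        oauth.append(("oauth_token", token))
    signed = list(params) + oauth
    sig = hmac_sha1(base_string(method, url, signed), consumer_secret, token_secret)
    return signed + [("oauth_signature", sig)]

class Provider:
    """Service side: the checks pecl/oauth's consumerHandler and timestampNonceHandler exist for."""
    def __init__(self, consumers, window=300):
        self.consumers, self.window, self.seen = consumers, window, set()   # seen: (key, ts, nonce)
    def verify(self, method, url, params, token_secret="", now=None):
        """Returns 'ok', or the reason the request is rejected."""
        p = dict(params)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        if secret is None:
            return "unknown consumer"
        ts, nonce = int(p.get("oauth_timestamp", 0)), p.get("oauth_nonce", "")
        if abs((now if now is not None else int(time.time())) - ts) > self.window:
            return "stale timestamp"
        if (p["oauth_consumer_key"], ts, nonce) in self.seen:
            return "nonce replayed"                 # same nonce inside the window: a replay
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1(base_string(method, url, unsigned), secret, token_secret)
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return "bad signature"
        self.seen.add((p["oauth_consumer_key"], ts, nonce))
        return "ok"
```

The base_string function reproduces the worked example from RFC 5849 section 3.4.1.1 exactly, which is a quick way to check an implementation's percent-encoding and sorting rules.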
  • oauth for php supports
    • all oauth parameter types
    • hmac-sha1, rsa-sha1
    • 1.0a
    • oauth extensions: session, problem reporting
    • setting millisecond request timeouts
    • and much more
  • oauth 2.0
    • still a work in progress
    • same token paradigm
    • profile-based (web, client, etc.)
    • oauth 1.0 with session extension
    • oauth 1.0 implementations will be around for a long time
    • will be supported in pecl/oauth
    • problem oauth 2.0 tries to solve is that oauth 1.0 is very browser-focused, lots of requests/redirects
      • support for non-browser flow, native client flow, etc.
