Open Source Bridge - OAuth: an Open Specification for Web Services
John Jawed - jawed@php.net
- talk is about oauth at a high level and the problems it tries to solve
- won't get low-level into the spec, etc.
- problem - rasmus has private photos on flickr but wants to print them out using kodak's online photo printing service?
- before oauth: have to give kodak your flickr user name and password
- too powerful
- can change passwords, delete photos, delete account
- e.g. has anyone had to share their twitter username/password with another site to gain access?
- how about some identifier issued by flickr to kodak?
- would allow someone else to access your account but only with certain permissions and only for a certain length of time
- for a few years we've had ...
- yahoo bbauth
- google authsub
- aol openauth
- windows live id
- flickr token auth
- many others
- equivalent but different model -- drove the creation of oauth
- the oauth dance
- kodak sends rasmus to flickr
- flickr asks rasmus: kodak wants to access your private photos
- rasmus: sure!
- flickr gives kodak a token with a secret
- kodak makes api requests to flickr using the token/secret
- fin
- behind the scenes ...
- timestamps
- nonces
- tokens
- secrets
- refresh tokens
- signatures -- "ssl bastardized"
- handy if requests aren't over https
- yahoo big on openid and oauth
- internal implementers at yahoo found oauth difficult to use
- php.net/oauth designed to address problems with working with oauth
- open source (bsd)
- mature
- supports talking to oauth apis
- supports creating oauth apis
- available as a php extension
- code sample -- using oauth in php
- start the session
- create a new oauth object using api key
- get request token using endpoint, e.g. twitter's request token url
- redirect user to authentication url
- after authentication, get an access token for interaction with the target service, e.g. twitter
- fetch method in the oauth object handles all the token negotiation for you
- to use oauth you don't need to understand the spec, just need to understand the flow
- get request token (throw-away token)
- get access token (token used to sign requests)
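The client-side flow from the slides, written out as an added example against the pecl/oauth extension (not code from the talk); the endpoint URLs, consumer key/secret and callback URL are placeholders, and the session check that the returned token matches the stored request token is an added safeguard, not something the talk mentions.

```php
<?php
// Added example: three-legged OAuth 1.0a with pecl/oauth. All URLs/keys are placeholders.
session_start();

$consumer_key    = 'CONSUMER_KEY_PLACEHOLDER';
$consumer_secret = 'CONSUMER_SECRET_PLACEHOLDER';
$request_url   = 'https://api.example.com/oauth/request_token';
$authorize_url = 'https://api.example.com/oauth/authorize';
$access_url    = 'https://api.example.com/oauth/access_token';
$callback_url  = 'https://myapp.example.com/callback.php';

// HMAC-SHA1 signatures, credentials sent in the Authorization header.
$oauth = new OAuth($consumer_key, $consumer_secret,
                   OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_AUTHORIZATION);

try {
    if (empty($_SESSION['access_token'])) {
        if (empty($_GET['oauth_token'])) {
            // Step 1: throw-away request token; 1.0a sends the callback here.
            $req = $oauth->getRequestToken($request_url, $callback_url);
            $_SESSION['request_token']  = $req['oauth_token'];
            $_SESSION['request_secret'] = $req['oauth_token_secret'];
            // Step 2: send the user to the provider to approve access.
            header('Location: ' . $authorize_url . '?oauth_token=' . urlencode($req['oauth_token']));
            exit;
        }
        // Back from the provider: the token must be the one this session started with,
        // otherwise an attacker could splice their own authorization into our session.
        if ($_GET['oauth_token'] !== ($_SESSION['request_token'] ?? null)) {
            http_response_code(400);
            exit('token mismatch');
        }
        // Step 3: trade request token + verifier for the long-lived access token.
        $oauth->setToken($_GET['oauth_token'], $_SESSION['request_secret']);
        $acc = $oauth->getAccessToken($access_url, null, $_GET['oauth_verifier'] ?? null);
        unset($_SESSION['request_token'], $_SESSION['request_secret']);
        $_SESSION['access_token']  = $acc['oauth_token'];
        $_SESSION['access_secret'] = $acc['oauth_token_secret'];
    }
    // Step 4: signed API calls; fetch() adds timestamp, nonce and signature for you.
    $oauth->setToken($_SESSION['access_token'], $_SESSION['access_secret']);
    $oauth->fetch('https://api.example.com/1/account/verify_credentials.json');
    $profile = json_decode($oauth->getLastResponse(), true);
} catch (OAuthException $e) {
    // Signature, timestamp or token problems surface here; never echo the secrets.
    error_log('OAuth failure: ' . $e->getMessage());
    http_response_code(502);
}
```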
- netflix example
- pretty similar to twitter, but also need to pass user id
- financial services example - wepay (paypal for groups)
- similar paradigm--get request token, authorize access, get access token, interact with service
- wepay also includes a verifier in addition to the tokens
- example with no user (two-legged)
- sign request with secret and api key--consumer key and consumer secret
- what about accepting oauth in your API?
- create oauthprovider object in php
- get consumer key from caller, make sure it's still valid
- three handlers
- $provider->is2LeggedEndpoint()
- $provider->consumerHandler()
- $provider->timestampNonceHandler()
- google: rasmus oauth to see full example walkthrough
- oauth for php supports
- all oauth parameter types
- hmac-sha1, rsa-sha1
- 1.0a
- oauth extensions: session, problem reporting
- setting millisecond request timeouts
- and much more
- oauth 2.0
- still a work in progress
- same token paradigm
- profile-based (web, client, etc.)
- oauth 1.0 with session extension
- oauth 1.0 implementations will be around for a long time
- will be supported in pecl/oauth
- problem oauth 2.0 tries to solve is that oauth 1.0 is very browser-focused, lots of requests/redirects
- support for non-browser flow, native client flow, etc.