Presentation is loading. Please wait.

Presentation is loading. Please wait.

OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

Published byCorey Plank Modified over 9 years ago

Similar presentations

Presentation on theme: "OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:"— Presentation transcript:

1 OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via: pj@pjebs.com.au

2 OAuth 2.0 What I will cover: Brief overview of OAuth 2.0 How all the concepts fit together How you can use OAuth in your own projects i.e. API's, identity provider etc Implementing Facebook into your projects

3 The players Service Provider Client User Resources Server User owns private data in resources server (eg. Personal details, photos) Client wants to access user's data in resources server. RS provides access to data via REST API endpoints.

4 Preliminary Before anything happens, Client is registered with Service Provider so SP can recognize it Client is given a “client_id” and “secret_key” Secret Key MUST never be exposed in public. Keep it within your php code – not in any client-side code eg. javascript etc

5 Authorization Grant 3 rd Party website (aka client or application) wants to access data owned by User but stored in Resource Server Resource Server provides an endpoint so a client can get data GET /me/photo → returns a private photo of User RS won't just give access to anyone. User must authorize client to access private data Service Provider (SP) provides 2 endpoints to facilitate authorization GET /authorize ← Use first POST /token ← What client actually wants

6 Authorization Client will redirect user to SP's website @ /authorize endpoint. User is no longer at client's website GET /authorize Query parameters: “response_type” = 'code‘ “client_id” = “redirect_uri” = “scope” = SP will check if User gives Client permission. Either User had given permission in the past OR it will be asked to authorize SP will redirect user to (an endpoint on client's website). A “code” will be given. Or an “error”. These are query parameters. i.e. code=298e63d823b86e52a95

7 Token That redirect endpoint isn't just an ordinary website URL. It must expect a code (or error) being returned amongst its query parameters If there is no error, the client must quickly request a token. POST /token “client_id” = “client_secret” = “grant_type” = 'authorization code‘ “code” = “redirect_uri” = Returns JSON array with “access_token” and “expires_on” OR “error” i.e. access_token=206c80413b9a96c1384463edd

8 Making API requests Now that you have a token, you can call API requests on Resources Server User can revoke authorization anytime Token can expire (which means Client has to go through process of getting a new token) The SP has a registrar of all the non-expired tokens and the corresponding client and scope permissions

9 Uses Many other grant types Implicit Grant, Client Credentials, Refresh Token, Resource Owner Password Credentials and many many more You can use OAuth specifications for many projects ranging from identity provider to a web service where other 3 rd parties can use your API You can design a SP You can design a client Make sure SP (Resources Server if separate to SP) uses HTTPS connection

10 Facebook Connect/Graph API Allows users to log on to your site using their Facebook account Facebook allows 3 rd party applications to access user's data (i.e. profile data such as name, age, gender etc) Facebook allows you to make your website social-savvy Make posts on user's timeline Access their friends list Grab their photos (like Tinder does)

11 Facebook Connect eHarmony gives you the option of creating an account with them (traditional way) Login using an account registered with them Login using facebook connect  The site never needs to know user's password

12 Account registration in your database Traditionally: Using Facebook: FB guarantees every fb account will have a UNIQUE fb_id No need for a password You can save token in a session if you want

13 Initial Setting up https://developers.facebook.com/apps Create a new “App”

14 Initial Setting up

15 PHP – install and configure Install SDK using composer: require “facebook/php-sdk”

16 Step 1 – website link to open dialog You can put $loginUrl in your view: ”>Connect using Facebook 'scope' determines what permissions your app requires from the user. Facebook will ask the user to authorize your app to use those permissions. (i.e. 'scope'=> 'read_stream, user_photos') $loginUrl will contain client_id, scope, redirect_uri as query params

17 Objective 1.On Website: Work out the correct URL for the facebook login dialog box to appear  You must pass information to it such as client_id, scope, redirect_uri, state etc 2.Once user logs on, you need to grab user's fb_id  Check if fb_id already exists in your records  NO: New registration  YES: Prior registered customer 3.Get and Store token to make future api requests

18 Step 2 – get fb_id $facebook->getUser() will return fb_id. Check if that user already exists in your db.  YES: Great! You have their personal details already stored + Token  NO: Use api to get basic details of user and create new account

19 Step 2 – contd. $user_profile contains an array which contains information about the user. You can use this information to populate your database records of your user base

20 Step 3 – Storing the token You don't technically need to store the token because the SDK takes care of it in the behind the scenes. $facebook->getUser(), before returning the fb_id does many things behind the scenes  Gets access code, exchanges it for token, saves token in session and finally returns the fb_id BUT if you don't store the token yourself, you must always ask the user to log in, in order for SDK to do everything behind the scenes. If you have the token, you can also access Graph API without facebook SDK. You can store token yourself: $facebook->getAccessToken();

21 Step 4 – Using access token You don't need access token. SDK provides method that will access Graph API conveniently  $facebook->api($url, $method, $parameters) But you can use API manually(HTTP REST API). All the endpoints and documentation are online. You obviously must sign the HTTP request with the token in the body (access_token= ) or possibly header

22 References https://knpuniversity.com/screencast/oauth/intro http://25labs.com/tutorial-integrate-facebook-connect-to-your- website-using-php-sdk-v-3-x-x-which-uses-graph-api/ Facebook documentation and sample code

23 Next Month I will give an introduction to Amazon Web Services (AWS) Relatively cheap There is a steep initial learning curve but after you get the 'hang of it', it is easy and therefore worth it Makes your site ready for scaling so if your website/service explodes in popularity, you'll be instantly ready I will discuss products: S3, EC2, Route 53, RDS, ELB and Elastic Beanstalk I won't discuss CloudFront (since I've never used it) Those are the key products a PHP developer needs

Download ppt "OAuth 2.0 By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:"

Similar presentations

Performance Challenges for the Open Web Stanford CS193H 29 September 2008.

Performance Challenges for the Open Web Stanford CS193H 29 September 2008.
Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.

Eric J. Oszakiewski MCTS: SharePoint Application Development SharePoint Configuration.
AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013

AAI for Apps Using AAI with your Smartphone Daniel Latzer Zürich, April 2013
Authentication Simon Cross Partner Engineer facebook.com/sicross An Overview.

Authentication Simon Cross Partner Engineer facebook.com/sicross An Overview.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
1Proprietary and Confidential AirVantage API – Getting started David SCIAMMA – June 13th 2014.

1Proprietary and Confidential AirVantage API – Getting started David SCIAMMA – June 13th 2014.
Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.

Using Evernote and Google Docs in your web or mobile application (and potentially Dropbox and Skydrive) By Peter Messenger Senior Developer – Triple Point.
Amazon Web Services (aws) B. Ramamurthy. Introduction  Amazon.com, the online market place for goods, has leveraged the services that worked for their.

Amazon Web Services (aws) B. Ramamurthy. Introduction  Amazon.com, the online market place for goods, has leveraged the services that worked for their.
Amazon CloudFront An introductory discussion. What is Amazon CloudFront? 5/31/20122© e-Zest Solutions Ltd. Amazon CloudFront is a web service for content.

Amazon CloudFront An introductory discussion. What is Amazon CloudFront? 5/31/20122© e-Zest Solutions Ltd. Amazon CloudFront is a web service for content.
The Alfresco API Steven Glover Gethin James Peter Monks.

The Alfresco API Steven Glover Gethin James Peter Monks.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.

Hannes Tschofenig MIT CFP Privacy & Security Working Group Feb. 2 nd 2011.
OmStore Cloud API Harshit Agarwal Sohil Habib. About Us ●We are graduate students at CMU ●Currently at CMU Silicon Valley campus ●Working part time with.

OmStore Cloud API Harshit Agarwal Sohil Habib. About Us ●We are graduate students at CMU ●Currently at CMU Silicon Valley campus ●Working part time with.
GRDevDay March 21, 2015 Cloud-based Identity for Applications.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Fraser Technical Solutions, LLC

Fraser Technical Solutions, LLC
OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.

OAuth 2.0 in Depth By Rohit Ghatol SynerzipSynerzip Passionate about TechNextTechNext.
CAEL 5012 Rich Internet Applications. What you need For this part of the course you will need access to a server with PHP and MYSQL which will be supplied.

CAEL 5012 Rich Internet Applications. What you need For this part of the course you will need access to a server with PHP and MYSQL which will be supplied.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
Amazon AWS – brief intro By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

Amazon AWS – brief intro By “PJ” (JP on meetup.com) iOS and PHP developer, and occasional lawyer Contact me via:

Similar presentations

Ads by Google