Laravel News:
Learn about Grant Types in Laravel Passport
Aug 24, 2016 @ 10:46:49

On the Laravel News site today they've posted a tutorial helping you learn more about the grant types in the OAuth2 functionality provided by Laravel Passport.

OAuth2 is a security framework that controls access to protected areas of an application, and it’s mainly used to control how different clients consume an API ensuring they have the proper permissions to access the requested resources.

Laravel Passport is a full OAuth2 server implementation; it was built to make it easy to apply authentication over an API for laravel-based web applications.

For those not familiar with some of the terms around OAuth and its handling, they start with a few brief definitions (those already familiar can skip them). The post then gets into creating two kinds of grant handling with Passport: third-party authorizations and first-party applications (your own apps authenticating against the OAuth server). The post ends with a brief mention of creating access tokens manually, but points out that this functionality should probably only be used during testing.

tagged: laravel passport oauth2 grant types password thirdparty server

Link: https://laravel-news.com/2016/08/passport-grant-types/

Alex Bilbie:
A Guide To OAuth 2.0 Grants
Aug 02, 2016 @ 10:12:33

While the actual post is older, Alex Bilbie, lead developer on The PHP League's OAuth2 PHP Server package, has made some updates to his overview of OAuth 2 grants - what they mean and how they can be used in your OAuth-enabled application's flow.

The OAuth 2.0 specification is a flexible authorization framework that describes a number of grants (“methods”) for a client application to acquire an access token (which represents a user’s permission for the client to access their data) which can be used to authenticate a request to an API endpoint.

The specification describes five grants for acquiring an access token: authorization code grant, implicit grant, resource owner credentials grant, client credentials grant and refresh token grant. In this post I’m going to describe each of the above grants and their appropriate use cases.

He then walks through each of these grant types, providing a brief summary of what they're for and the data they must include as well as links to more information. The post wraps up with a flowchart that helps you decide which of the grant types to use in your system and a few other questions to answer to find the right fit.

tagged: oauth2 grants

Link: http://alexbilbie.com/guide-to-oauth-2-grants/

Securing client-side public API access with OAuth 2 and Symfony
Jul 18, 2016 @ 12:30:26

On the Codevate.com blog there's a tutorial posted by Chris Lush showing you how to secure your client-side public API with OAuth 2 (based on the Symfony platform).

Say you’ll be developing a web application for a customer to create and manage restaurant bookings, exposing restaurant information (name, opening times, menu contents etc.) and booking creation as RESTful API endpoints, which are consumed by a secure admin backend. You’ll need to authorise access to the API, but there is no end-user involved since the web app is its own resource owner, so the previous flow doesn’t apply.

[...] However, you also need to develop a booking widget that will be embedded in a company or restaurant’s website for visitors to use. In this case, the client-side is no longer trusted enough to share the OAuth client secret that’s required to authenticate with your API. [...] We encountered a similar use-case for a client project recently, and this blog post details the steps taken to address it.

He then shows how to integrate the FOSOAuthServerBundle into your current Symfony-based application and the updates you'll need to make to your security.yml file. He includes the code needed to create a "client" and associate it with a company already in the customer list. Next is the creation of access tokens and linking them to the restaurants in their system (a unique identifier to use externally for the restaurant rather than an ID). He shows an example of handling the token requests and the code/config changes needed to set it up. Finally he talks about scoping API requests down to certain functionality and an example cURL call to the API to show the results of it all combined.

tagged: clientside api access security oauth2 symfony tutorial bundle

Link: https://www.codevate.com/blog/12-securing-client-side-public-api-access-with-oauth-2-and-symfony

Alex Bilbie:
OAuth 2.0 Device Flow Grant
Apr 20, 2016 @ 11:58:50

In a new post to his site Alex Bilbie looks at a good approach to simplifying the OAuth 2 authorization flow for a device and some of the simple PHP that can power it.

When signing into apps and services on devices such as a Playstation or an Apple TV it can be an immensely frustrating experience. Generally you will endure something similar to one of the following scenarios: The utterly terrible experience whereby you don’t have anything other than an onscreen keyboard [or] A slightly less terrible experience whereby you can pair a bluetooth keyboard to enter your username and that crazy long password.

[...] There are some apps however - such as Youtube for Apple TV - that have a much better end user experience.

He talks more about this better experience: a short code presented to the user, a special URL where the user enters it to link the device, and the usual OAuth-style authorization page that ties the request to your account. He then explains how it would work with a PHP backend: making the request to the auth server, returning a message with the codes and URL to show the user, and the "device code" the server responds with for polling. He also includes a few examples of error responses for polling too quickly, pending authorization and a denied request. This is all based on the OAuth 2.0 Device Flow Grant, which at the time of writing is still a draft.
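As an added illustration of the exchange described above (this is not code from Alex Bilbie's post), here is the device-side half of the flow in plain PHP: request the device and user codes, show the user where to go, then poll the token endpoint and react to each error response. The endpoint URLs and client id are placeholders; the error codes (authorization_pending, slow_down, access_denied, expired_token) are the ones named by the device flow draft, later published as RFC 8628.

```php
<?php
// Added example, not from the original post. AUTH_SERVER and CLIENT_ID are
// placeholders; postForm() is a minimal helper built on PHP's http stream wrapper.

/** POST a form-encoded body and return the decoded JSON response. */
function postForm(string $url, array $fields): array
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content'       => http_build_query($fields),
        'ignore_errors' => true,   // keep the JSON error body on 4xx responses
        'timeout'       => 10,
    ]]);
    $body = file_get_contents($url, false, $ctx);
    if ($body === false) {
        throw new RuntimeException("Request to $url failed");
    }
    $json = json_decode($body, true);
    if (!is_array($json)) {
        throw new RuntimeException("Non-JSON response from $url");
    }
    return $json;
}

const AUTH_SERVER = 'https://auth.example.com';   // placeholder authorization server
const CLIENT_ID   = 'tv-app';                      // placeholder public client id

// Step 1: ask the server for a device code (for polling) and a short user code (for the user).
$dev = postForm(AUTH_SERVER . '/device_authorization', [
    'client_id' => CLIENT_ID,
    'scope'     => 'profile',
]);

// Show the user what to type on a device that has a real keyboard.
printf("Visit %s and enter the code %s\n", $dev['verification_uri'], $dev['user_code']);

// Step 2: poll the token endpoint, honouring the interval and lifetime the server gave us.
$interval = (int) ($dev['interval'] ?? 5);
$deadline = time() + (int) ($dev['expires_in'] ?? 600);

while (time() < $deadline) {
    sleep($interval);
    $resp = postForm(AUTH_SERVER . '/token', [
        'grant_type'  => 'urn:ietf:params:oauth:grant-type:device_code',
        'device_code' => $dev['device_code'],
        'client_id'   => CLIENT_ID,
    ]);

    if (isset($resp['access_token'])) {
        // Success: store the token securely on the device; never log it.
        printf("Authorized, token type %s\n", $resp['token_type'] ?? 'bearer');
        break;
    }

    switch ($resp['error'] ?? 'unknown') {
        case 'authorization_pending':      // user has not finished yet, keep polling
            continue 2;
        case 'slow_down':                  // we polled too fast: back off before retrying
            $interval += 5;
            continue 2;
        case 'access_denied':              // user explicitly refused
            echo "User denied the request\n";
            break 2;
        case 'expired_token':              // device code outlived its lifetime
            echo "Device code expired; start the flow again\n";
            break 2;
        default:
            throw new RuntimeException('Unexpected error: ' . ($resp['error'] ?? 'unknown'));
    }
}
```

The two things a client most often gets wrong are ignoring `slow_down` (which servers answer with rate limiting or revocation) and polling past `expires_in`; both are handled in the loop above, and the device code is never shown to the user, only the short user code.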

tagged: device flow grant oauth2 example draft standard authorization

Link: http://alexbilbie.com/2016/04/oauth-2-device-flow-grant

Lorna Mitchell:
OAuth2 with PHP's built in Streams Functions
Jan 07, 2016 @ 10:56:54

In a quick post to her site Lorna Mitchell reminds us that you can modify the options on the internal PHP streams (like for HTTP requests), more specifically to add a "Bearer" token value for OAuth2 integration.

For OAuth2, all I had to be able to do was to send an Authorization header with my web request from PHP. My second-favourite way of making API calls from PHP is to use PHP's stream handling, so I did that. It's not code you see very often but it's super-simple and it works on every PHP platform I've tried so far.

She gives a few lines of code to show how to modify the options to add in the token value, basically using an array of options and a call to stream_context_create to create the context. This can then be used in future calls (like the file_get_contents she shows) to automagically send this information along with the request.
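The technique she describes, as an added example that is not the code from her post: a stream context carrying an Authorization: Bearer header, used with file_get_contents, plus the checks a practitioner would want around it (https only, no line breaks in the token, and reading the HTTP status from $http_response_header). The endpoint URL and token value are placeholders.

```php
<?php
// Added example, not from Lorna Mitchell's post. The API URL and the token are placeholders.

/**
 * Build a stream context that attaches an Authorization: Bearer header
 * to every HTTP request made through it.
 */
function bearerContext(string $accessToken)
{
    // A token containing CR or LF would let the header line be split into
    // further headers (header injection), so refuse it outright.
    if (preg_match('/[\r\n]/', $accessToken)) {
        throw new InvalidArgumentException('Access token contains line breaks');
    }

    return stream_context_create([
        'http' => [
            'method'        => 'GET',
            'header'        => "Authorization: Bearer {$accessToken}\r\n"
                             . "Accept: application/json\r\n",
            'ignore_errors' => true,   // return the body on 4xx/5xx instead of false
            'timeout'       => 10,
        ],
    ]);
}

/**
 * Call a JSON API endpoint and return the decoded body together with the
 * HTTP status code, which the http wrapper exposes via $http_response_header.
 */
function callApi(string $url, string $accessToken): array
{
    // A bearer token is exactly that: whoever holds it can use it, so never
    // send it over plain http.
    if (strpos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('API calls must use https');
    }

    $body = file_get_contents($url, false, bearerContext($accessToken));
    if ($body === false) {
        throw new RuntimeException('Request to ' . $url . ' failed');
    }

    // $http_response_header is set in this scope after the call above.
    $status = 0;
    if (isset($http_response_header[0])
        && preg_match('#^HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }

    return ['status' => $status, 'data' => json_decode($body, true)];
}

// Placeholder endpoint and token; replace with real values.
$result = callApi('https://api.example.com/v1/me', 'PLACEHOLDER_ACCESS_TOKEN');
if ($result['status'] === 401) {
    // Token rejected (expired or revoked): obtain a new one, e.g. via the refresh token grant.
    echo "Access token rejected\n";
} else {
    var_dump($result['data']);
}
```

Setting `ignore_errors` is the detail most people miss: without it file_get_contents returns false on a 401, and you lose the JSON error body the API sent back.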

tagged: oauth2 http stream request builtin options bearer tutorial

Link: http://www.lornajane.net/posts/2016/oauth2-phps-built-streams-functions

Rob Allen:
Custom OAuth2 authentication in Apigility
Jul 21, 2015 @ 09:05:49

In an article posted to his site Rob Allen shows you how to hook in the OAuth2 authentication for an Apigility-based application with a pre-existing database table structure that may not match the defaults Apigility is looking for.

I have a client that's writing an Apigility API that needs to talk to a database that's already in place. This also includes the users table that is to be used with Apigility's OAuth2 authentication. Getting Apigility's OAuth2 integration to talk to a specific table name is quite easy. [...] However, if you want to use different column names, that's a bit trickier as they are hardcoded in the OAuth2\Storage\Pdo class. To get Apigility's OAuth2 components to look at the correct columns, you create your own OAuth2 Adapter. I chose to extend ZF\OAuth2\Adapter\PdoAdapter which extends OAuth2\Storage\Pdo and go from there.

He includes the code for this extension of the PdoAdapter (an "OAuth2Adapter" class) in the post, showing the definitions of the get user, set user and check password methods the OAuth2 flow needs to match users to OAuth sessions. He also includes the code for the "OAuth2AdapterFactory" class that's used to pull the custom PDO adapter class into Apigility and, along with some configuration changes, make it available for use. Then it's just a simple matter of changing the authentication type in the Apigility UI.

tagged: apigility oauth2 authentication custom factory pdo adapter oauth tutorial

Link: http://akrabat.com/custom-oauth2-authentication-in-apiiglity/

Binary Studio Blog:
Definitive Guide On Creating Custom Providers For Laravel OAuth2 Authorization
May 26, 2015 @ 12:45:12

A new guide has been posted showing you how to create custom OAuth2 providers for your Laravel application. In this case they wanted to hook the application in via Socialite to the VK social network but needed a custom connector to make it happen.

First of all let’s say that social authorization is very popular and frankly speaking it’s a really handy tool. Surfing the internet we can see a lot of sites and services which offer login with Facebook, Twitter, Google and other social networks. [...] If you’re building your website in PHP using Laravel, probably you’ve noticed Socialite which provides OAuth / OAuth 2 authentication with Facebook, Twitter, Google, and GitHub. The most famous social network which provides OAuth2 authentication in the Russian segment of the internet is vk. But there is a lack of such a connector (provider) in the Socialite library. Actually it’s not a hard problem, so let’s build a new VkProvider on top of Socialite’s components.

He starts with a brief look at the typical OAuth2 authentication flow between the social network and your application. From there it gets more vk.com specific. He shows how to set up the custom application on their side, updating your configuration with the credentials and installing Socialite. He then implements a "VkProvider" defining the required methods based on the interface. He then registers it as a "SocialiteServiceProvider" and uses it in a "login" request route.

tagged: oauth2 guide custom provider laravel socialite tutorial vkcom russian

Link: http://binary-studio.com/2015/05/25/laravel-oauth2/

Is Your OAuth 2.0 Application Secure?
May 26, 2014 @ 11:29:39

The PHPClasses.org blog has a new post highlighting a vulnerability in the OAuth 2.0 specification that's been talked about quite a bit lately, the Covert Redirect Vulnerability. This issue allows potential attackers to trick users into redirecting to malicious sites and possibly gain access to personal information.

This vulnerability affects applications that implement protocols like OAuth 2.0 and OpenID. Let's see how this affects an OAuth 2.0 application. [...] The way it works is that your application redirects to a specific page of the Facebook site. There the user is asked if he wants to give your application permission to access the Facebook API on his behalf. After the user agrees, his browser is redirected back to your site to a URL that your application specified called redirect_uri. From then on your site completes the process to get a special access token string that will be used by your site to access the Facebook API on behalf of the user.

This token represents the user and can then be used to access the user's account. If that token fell into the wrong hands, they could access data they shouldn't. He includes a diagram of the flow and a link to a video explaining the problem in a bit more depth. He recommends three ways to help prevent this issue and what to look for in your implementation that could leave you vulnerable.
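The server-side check that closes this class of problem is strict validation of redirect_uri against what the client pre-registered. As an added example (not code from the PHPClasses post, and not necessarily one of the three measures it recommends), here is that check in PHP with a constructed in-memory client registry; the client id and URIs are sample values.

```php
<?php
// Added example, not from the original post. The client registry below is a
// constructed sample standing in for whatever store an authorization server uses.

// Each client registers the exact redirect URIs it is allowed to use.
$clients = [
    'app-123' => [
        'redirect_uris' => ['https://app.example.com/oauth/callback'],
    ],
];

/**
 * True only if $candidate is byte-for-byte one of the client's registered
 * redirect URIs. Prefix or host-only matching is what allows any open
 * redirect on the client's own domain to become a covert redirect.
 */
function redirectUriIsRegistered(array $clients, string $clientId, string $candidate): bool
{
    if (!isset($clients[$clientId])) {
        return false;
    }

    // Only absolute https URLs without a fragment are acceptable.
    $parts = parse_url($candidate);
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || empty($parts['host'])
        || isset($parts['fragment'])) {
        return false;
    }

    foreach ($clients[$clientId]['redirect_uris'] as $registered) {
        if (hash_equals($registered, $candidate)) {
            return true;
        }
    }
    return false;
}

/**
 * Handle an authorization request. When redirect_uri is not registered the
 * error is shown to the user in place; the browser is never sent to the
 * supplied URI, because that redirect is exactly what an attacker wants.
 */
function authorizeRequest(array $clients, array $query): string
{
    $clientId = $query['client_id'] ?? '';
    $uri      = $query['redirect_uri'] ?? '';

    if (!redirectUriIsRegistered($clients, $clientId, $uri)) {
        return 'error: redirect_uri is not registered for client ' . $clientId;
    }

    // ... show the consent screen, then redirect to $uri with the code and state ...
    return 'ok: would redirect to ' . $uri;
}

// Constructed requests: an exact match, and a same-host URL with a different path.
echo authorizeRequest($clients, [
    'client_id'    => 'app-123',
    'redirect_uri' => 'https://app.example.com/oauth/callback',
]), "\n";

echo authorizeRequest($clients, [
    'client_id'    => 'app-123',
    'redirect_uri' => 'https://app.example.com/some/other/page',
]), "\n";
```

The second request is refused even though the host is the client's own: exact matching is the point. On the client side the complementary control is a per-request `state` value stored in the session and checked on the callback, so that a response cannot be replayed into a different user's session.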

tagged: oauth2 security redirect uri malicious attack

Link: http://www.phpclasses.org/blog/package/7700/post/4-Is-Your-OAuth-20-Application-Secure.html

Create Login With Google Plus in Your Website With PHP
Apr 15, 2014 @ 10:20:31

On the InfoTuts.com site they've posted a tutorial showing you how to make a "Log in with Google" button for your application and make it work with a little PHP magic on the backend.

So you want to allow users to login into your website using their Gmail credentials? You have seen various websites that allow their users to login in their websites using Gmail, Facebook, LinkedIn, Microsoft, GitHub credentials. It’s time to integrate it in your website. We will cover all the login systems in our posts one by one and this one is dedicated to creating a Google Plus login for your website with PHP using OAuth2. Google offers many APIs like Google Maps, Translate API, Analytics API etc. Today we will use its Google Plus API so let's proceed with our tutorial.

They break the process down into about five steps:

  • Login to Google API Console. Go to APIs and you will have to turn on Google Plus API.
  • Go to APIs and Auth and then under credentials tab. Click on create new client ID as shown below.
  • Now you will have to enter your website path and the file path (redirect URI) to get your new client ID.
  • Now you have to set up the consent screen.
  • On the consent screen, if you have entered a Google Plus page path, you will have to approve the connection.

The code for the actual connection is in the last step. It uses Google's PHP client libraries to configure and make the request, fetch the access token and grab the Google+ user's data.

tagged: googleplus login oauth2 client library tutorial

Link: http://www.infotuts.com/login-with-google-plus-in-your-website-php

PHP Town Hall Podcast:
Episode 9 - Is OAuth 2 the Devil?
Jul 15, 2013 @ 09:49:18

The PHP Town Hall podcast has released their latest episode - #9: "Is OAuth 2 the Devil?" with special guests Alex Bilbie and Zackary Blank.

Alex Bilbie and Zackary Blank come on the show to talk about OAuth 2, which has been getting a lot of flamey bad press over the last year or two after the original author quit the project. Why these guys? Well, Alex until recently was working at the University of Lincoln where they did a whole bunch of OAuth 2 work as auth for various API projects at the university. [...] Zachary works for a different company on the same floor as Phil, and a client who shall remain nameless has been complaining about OAuth 2, for reasons that we both felt to be… well… silly.

You can listen to this latest episode either through the in-page player, by downloading the mp3 or by subscribing to their feed.

tagged: podcast phptownhall oauth2 devil alexbilbie zackaryblank

Link: http://phptownhall.com//blog/2013/07/10/episode-9-is-oauth-2-the-devil/