
PHPClasses.org:
Is Your OAuth 2.0 Application Secure?
May 26, 2014 @ 11:29:39

The PHPClasses.org blog has a new post highlighting a vulnerability in the OAuth 2.0 specification that's been talked about quite a bit lately, the Covert Redirect Vulnerability. This issue allows potential attackers to trick users into redirecting to malicious sites and possibly gain access to personal information.

This vulnerability affects applications that implement protocols like OAuth 2.0 and OpenID. Let's see how this affects an OAuth 2.0 application. [...] The way it works is that your application redirects to a specific page of the Facebook site. There the user is asked if he wants to give your application permission to access Facebook API on his behalf. After the user agrees, his browser is redirected back to your site to a URL that your application specified called redirect_uri. From then on your site completes the process to get a special access token string that will be used by your site to access Facebook API on behalf of the user.

This token represents the user and can be used to access the user's account. If that token fell into the wrong hands, an attacker could access data they shouldn't. The author includes a diagram of the flow and a link to a video explaining the problem in a bit more depth. He recommends three ways to help prevent this issue and describes what to look for in your implementation that could leave you vulnerable.

oauth2 security redirect uri malicious attack

Link: http://www.phpclasses.org/blog/package/7700/post/4-Is-Your-OAuth-20-Application-Secure.html

InfoTuts.com:
Create Login With Google Plus in Your Website With PHP
April 15, 2014 @ 10:20:31

On the InfoTuts.com site they've posted a tutorial showing you how to make a "Log in with Google" button for your application and make it work with a little PHP magic on the backend.

So you want to allow users to log in to your website using their Gmail credentials? You have seen various websites that allow their users to log in to their websites using Gmail, Facebook, LinkedIn, Microsoft, GitHub credentials. It's time to integrate it in your website. We will cover all the login system in our posts one by one and this one is dedicated to create Google Plus login for your website with PHP using OAuth2. Google offers many APIs like Google Maps, translate API, Analytics API etc. Today we will use its Google Plus API so let's proceed with our tutorial.

They break the process down into about five steps:

  • Login to Google API Console. Go to APIs and you will have to turn on Google Plus API.
  • Go to APIs and Auth and then under credentials tab. Click on create new client ID as shown below.
  • Now you will have to enter your website path and the file path (redirect URI) to get your new client ID.
  • Now you have to set Consent screen.
  • In consent screen if you have entered Google Plus page path then you will have to approve connection.

The code for the actual connection is in the last step. It uses Google's PHP client libraries to configure and make the request, fetch the access token and grab the Google+ user's data.

googleplus login oauth2 client library tutorial

Link: http://www.infotuts.com/login-with-google-plus-in-your-website-php

PHP Town Hall Podcast:
Episode 9 - Is OAuth 2 the Devil?
July 15, 2013 @ 09:49:18

The PHP Town Hall podcast has released its latest episode - #9: "Is OAuth 2 the Devil?" with special guests Alex Bilbie and Zackary Blank.

Alex Bilbie and Zackary Blank come on the show to talk about OAuth 2, which has been getting a lot of flamey bad press over the last year or two after the original author quit the project. Why these guys? Well, Alex until recently was working at the University of Lincoln where they did a whole bunch of OAuth 2 work as auth for various API projects at the university. [...] Zachary works for a different company on the same floor as Phil, and a client who shall remain nameless has been complaining about OAuth 2, for reasons that we both felt to be… well… silly.

You can listen to this latest episode either through the in-page player, by downloading the mp3 or by subscribing to their feed.

podcast phptownhall oauth2 devil alexbilbie zackaryblank

Link: http://phptownhall.com//blog/2013/07/10/episode-9-is-oauth-2-the-devil/

Lorna Mitchell's Blog:
Using OAuth2 for Google APIs with PHP
March 29, 2012 @ 12:02:21

Lorna Mitchell has a new post to her blog today showing how to use the functionality provided by the pecl_http extension to make an OAuth2 connection to Google.

I've written about Google and OAuth before, but that was OAuth v1.0, and they are introducing OAuth2 for their newer APIs; in this example I was identifying myself in order to use the Google Plus API. [...] OAuth 2 doesn't need an extension or any particular library as it doesn't have the signing component that OAuth 1 had, and OAuth 2 also has fewer round trips. It does require SSL however, because the requests are in the clear.

She includes some code snippets with an example of a connection - making a request to the remote HTTPS resource, adding some parameters to the URL (including the response type, your client ID and a redirect url). The response then contains the "code" value you'll need to make the second request to fetch the access token you'll need on future requests. You can find out more about the interface she's accessing in these docs about the Google Plus API.

oauth2 tutorial googleplus token pecl http


Phil Sturgeon's Blog:
NinjAuth The Social Integration Package PHP has been dying for
September 19, 2011 @ 08:59:31

New on his blog, Phil Sturgeon has a post about the social integration package PHP has been dying for - NinjAuth. It has hooks for OAuth and OAuth2 connections and abstracts them completely so they are simple to use.

In the past I have never needed to implement oAuth into a PHP project. I have done it in Rails and boy it was easy thanks to OmniAuth. OmniAuth abstracts away so much of the grunt work that it takes about 5 minutes to add a new social network to your site, and 4 of those minutes are spent signing up for the API keys. What options do we have in the world of PHP? A bunch of screwy hacks or provider specific classes like TwitterOAuth. I don't want to hunt down 20 libraries with different methods, I want to get a key, bang it in and go to the pub. Well, now I can!

It uses the fuel-oauth and fuel-oauth2 packages to drive its backend. He includes a code snippet showing how to configure the providers (complete with keys needed for auth) including Facebook, Flickr, GitHub, YouTube and - of course - Twitter. You can grab the latest version of this library from Phil's GitHub account.

ninjauth social network oauth oauth2 integration codeigniter fuelphp




All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework