
Rob Allen:
Custom OAuth2 authentication in Apiiglity
Jul 21, 2015 @ 09:05:49

In an article posted to his site Rob Allen shows you how to hook in the OAuth2 authentication for an Apigility-based application with a pre-existing database table structure that may not match the defaults Apigility is looking for.

I have a client that's writing an Apigility API that needs to talk to a database that's already in place. This also includes the users table that is to be used with Apigility's OAuth2 authentication. Getting Apigility's OAuth2 integration to talk to a specific table name is quite easy. [...] However, if you want to use different column names, that's a bit trickier as they are hardcoded in the OAuth2\Storage\Pdo class. To get Apigility's OAuth2 components to look at the correct columns, you create your own OAuth2 Adapter. I chose to extend ZF\OAuth2\Adapter\PdoAdapter which extends OAuth2\Storage\Pdo and go from there.

He includes the code for this extension of the PdoAdapter (an "OAuth2Adapter" class) in the post, showing the getUser, setUser and checkPassword methods the OAuth2 flow needs to match users to OAuth sessions. He also includes the code for the "OAuth2AdapterFactory" class that pulls the custom PDO adapter into Apigility's service manager and, along with some configuration changes, makes it available for use. Then it's just a simple matter of changing the authentication type in the Apigility UI.
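As an added illustration (this is not Rob's code), the shape such an adapter and factory take. It assumes a legacy table named legacy_users with columns id, email and pw_hash; the config wiring at the end follows the zf-oauth2 module's own storage/db conventions, and the exact key for selecting the adapter varies by Apigility version.

```php
<?php
// Added example, not Rob Allen's code: a zf-oauth2 storage adapter that reads a
// pre-existing users table whose column names differ from the library defaults.
// The table/column names (legacy_users, id, email, pw_hash) are assumptions.
namespace Application\OAuth2;

use ZF\OAuth2\Adapter\PdoAdapter;
use Zend\ServiceManager\FactoryInterface;
use Zend\ServiceManager\ServiceLocatorInterface;

class LegacyUserAdapter extends PdoAdapter
{
    // Real schema of the legacy table; adjust to match. Only these constants
    // reach the SQL below, so sprintf() here is not an injection point.
    const TABLE    = 'legacy_users';
    const COL_ID   = 'id';
    const COL_USER = 'email';
    const COL_HASH = 'pw_hash';

    /**
     * Look up a user by login name. The base library's checkUserCredentials()
     * calls getUser() and then checkPassword(), so the row is aliased to the
     * keys it expects ('user_id', 'username', 'password') whatever the columns
     * are really called.
     */
    public function getUser($username)
    {
        $sql = sprintf(
            'SELECT %s AS user_id, %s AS username, %s AS password FROM %s WHERE %s = :username',
            self::COL_ID, self::COL_USER, self::COL_HASH, self::TABLE, self::COL_USER
        );
        $stmt = $this->db->prepare($sql);
        $stmt->execute(array('username' => $username));
        $row = $stmt->fetch(\PDO::FETCH_ASSOC);
        return $row ? $row : false;
    }

    /**
     * Create a user with a bcrypt hash. password_hash() is used here in place
     * of the parent's Zend\Crypt\Password\Bcrypt; both produce $2y$ hashes.
     */
    public function setUser($username, $password, $firstName = null, $lastName = null)
    {
        $sql = sprintf('INSERT INTO %s (%s, %s) VALUES (:username, :password)',
            self::TABLE, self::COL_USER, self::COL_HASH);
        $stmt = $this->db->prepare($sql);
        return $stmt->execute(array(
            'username' => $username,
            'password' => password_hash($password, PASSWORD_BCRYPT),
        ));
    }

    /** Verify a password against the stored hash in constant time. */
    public function checkPassword($user, $password)
    {
        return isset($user['password']) && password_verify($password, $user['password']);
    }
}

/** Builds the adapter from the zf-oauth2.db settings, mirroring what the
 *  module's stock PdoAdapterFactory does for the default adapter. */
class LegacyUserAdapterFactory implements FactoryInterface
{
    public function createService(ServiceLocatorInterface $services)
    {
        $config = $services->get('Config');
        if (empty($config['zf-oauth2']['db']['dsn'])) {
            throw new \RuntimeException('zf-oauth2.db.dsn is not configured');
        }
        $db       = $config['zf-oauth2']['db'];
        $settings = isset($config['zf-oauth2']['storage_settings'])
            ? $config['zf-oauth2']['storage_settings'] : array();
        return new LegacyUserAdapter(array(
            'dsn'      => $db['dsn'],
            'username' => isset($db['username']) ? $db['username'] : null,
            'password' => isset($db['password']) ? $db['password'] : null,
            'options'  => isset($db['options'])  ? $db['options']  : array(),
        ), $settings);
    }
}

// Wiring (assumed to follow the module's default 'storage' key; the db block
// is what Apigility already writes), e.g. in config/autoload/oauth2.local.php:
// return array(
//     'service_manager' => array('factories' => array(
//         'Application\OAuth2\LegacyUserAdapter' => 'Application\OAuth2\LegacyUserAdapterFactory',
//     )),
//     'zf-oauth2' => array('storage' => 'Application\OAuth2\LegacyUserAdapter'),
// );
```

The point of the aliasing in getUser() is that the rest of the bshaffer library never learns the real column names: checkUserCredentials() still receives 'user_id' and 'password', so nothing else in the OAuth2 server needs to change.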

tagged: apigility oauth2 authentication custom factory pdo adapter oauth tutorial

Link: http://akrabat.com/custom-oauth2-authentication-in-apiiglity/

Binary Studio Blog:
Definitive Guide On Creating Custom Providers For Laravel OAuth2 Authorization
May 26, 2015 @ 12:45:12

A new guide has been posted showing you how to create custom OAuth2 providers for your Laravel application. In this case they wanted to hook the application in via Socialite to the VK social network but needed a custom connector to make it happen.

First of all, let's say that social authorization is very popular and, frankly speaking, it's a really handy tool. Surfing the internet we can see a lot of sites and services which offer login with Facebook, Twitter, Google and other social networks. [...] If you're building your website in PHP using Laravel, probably you've noticed Socialite, which provides OAuth / OAuth 2 authentication with Facebook, Twitter, Google, and GitHub. The most famous social network which provides OAuth2 authentication in the Russian segment of the internet is vk. But there is no such connector (provider) in the Socialite library. Actually it's not a hard problem, so let's build a new VkProvider on top of Socialite's components.

He starts with a brief look at the typical OAuth2 authentication flow between the social network and your application. From there it gets more vk.com specific. He shows how to set up the custom application on their side, updating your configuration with the credentials and installing Socialite. He then implements a "VkProvider" defining the required methods based on the interface. He then registers it as a "SocialiteServiceProvider" and uses it in a "login" request route.
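The skeleton of such a provider, as an added example that is not the Binary Studio code: the four protected methods are the ones Laravel Socialite's AbstractProvider declares abstract, and Socialite itself supplies the state generation and verification around them. The VK endpoint URLs, the 'email' scope, the 'v' API-version parameter, the services.vk config block and the shape of the users.get response are assumptions to check against VK's documentation.

```php
<?php
// Added example, not the Binary Studio code: a custom Socialite OAuth2 provider.
// The four protected methods are those Laravel Socialite's AbstractProvider
// requires. VK endpoint URLs, scope name, API version parameter and the
// users.get response shape are assumptions; verify against VK's docs.
namespace App\Socialite;

use Laravel\Socialite\Two\AbstractProvider;
use Laravel\Socialite\Two\ProviderInterface;
use Laravel\Socialite\Two\User;

class VkProvider extends AbstractProvider implements ProviderInterface
{
    /** Scopes requested on the authorize step (assumed VK scope name). */
    protected $scopes = ['email'];

    /** Step 1: where the browser is sent. buildAuthUrlFromBase() appends
     *  client_id, redirect_uri, scope, response_type=code and the state value
     *  Socialite stores in the session and compares again in user(). */
    protected function getAuthUrl($state)
    {
        return $this->buildAuthUrlFromBase('https://oauth.vk.com/authorize', $state);
    }

    /** Step 2: token endpoint; Socialite posts getTokenFields($code) here. */
    protected function getTokenUrl()
    {
        return 'https://oauth.vk.com/access_token';
    }

    /** Step 3: fetch the profile with the access token. Assumes users.get
     *  returns the token owner when no user_ids are given and wraps the
     *  result as {"response": [ {...} ]}. */
    protected function getUserByToken($token)
    {
        $response = $this->getHttpClient()->get(
            'https://api.vk.com/method/users.get?' . http_build_query([
                'fields'       => 'photo_200',
                'access_token' => $token,
                'v'            => '5.131',   // assumed API version
            ])
        );
        $body = json_decode((string) $response->getBody(), true);
        if (!isset($body['response'][0])) {
            throw new \RuntimeException('VK users.get returned no user: ' . json_encode($body));
        }
        return $body['response'][0];
    }

    /** Step 4: translate the raw profile into Socialite's User object. */
    protected function mapUserToObject(array $user)
    {
        return (new User)->setRaw($user)->map([
            'id'       => $user['id'],
            'nickname' => null,
            'name'     => trim(($user['first_name'] ?? '') . ' ' . ($user['last_name'] ?? '')),
            'email'    => null,   // assumption: VK delivers email with the token response, not from users.get
            'avatar'   => $user['photo_200'] ?? null,
        ]);
    }
}

// Registration, in a service provider's boot() (assumes a services.vk config
// block with client_id, client_secret and redirect, like the built-in drivers):
//
// use Laravel\Socialite\Facades\Socialite;
//
// Socialite::extend('vk', function ($app) {
//     return Socialite::buildProvider(VkProvider::class, $app['config']['services.vk']);
// });
//
// After that Socialite::driver('vk')->redirect() and ->user() behave like any built-in driver.
```

Because state handling lives in AbstractProvider, a provider written this way gets CSRF protection on the callback for free; the provider author's job is limited to the endpoints and the profile mapping.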

tagged: oauth2 guide custom provider laravel socialite tutorial vkcom russian

Link: http://binary-studio.com/2015/05/25/laravel-oauth2/

PHPClasses.org:
Is Your OAuth 2.0 Application Secure?
May 26, 2014 @ 11:29:39

The PHPClasses.org blog has a new post on an issue affecting OAuth 2.0 and OpenID deployments that has been talked about quite a bit lately, the Covert Redirect vulnerability. It lets an attacker bounce a user through a legitimate site's redirect endpoint on to a malicious site, and with it potentially capture the authorization code or token and the personal information it unlocks.

This vulnerability affects applications that implement protocols like OAuth 2.0 and OpenID. Let's see how this affects an OAuth 2.0 application. [...] The way it works is that your application redirects to a specific page of the Facebook site. There the user is asked if he wants to give your application permission to access the Facebook API on his behalf. After the user agrees, his browser is redirected back to your site to a URL that your application specified called redirect_uri. From then on your site completes the process to get a special access token string that will be used by your site to access the Facebook API on behalf of the user.

This token represents the user and can then be used to access the user's account. If that token fell into the wrong hands, they could access data they shouldn't. He includes a diagram of the flow and a link to a video explaining the problem in a bit more depth. He recommends three ways to help prevent this issue and what to look for in your implementation that could leave you vulnerable.
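The crux of covert redirect is how loosely the provider matches redirect_uri. As an added example (not from the PHPClasses post), here is the loose host-only check beside the strict exact-match check an authorization server should perform; the registered URI and the sample requests are constructed for the demo, and the code needs PHP 7 or later.

```php
<?php
// Added example, not from the PHPClasses post: how an authorization server
// decides whether a client-supplied redirect_uri may receive the code.
// The registered URIs and the requests below are constructed for the demo.
declare(strict_types=1);

/**
 * Loose check: any URI on the registered host is accepted. Covert redirect
 * relies on exactly this: if the client site has an open redirector anywhere
 * on that host, the attacker registers nothing and still receives the code
 * (or, with response_type=token, the access token in the fragment).
 */
function redirectAllowedByHost(array $registered, string $requested): bool
{
    $host = parse_url($requested, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach ($registered as $uri) {
        if (strcasecmp((string) parse_url($uri, PHP_URL_HOST), $host) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Normalise scheme, host, port and path so that two spellings of the same
 * URI compare equal. Fragments and userinfo are rejected outright
 * (RFC 6749 section 3.1.2 forbids a fragment in a redirection endpoint).
 */
function normalizeRedirectUri(string $uri): ?string
{
    $p = parse_url($uri);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || isset($p['fragment']) || isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    $port   = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    $path   = ($p['path'] ?? '') === '' ? '/' : $p['path'];
    $query  = isset($p['query']) ? '?' . $p['query'] : '';
    return "$scheme://$host:$port$path$query";
}

/**
 * Strict check: the requested URI must be byte-identical, after
 * normalisation, to one registered out of band. The query string is part
 * of the comparison, so an open redirector's ?next= parameter never matches.
 */
function redirectAllowedExact(array $registered, string $requested): bool
{
    $want = normalizeRedirectUri($requested);
    if ($want === null) {
        return false;
    }
    foreach ($registered as $uri) {
        if (normalizeRedirectUri($uri) === $want) {
            return true;
        }
    }
    return false;
}

// Constructed demo: one registered callback, then three requests: a covert
// redirect through an open redirector on the same host, an alternative
// spelling of the registered URI, and a scheme downgrade to plain http.
$registered = ['https://app.example.com/oauth/callback'];
$requests = [
    'covert redirect' => 'https://app.example.com/logout?next=https://attacker.example/',
    'same URI, odd case' => 'HTTPS://App.Example.com:443/oauth/callback',
    'http downgrade' => 'http://app.example.com/oauth/callback',
];
foreach ($requests as $label => $uri) {
    printf("%-20s by-host=%s exact=%s\n", $label,
        redirectAllowedByHost($registered, $uri) ? 'allow' : 'deny',
        redirectAllowedExact($registered, $uri) ? 'allow' : 'deny');
}
```

The host-only check lets the covert-redirect request through; the exact check denies it and the http downgrade while still accepting the differently-cased spelling of the registered callback. On the client side the complementary controls are to register only dedicated callback URLs, never a page that forwards to a user-supplied destination, and to send and verify a state parameter on every authorization request.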

tagged: oauth2 security redirect uri malicious attack

Link: http://www.phpclasses.org/blog/package/7700/post/4-Is-Your-OAuth-20-Application-Secure.html

InfoTuts.com:
Create Login With Google Plus in Your Website With PHP
Apr 15, 2014 @ 10:20:31

On the InfoTuts.com site they've posted a tutorial showing you how to make a "Log in with Google" button for your application and make it work with a little PHP magic on the backend.

So you want to allow users to log in to your website using their Gmail credentials? You have seen various websites that allow their users to log in using Gmail, Facebook, LinkedIn, Microsoft or GitHub credentials. It's time to integrate it in your website. We will cover all the login systems in our posts one by one, and this one is dedicated to creating a Google Plus login for your website with PHP using OAuth2. Google offers many APIs like the Google Maps, Translate and Analytics APIs etc. Today we will use its Google Plus API, so let's proceed with our tutorial.

They break the process down into about five steps:

  • Log in to the Google API Console. Go to APIs and you will have to turn on the Google Plus API.
  • Go to APIs and Auth and then to the Credentials tab. Click on Create new Client ID as shown below.
  • Now you will have to enter your website path and the file path (redirect URI) to get your new client ID.
  • Now you have to set up the Consent screen.
  • In the consent screen, if you have entered a Google Plus page path then you will have to approve the connection.

The code for the actual connection is in the last step. It uses Google's PHP client libraries to configure and make the request, fetch the access token and grab the Google+ user's data.

tagged: googleplus login oauth2 client library tutorial

Link: http://www.infotuts.com/login-with-google-plus-in-your-website-php

PHP Town Hall Podcast:
Episode 9 - Is OAuth 2 the Devil?
Jul 15, 2013 @ 09:49:18

The PHP Town Hall podcast has released their latest episode - #9: "Is OAuth 2 the Devil?" with special guests Alex Bilbie and Zackary Blank.

Alex Bilbie and Zackary Blank come on the show to talk about OAuth 2, which has been getting a lot of flamey bad press over the last year or two after the original author quit the project. Why these guys? Well, Alex until recently was working at the University of Lincoln where they did a whole bunch of OAuth 2 work as auth for various API projects at the university. [...] Zackary works for a different company on the same floor as Phil, and a client who shall remain nameless has been complaining about OAuth 2, for reasons that we both felt to be… well… silly.

You can listen to this latest episode either through the in-page player, by downloading the mp3 or by subscribing to their feed.

tagged: podcast phptownhall oauth2 devil alexbilbie zackaryblank

Link: http://phptownhall.com//blog/2013/07/10/episode-9-is-oauth-2-the-devil/

Lorna Mitchell's Blog:
Using OAuth2 for Google APIs with PHP
Mar 29, 2012 @ 12:02:21

Lorna Mitchell has a new post to her blog today showing how to use the functionality provided by the pecl_http extension to make an OAuth2 connection to Google.

I've written about Google and OAuth before, but that was OAuth v1.0, and they are introducing OAuth2 for their newer APIs; in this example I was identifying myself in order to use the Google Plus API. [...] OAuth 2 doesn't need an extension or any particular library as it doesn't have the signing component that OAuth 1 had, and OAuth 2 also has fewer round trips. It does require SSL however, because the requests are in the clear.

She includes some code snippets with an example of a connection: making a request to the remote HTTPS resource, adding some parameters to the URL (including the response type, your client ID and a redirect URL). The redirect back to your site then carries the "code" value you'll need to make the second request, which fetches the access token you'll use on future requests. You can find out more about the interface she's accessing in the docs for the Google Plus API.
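The same two-request flow written out end to end, as an added example that is neither Lorna's pecl_http code nor the Google client library used in the InfoTuts tutorial above: it uses ext/curl, and adds the state check both posts' flows need. CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders; the endpoint URLs are Google's currently documented OAuth 2.0 endpoints and 'openid email profile' its standard identity scopes. Requires PHP 7 or later.

```php
<?php
// Added example, not Lorna Mitchell's pecl_http code and not Google's client
// library: the OAuth 2 authorization-code flow against Google with ext/curl.
// CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders; the endpoints
// and scopes are taken from Google's current OAuth 2.0 documentation.
declare(strict_types=1);
session_start();

const AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/v2/auth';
const TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token';
const CLIENT_ID      = 'YOUR_CLIENT_ID.apps.googleusercontent.com';   // placeholder
const CLIENT_SECRET  = 'YOUR_CLIENT_SECRET';                           // placeholder
const REDIRECT_URI   = 'https://app.example.com/oauth/callback';       // placeholder; must be registered exactly

/** Step 1: build the URL the browser is sent to. */
function buildAuthorizationUrl(): string
{
    // state: unguessable, bound to this session, checked on return. Without it
    // an attacker can hand your callback a code for *their* account (login CSRF).
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth2_state'] = $state;
    return AUTH_ENDPOINT . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'scope'         => 'openid email profile',
        'state'         => $state,
    ]);
}

/** Step 2: back on redirect_uri, validate the round trip before using the code. */
function handleCallback(array $query): array
{
    if (isset($query['error'])) {
        throw new RuntimeException('authorization failed: ' . $query['error']);
    }
    $expected = $_SESSION['oauth2_state'] ?? null;
    unset($_SESSION['oauth2_state']);                       // single use
    if ($expected === null || !isset($query['code'], $query['state'])
        || !hash_equals($expected, (string) $query['state'])) {
        throw new RuntimeException('state mismatch, refusing to use the code');
    }
    return exchangeCode((string) $query['code']);
}

/** Step 3: server-to-server exchange of the code for tokens over TLS. */
function exchangeCode(string $code): array
{
    $ch = curl_init(TOKEN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
            'redirect_uri'  => REDIRECT_URI,   // must repeat the value used in step 1
        ]),
        CURLOPT_RETURNTRANSFER => true,
        // Leave certificate checks on: OAuth 2 has no message signing, so TLS is
        // the only thing keeping the client secret and the tokens private.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException('token request failed: ' . $err);
    }
    $token = json_decode($body, true);
    if ($status !== 200 || !is_array($token) || empty($token['access_token'])) {
        throw new RuntimeException('token endpoint returned HTTP ' . $status);
    }
    return $token;   // access_token, expires_in, id_token (openid scope), sometimes refresh_token
}

// Dispatch: a first visit sends the user to Google; the callback finishes the flow.
if (isset($_GET['code']) || isset($_GET['error'])) {
    $token = handleCallback($_GET);
    // Keep $token server-side (session or datastore); never echo it into the page.
} else {
    header('Location: ' . buildAuthorizationUrl(), true, 302);
    exit;
}
```

The second request is the one Lorna's post warns about: it carries the client secret and receives the bearer token, and because OAuth 2 dropped OAuth 1's request signing, a disabled certificate check turns any on-path attacker into the holder of that token.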

tagged: oauth2 tutorial googleplus token pecl http

Link:

Phil Sturgeon's Blog:
NinjAuth: The Social Integration Package PHP has been dying for
Sep 19, 2011 @ 08:59:31

New on his blog Phil Sturgeon has a post about the social integration package PHP has been dying for - NinjAuth. It has hooks for OAuth and OAuth2 connections and hides the provider-specific details behind a single interface.

In the past I have never needed to implement oAuth into a PHP project. I have done it in Rails and boy it was easy thanks to OmniAuth. OmniAuth abstracts away so much of the grunt work that it takes about 5 minutes to add a new social network to your site, and 4 of those minutes are spent signing up for the API keys. What options do we have in the world of PHP? A bunch of screwy hacks or provider specific classes like TwitterOAuth. I don't want to hunt down 20 libraries with different methods, I want to get a key, bang it in and go to the pub. Well, now I can!

It uses the fuel-oauth and fuel-oauth2 packages to drive its backend. He includes a code snippet showing how to configure the providers (complete with the keys needed for auth) including Facebook, Flickr, GitHub, YouTube and - of course - Twitter. You can grab the latest version of this library from Phil's GitHub account.

tagged: ninjauth social network oauth oauth2 integration codeigniter fuelphp

Link: