Buy

Serious OAuth in 8 Steps

Serious OAuth in 8 Steps

Hey guys and gals! In this tutorial, we’re going to get serious with OAuth by building an app with some complex and real-life features, like Facebook authentication, dealing with refresh tokens and more. We’ll need about 8 steps to turn a barebones starting app into a complex, OAuth machine:

  1. Client Credentials: making API requests for our own account
  2. Authorization Code: Getting a token for another user’s account
  3. Logging in via OAuth
  4. OAuth with Facebook
  5. OAuth in JavaScript with Google+
  6. Handling Expired Tokens
  7. Using Refresh Tokens
  8. Tightening up Security

As we go through these, we’ll give you any theory and background you need.

Tiny Crash Course in OAuth

For now, you just need to understand that OAuth is an Authorization Framework. In human-speak, it means that it defines the different ways two parties, like your cool web site and a user on your website, can exchange tokens securely. Each of these ways is known as a grant type and though they look different, each grant type will always deliver an access token.

OAuth Token

So what’s this token? It’s just a unique string tied to my account that gives you access to make API requests on my behalf. It’s like a username and password all rolled into one. For example, if ABCD1234 is a valid token to my Facebook account, then an HTTP request that looks like this would post to my timeline:

POST /weaverryan/feed HTTP/1.1
Host: graph.facebook.com
Content-Type: application/x-www-form-urlencoded
Content-Length: length

access_token=ABCD1234&message=Hello

Exactly how you pass the access token in an API request is different between Facebook, Twitter, or any other API. But it’s always there

I could just give you my username and password, but a token is much better. If I give 10 apps access to my account, each app will have its own token, which means I can revoke access to some apps, but not others.

Tokens can have a limited scope, which is huge. Unlike a password which gives you access to do anything on my account, I can give you a token that lets you view my Facebook friends, but not post to my wall.

So OAuth is really just a big set of rules that describe how two parties can exchange tokens. If I create a website where I want to access my users’ Facebook friends, exactly how does a user give me an access token?

Let’s answer that question, along with the thrilling topic of token expiration, the hopeful story of refresh tokens, the inspirational tale of single-sign on and all kinds of other things.

Let’s go!

Leave a comment!

  • 2016-09-18 shilpagov82

    This could be useful in helping you monitor REST APIs for performance and accuracy. Uptime Cloud Monitor supports monitoring REST APIs on a completely SAAS based model.
    The setup is quick and easy. You can configure the REST API URL, the REST method (GET/ POST/ PUT/ DELETE), request parameters (if any), credentials required (if any), the monitoring frequency, the geographic location of the monitoring stations (from a choice of 15 stations across the globe). You can match the REST API response body against a specific string to ensure that the response is as expected.

    You can also configure alerts (notified via SMS, Email, PagerDuty etc) to be triggered based on API downtime, performance degradation or API response verification failure.

    More details on REST API Monitoring: http://community.idera.com/blo......

    You can also sign up for a 14 day free trial of Uptime Cloud Monitor

    Disclaimer: I work at Uptime Cloud Monitor

  • 2016-05-11 weaverryan

    Hi Sudhir!

    1. Your code for this part looks perfect, so I'm a bit confused to why you are being redirected incorrectly. When you view the HTML source of your page, do you see this?


    window.location.replace('/app_dev.php/login/flight');

    Or is the app_dev.php missing from this string? Also, try using window.location = '' instead of replace - just in case that's causing problems.

    2. I'm not sure about this. What do you mean that it doesn't work when the method is POST? Do you mean that the AJAX request causes a 404? Or that it works but you cannot access your POST data? If you're not using the build-in web server, what web server are you using? Also, even if you're not using the built-in web server, you should point your web server at the "web" directory as the document root so that you have nice URLs like /app_dev.php/login (without the /web in front) :).

    Cheers!

  • 2016-05-11 Sudhir Gupta

    hi weaverryan

    hope u r doing good.
    in my current project i am facing a 2 issue.
    here is my problem statement.

    1. i am sending a ajax request to validate the login. when valid credentials matched i am trying to redirecting on dashboard.
    my current url is www.projectUrl//web/app_dev.php/login/
    after that i want to redirect at www.projectUrl//web/app_dev.php/flight/
    in js file here is my code

           window.setTimeout(function(){
    window.location.replace('{{ path ("/flight")}}');
    },1000)

    using this code the redirection is going on /login/flight. (i want app_dev.php/flight/). may u help me where i am doing worng.




    2nd issue.
    when i am using /web/app_dev.php/login/ (without symfony server:run) my post method didn't work. ajax is working fine but i am not getting Post variable. surprising thing is if i am using GET method then its work never when i use POST.

    Here is my ajax code.

    $.ajax({
    url : httpPath, // path via parameter
    data: serializeData,
    method: 'POST',
    cache: false,
    contentType: 'application/json',
    timeout: 5000,
    ......

    may u help me where i am doing wrong..

    Thanks in advance.

  • 2016-05-04 weaverryan

    Ah, you're right - there's a problem in the dependency-injection tutorial - I just fixed this: https://github.com/knpuniversi.... Thanks for pointing that out! I wanted to give you a proper GitHub shout, but I was only 90% sure that jhmnieuwenhuis is you :).

    I plan to script out those installation instructions so that we can't possibly mess them up - you know, keeping docs in sync with code... not always easy.

    Thanks!

  • 2016-05-04 Hans Nieuwenhuis

    Ok, great.
    But there is still no vendor directory in the start code.
    And in the README.md it says :

    "You can also run Composer, though the `vendor/` directory should already have everything it needs:"

    And if there is no vendor directory and composer is not run, the start code will not run.

    Regards,

    Hans

  • 2016-05-03 weaverryan

    Thanks Hans! We just fixed that - we left a library in there that's not used anymore :)

  • 2016-05-01 Hans Nieuwenhuis

    Update course code ?

    In the course code composer.json there are still the lines for knpuniversity/gladiator.
    And there is no vendor directory.

    When I run composer install I get an error on gladiator, saying it can not be downloaded.
    And I think it is nog longer needed or ??

    I removed the gladiator lines from composer.json and removed composer.lock and then I ran
    composer install again, and now the application works...

    Later on I also ran composer require pimple/pimple, and that also works fine/

  • 2015-11-05 Ammar

    Hey thanks. It works perfectly now!

  • 2015-11-04 weaverryan

    Hey Ammar!

    It's an easy fix: just create a `logs` directory at the root of the project and make it writeable - the code is trying to write to a mail.log file in this directory. I just added a note about this to the project: https://github.com/knpuniversi...

    Thanks!

  • 2015-11-04 Ammar

    i get this error on running app.php

    PHP Warning: fopen(/var/www/public/dependency_injection/src/DiDemo/Mailer/../../../logs/mail.log): failed to open stream: No such file or directory in /var/www/public/dependency_injection/src/DiDemo/Mailer/SmtpMailer.php on line 56

    PHP Warning: fwrite() expects parameter 1 to be resource, boolean given in /var/www/public/dependency_injection/src/DiDemo/Mailer/SmtpMailer.php on line 57

    PHP Warning: fopen(/var/www/public/dependency_injection/src/DiDemo/Mailer/../../../logs/mail.log): failed to open stream: No such file or directory in /var/www/public/dependency_injection/src/DiDemo/Mailer/SmtpMailer.php on line 56

    PHP Warning: fwrite() expects parameter 1 to be resource, boolean given in /var/www/public/dependency_injection/src/DiDemo/Mailer/SmtpMailer.php on line 57

    i am assuming the log files are not being generated due to sqlite db connectivity issues. I am using scotch box vm and it comes it sqlite. How do i setup a username and pass in setupdb.php?

  • 2015-10-26 David Thorne

    Thanks Ryan, helps a lot. I'll hold off till 2.8/3.0 are out and videos are completed. Looking forward to them, keep up the good work!

  • 2015-10-26 weaverryan

    Hey David!

    Actually, since Symfony 2.8 and 3 come out in about a month, we'll start to record complete updates to the latest versions really soon. Until then (as you eluded to), I would wait to learn Symfony. If we show you an out-dated way of doing something, you'll get a deprecation warning in the web debug toolbar - so you'll know it's outdated. More importantly, the new way is usually pretty close (e.g. a method name change) from the way we show things.

    I hope that helps - updates coming soon!

  • 2015-10-26 David Thorne

    Whilst Symfony 2.4 is still an officially supported LTS release, it is no longer the standard LTS if you follow the Symfony best practices. Whilst putting together a whole new series on 2.7 is a lot of work, any chance on either a mini series on the core differences or indeed a single video if that seems more applicable?

  • 2015-07-12 weaverryan

    Hey Léo!

    You're really close :). You need to move into the "start" directory and run a "composer install" (or a php composer.phar install depending on how you have Composer installed). We do talk about this - but it's a few more chapters from now :) http://knpuniversity.com/scree...

    Let me know if that helps!

  • 2015-07-12 Léo Li

    Excuse me, when I ran this "php app.php", I got a error:
    ```

    PHP Warning: require(/Users/AJ/Sites/knpuniversity-dependency-injection/start/vendor/autoload.php): failed to open stream: No such file or directory in /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php on line 3

    PHP Stack trace:

    PHP 1. {main}() /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php:0

    Warning: require(/Users/AJ/Sites/knpuniversity-dependency-injection/start/vendor/autoload.php): failed to open stream: No such file or directory in /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php on line 3

    Call Stack:

    0.0008 228408 1. {main}() /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php:0

    PHP Fatal error: require(): Failed opening required '/Users/AJ/Sites/knpuniversity-dependency-injection/start/vendor/autoload.php' (include_path='.:/usr/local/Cellar/php56/5.6.3/lib/php') in /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php on line 3

    PHP Stack trace:

    PHP 1. {main}() /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php:0

    Fatal error: require(): Failed opening required '/Users/AJ/Sites/knpuniversity-dependency-injection/start/vendor/autoload.php' (include_path='.:/usr/local/Cellar/php56/5.6.3/lib/php') in /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php on line 3

    Call Stack:

    0.0008 228408 1. {main}() /Users/AJ/Sites/knpuniversity-dependency-injection/start/app.php:0
    ```

    And I can't find __DIR__.'/vendor/autoload.php' this file in the package, neither the "logs\mail.log".
    Am I missing some step?