oauth2-php - Step by Step Setup and Testing
My partners and I are now developing OAuth2.0 for Drupal Single-Sign-On (SSO) and Services API integration. During development we discovered the oauth2-php library on Google Code (http://code.google.com/p/oauth2-php/). Here is a simple step-by-step setup and testing procedure.
Download the latest source code
The official package is still an OAuth2.0 draft v9 implementation (http://oauth2-php.googlecode.com/files/oauth2-php.zip). Here we will use the latest development code from its Mercurial repository.
First of all, install the mercurial package for fetching the source code. On Debian it is very simple:
apt-get install mercurial
Once the package is installed, execute the command below (http://code.google.com/p/oauth2-php/source/checkout):
hg clone https://oauth2-php.googlecode.com/hg/ oauth2-php
This will create a directory named "oauth2-php" under your current folder. Move it to your Apache document root, e.g. ~/public_html. Don't forget that we are using PHP 5.2+ with PDO support, so you should have that set up before testing.
Optionally, just download my package with the additional patch (http://code.google.com/p/oauth2-php/issues/detail?id=9) applied: oauth2-php-1288518310.tar.gz
Setup database backend
In the folder "oauth2-php/server/examples/pdo" you will find a file "mysql_create_tables.sql". Create a MySQL database named "mydb" and create the tables as below:
mysql -uroot -p mydb < mysql_create_tables.sql
I assume you can handle phpMyAdmin and the corresponding permission setup, which I will not detail here. Don't forget to configure the file "oauth2-php/server/examples/pdo/lib/pdo_oauth.php" to match your database setup.
Install Poster for Firefox
Poster (https://addons.mozilla.org/en-US/firefox/addon/2691/) is a very simple Firefox add-on that lets you make HTTP requests to a remote server through a handy interface. Just install it. We will need it to submit POST requests to the token endpoint, e.g. for token refresh.
Pressing CTRL + ALT + P brings up the Poster interface as below:
Let's play with the oauth2-php basic authorization workflow
You should now be ready to test the overall oauth2-php library implementation.
First of all we should set up a client account for the connection. As an analogy: if you want to use Facebook Connect, you first ask Facebook to issue a client id/secret pair for your application; here you are doing something similar. Open "/oauth2-php/server/examples/pdo/addclient.php" in Firefox as below and fill in the corresponding information. Some more tips:
- Client ID is filtered by [0-9a-z-_]{3,12} (assuming you understand regex).
- Client Secret can be anything.
- Redirect URL will be reused in a later step; here I point it to "/"
Also double check the result with phpMyAdmin:
Now open "/oauth2-php/server/examples/pdo/authorize.php" in Firefox with the following syntax (an error page will be displayed if the correct parameters are not provided):
/oauth2-php/server/examples/pdo/authorize.php?client_id=0123456789ab&response_type=token&state=test_state
The screen will show as below:
Once you click "Yep" you will be forwarded to the redirect URL set up above, with additional parameters similar to those below. This step is like clicking a Facebook Connect button: a popup shows and asks for your login, then asks for your authorization to let this website (i.e. the application) sign you in with Facebook SSO, access your basic profile, send you email, and so on.
/?state=test_state#access_token=XBzbb1c%2FqhMDv2s0b7yKy0l8WzU4XtHT&expires_in=3600&scope=
Now you have the access token "XBzbb1c%2FqhMDv2s0b7yKy0l8WzU4XtHT". Open "/oauth2-php/server/examples/pdo/protected_resource.php" with the following parameters and it will show you the protected resource page:
/oauth2-php/server/examples/pdo/protected_resource.php?client_id=0123456789ab&oauth_token=XBzbb1c%2FqhMDv2s0b7yKy0l8WzU4XtHT
Good! Now you have gone through the basic OAuth2.0 server-side implementation and demonstration!
Testing token endpoint with authorization code
Up to now we have tested addclient.php, authorize.php and protected_resource.php, so what about the token endpoint token.php? This is a bit more complicated and you will need Poster's help to submit your POST request.
Before starting, I strongly recommend a quick review of "Section 4. Obtaining an Access Token" from the original OAuth2.0 draft v10 document (http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4).
For the authorization code test case, first access authorize.php as below:
/oauth2-php/server/examples/pdo/authorize.php?client_id=0123456789ab&response_type=code&state=test_state
It will redirect you to your redirect URL with the following parameters:
/?state=test_state&code=DR2BYUbpLAEahiwQZ7BrOVD8Ot09MWMl
Now you have the authorization code "DR2BYUbpLAEahiwQZ7BrOVD8Ot09MWMl". Open Poster and fill in the information as below:
- URL: Your token endpoint, e.g. /oauth2-php/server/examples/pdo/token.php
- Content Type: application/x-www-form-urlencoded
- Parameter Body:
grant_type=authorization_code&client_id=0123456789ab&client_secret=hello world&code=DR2BYUbpLAEahiwQZ7BrOVD8Ot09MWMl&redirect_uri=/
Click POST and it will give you a result page as below (if your code has expired, go to phpMyAdmin and edit auth_codes.expires manually...):
Great, you get a new access token in exchange for your temporarily issued authorization code :D
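As an added example (not code from the original post or from the oauth2-php project), here is a small Python 3 client that stands in for Poster and the browser address bar for the steps above: the client-ID filter from addclient.php, the implicit flow (response_type=token, parameters in the URL fragment), and the authorization code flow (response_type=code, then a form-encoded POST to token.php). The base URL http://localhost/oauth2-php/server/examples/pdo/, the client id/secret and the sample redirect URLs are assumptions taken from the post's examples; the two network calls only ever talk to the server you set up above.

```python
"""
Added example, not part of the original post or the oauth2-php project:
a Python 3 test client for the oauth2-php example endpoints. BASE, the
client id/secret and the sample URLs are assumptions based on the post.
"""
import json
import re
import urllib.parse
import urllib.request

BASE = "http://localhost/oauth2-php/server/examples/pdo/"   # assumed
CLIENT_ID = "0123456789ab"       # the client registered via addclient.php
CLIENT_SECRET = "hello world"    # the post's example secret (note the space)
REDIRECT_URI = "/"

# addclient.php filters client IDs with [0-9a-z-_]{3,12} (per the post);
# written here with the hyphen last so the character class is unambiguous.
CLIENT_ID_RE = re.compile(r"[0-9a-z_-]{3,12}")


def valid_client_id(client_id):
    """True if client_id would pass the filter addclient.php applies."""
    return CLIENT_ID_RE.fullmatch(client_id) is not None


def authorize_url(response_type, state):
    """Build the authorize.php URL for response_type 'token' or 'code'."""
    query = urllib.parse.urlencode({
        "client_id": CLIENT_ID,
        "response_type": response_type,
        "state": state,
    })
    return BASE + "authorize.php?" + query


def parse_redirect(url):
    """Extract the OAuth parameters from the redirect URL you land on.

    response_type=code returns them in the query string (?code=...);
    response_type=token returns the token in the fragment (#access_token=...),
    which the browser never sends to any server, so the client reads it here.
    Query and fragment are merged; fragment values win on a clash.
    """
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    params.update(urllib.parse.parse_qsl(parts.fragment, keep_blank_values=True))
    return params


def check_state(params, expected_state):
    """Reject a redirect whose state is not the one we sent (CSRF check)."""
    return params.get("state") == expected_state


def token_request_body(code):
    """Form-encode the authorization_code grant exactly as Poster would.

    urlencode turns the space in 'hello world' into '+' and '/' into '%2F',
    so the body is a valid application/x-www-form-urlencoded payload.
    """
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })


def exchange_code(code):
    """POST the code to token.php and return the decoded JSON (live call)."""
    req = urllib.request.Request(
        BASE + "token.php",
        data=token_request_body(code).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fetch_protected_resource(access_token):
    """GET protected_resource.php with the token, as the post does by hand (live call)."""
    query = urllib.parse.urlencode({"client_id": CLIENT_ID, "oauth_token": access_token})
    with urllib.request.urlopen(BASE + "protected_resource.php?" + query) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Walk the authorization code flow end to end against a live server.
    print("Open in a browser:", authorize_url("code", "test_state"))
    redirect = input("Paste the URL you were redirected to: ").strip()
    params = parse_redirect(redirect)
    if not check_state(params, "test_state"):
        raise SystemExit("state mismatch, refusing to continue")
    token = exchange_code(params["code"])
    print(fetch_protected_resource(token["access_token"]))
```

Run it, open the printed authorize.php URL in Firefox, click "Yep", and paste the URL you end up on; the script checks the state, exchanges the code and prints the protected resource. The same parse_redirect also handles the implicit-flow URL from the earlier section, where the token sits after "#" rather than "?".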
Testing token endpoint with password
Sorry, the bundled oauth2-php server implementation doesn't handle this grant type yet. It just returns FALSE in lib/oauth2.php line 200, so we should override it in our own child-class implementation, e.g. lib/pdo_oauth2.php.
P.S. For Drupal single-sign-on with OAuth2.0 that does NOT forward the end-user to the authorization server's login popup, we can collect the end-user's credentials in the web application's interface and ask the authorization server to bind the user through this token endpoint.
Testing token endpoint with assertion
As with the password grant, this is not yet implemented (lib/oauth2.php line 224). Let's come back later :S
Testing token endpoint with refresh token
Sorry, please come back later (lib/oauth2.php lines 224, 265, 273 and 278)...
Conclusion
Most of the OAuth2.0 draft v10 logic is already well implemented within oauth2-php; of course you still have to fill in the missing abstract functions yourself :S
With Poster you don't need to set up a custom script to test the server implementation; just a few clicks and off you go :D
- hswong3i's blog
Comments
so helpful!
Hi!
This is so helpful and I thank you for explaining this because there is almost no good documentation on Oauth2, besides the spec which I find hard to grasp. I still have some problems with basic terms on Oauth2 and I was wondering if you could enlighten me a bit:
- It's a server. Shouldn't the server be only taking care of handing out tokens, checking etc? Am I correct to understand the PHP2 oAuth server scripts also feature some sort of bare-bones client functionality?
- I do get the part of authorization in your tutorial. I managed to see the protected resource, although I'm not sure what "permissions" I get at this point. In a real world example, what would a protected resource be? It's just authorization, so could this be a welcome page?
- Where I lose things is at section "Testing token endpoint with authorization code". What would be a real world example for a token, and what is an "endpoint"?
Sorry for all these questions :-) It's just that I'm lacking a sense of context to really understand what is going on.
What I do know is that a "client" is the (server side) application that uses the server to get tokens. The end-user is the actual person querying the client.
Thanks!!
Love OAuth
Love it... But addclient.php doesn't work... You need to configure it.
one litle sample
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<div>
<a href="authorize.php?client_id=12312l3j1lasd&response_type=code&state=test_state">Authorized request</a>
</div>
<?php if ( isset($_GET['code']) ): ?>
<button id="ok">ok ok </button>
<script>
$("#ok").click(function(){
  // Step 1: exchange the authorization code for an access token at token.php.
  // rawurlencode() keeps the code from breaking the form body or this script.
  $.ajax({
    url: "token.php",
    type: "post",
    data: "grant_type=authorization_code&client_id=12312l3j1lasd&client_secret=NoOoO&code=<?= rawurlencode($_GET['code']) ?>&redirect_uri=http%3A%2F%2Flocalhost%2Foauth2-php%2Fserver%2Fexamples%2Fpdo%2F",
    dataType: "json",  // comma required between object members
    success: function(dat){
      // Step 2: use the returned access token to fetch the protected resource.
      // Tokens may contain "/" so the value must be URL-encoded.
      $.ajax({
        url: "protected_resource.php?client_id=12312l3j1lasd&oauth_token=" + encodeURIComponent(dat.access_token),
        cache: false,
        success: function(fin){
          $("#oks").html(fin);
        }
      });
    }
  });
});
</script>
<?php endif; ?>
<div id="oks"></div>
photos don't work
I wish the photos worked.
Loading photos
It is an inconvenience, but to get the photos to load just remove "cdn." from their URLs...
Photos Don't Work
Photos are not working!
why # instead of &?
Helpful but just one question: why the "#" instead of usual "&" in
/?state=test_state#access_token=XBzbb1c%2FqhMDv2s0b7yKy0l8WzU4XtHT&expires_in=3600&scope=
?
Thanks in advance
Help with authorise
Can't seem to get it working?
I can add a client fine but can't authorise?
auth_codes and token tables are empty? Are these meant to be?
http://mydomain.com/oauth/server/examples/pdo/authorize.php?client_id=01...
Is test_state a scope?
My Feedback
Thanks a lot for this great post. I only have some comments about problems, which I encountered
(1) in file server/examples/pdo/lib/pdo_oauth.php you should add the line in line 24 (just after the DB connect)
$this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
It is needed to really see DB errors
(2) in server/examples/pdo/mysql_create_tables.sql you should change scope to allow NULL - otherwise I got errors ("scope can not be NULL") when trying to use Poster
Thanks
Stefan
Awesome
Your post just helped me through the OAuth nightmare i've been struggling with for the past week.
Very helpful
Your post is very helpful to me and really thank you so much :)