OAuth1.0 Specification Implementation

AlloVince edited this page May 4, 2015 · 2 revisions

The OAuth 1.0 specification defines three roles, which EvaOAuth maps to the following classes and interfaces:

  • User: Eva\EvaOAuth\User\UserInterface
  • Consumer: Eva\EvaOAuth\OAuth1\Consumer
  • Service Provider: Eva\EvaOAuth\OAuth1\ServiceProviderInterface

EvaOAuth implements OAuth 1.0 as described in the official specification, the flow the community refers to as "3-legged OAuth". Some sites also offer an unofficial authorization flow referred to as "2-legged OAuth"; EvaOAuth does not support 2-legged OAuth yet.

The 3-legged OAuth workflow is shown below (thanks to huoding.com for the ASCII flow chart).

 +----------+                                           +----------+
 |          |--(A)- Obtaining a Request Token --------->|          |
 |          |                                           |          |
 |          |<-(B)- Request Token ----------------------|          |
 |          |       (Unauthorized)                      |          |
 |          |                                           |          |
 |          |      +--------+                           |          |
 |          |>-(C)-|       -+-(C)- Directing ---------->|          |
 |          |      |       -+-(D)- User authenticates ->|          |
 |          |      |        |      +----------+         | Service  |
 | Consumer |      | User-  |      |          |         | Provider |
 |          |      | Agent -+-(D)->|   User   |         |          |
 |          |      |        |      |          |         |          |
 |          |      |        |      +----------+         |          |
 |          |<-(E)-|       -+-(E)- Request Token ------<|          |
 |          |      +--------+      (Authorized)         |          |
 |          |                                           |          |
 |          |--(F)- Obtaining a Access Token ---------->|          |
 |          |                                           |          |
 |          |<-(G)- Access Token -----------------------|          |
 +----------+                                           +----------+

Step (A): the consumer obtains a request token.

use Eva\EvaOAuth\OAuth1\Consumer;
use Eva\EvaOAuth\OAuth1\Providers;

$consumer = new Consumer([
    'consumer_key' => 'Your_Twitter_Consumer_Key',
    'consumer_secret' => 'Your_Twitter_Consumer_Secret',
    'callback' => 'http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=twitter'
]);
$requestToken = $consumer->getRequestToken(new Providers\Twitter());

The actual request is (under OAuth 1.0a, RFC 5849, this request also carries the oauth_callback parameter, which the provider acknowledges with oauth_callback_confirmed=true in the next step):

POST /oauth/request_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth 
   oauth_consumer_key="Your_Twitter_Consumer_Key",
   oauth_nonce="EJfeZQdOH78AoyBbkzvDC1i4WXhNxLIu", 
   oauth_signature="GbqGXuWX%2Fixd0Sy5n%2Fw0XVb8My4%3D", 
   oauth_signature_method="HMAC-SHA1",
   oauth_timestamp="1429608693",
   oauth_version="1.0"

Step (B): the service provider returns the request token in the response. The provider also returns an oauth_token_secret alongside the token; the consumer must store it together with the request token, because it becomes part of the signing key for step (F).

HTTP/1.1 200 OK

oauth_token=request_token&oauth_callback_confirmed=true

Step (C): the consumer redirects the user to the provider's authorization page, passing the request token obtained in the previous step.

// $consumer is the Consumer instance created in step (A)
$url = $consumer->getAuthorizeUri(new Providers\Twitter(), $requestToken);
header("Location: $url");
exit;

The actual response sent to the user agent is:

HTTP/1.1 302 Moved Temporarily
Location: https://api.twitter.com/oauth/authorize?
    oauth_token=request_token

Steps (D/E): the user authenticates with the provider, which then redirects the user agent back to the consumer's callback with the authorized request token and a verification code (oauth_verifier). Before continuing, the consumer should check that the oauth_token in the callback matches the request token it stored in step (A); the verifier exists to tie the callback to the request that started the flow.

HTTP/1.1 302 Moved Temporarily
Location: http://oauth.evaengine.com/EvaOAuth/examples/access.php?
    oauth_token=request_token&
    oauth_verifier=verifier_code

Step (F): the consumer requests an access token from the provider, presenting the request token and the verification code.

$accessToken = $consumer->getAccessToken(new Providers\Twitter(), $_GET, $requestToken);

The actual request is (the verifier travels in the form-encoded body, and is included in the signature):

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="azXsE8bMNfHL3dhowv2lkjBrnGFCpq0y", 
    oauth_signature="2BZupMcQXPKGubVNn5yO3zZ22Ic%3D", 
    oauth_signature_method="HMAC-SHA1", 
    oauth_timestamp="1429615865", 
    oauth_token="request_token", 
    oauth_version="1.0"

oauth_verifier=verifier_code

Step (G): the provider returns the access token if the verification code is valid. As in step (B), an oauth_token_secret is returned with it, and both must be kept to sign later requests.

HTTP/1.1 200 OK

oauth_token=access_token&user_id=14939075&screen_name=AlloVince

The consumer can now access protected resources with the access token.

$httpClient = new \Eva\EvaOAuth\AuthorizedHttpClient($accessToken);
$httpClient->get('https://api.twitter.com/1.1/account/verify_credentials.json');

The actual request is:

GET /1.1/account/verify_credentials.json HTTP/1.1
Host: api.twitter.com
Authorization: OAuth 
    oauth_consumer_key="Your_Twitter_Consumer_Key", 
    oauth_nonce="cd728qjmzvtudl9itqu5psxb3afbywoo", 
    oauth_signature="PeiH2Vb66xexNmIo4Z4%2FRpyl1Vc%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429619924", 
    oauth_token="access_token",
    oauth_version="1.0"

Response:

HTTP/1.1 200 OK

{"id":...}
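The traces above show signed requests but not how the oauth_signature values are produced or checked. The following PHP (7.4+) is an added example, not EvaOAuth's own code: it builds the RFC 5849 signature base string, signs it with HMAC-SHA1 using the "consumer_secret&token_secret" key, emits the Authorization header in the same form as the traces, and then plays the service-provider side for step (F), rejecting a tampered verifier and a replayed nonce. The consumer secret, request token secret, nonce and all function names are this example's own assumptions.

```php
<?php
// Added example, not EvaOAuth code: how the oauth_signature values in the traces
// above are produced (RFC 5849 §3.4, HMAC-SHA1) and how a service provider checks
// one. Every secret, nonce and token below is constructed for illustration.

// rawurlencode() implements the §3.6 rule: encode all but RFC 3986 unreserved chars.
function baseString(string $method, string $url, array $params): string
{
    // §3.4.1.2: lowercase scheme and host, drop default port and query string.
    $u = parse_url($url);
    $scheme = strtolower($u['scheme']);
    $host = strtolower($u['host']);
    $port = $u['port'] ?? null;
    if ($port !== null && $port !== ($scheme === 'https' ? 443 : 80)) {
        $host .= ':' . $port;
    }
    $baseUrl = $scheme . '://' . $host . ($u['path'] ?? '/');

    // §3.4.1.3: query-string, oauth_* and body parameters (minus oauth_signature),
    // each key and value encoded, sorted bytewise by key, then by value.
    $pairs = [];
    foreach (explode('&', $u['query'] ?? '') as $pair) {
        if ($pair === '') continue;
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $pairs[] = [rawurlencode(rawurldecode($k)), rawurlencode(rawurldecode($v))];
    }
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature') continue;
        $pairs[] = [rawurlencode((string) $k), rawurlencode((string) $v)];
    }
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => "{$p[0]}={$p[1]}", $pairs));

    return strtoupper($method) . '&' . rawurlencode($baseUrl) . '&' . rawurlencode($normalized);
}

function hmacSha1Signature(string $base, string $consumerSecret, string $tokenSecret): string
{
    // §3.4.2: key is "consumer_secret&token_secret", both encoded. In step (A) no
    // token exists yet, so the key is "consumer_secret&" with nothing after the '&'.
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function signRequest(string $method, string $url, array $oauth, array $body, string $consumerSecret, string $tokenSecret = ''): array
{
    $base = baseString($method, $url, array_merge($oauth, $body));
    $oauth['oauth_signature'] = hmacSha1Signature($base, $consumerSecret, $tokenSecret);
    return $oauth;
}

function authorizationHeader(array $oauth): string
{
    // §3.5.1: oauth_* parameters only, values percent-encoded (hence the %2F and
    // %3D inside oauth_signature in the traces above).
    $parts = array_map(fn($k, $v) => rawurlencode($k) . '="' . rawurlencode($v) . '"', array_keys($oauth), $oauth);
    return 'OAuth ' . implode(', ', $parts);
}

// Service-provider side, given already-decoded header values. $seenNonces stands in
// for a shared store keyed by consumer key, timestamp and nonce; the window bounds it.
function verifyRequest(string $method, string $url, array $oauth, array $body, string $consumerSecret,
                       string $tokenSecret, array &$seenNonces, int $now, int $window = 300): bool
{
    if (abs($now - (int) ($oauth['oauth_timestamp'] ?? 0)) > $window) return false;   // outside clock window
    $nonceKey = ($oauth['oauth_consumer_key'] ?? '') . '|' . ($oauth['oauth_timestamp'] ?? '') . '|' . ($oauth['oauth_nonce'] ?? '');
    if (isset($seenNonces[$nonceKey])) return false;                                  // replay
    $expected = hmacSha1Signature(baseString($method, $url, array_merge($oauth, $body)), $consumerSecret, $tokenSecret);
    if (!hash_equals($expected, (string) ($oauth['oauth_signature'] ?? ''))) return false; // forged or tampered
    $seenNonces[$nonceKey] = true;   // burn the nonce only for requests that verified
    return true;
}

// Step (F) from the page, signed with constructed secrets and then verified.
$url = 'https://api.twitter.com/oauth/access_token';
$consumerSecret = 'Your_Twitter_Consumer_Secret';
$requestTokenSecret = 'request_token_secret';   // constructed; returned with oauth_token in step (B)
$oauth = [
    'oauth_consumer_key'     => 'Your_Twitter_Consumer_Key',
    'oauth_nonce'            => bin2hex(random_bytes(16)),
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_token'            => 'request_token',
    'oauth_version'          => '1.0',
];
$body = ['oauth_verifier' => 'verifier_code'];
$signed = signRequest('POST', $url, $oauth, $body, $consumerSecret, $requestTokenSecret);
echo 'Authorization: ', authorizationHeader($signed), PHP_EOL;

$seen = [];
$cases = [
    'tampered verifier' => ['oauth_verifier' => 'attacker_value'],
    'genuine request'   => $body,
    'replayed request'  => $body,
];
foreach ($cases as $label => $bodyParams) {
    $ok = verifyRequest('POST', $url, $signed, $bodyParams, $consumerSecret, $requestTokenSecret, $seen, time());
    printf("%-18s accepted=%s\n", $label, var_export($ok, true));
}
```

Run with `php example.php`: the tampered body is rejected because oauth_verifier is part of the signed base string, the genuine request is accepted, and the identical request presented again is rejected because its nonce has been seen. A real provider first percent-decodes the header values, looks up the consumer secret by oauth_consumer_key and the token secret by oauth_token, and keeps the nonce store in shared storage; the timestamp check is what lets that store be pruned, and checking it before the nonce and signature avoids spending an HMAC on obviously stale requests.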