OAuth1.0 Specification Implementation

AlloVince edited this page May 4, 2015 · 2 revisions

The OAuth 1.0 specification defines three kinds of roles, which EvaOAuth maps to the following classes:

  • User: Eva\EvaOAuth\User\UserInterface
  • Consumer: Eva\EvaOAuth\OAuth1\Consumer
  • Service Provider: Eva\EvaOAuth\OAuth1\ServiceProviderInterface

EvaOAuth implements OAuth 1.0 following the official specification, the flow the community refers to as "3-legged OAuth". Some sites also provide an unofficial authorization flow referred to as "2-legged OAuth"; EvaOAuth does not support 2-legged OAuth yet.

The 3-legged OAuth workflow is shown below; thanks to huoding.com for the ASCII flow chart.

 +----------+                                           +----------+
 |          |--(A)- Obtaining a Request Token --------->|          |
 |          |                                           |          |
 |          |<-(B)- Request Token ----------------------|          |
 |          |       (Unauthorized)                      |          |
 |          |                                           |          |
 |          |      +--------+                           |          |
 |          |>-(C)-|       -+-(C)- Directing ---------->|          |
 |          |      |       -+-(D)- User authenticates ->|          |
 |          |      |        |      +----------+         | Service  |
 | Consumer |      | User-  |      |          |         | Provider |
 |          |      | Agent -+-(D)->|   User   |         |          |
 |          |      |        |      |          |         |          |
 |          |      |        |      +----------+         |          |
 |          |<-(E)-|       -+-(E)- Request Token ------<|          |
 |          |      +--------+      (Authorized)         |          |
 |          |                                           |          |
 |          |--(F)- Obtaining a Access Token ---------->|          |
 |          |                                           |          |
 |          |<-(G)- Access Token -----------------------|          |
 +----------+                                           +----------+

Step (A): the consumer obtains a request token.

use Eva\EvaOAuth\OAuth1\Consumer;
use Eva\EvaOAuth\OAuth1\Providers;

$consumer = new Consumer([
    'consumer_key' => 'Your_Twitter_Consumer_Key',
    'consumer_secret' => 'Your_Twitter_Consumer_Secret',
    'callback' => 'http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=twitter'
]);
$requestToken = $consumer->getRequestToken(new Providers\Twitter());

Actual request is:

POST /oauth/request_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="EJfeZQdOH78AoyBbkzvDC1i4WXhNxLIu",
    oauth_signature="GbqGXuWX%2Fixd0Sy5n%2Fw0XVb8My4%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429608693",
    oauth_version="1.0"

Step (B): the service provider returns the (still unauthorized) request token in its response.

HTTP/1.1 200 OK

oauth_token=request_token&oauth_callback_confirmed=true

Step (C): the consumer redirects the user to the provider's authorization page, passing the request token obtained in the previous step.

// $consumer is the Consumer instance created in step (A)
$url = $consumer->getAuthorizeUri(new Providers\Twitter(), $requestToken);
header("Location: $url");

The actual redirect sent to the user agent is:

HTTP/1.1 302 Moved Temporarily
Location: https://api.twitter.com/oauth/authorize?
    oauth_token=request_token

Step (D/E): after the user authenticates, the provider redirects the user back to the consumer's callback with the authorized request token and a verifier code.

HTTP/1.1 302 Moved Temporarily
Location: http://oauth.evaengine.com/EvaOAuth/examples/access.php?
    oauth_token=request_token&
    oauth_verifier=verifier_code

Step (F): the consumer requests an access token from the provider using the request token and the verifier code.

// $_GET carries the oauth_token and oauth_verifier parameters from the redirect in step (E)
$accessToken = $consumer->getAccessToken(new Providers\Twitter(), $_GET, $requestToken);

Actual request is:

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="azXsE8bMNfHL3dhowv2lkjBrnGFCpq0y",
    oauth_signature="2BZupMcQXPKGubVNn5yO3zZ22Ic%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429615865",
    oauth_token="request_token",
    oauth_version="1.0"

oauth_verifier=verifier_code

Step (G): the provider returns an access token if the verifier code is valid.

HTTP/1.1 200 OK

oauth_token=access_token&user_id=14939075&screen_name=AlloVince

The consumer is now able to access protected resources with the access token.

$httpClient = new \Eva\EvaOAuth\AuthorizedHttpClient($accessToken);
// every request sent through this client carries an OAuth header signed with the access token
$response = $httpClient->get('https://api.twitter.com/1.1/account/verify_credentials.json');

Actual request is:

GET /1.1/account/verify_credentials.json HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="cd728qjmzvtudl9itqu5psxb3afbywoo",
    oauth_signature="PeiH2Vb66xexNmIo4Z4%2FRpyl1Vc%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429619924",
    oauth_token="access_token",
    oauth_version="1.0"

Response:

HTTP/1.1 200 OK

{"id":...}
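As an added example (not EvaOAuth's own code), the PHP below shows how the oauth_signature values in the captured requests above are derived per RFC 5849 section 3.4 for the step (A) request_token call, and how a provider should check such a signature. The function names are mine, and the key, secret, nonce and timestamp are constructed sample values; it assumes PHP 7.4 or later.

```php
<?php
// Added example, not EvaOAuth code: RFC 5849 HMAC-SHA1 signing of the step (A)
// request_token call above, plus the provider-side check of an incoming signature.
// Consumer key/secret, nonce and timestamp are constructed sample values.

/** Signature base string: METHOD&base-URL&normalized-params (RFC 5849 section 3.4.1). */
function signatureBaseString(string $method, string $url, array $params): string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query); $params += $query;   // query-string params are signed too
    unset($params['oauth_signature']);                              // never part of its own base string
    $enc = array_combine(array_map('rawurlencode', array_keys($params)), array_map('rawurlencode', $params));
    ksort($enc, SORT_STRING);                                       // byte-order sort on encoded keys
    $normalized = implode('&', array_map(fn($k, $v) => "$k=$v", array_keys($enc), $enc));
    $baseUrl = strtolower("{$parts['scheme']}://{$parts['host']}") . ($parts['path'] ?? '/');
    return strtoupper($method) . '&' . rawurlencode($baseUrl) . '&' . rawurlencode($normalized);
}

/** HMAC-SHA1 over the base string; the token secret is empty for the request_token call. */
function hmacSha1(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

/** Provider side: reject stale timestamps, recompute and compare in constant time. */
function verifySignature(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret = '', int $maxSkew = 300): bool
{
    if (abs(time() - (int) ($params['oauth_timestamp'] ?? 0)) > $maxSkew) {
        return false;   // stale or future-dated; a real provider also stores the nonce to stop replays
    }
    $expected = hmacSha1(signatureBaseString($method, $url, $params), $consumerSecret, $tokenSecret);
    return hash_equals($expected, $params['oauth_signature'] ?? '');
}

// Consumer side, step (A): sign the request_token call shown above.
$params = [
    'oauth_consumer_key'     => 'Your_Twitter_Consumer_Key',
    'oauth_nonce'            => bin2hex(random_bytes(16)),          // fresh random nonce per request
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
    'oauth_callback'         => 'http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=twitter',
];
$url = 'https://api.twitter.com/oauth/request_token';
$params['oauth_signature'] = hmacSha1(signatureBaseString('POST', $url, $params), 'Your_Twitter_Consumer_Secret');
$header = 'OAuth ' . implode(', ', array_map(fn($k, $v) => $k . '="' . rawurlencode($v) . '"', array_keys($params), $params));
echo $header, PHP_EOL;                                              // the Authorization header value
var_dump(verifySignature('POST', $url, $params, 'Your_Twitter_Consumer_Secret'));   // bool(true)
```

For the access_token and protected-resource calls in steps (F) and (G) the same functions apply with oauth_token added to the parameters and the matching token secret passed as the second key component.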