Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

OAuth Helper

leonho2001 edited this page · 15 revisions
Clone this wiki locally


NOTE: I have moved the code for this project to GitHub the url is: Please use this wiki page as a reference for how to implement the library but make sure you get the latest version from GitHub.

I wrote this helper to assist with OAuth authentication for the youtube api but it should work for any OAuth authentication. All it does is correctly sign your OAuth parameters that should be put in an http header and sent to whatever you are authenticating against.

One thing to note. It seems that google does not correctly build their HMAC-SHA1 hashes so if you are authenticating with them it is recommended that you use RSA-SHA1. Visit this link:

to learn how to create an RSA-SHA1 certificate that you can upload to google.

Here is the OAuth section of the youtube api:

And here is a helpful tool google provides to see what your OAuth header should look like:

To generate the authorization header portion, something like this:

Authorization: OAuth oauth_version="1.0", oauth_nonce="3bb1d3ad600bc8132081261ffe5b4f01", oauth_timestamp="1283674744", oauth_consumer_key="", oauth_callback="", oauth_signature_method="RSA-SHA1", oauth_signature="Tk6KiZltHoH/41xMmI2UyCXTA8BgzMFbFEAGCKBPDKqI8Rsjg/UYqh+Edi/KY2UoqCwxb3K+WYNGSaaUy/klzQ1/lSIXgXcVjI7QP7Bc6/xMmBauj/eWVjnEWJ2mbcfhIE1LrkJbqUjUsFnel2yGvwCykHS+A4mFM3y3xEtuJ8s="

You would make a token request call like this:

echo get_auth_header('', '', './path/to/private/cert', array('oauth_callback'=>urlencode('')));

It should be noted though that google requires an addtional "scope" parameter which does not go in with the authorization parameters but does get signed with them. The best way to understand how to put that in the header is to check out the oauth playground. So this example will not work in real life if authenticating with google.

To build a full (working) request header for the google youtube api and connect using cURL do this:

$baseurl = '';
$auth = build_auth_array($baseurl, '', './path/to/private/cert', array('scope'=>urlencode('')));
$str = '';
foreach($auth AS $key=>$value)
     if($key != 'scope')$str .= ",{$key}=\"{$value}\"";//Do not include scope in the Authorization string.
$str = substr($str, 1);//Remove leading ,

$ch = curl_init("{$baseurl}?scope={$auth['scope']}");
curl_setopt($ch, CURLOPT_SSLVERSION,3);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Authorization: OAuth {$str}"));
$response = curl_exec($ch);
return $response;

Play around with this helper and let me know what you think.

-UPDATE: Fixed issue where oauth_token_secret was not getting hashed with consumer_secret for HMAC signatures. Also changed some wording that could be confusing.

-UPDATE: Added OAUTH_ALGORITHM object to avoid having to type out the algorithms each time, thus decreasing a chance for (very difficult to detect) errors.

-UPDATE: Made links real links.

-UPDATE: Fixed HMAC signing I can confirm it works with atleast Twitter.

Something went wrong with that request. Please try again.