oauth demo, server-side version

oauth-server/config.php

@@ -0,0 +1,6 @@
+<?
+	$client_id	= "1-1e234b54ce23206cdc30e14bc7fea6a2";
+	$client_secret	= "3aac2f87c3cca316de6d6cd57a49fca3";
+
+	$redir_url	= "http://www.iamcal.com/misc/glitch/oauth-server/step2.php";
+?>

oauth-server/curl.php

@@ -0,0 +1,62 @@
+<?
+	##################################################################
+
+	#
+	# perform a 'simple' HTTP POST.
+	#
+
+	function curl_http_post($url, $post_args){
+
+		$curl_handler = curl_init();
+
+		curl_setopt($curl_handler, CURLOPT_URL, $url);
+		curl_setopt($curl_handler, CURLOPT_CONNECTTIMEOUT, 5);
+		curl_setopt($curl_handler, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($curl_handler, CURLOPT_TIMEOUT, 5);
+		curl_setopt($curl_handler, CURLOPT_FAILONERROR, FALSE);
+
+		#
+		# ignore invalid HTTPS certs. you probably want to comment out
+		# these lines...		
+		#
+
+		curl_setopt($curl_handler, CURLOPT_SSL_VERIFYPEER, FALSE);
+		curl_setopt($curl_handler, CURLOPT_SSL_VERIFYHOST, FALSE);
+
+
+		#
+		# it's a post
+		#
+
+		curl_setopt($curl_handler, CURLOPT_POST, 1);
+		curl_setopt($curl_handler, CURLOPT_POSTFIELDS, $post_args);
+
+
+		#
+		# send the request
+		#
+
+		$body = @curl_exec($curl_handler);
+		$info = @curl_getinfo($curl_handler);
+
+
+		#
+		# close the connection
+		#
+
+		curl_close($curl_handler);
+
+
+		#
+		# return
+		#
+
+		return array(
+			'status'	=> $info['http_code'],
+			'body'		=> $body,
+			'info'		=> $info,
+		);
+	}
+
+	##################################################################
+?>

oauth-server/foot.txt

@@ -0,0 +1,15 @@
+<hr />
+
+<p>
+	This demo uses a client ID which is only allowed to request the <code>identity</code> scope.
+	Your own client ID will be able to request the <code>read</code> and <code>write</code> scopes, which are far better.
+</p>
+
+<p>
+	If you hit an error, you can <a href="./">start over</a>.
+</p>
+
+</div>
+
+</body>
+</html>

oauth-server/head.txt

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<title>Glitch OAuth 2 Demo - Server Side Auth</title>
+</head>
+<body>
+
+<div style="width: 600px; margin: 0 auto;">
+
+<h1>Glitch OAuth 2 Demo - Server Side Auth</h1>

oauth-server/index.php

@@ -0,0 +1,63 @@
+<?
+	include('config.php');
+
+	include('head.txt');
+?>
+
+<h2>Step 1 - Redirect user to authorization endpoint</h2>
+<?
+
+	$args = array(
+		'response_type'	=> 'code',
+		'client_id'	=> $client_id,
+		'client_secret'	=> $client_secret,
+		'redirect_uri'	=> $redir_url,
+		'scope'		=> 'identity',
+		'state'		=> 'hello-world',
+	);
+
+	$base_url = "http://api.alpha.glitch.com/oauth2/authorize";
+
+	function build_url($base_url, $args, $more=array()){
+
+		foreach ($more as $k => $v){
+			$args[$k] = $v;
+		}
+
+		$pairs = array();
+		foreach ($args as $k => $v){
+			$pairs[] = urlencode($k).'='.urlencode($v);
+		}
+		return $base_url.'?'.implode('&', $pairs);
+	}
+
+?>
+
+<p>For this test, we will redirect the user to <code><?=HtmlSpecialChars($base_url)?></code>, with the following parameters:</p>
+
+<ul>
+<? foreach ($args as $k => $v){ ?>
+	<li><code><?=HtmlSpecialChars($k)?></code> = <code><?=HtmlSpecialChars($v)?></code></li>
+<? } ?>
+</ul>
+
+<p><a href="<?=build_url($base_url, $args)?>">Start authorization</a></p>
+
+<p>Failures that <b>should not</b> redirect back to here:</p>
+
+<ul>
+	<li><a href="<?=build_url($base_url, $args, array('client_id' => 'waffles'))?>">Start authorization with bad client_id</a></li>
+	<li><a href="<?=build_url($base_url, $args, array('client_secret' => 'waffles'))?>">Start authorization with bad client_secret</a></li>
+	<li><a href="<?=build_url($base_url, $args, array('redirect_uri' => 'waffles'))?>">Start authorization with bad redirect_uri</a></li>
+</ul>
+
+<p>Failures that <b>should</b> redirect back to here:</p>
+
+<ul>
+	<li><a href="<?=build_url($base_url, $args, array('scope' => 'waffles'))?>">Start authorization with bad scope</a></li>
+	<li><a href="<?=build_url($base_url, $args, array('response_type' => 'waffles'))?>">Start authorization with bad response_type</a></li>
+</ul>
+
+<?
+	include('foot.txt');
+?>

oauth-server/step2.php

@@ -0,0 +1,158 @@
+<?
+	include('config.php');
+	include('curl.php');
+
+	if ($_GET['error']){
+
+		include('head.txt');
+?>
+
+<h2>Step 2 Error: <?=HtmlSpecialChars($_GET['error'])?></h2>
+
+<p><b>Error description:</b> <?=HtmlSpecialChars($_GET['error_description'])?></p>
+<p><b>State:</b> <code><?=HtmlSpecialChars($_GET['state'])?></code></p>
+
+<?
+		include('foot.txt');
+		exit;
+	}
+
+
+	if (!$_GET['code']){
+
+		include('head.txt');
+?>
+
+<h2>Step 2 Error: No code</h2>
+
+<p>Odd - we didn't get an authorization code passed back to us. I wonder why?</p>
+
+<?
+		include('foot.txt');
+		exit;
+	}
+
+
+	$args = array(
+		'grant_type'	=> 'authorization_code',
+		'code'		=> $_GET['code'],
+		'client_id'	=> $client_id,
+		'client_secret'	=> $client_secret,
+		'redirect_uri'	=> $redir_url,
+	);
+
+	if ($_GET['exchange']){
+
+		$ret = curl_http_post("http://api.alpha.glitch.com/oauth2/token", $args);
+
+
+		#
+		# check for bad status
+		#
+
+		if ($ret['status'] != 200 && $ret['status'] != 400){
+
+			include('head.txt');
+?>
+	<h2>Step 3 Error - Unexpected HTTP status code</h2>
+
+	<p>The POST to the token endpoint unexpectedly returned status code <?=HtmlSpecialChars($ret['status'])?>. This might be a temporary failure.</p>
+	<p>The body of the request follows:</p>
+	<pre><?=HtmlSpecialChars($ret['body'])?></pre>
+<?
+			include('foot.txt');
+			exit;
+		}
+
+
+		#
+		# can we decode the JSON?
+		#
+
+		$obj = @json_decode($ret['body'], true);
+		if (!is_array($obj) || !count($obj)){
+
+			include('head.txt');
+?>
+	<h2>Step 3 Error - Unable to parse JSON response</h2>
+
+	<p>The JSON body returned by the API request could not be parsed.</p>
+	<p>The body of the request follows:</p>
+	<pre><?=HtmlSpecialChars($ret['body'])?></pre>
+<?
+			include('foot.txt');
+			exit;
+
+		}
+
+
+		#
+		# was there an error?
+		#
+
+		if (strlen($obj['error'])){
+
+			include('head.txt');
+?>
+	<h2>Step 3 Error: <?=HtmlSpecialChars($obj['error'])?></h2>
+
+	<p><b>Error description:</b> <?=HtmlSpecialChars($obj['error_description'])?></p>
+
+	<p>The body of the request follows:</p>
+	<pre><?=HtmlSpecialChars($ret['body'])?></pre>
+<?
+			include('foot.txt');
+			exit;
+
+		}
+
+
+		#
+		# looks like we're good to go...
+		#
+
+		include('head.txt');
+?>
+	<h2>Step 3 - Use access token</h2>
+
+	<p>The token endpoint has exchanged our authorization code for a usable access token:</p>
+
+	<ul>
+<? foreach ($obj as $k => $v){ ?>
+		<li><code><?=HtmlSpecialChars($k)?></code> = <code><?=HtmlSpecialChars($v)?></code></li>
+<? } ?>
+	</ul>
+
+	<p>We will call an API method using this token, in the iframe below:</p>
+
+	<iframe width="100%" height="200" src="http://api.alpha.glitch.com/simple/auth.check?oauth_token=<?=HtmlSpecialChars($obj['access_token'])?>&simple=1&pretty=1"></iframe>
+
+	<p>That concludes the demo. In your application, you would then store the <code>access_token</code> somewhere on the server and use it for subsequent requests.</p>
+<?
+		include('foot.txt');
+		exit;
+	}
+
+
+	include('head.txt');
+?>
+
+<h2>Step 2 - Exchange code for access token</h2>
+
+<p>The user has authorized our request and we have been returned the code <code><?=HtmlSpecialChars($_GET['code'])?></code>.</p>
+
+<p>We now need to exchange this code for an access token, by calling the token endpoint <code>http://api.alpha.glitch.com/oauth2/token</code> with the following parameters:</p>
+
+<ul>
+<? foreach ($args as $k => $v){ ?>
+	<li><code><?=HtmlSpecialChars($k)?></code> = <code><?=HtmlSpecialChars($v)?></code></li>
+<? } ?>
+</ul>
+
+<p>This step must be done using an HTTP POST from the server.</p>
+
+<p><a href="step2.php?code=<?=HtmlSpecialChars($_GET['code'])?>&exchange=1">Exchange code for access token</a></p>
+
+<?
+	include('foot.txt');
+?>