OAuth1.0 Specification Implementation
The OAuth 1.0 specification defines three kinds of roles:

- User: `Eva\EvaOAuth\User\UserInterface`
- Consumer: `Eva\EvaOAuth\OAuth1\Consumer`
- Service Provider: `Eva\EvaOAuth\OAuth1\ServiceProviderInterface`
EvaOAuth implements OAuth 1.0 following the official specification, the flow the community refers to as "3-legged OAuth". Some sites also provide an unofficial authorization flow referred to as "2-legged OAuth"; EvaOAuth does not support 2-legged OAuth yet.

The 3-legged OAuth workflow is shown below. Thanks to huoding.com for the ASCII flow chart.
```
+----------+                                           +----------+
|          |--(A)- Obtaining a Request Token --------->|          |
|          |                                           |          |
|          |<-(B)- Request Token ----------------------|          |
|          |       (Unauthorized)                      |          |
|          |                                           |          |
|          |      +--------+                           |          |
|          |>-(C)-|       -+-(C)- Directing ---------->|          |
|          |      |       -+-(D)- User authenticates ->|          |
|          |      |        |      +----------+         | Service  |
| Consumer |      | User-  |      |          |         | Provider |
|          |      | Agent -+-(D)->|   User   |         |          |
|          |      |        |      |          |         |          |
|          |      |        |      +----------+         |          |
|          |<-(E)-|       -+-(E)- Request Token ------<|          |
|          |      +--------+      (Authorized)         |          |
|          |                                           |          |
|          |--(F)- Obtaining a Access Token ---------->|          |
|          |                                           |          |
|          |<-(G)- Access Token -----------------------|          |
+----------+                                           +----------+
```
Step (A): the consumer obtains a request token.

```php
use Eva\EvaOAuth\OAuth1\Consumer;
use Eva\EvaOAuth\OAuth1\Providers;

$consumer = new Consumer([
    'consumer_key' => 'Your_Twitter_Consumer_Key',
    'consumer_secret' => 'Your_Twitter_Consumer_Secret',
    'callback' => 'http://oauth.evaengine.com/EvaOAuth/examples/access.php?provider=twitter'
]);
$requestToken = $consumer->getRequestToken(new Providers\Twitter());
```

The actual request is:

```http
POST /oauth/request_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="EJfeZQdOH78AoyBbkzvDC1i4WXhNxLIu",
    oauth_signature="GbqGXuWX%2Fixd0Sy5n%2Fw0XVb8My4%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429608693",
    oauth_version="1.0"
```
Step (B): the service provider returns the (unauthorized) request token in the response.

```http
HTTP/1.1 200 OK

oauth_token=request_token&oauth_callback_confirmed=true
```
Step (C): the consumer redirects the user to the provider's authorization page, passing the request token obtained in the previous step.

```php
$url = $consumer->getAuthorizeUri(new Providers\Twitter(), $requestToken);
header("Location: $url");
```

The actual response sent to the user agent is:

```http
HTTP/1.1 302 Moved Temporarily
Location: https://api.twitter.com/oauth/authorize?oauth_token=request_token
```
Step (D/E): the user authenticates with the provider and approves the consumer; the provider then redirects the user back to the consumer's callback with the authorized request token and a verification code.

```http
HTTP/1.1 302 Moved Temporarily
Location: http://oauth.evaengine.com/EvaOAuth/examples/access.php?oauth_token=request_token&oauth_verifier=verifier_code
```
Step (F): the consumer requests an access token from the provider using the request token and the verification code.

```php
$accessToken = $consumer->getAccessToken(new Providers\Twitter(), $_GET, $requestToken);
```

The actual request is:

```http
POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="azXsE8bMNfHL3dhowv2lkjBrnGFCpq0y",
    oauth_signature="2BZupMcQXPKGubVNn5yO3zZ22Ic%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429615865",
    oauth_token="request_token",
    oauth_version="1.0"

oauth_verifier=verifier_code
```
Step (G): the provider returns an access token if the verification code is valid.

```http
HTTP/1.1 200 OK

oauth_token=access_token&user_id=14939075&screen_name=AlloVince
```
The consumer is now able to access protected resources with the access token.

```php
$httpClient = new \Eva\EvaOAuth\AuthorizedHttpClient($accessToken);
$httpClient->get('https://api.twitter.com/1.1/account/verify_credentials.json');
```

The actual request is:

```http
GET /1.1/account/verify_credentials.json HTTP/1.1
Host: api.twitter.com
Authorization: OAuth
    oauth_consumer_key="Your_Twitter_Consumer_Key",
    oauth_nonce="cd728qjmzvtudl9itqu5psxb3afbywoo",
    oauth_signature="PeiH2Vb66xexNmIo4Z4%2FRpyl1Vc%3D",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="1429619924",
    oauth_token="access_token",
    oauth_version="1.0"
```

Response:

```http
HTTP/1.1 200 OK

{"id":...}
```
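Every request above carries an `oauth_signature` computed with HMAC-SHA1 over a signature base string (RFC 5849 sections 3.4.1 and 3.4.2). The following added example, not part of EvaOAuth, shows both sides of that step: how the consumer signs the step (A) request and how a provider should verify it, including the timestamp window and nonce replay check that make the signature useful. The secret, the `verify_request` helper, the `seen_nonces` store and the `window` size are assumptions for illustration; the parameters mirror the step (A) request shown above.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample mirroring step (A); the consumer secret below is a placeholder.
REQUEST_A = {"oauth_consumer_key": "Your_Twitter_Consumer_Key",
             "oauth_nonce": "EJfeZQdOH78AoyBbkzvDC1i4WXhNxLIu",
             "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "1429608693", "oauth_version": "1.0"}

# RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is.
def pct(value):
    return quote(str(value), safe="-._~")

# Signature base string: METHOD & encoded base URL & encoded normalized params.
# `params` holds decoded oauth_* plus any query/body params, never oauth_signature.
# Base URL is scheme + host + path only (assumes no non-default port in the URL).
def base_string(method, url, params):
    u = urlsplit(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

# HMAC-SHA1 over the base string; key = encoded consumer secret & encoded token secret.
# Token secret is empty in step (A), the request-token secret in (F), the access-token
# secret for protected-resource calls.
def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

# Provider-side check (hypothetical helper): freshness window, nonce replay rejection,
# then constant-time comparison of the recomputed signature against the claimed one.
def verify_request(method, url, params, consumer_secret, token_secret,
                   seen_nonces, now, window=300):
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    if unsigned.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(unsigned["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > window:
        return False
    replay_key = (unsigned.get("oauth_consumer_key"), unsigned.get("oauth_token", ""),
                  unsigned.get("oauth_nonce"), ts)
    if replay_key in seen_nonces:
        return False
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    seen_nonces.add(replay_key)  # record only after a successful check
    return True
```

The header form shown in the requests above percent-encodes each value again (`%2F`, `%3D` in the signature), so decode header values before passing them as `params`.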