Help with OAuth (in PHP)
Wednesday, June 15, 2011 12:16 AM
For the past week or so I’ve been learning OAuth to use as the login functionality and authorization for a personal app I’m making (shh, it’s a secret). I’ve played with OAuth a little in the past while tinkering with another app to connect to Foamee via Twitter, but that was relatively easy as the library I used already did most of what I wanted. This time around it was much harder. Maybe it was difficult because I don’t come from any sort of deep programming background, or maybe because I approached it thinking it would be a cake-walk. In any case, I wanted to give a couple of thoughts about what I learned. They probably seem really silly and basic, but they were my mental hurdles and maybe they’ll be yours too. This won’t be a step-by-step how-to, but maybe it will help you wrap your head around some things.
These are somewhat disjointed thoughts, but afterward I will give a basic walk through that hopefully will flesh out some details too. I’m trying to hit on points that stumped me some in hopes that it will help you move forward and learn quicker than me.
While I don’t want to reveal too much of what I am working on quite yet, it does use Google’s API (hence the need for OAuth). Google has extensive documentation, but it isn’t always up to date. With such a wide range of technologies and versions, just be prepared to do a little sleuthing and trial and error to find which version of an API you need to use. In addition to that, the discussion lists are great resources. Search them. Not only are others possibly dealing with similar issues, but Google employees and programmers are helping and posting answers there.
Code libraries are not silver bullets. I’m writing my app in PHP. A library can save you from writing a lot of code, but you still need to have a bit of a grasp behind the technology. I found that the libraries I looked at were either bloated, trying to do everything (which complicates the issue if you don’t completely understand the technology), or they were so basic that some core functionality, it would seem, wasn’t there. I ended up writing in some modifications to one of the libraries I used. Understand that a code library is not plug-and-play. You still need to learn its functions and how to use it. Hopefully it has good documentation, but that’s not always true. Read through the code and comments. Read discussion boards.
Because of what I’m doing, OAuth in the Google API wasn’t enough. I needed to also use OpenID to connect. So I switched from OAuth doing both authentication (logging in) and authorization (allowing me access to user data) to just the latter. So I had to figure out how to use OpenID for authentication and make it play nice with OAuth. Yes, dancing between multiple APIs and similar words was confusing. The PHP libraries for these are written in classes (object-oriented programming, or OOP). I learned PHP before it did OOP well, so that was a little added learning too. I knew the idea behind the practice, but I recommend that if you don’t already have a handle on classes, you learn that before jumping in. Just get a basic understanding, nothing major. Learn about private, public, protected and how the general concept works.
The last thing I learned, and probably what should have been the simplest, but I struggled with, is how to implement the GET and POST requests from the Google API. I’ll claim that my brain was fried after a week of poring over API docs, multiple libraries, official specs, and new programming methods. For example, this is what Google tells you to do to find a user’s recent public activity in Google Buzz:
I wasn’t sure what to do with that at first, especially when it came to POST methods. Is that some sort of command line thing? Or is it just a cryptic generic command? I’ve found that it’s never really explained with these things. When you go to get a code base from Google Code, the first way they provide it is using Subversion through a command line:
“svn checkout http://gdata-samples.googlecode.com/svn/trunk/ gdata-samples-read-only”
Yeah, I’m sorry, this is 2011, and I use a GUI operating system. Can’t you just give me a ZIP? Yes, they link to client programs that can access the SVN, but it’s an afterthought.
The whole thing is really not set up in a manner that makes for an easy entry point, which I think is the whole problem. You are told what to do, but not how to do it. Nothing I learned this week was exceptionally difficult, but it was poorly explained, which steepened the learning curve.
To get back to the API commands, figure out how to do a GET or POST in whatever language you are using. For me, with GETs, that meant I had to use OAuth to create a URL to access with file_get_contents() or cURL. I believe there are other options as well. The OAuth library builds the URL for you, since the special OAuth parameters that authorize access to the data need to be attached to it. You don’t need the library to create this URL, but it’s easier than doing it yourself (though really it is doing it yourself, just with pre-fabricated code).
When it came to POST, I stuttered for a while. You have to send data, but not as normal query string parameters (those are GET variables). The data is part of the “body” of the request. Really, my best advice here is to read and use this. Be sure to read a few comments too. Your web server may not allow the PHP function fopen(), and you may need to use cURL. cURL is very common, so you should be able to find a lot of help on it.
Lastly, just keep trying and pushing. Take it in little pieces. Take each step of the OAuth or OpenID connection one at a time. I wish I could give easy step-by-step instructions, but there are resources out there for that. Google does a decent job explaining the OAuth flow. The harder part is keeping it all in your head and using it for your specific project. And since each project is unique, it’s not easy to give a list of what you should do to achieve your goals.
Okay, with those thoughts there, here is a small explanation of how OAuth happens. Read a few of these articles; it will make things clearer.
OAuth is a way for your application to access the user’s data within another application. Your application needs to send the user to the site with the data you want to access, to have them log in and approve your application. (The point of this is to keep your app from ever needing to see their login credentials.) So, in your application, you give the user a way to start the process: a link or button, for example. When this is clicked, your app needs a Request Token to give to the user when they go to authenticate. So the click loads a script on your app which builds a URL (given by the API). This is where the OAuth library is helpful – in building these URLs. Then the app performs a GET of that URL. In PHP I used file_get_contents() to do this. At this point, the user is technically still on your website, loading data from your files. Your file has gone and retrieved data from another site, but the user has not left. The returned data includes the Request Token and Secret. Attach these items to another API supplied URL and then sendread this article.
By the end of this dance, your script has accessed the API twice through the GET method and sent the user over to the API site to log in and approve your app one time in between those GETs.
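Here is the dance above, together with the GET-by-URL and POST-with-body requests from the earlier section, written out in PHP. This is an added example, not code from this post or from any OAuth library or Google SDK; it builds the signed URLs by hand (OAuth 1.0 HMAC-SHA1 signing as specified in RFC 5849, which is what the Google APIs of the time used), so you can see what a library is doing for you. The provider endpoints, the consumer key and secret, the tokens, the callback URL and the pinned nonce/timestamp are all placeholders, and the function names are my own. Run from the command line it only prints the URLs and header it would send; the network calls are there as one-line helpers, commented out in the walk-through so the script runs offline.

```php
<?php
// Added example: minimal OAuth 1.0 HMAC-SHA1 signer (RFC 5849) plus the GET-by-URL and
// POST-with-body helpers the post describes. Hosts, keys, tokens, nonce and timestamp are placeholders.

// OAuth 1.0 requires RFC 3986 percent-encoding, which rawurlencode() produces (space -> %20, "~" untouched).
function oauth_encode(string $v): string { return rawurlencode($v); }

// Signature base string: METHOD & enc(base URL) & enc(normalized params).
// $url must carry no query string; every query or form-body parameter goes in $params.
function oauth_base_string(string $method, string $url, array $params): string {
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = [oauth_encode((string)$k), oauth_encode((string)$v)];
    }
    // Normalization order: by encoded key, then by encoded value.
    usort($pairs, function ($a, $b) { return strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]); });
    $normalized = implode('&', array_map(function ($p) { return $p[0] . '=' . $p[1]; }, $pairs));
    return strtoupper($method) . '&' . oauth_encode($url) . '&' . oauth_encode($normalized);
}

// HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret" (both encoded; token secret may be empty).
function oauth_signature(string $method, string $url, array $params, string $consumerSecret, string $tokenSecret = ''): string {
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', oauth_base_string($method, $url, $params), $key, true));
}

// The oauth_* protocol parameters. A fresh nonce and the current time are used unless pinned by the caller.
function oauth_params(string $consumerKey, string $token = '', ?string $nonce = null, ?int $timestamp = null): array {
    $p = [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => $nonce ?? bin2hex(random_bytes(16)),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string)($timestamp ?? time()),
        'oauth_version'          => '1.0',
    ];
    if ($token !== '') { $p['oauth_token'] = $token; }
    return $p;
}

// GET style: everything, signature included, goes in the query string. This is the "special URL"
// the post fetches with file_get_contents().
function oauth_signed_url(string $url, array $query, string $consumerKey, string $consumerSecret,
                          string $token = '', string $tokenSecret = '', ?string $nonce = null, ?int $ts = null): string {
    $params = oauth_params($consumerKey, $token, $nonce, $ts) + $query;   // oauth_* keys cannot be overridden by $query
    $params['oauth_signature'] = oauth_signature('GET', $url, $params, $consumerSecret, $tokenSecret);
    return $url . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// POST style: oauth_* parameters travel in an Authorization header, the payload in the body.
// Only application/x-www-form-urlencoded fields ($formFields) are signed; a JSON body is not, so pass [].
function oauth_auth_header(string $method, string $url, array $formFields, string $consumerKey, string $consumerSecret,
                           string $token = '', string $tokenSecret = '', ?string $nonce = null, ?int $ts = null): string {
    $oauth = oauth_params($consumerKey, $token, $nonce, $ts);
    $oauth['oauth_signature'] = oauth_signature($method, $url, $oauth + $formFields, $consumerSecret, $tokenSecret);
    $parts = [];
    foreach ($oauth as $k => $v) { $parts[] = oauth_encode($k) . '="' . oauth_encode($v) . '"'; }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

// Fetch a token endpoint and parse its form-encoded reply (oauth_token=...&oauth_token_secret=...).
function oauth_fetch_token(string $signedUrl): array {
    parse_str((string)file_get_contents($signedUrl), $out);
    return $out;
}

// POST a body with cURL, the fallback the post suggests when fopen()/file_get_contents() URL access is disabled.
function oauth_post(string $url, string $body, string $contentType, string $authHeader) {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => [$authHeader, 'Content-Type: ' . $contentType],
        CURLOPT_RETURNTRANSFER => true,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}

// --- The dance, step by step, against placeholder endpoints; nothing below touches the network. ---
$ck = 'PLACEHOLDER_CONSUMER_KEY'; $cs = 'PLACEHOLDER_CONSUMER_SECRET';
$nonce = 'fixednonce1234'; $ts = 1308096000;   // pinned only so the printed output is reproducible

// 1. Your script GETs a request token; the user is still on your site.
$step1 = oauth_signed_url('https://provider.example/oauth/request_token',
    ['oauth_callback' => 'https://your-app.example/callback.php'], $ck, $cs, '', '', $nonce, $ts);
// $req = oauth_fetch_token($step1);   // oauth_token + oauth_token_secret; keep the secret server-side (session)

// 2. Send the user to the provider to log in and approve; it redirects back to your callback with oauth_verifier.
$step2 = 'https://provider.example/oauth/authorize?oauth_token=' . rawurlencode('PLACEHOLDER_REQUEST_TOKEN');
// header('Location: ' . $step2);

// 3. In callback.php, exchange the approved request token (signed with its secret) for an access token.
$step3 = oauth_signed_url('https://provider.example/oauth/access_token', ['oauth_verifier' => 'PLACEHOLDER_VERIFIER'],
    $ck, $cs, 'PLACEHOLDER_REQUEST_TOKEN', 'PLACEHOLDER_REQUEST_SECRET', $nonce, $ts);
// $acc = oauth_fetch_token($step3);   // the access token + secret used for every API call from now on

// 4. An API POST with a JSON body, authorized with the access token via the header.
$hdr = oauth_auth_header('POST', 'https://provider.example/api/activities', [], $ck, $cs,
    'PLACEHOLDER_ACCESS_TOKEN', 'PLACEHOLDER_ACCESS_SECRET', $nonce, $ts);
// $resp = oauth_post('https://provider.example/api/activities', json_encode(['data' => ['object' => ['content' => 'hi']]]), 'application/json', $hdr);

echo "1. GET  $step1\n2. Redirect user to $step2\n3. GET  $step3\n4. POST with header: $hdr\n";
```

Two things worth noticing in the output: the request-token and access-token URLs differ only in the token and the secret used in the HMAC key (an empty token secret for step 1, the request token’s secret for step 3), and the POST carries no OAuth parameters in the URL at all, which is exactly why the body data is not a query string. Each request must use a fresh nonce and the current timestamp; the pinned values here are for the printout only.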
If you’ve made it all the way to the end of this, I’m very impressed. I feel like everything I just wrote makes this whole concept as clear as mud. I found OAuth to be the type of thing where if I could have asked someone small specific questions during the process I would have moved much quicker and grokked the concept in a day or two, not a week. If something in here doesn’t make sense, or you are stuck in your process, feel free to email me or hit me up on Twitter @philiprenich.