Proposal for "OAuth"

» Metadata
  • Category: Web Services
  • Proposer: Pádraic Brady
  • License: BSD Style
» Status
  • Status: Proposed
» Description
An implementation of the OAuth Core 1.0 Specification in PHP5.

The OAuth Core protocol was published in its final 1.0 Specification on 4 December 2007. It is a protocol that allows websites, web applications or desktop applications to access Service Resources via an API without requiring Users to disclose their credentials. It is an open and decentralised protocol.

A simple use case would be Twitter. At present, Twitter applications such as Spaz.air or Twitterer usually require a User's login username and password (their credentials) in order to access the timeline of the other Users they are following or to send updates (tweets). This creates a risk that such applications may use those credentials to change the User's password, send tweets without their permission, or perform any other unauthorised action that authenticating with a username and password allows.

With OAuth, such an application can perform a limited set of authorised actions without the User ever disclosing their credentials to it. In effect this is similar to establishing an API Key, and OAuth indeed builds upon existing standards. The net effect, however, is one of limited access: with OAuth, external applications are granted a defined, limited authorisation, which can be restricted according to function, resource or timeframe.

OAuth is therefore also well suited to situations in which a Service Provider does not know a User's credentials at all, as is the case when the Provider implements OpenID. With OpenID, credentials are centralised at a single OpenID Provider, so implementing Consumers need an alternative means of allowing authenticated Users to access their Service Resources via an API. OAuth is not an OpenID extension, but it does complement it.

The implementation of OAuth is quite flexible: the specification is marked "Core" to highlight that Service Providers may create extensions and use more secure or different means of exchanging messages.

This package will implement the entirety of the OAuth Core 1.0 Final specification including both a Consumer and Server. It will also implement the OAuth Discovery 1.0 Extension at a minimum.
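The following is an added example and is not code from the proposed PEAR package. It is written in Python rather than PHP so that it runs stand-alone, and it shows the protocol rules that any OAuth Core 1.0 Consumer and Server must agree on for a signed request to verify: parameter encoding (section 5.1), request URL and parameter normalisation (section 9.1), the signature base string (section 9.1.3), HMAC-SHA1 signing (section 9.2), and provider-side verification with the nonce and timestamp replay check of section 8. The consumer key, secrets, nonce, timestamp and request URL are the sample values from Appendix A of the specification; the ServiceProvider class, its five-minute skew window and its in-memory nonce set are assumptions of this example, not anything the package defines.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

def oauth_encode(value):
    # Section 5.1: percent-encode all but the RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")

def normalize_url(url):
    # Section 9.1.2: lower-case scheme and host, drop default port, query and fragment.
    p = urlsplit(url)
    host = p.hostname.lower()
    if p.port is not None and p.port != {"http": 80, "https": 443}.get(p.scheme.lower()):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"

def normalize_params(pairs):
    # Section 9.1.1: encode, drop oauth_signature, sort by name then value, join with = and &.
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in encoded)

def signature_base_string(method, url, oauth_params):
    # Section 9.1.3: METHOD & enc(normalised URL) & enc(normalised oauth_* + query parameters).
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = normalize_params(list(oauth_params.items()) + query)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(params)])

def hmac_sha1_sign(base_string, consumer_secret, token_secret=""):
    # Section 9.2: key = enc(consumer secret) & enc(token secret); the token secret may be empty.
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"
    mac = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def sign_request(method, url, consumer_key, consumer_secret, token=None,
                 token_secret="", nonce=None, timestamp=None):
    # Consumer side: build the oauth_* parameters, then attach the signature over them.
    params = {"oauth_consumer_key": consumer_key,
              "oauth_nonce": nonce or secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(timestamp or int(time.time())),
              "oauth_version": "1.0"}
    if token:
        params["oauth_token"] = token
    base = signature_base_string(method, url, params)
    params["oauth_signature"] = hmac_sha1_sign(base, consumer_secret, token_secret)
    return params

class ServiceProvider:
    """Server side (an assumed design, not the package's API): recompute the signature
    from stored secrets and reject stale timestamps and replayed nonces (section 8)."""
    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens = consumers, tokens   # key -> secret lookups
        self.window, self.seen = window, set()           # clock skew (s), used nonces

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token = params.get("oauth_token", "")
        ts = str(params.get("oauth_timestamp", ""))
        if consumer_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        if (token and token not in self.tokens) or "oauth_nonce" not in params or not ts.isdigit():
            return False
        if abs(now - int(ts)) > self.window:
            return False
        replay_key = (params["oauth_consumer_key"], token, ts, params["oauth_nonce"])
        if replay_key in self.seen:
            return False
        base = signature_base_string(method, url, params)
        expected = hmac_sha1_sign(base, consumer_secret, self.tokens.get(token, ""))
        # Constant-time comparison: a plain == would leak signature bytes through timing.
        if not hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode()):
            return False
        self.seen.add(replay_key)
        return True

# Sample values from Appendix A of the OAuth Core 1.0 specification.
SPEC = {"consumer_key": "dpf43f3p2l4k3l03", "consumer_secret": "kd94hf93k423kf44",
        "token": "nnch734d00sl2jdk", "token_secret": "pfkkdhi9sl3r4s00",
        "nonce": "kllo9940pd9333jh", "timestamp": 1191242096,
        "url": "http://photos.example.net/photos?file=vacation.jpg&size=original"}

def spec_example():
    # Sign the Appendix A request and check it as the Service Provider would, evaluated at
    # the request's own 2007 timestamp so the skew window does not reject it.
    p = sign_request("GET", SPEC["url"], SPEC["consumer_key"], SPEC["consumer_secret"],
                     SPEC["token"], SPEC["token_secret"], SPEC["nonce"], SPEC["timestamp"])
    sp = ServiceProvider({SPEC["consumer_key"]: SPEC["consumer_secret"]}, {SPEC["token"]: SPEC["token_secret"]})
    fresh = ServiceProvider(sp.consumers, sp.tokens)
    return {"base_string": signature_base_string("GET", SPEC["url"], p),
            "signature": p["oauth_signature"],
            "verified": sp.verify("GET", SPEC["url"], p, now=SPEC["timestamp"]),
            "replay": sp.verify("GET", SPEC["url"], p, now=SPEC["timestamp"]),
            "tampered": fresh.verify("GET", SPEC["url"].replace("original", "large"), p, now=SPEC["timestamp"])}

if __name__ == "__main__":
    for name, value in spec_example().items():
        print(name, "=", value)
```

Two details matter for interoperability between a Consumer and a Server written by different people: the percent-encoding must use exactly the RFC 3986 unreserved set (so "~" stays and "/" becomes %2F), and the request URL must be normalised before it enters the base string, otherwise a request to HTTP://Photos.Example.net:80/photos signs differently from one to http://photos.example.net/photos even though the server treats them identically. The second verify call returns False because the nonce and timestamp pair has already been used; a real provider would persist that state rather than hold it in memory.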
» Dependencies
  • HTTP_Request
  • PEAR_Exception
  • Crypt_HMAC2
  • Net_URL2
» Links
» Timeline
  • First Draft: 2007-10-15
  • Proposal: 2008-06-23
» Changelog
  • Pádraic Brady
    [2008-06-28 00:13 UTC]

    Updated proposal for new OAuth-0.0.2 package download adding support for RSA-SHA1 signing, corrected URL normalisation using Net_URL2 and enhanced support for the newly released OAuth support for all Google Data APIs.

    0.0.3 should be released over the weekend to facilitate some additional refactoring and patching of the test suite for a few things.
  • Pádraic Brady
    [2008-07-02 11:33 UTC]

    Almost complete - this 0.0.3 release aggregates a collection of changes implemented to complete the feature set of an OAuth Consumer, and to support several specification rules omitted previously.

    The library has been confirmed to work flawlessly with the Ma.gnolia API. Due to some quirks, it will fail using the Google Data APIs however a fix is due shortly. Please note this package will not operate on PHP 5.3 at this time due to an apparent undocumented API change to the OpenSSL extension being relied upon for RSA signing.

    Other comments? The unit tests are slightly out of sync with an API change which is awaiting a patch in the coming day or two. The failures are known, and the reasons for all fails/errors recognised.

    I expect to open the proposal to voting once the last change set and amended unit tests flagging a few API updates are committed. If you have problems getting this to work (e.g. on an RSA or POST intolerant SP) please let me know.