PHP OAuth client and server process and implementation

Introduction:
1. OAuth is mainly used by third parties to obtain user resources; the typical case is third-party login authorization to obtain user information.
2. It is a protocol, RFC 5849 (not a piece of software or a service).
3. Authentication + authorization.

Flowchart: (image not included)

Flowcharts of the individual platforms (images not included): 163, Kaixinnet, Sina Weibo
Client and server implementation:
1. The flowchart shows that the following steps are required:
0. get the consumer key and consumer secret (outside the flowchart) [server/create_consumer.php]
1. get Request Token and Request Secret [client/get_request_token.php]
2. return Request Token and Request Secret [server/request_token.php]
3. redirect to the authorization page -> [server/authorize.php]
4. user authorization callback <-
5. obtain Access Token and Access Secret [client/get_access_token.php]
6. return Access Token and Access Secret [server/access_token.php]
7. call the API (outside the flowchart) [client/get_api.php]
8. return the data obtained by the API (outside the flowchart) [server/api.php]
Code directory structure: (image not included)
2. Code implementation process
0: server/create_consumer.php generates the consumer key and consumer secret for the client

```php
<?php
// each value is a 40-byte random token hashed with sha1 into a 40-character hex string
echo 'Consumer key: ' . sha1(OAuthProvider::generateToken(40)) . '<br />';
echo 'Consumer secret: ' . sha1(OAuthProvider::generateToken(40));
```
OAuthProvider: the OAuth provider class.
generateToken: generates a random token. This is the function that matters here, and its second parameter ($strong) deserves attention for performance: it selects between /dev/random (true) and /dev/urandom (false), and the two differ in performance because /dev/random may block until enough entropy is available. The parameter is not described in detail here; choose it according to your project.
For more on the performance difference, see the discussion of /dev/random in the Mcrypt documentation.
sha1: hashes the random token into a 40-character hex string (the consumer key and secret above). OAuth request signatures themselves are generated with the HMAC-SHA1 algorithm:
Baidu: OAuth requests can use the HMAC-SHA1 or MD5 algorithm to generate the signature.
Sina Weibo: OAuth requests all use the HMAC-SHA1 algorithm to generate the signature.
Kaixinnet: signature method, currently only HMAC-SHA1 is supported.
Running result: (screenshot not included)
1: client/get_request_token.php gets the Request Token and Request Secret

```php
<?php
// consumer key/secret from step 0; the endpoint URLs are placeholders for your own server and client
$consumer_key    = '2b4e141bf09beecdeb3479cd106038100febf399';
$consumer_secret = 'fab40ca819c25d5fb4abf3e7cae8da5c25b67d05';
$request_url   = 'http://SERVER/request_token.php';
$authorize_url = 'http://SERVER/authorize.php';
$callback_url  = 'http://CLIENT/get_access_token.php';
$OAuth = new OAuth($consumer_key, $consumer_secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
$tokenInfo = $OAuth->getRequestToken($request_url . '?callback_url=' . $callback_url . '&scope=all');
session_start();
// keep the request secret for step 5; the request token travels through the authorization redirect
$_SESSION['oauth_token_secret'] = $tokenInfo['oauth_token_secret'];
// redirect the user to the server's authorization page
header('Location: ' . $authorize_url . '?oauth_token=' . $tokenInfo['oauth_token']);
```

The call $OAuth->getRequestToken($request_url . '?callback_url=' . $callback_url . '&scope=all') in the code above runs the server code of step 2.
2: server/request_token.php returns the request_token
Step 2 returns oauth_token, oauth_token_secret and oauth_callback_confirmed to the client code of step 1.
The client then redirects to step 3.
3: server/authorize.php, authorization verification. This page should be called back after the user enters an account and password; for the most basic implementation of the code, the user's explicit approval is omitted.
The verification here is deliberately simple: the third-party callback address is treated as authorized by default. (Normally the server looks up the third party's callback address in the database only after the user has authorized, and only then grants the oauth_token its permission; until that point the oauth_token remains unauthorized.)
The code above passes the authorized request_token (oauth_token) to step 5 via the callback address. (Step 4: this is where you would add a form submission so that the user explicitly confirms the authorization instead of it being granted automatically.)
5: client/get_access_token.php gets the access token

```php
<?php
session_start();
// consumer key/secret from step 0; the access-token URL is a placeholder for your own server
$consumer_key    = '2b4e141bf09beecdeb3479cd106038100febf399';
$consumer_secret = 'fab40ca819c25d5fb4abf3e7cae8da5c25b67d05';
$access_url      = 'http://SERVER/access_token.php';
$OAuth = new OAuth($consumer_key, $consumer_secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
// the request token arrives on the callback URL; its secret was stored in the session in step 1
$OAuth->setToken($_GET['oauth_token'], $_SESSION['oauth_token_secret']);
$tokenInfo = $OAuth->getAccessToken($access_url);
var_dump($tokenInfo);
```

The call $tokenInfo = $OAuth->getAccessToken($access_url); invokes step 6.
6: server/access_token.php returns the access token
The whole process from step 2 (get_request_token) to step 6 (server/access_token.php) is: obtain request_token -> return request_token -> user authorization verification (authorize) -> callback after successful verification -> get access token -> return access token.
The running result is as follows (screenshot not included):
The client is always redirected to get_access_token and receives the access_token and access_secret.
Now our client (a third-party platform) holds the following data:
$consumer_key: 2b4e141bf09beecdeb3479cd106038100febf399
$consumer_secret: fab40ca819c25d5fb4abf3e7cae8da5c25b67d05
$request_token: intermediate data of the program (generally has a limited validity period)
$request_secret: intermediate data of the program (generally has a limited validity period)
$access_token: [value not legible in the source] (generally has an unlimited validity period)
$access_secret: c77463aff2c1abbd670cfb03df4bb00007910cb78 (generally has an unlimited validity period)
Now we can use these parameters to run step 7 (get_api.php) against step 8 (api.php).
7: client/get_api.php obtains the user data from the API

```php
<?php
// consumer key/secret from step 0 and access token/secret from step 6; the API URL is a placeholder
$consumer_key    = '2b4e141bf09beecdeb3479cd106038100febf399';
$consumer_secret = 'fab40ca819c25d5fb4abf3e7cae8da5c25b67d05';
$access_token    = 'ACCESS_TOKEN_FROM_STEP_6';
$access_secret   = 'ACCESS_SECRET_FROM_STEP_6';
$api_url         = 'http://SERVER/api.php';
$OAuth = new OAuth($consumer_key, $consumer_secret, OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);
$OAuth->setToken($access_token, $access_secret);
// signed POST to the protected resource; the response body is available via getLastResponse()
$result = $OAuth->fetch($api_url, array(), OAUTH_HTTP_METHOD_POST);
echo $OAuth->getLastResponse();
```
8: server/api.php returns the user data

```php
<?php
function consumerHandler($Provider) {
    // look up $Provider->consumer_key in your store; the secret is hard-coded in this minimal version
    $Provider->consumer_secret = 'fab40ca819c25d5fb4abf3e7cae8da5c25b67d05';
    return OAUTH_OK;
}
function timestampNonceHandler($Provider) {
    // minimal version: accepts every timestamp and nonce (a real server checks freshness and reuse)
    return OAUTH_OK;
}
function tokenHandler($Provider) {
    // minimal version: a fixed access token; a real server looks up $Provider->token in its store
    $Provider->token = '12b6f8f6d6930e0e4d1d024c0f520527d0b84d19';
    $Provider->token_secret = 'c77463aff2c1abbd670cfb03df4bb4247910cb78';
    return OAUTH_OK;
}
$OAuthProvider = new OAuthProvider();
$OAuthProvider->consumerHandler('consumerHandler');
$OAuthProvider->timestampNonceHandler('timestampNonceHandler');
$OAuthProvider->tokenHandler('tokenHandler');
try {
    // verifies the request signature using the secrets set by the handlers above
    $OAuthProvider->checkOAuthRequest();
} catch (Exception $exc) {
    die(var_dump($exc));
}
echo 'User Data..';
```
Download and running result: (links and screenshot not included)
Note: the code above runs once the PHP OAuth extension (v1.0) is installed and configured and php_curl is enabled.
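As an added example (not code from the post), the PHP 7.4+ snippet below shows what the HMAC-SHA1 signature method named above actually computes, following RFC 5849, and what a server-side timestampNonceHandler() should check instead of returning OAUTH_OK unconditionally as the api.php handler does. The hostnames, timestamp and nonce are constructed; the consumer key and secret are the post's own values.

```php
<?php
// Added example, not the post's code: the RFC 5849 HMAC-SHA1 signature the pecl OAuth client
// sends and OAuthProvider::checkOAuthRequest() verifies, plus the replay check the post's
// timestampNonceHandler() omits. Hostnames, timestamp and nonce below are constructed.
function rfc3986_encode(string $s): string {
    return str_replace('%7E', '~', rawurlencode($s));
}
// RFC 5849 3.4.1: METHOD & encoded base URL & encoded, byte-sorted "k=v" parameters (default ports assumed)
function oauth_base_string(string $method, string $url, array $params): string {
    $u = parse_url($url);
    if (isset($u['query'])) {
        parse_str($u['query'], $q);
        $params = array_merge($params, $q);   // the URL's query string is part of the parameter set
    }
    unset($params['oauth_signature']);   // a signature is never part of its own base string
    $enc = [];
    foreach ($params as $k => $v) {
        $enc[] = [rfc3986_encode((string)$k), rfc3986_encode((string)$v)];
    }
    usort($enc, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $base_url = strtolower($u['scheme'] . '://' . $u['host']) . ($u['path'] ?? '/');
    return strtoupper($method) . '&' . rfc3986_encode($base_url) . '&'
         . rfc3986_encode(implode('&', array_map(fn($p) => "$p[0]=$p[1]", $enc)));
}
// RFC 5849 3.4.2: HMAC key is "consumer_secret&token_secret" (token secret is empty in step 1)
function oauth_hmac_sha1_sign(string $base, string $consumer_secret, string $token_secret = ''): string {
    $key = rfc3986_encode($consumer_secret) . '&' . rfc3986_encode($token_secret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}
// What a real timestampNonceHandler() enforces: a freshness window and a single use per nonce
function check_timestamp_nonce(int $ts, string $nonce, array &$seen, int $now, int $window = 300): bool {
    if (abs($now - $ts) > $window || isset($seen[$nonce])) {
        return false;   // stale/future-dated request, or a nonce that was already used
    }
    $seen[$nonce] = $ts;    // $seen stands in for the server's table of used nonces
    return true;
}
// Step 1 of the post: the client signs its request-token call, the server re-checks it
function demo(): array {
    $secret = 'fab40ca819c25d5fb4abf3e7cae8da5c25b67d05';   // consumer secret from the post
    $url = 'http://server.example/request_token.php?callback_url=http://client.example/cb&scope=all';
    $p = ['oauth_consumer_key' => '2b4e141bf09beecdeb3479cd106038100febf399', 'oauth_nonce' => 'n1',
          'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1700000000', 'oauth_version' => '1.0'];
    $p['oauth_signature'] = oauth_hmac_sha1_sign(oauth_base_string('GET', $url, $p), $secret);
    $seen = [];   // server side: recompute, compare in constant time, then reject replays
    $valid = hash_equals(oauth_hmac_sha1_sign(oauth_base_string('GET', $url, $p), $secret), $p['oauth_signature']);
    $first = check_timestamp_nonce(1700000000, 'n1', $seen, 1700000010);
    $replay = check_timestamp_nonce(1700000000, 'n1', $seen, 1700000020);   // same nonce presented again
    return ['valid' => $valid, 'first_accepted' => $first, 'replay_accepted' => $replay];
}
```

Call demo() to see the server accept the freshly signed request and refuse the second presentation of the same nonce; wiring check_timestamp_nonce() into the post's timestampNonceHandler() (returning OAUTH_BAD_NONCE or OAUTH_BAD_TIMESTAMP on failure) closes the replay gap in api.php.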