Luracast / Restler

Simple and effective multi-format Web API Server to host your PHP API as Pragmatic REST and/or RESTful API
http://luracast.com/products/restler/
GNU Lesser General Public License v2.1

Protected Restler with OAuth #68

Closed eduh closed 11 years ago

eduh commented 12 years ago

Are there examples how to protect Restler with OAuth ? Or are there ideas on adding OAuth features in the future ?

nickl- commented 12 years ago

We have briefly spoken about it and other auth methods too, but there are many other things that also need to be done.

Have you found reliable PHP modules? Any legwork you can do to simplify implementation will go a long way toward getting it done quicker. Looking forward to hearing more...

yankeeinlondon commented 12 years ago

I thought I'd seen this listed as something currently "under way" for the Restler 3.0 product. It certainly would make a big difference in its usefulness. Put me down as a +1 for this feature. To your question about existing modules ... when I looked around for PHP OAuth servers, the two that I bookmarked as potentially promising were:

  1. Fuel-oAuth2. It has a lot of focus on being a client but also has a server module too. Seemed quite extensible and modular. Still getting updates and has at least some modicum of documentation.
  2. FriendsOfSymfony. A more recently updated fork of the Quizlet oauth server.

Can't say I've gone into this very far but hope this helps.

eduh commented 12 years ago

For the client side, this package looks promising: http://www.phpclasses.org/blog/package/7700/post/1-Painless-OAuth-with-PHP.html

dinacel commented 12 years ago

I have implemented this library: https://github.com/fkooman/php-oauth-example-rs but it doesn't work with all flows (I only use the client-side flow with the "bearer"). I'd like to implement a rock-solid one, but when I search for one I only find recent libs (don't know if the maintainers will be serious) or old libraries with a large bug list and no updates... The OAuth 2 spec is a draft, so that's why my point of view is to search for the best implementation (the easiest and most readable) with a good maintainer, because it deals with authorization.

yankeeinlondon commented 11 years ago

I have been impressed with the level and quality of conversation taking place on: https://github.com/bshaffer/oauth2-server-php

arthurbouquet commented 11 years ago

I'm using Andy Smith's basic PHP library for OAuth 1.0a (not using OAuth 2.x). -> http://oauth.googlecode.com/svn/code/php/ Everything is working well with Restler.

I'm also using this library as a "client" to request some APIs secured with OAuth from PHP scripts, or directly in JavaScript using jsOAuth (http://bytespider.github.com/jsOAuth/)

Arul- commented 11 years ago

@arthurbouquet can you contribute an OAuth 1.0 example for the restler community? just create a working example, I can do the clean up and polishing if needed

@ksnyde yes https://github.com/bshaffer/oauth2-server-php seems impressive, I'm looking at porting their demo app to work on Restler 3.0

arthurbouquet commented 11 years ago

@Arul- Let me clean up my setup first (not using Restler's IAuthenticate implementation yet, for example) and switch to Restler 3, then I'll share my OAuth 1.0a example with the Restler community :-) I think I could do this by the end of next week. I'll keep you posted!

For information, Andy Smith's library is easy to implement and works fine, but it only supports OAuth 1.0a. It's not a problem for me as I don't want to use OAuth 2.x for security reasons (some reading here: http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ )

nickl- commented 11 years ago

Yeah! \o/ Happy Restler

yankeeinlondon commented 11 years ago

Whoo Hooo!

Arul- commented 11 years ago

Just to update you guys, I've ported this example from SILEX to Restler 3 using https://github.com/bshaffer/oauth2-server-php as @ksnyde suggested

I need to iron out few things and document everything properly before release, should be done in a weeks time :)

yankeeinlondon commented 11 years ago

Awesome. A few weeks time is perfect timing for me as well. I love it when timelines line up.

luceos commented 11 years ago

I'll be keeping my eyes on this request and will be implementing the feature within a few months myself. So if I can help or test in any way, just let me know.

Arul- commented 11 years ago

HTML View in Restler 3

OAuth requires html to get user permission etc

I have started working on HtmlFormat which will act as a debug view when we do not specify a template

When we specify a view using a @view comment, which can be a PHP, Mustache or Twig file, it will render the data using the specified view

This can come in handy for many things, we should be able to build web apps or web sites using Restler :)

You all can monitor the progress at https://github.com/Luracast/Restler/tree/features/html

Your contributions as suggestions, code, or test cases or anything is greatly appreciated :)

nickl- commented 11 years ago

@arthurbouquet @Luceos @ksnyde @dinacel @eduh give some help for @Arul- on this please guys!

chadhobson commented 11 years ago

Any update on this from Arul? Specifically, a tut or any documentation of how you ported bshaffer's oAuth server? I've got it up and running beside Restler but not sure how to hook them together as I'm still way too new to Restler.

ISTPdev commented 11 years ago

I'm going to play devil's advocate here and try and convince you that it's not any good to use oAuth. But for those of you stubborn people. Just use the iAuthenticate class. It's the best solution that will work with any authentication scheme. Including all oAuth ones.

Because oAuth 2.0 is non-interoperable it will be near impossible to really "implement". So you should indeed focus on examples. By the way did I mention iAuthenticate?

Anyway, moving on to some resources and reading material that is a must if you are considering implementing oAuth 2.0. Seriously... read these first!!

The last article is just a must-read. But it's long, so let me TL;DR it for you guys:

If you want your service to be used by everyone out there, be well supported by third parties, and to have them create all kinds of interesting software with it, do not use OAuth.

Even the original social networking sites behind OAuth decided they really need other options for different use-cases, such as Twitter's xAuth, or Yahoo offering Direct OAuth, which turns the entire scheme into a more complicated version of HTTP Basic Authentication, with no added benefits.

And, when I read that Comment on the page. I swear I actually Laughed out Loud:

I asked directly why they were switching to OAuth when their previous authentication methods were completely secure. His response was to say "Don't you know? OAuth is even more secure. It's the next generation of secure."

Let me close out by saying, that I don't mean to prevent anyone from using oAuth. It's your choice. But do not ask me to help you with oAuth. I simply do not want to work with it. That's all I'm saying. At the end of the day

OAuth is the new buzzword which has all the hype with none of the function.

Anyway, Don't take it personal if you take any offence. Just trying to help.

chadhobson commented 11 years ago

None taken at all. I've actually spent the last two days looking at the iAuthenticate class and, specifically, the example from the code. I think I've pretty much come to the conclusion that I can implement a similar authorization engine using a combination of keys and tokens that will be much simpler for everyone on both ends (provider and consumer).

For my particular needs, I essentially need three levels of access, which, for simplicity, I'll call "public", "protected" and "user".

I'll expose "public" methods like fetching the most recent ten posts to anyone who can make a GET call to my Restler URL. Done.

Then I'll have protected methods available only to clients with an access key and secret. These might include more advanced functions that I don't just want to give away or maybe I want to rate limit them like getting posts by category, time, etc. Again, just an example for simplicity.

Finally, I have these "user" tokens which would allow a client app to perform actions on behalf of a user such as making a post in their name. The client can pass a user's name/password (base64 encoded, perhaps) to get back a token which they can then use to interact with Restler (validated in iAuthenticate) on behalf of the user.

Stupid simple. Effective. What am I missing?
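One way the three levels described in the comment above could be wired into Restler, as an added example that is not code from the thread or from the Restler project. It assumes the Restler 3 RC interface (`__isAllowed` / `__getWWWAuthenticateString`, with a no-op `__setAuthenticationStatus` kept in case the branch's iFilter declares it), that methods tagged `@access protected` trigger the check while untagged methods are public, PHP >= 5.6 for `hash_equals` / `password_hash`, and a web server that passes the `Authorization` header through to PHP. The client, user and token stores are constructed stand-ins for a database (a static array does not survive across PHP requests), and the `ThreeLevelAuth`, `Login` and `Posts` names are hypothetical.

```php
<?php
// Added example (not from the thread or the Restler project): the public /
// client key+secret / user token scheme as one iAuthenticate class plus a
// token-issuing API class. All stores below are constructed stand-ins.
use Luracast\Restler\iAuthenticate;
use Luracast\Restler\RestException;

class ThreeLevelAuth implements iAuthenticate
{
    const LEVEL_PUBLIC = 0;
    const LEVEL_CLIENT = 1;
    const LEVEL_USER   = 2;

    /** Highest level the current request has proven; API methods read this. */
    public static $level = self::LEVEL_PUBLIC;
    /** Username the presented user token belongs to, if any. */
    public static $user = null;
    /** Stand-in clients table: key => secret (constructed sample). */
    private static $clients = array('demo-client' => 'demo-secret-rotate-me');
    /** Stand-in issued-tokens table: token => array(user, expires); a real
     *  deployment keeps this in a database or cache. */
    public static $tokens = array();

    public function __isAllowed()
    {
        // Level 2: "Authorization: Bearer <token>" issued by Login::post().
        $auth = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
        if (preg_match('/^Bearer\s+(\S+)$/i', $auth, $m)) {
            $t = isset(self::$tokens[$m[1]]) ? self::$tokens[$m[1]] : null;
            if ($t && $t['expires'] > time()) {
                self::$user  = $t['user'];
                self::$level = self::LEVEL_USER;
                return true;
            }
            return false; // bad or expired token: never fall back to a lower level
        }
        // Level 1: client key and secret in headers; secret compared in constant time.
        $key    = isset($_SERVER['HTTP_X_API_KEY'])    ? $_SERVER['HTTP_X_API_KEY']    : '';
        $secret = isset($_SERVER['HTTP_X_API_SECRET']) ? $_SERVER['HTTP_X_API_SECRET'] : '';
        if (isset(self::$clients[$key]) && hash_equals(self::$clients[$key], $secret)) {
            self::$level = self::LEVEL_CLIENT;
            return true;
        }
        return false; // Restler answers 401 with the header below
    }

    public function __setAuthenticationStatus($isAuthenticated = false) {}

    public function __getWWWAuthenticateString()
    {
        return 'Bearer realm="api"';
    }
}

class Login
{
    /**
     * Exchange a username and password for a short-lived user token.
     * Expose this only over HTTPS: base64 is encoding, not protection.
     * @url POST token
     */
    public function post($username, $password)
    {
        // Stand-in users table: username => bcrypt hash (constructed sample).
        $users = array('alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT));
        if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
            throw new RestException(401, 'Invalid credentials');
        }
        $token = bin2hex(openssl_random_pseudo_bytes(32)); // 256-bit random, unguessable
        ThreeLevelAuth::$tokens[$token] = array('user' => $username, 'expires' => time() + 3600);
        return array('token' => $token, 'expires_in' => 3600);
    }
}

class Posts
{
    /** Public: no tag, so Restler never calls __isAllowed() for GET /posts. */
    public function index()
    {
        return array('posts' => array('the latest ten would go here'));
    }

    /**
     * Client level: a key+secret pair or a user token both satisfy this.
     * @access protected
     */
    public function category($name)
    {
        return array('category' => $name, 'level' => ThreeLevelAuth::$level);
    }

    /**
     * User level: acts on behalf of a user, so a client key alone is refused.
     * @access protected
     */
    public function post($body)
    {
        if (ThreeLevelAuth::$level < ThreeLevelAuth::LEVEL_USER) {
            throw new RestException(403, 'A user token is required to post');
        }
        return array('author' => ThreeLevelAuth::$user, 'body' => $body);
    }
}
// index.php: $r = new Luracast\Restler\Restler();
//   $r->addAuthenticationClass('ThreeLevelAuth');
//   $r->addAPIClass('Login'); $r->addAPIClass('Posts'); $r->handle();
```

The one design point worth keeping from this: a bad bearer token returns `false` immediately rather than falling through to the client-key check, so a client cannot present a forged user token and quietly end up with client-level access, and the level reached is recorded once per request where the API methods can inspect it.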

ISTPdev commented 11 years ago

Stupid simple. Effective. What am I missing?

I like Restler because of it's simplicity.

What I needed was server to server API with Authentication and it was just for me. To my surprise a simple token key works just fine. And because the browser or my specific connection is not involved in the actual request to the API, it cannot be stolen. And If I ever wanted to make the API accessible to non-apps where the request was made from my own home computer, then all I needed for a secure connection is the use of HTTPS on my domain.

oAuth is very complicated, and not any more secure at all than alternatives. So if it's simple and it works, you achieved your goal. Like mentioned, if you know some PHP, looking at the iAuthenticate class can get you pretty far.

Arul- commented 11 years ago

Guys,

Apologies for disappearing, and thanks for holding up. The feature I was waiting for (@format) is now completed and available on features\html branch

I just need to dust my old OAuth example and touch it up for the new feature compatibility

Hope to get it done this week

bshaffer commented 11 years ago

Wow, this is great! Please let me know how I can assist you in implementing my OAuth2 server library.

Once the Restler example is complete, we can add it to the cookbook documentation, which I hope to push live very soon.

Arul- commented 11 years ago

That will be great @bshaffer, thanks for your support :)

yankeeinlondon commented 11 years ago

If there's any way I can contribute to this documentation I'd be happy to help. I'm probably best off just starting as a reviewer but I don't mind getting my hands dirty if there's something I can contribute to the conversation.

@Arul- on a side note, do you still feel you're on track for EOW? No pressure, just wanted to try to plan around that as much as is possible.

Arul- commented 11 years ago

Hello Everyone,

I'm very glad to say that OAuth 2 example is finally in :) in the features\html branch

It is not documented at the moment, but here is what you need to do to try it out

OAuth 2 Demo on your localhost

  1. download the latest copy from features\html branch
  2. run composer update to make sure you have
    • twig template library
    • bshaffer's oauth2 library
  3. make sure public/examples/_014_oauth2_client/cache and public/examples/_015_oauth2_server/cache have write permissions to create the compiled template files
  4. make sure public/examples/_015_oauth2_server/OAuth2/db has write permission, this is where the oauth.sqlite file will be created at run time
  5. point your browser to examples/_014_oauth2_client to play around

@bshaffer Please take a look and pass me your comments; currently I'm only using v0.3, your support to port it to v0.9 will be greatly appreciated :)
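For anyone in the position of the earlier question (bshaffer's server running beside Restler, but not hooked together), here is the resource-server half of that hookup as an added example. It is not code from the thread, from the Restler examples or from bshaffer's cookbook page. It assumes the Restler 3 RC iAuthenticate interface, the library's current namespaced API (`OAuth2\Server`, `OAuth2\Storage\Pdo`, `OAuth2\Request`, `verifyResourceRequest`, `getAccessTokenData`) rather than the v0.3 the demo was written against, and an sqlite database already created with the library's schema at the path used below; the `OAuth2Auth` and `Profile` names are hypothetical.

```php
<?php
// Added example (not from the thread, the Restler examples or bshaffer's docs):
// a Restler iAuthenticate that makes the API an OAuth 2 resource server by
// validating bearer tokens against the token store of bshaffer/oauth2-server-php.
use Luracast\Restler\iAuthenticate;
use OAuth2\Server;
use OAuth2\Storage\Pdo as PdoStorage;
use OAuth2\Request;

class OAuth2Auth implements iAuthenticate
{
    /** Token record of the current request: user_id, client_id, scope, expires. */
    public static $tokenData = null;
    /** Scope the protected method requires; null means any valid token. */
    public static $requiredScope = null;
    private static $server = null;

    private static function server()
    {
        if (self::$server === null) {
            // Assumed path: the sqlite file the _015 demo creates in OAuth2/db.
            $storage = new PdoStorage(array('dsn' => 'sqlite:' . __DIR__ . '/OAuth2/db/oauth.sqlite'));
            self::$server = new Server($storage);
        }
        return self::$server;
    }

    public function __isAllowed()
    {
        $server  = self::server();
        $request = Request::createFromGlobals();
        // Checks the "Authorization: Bearer" header, token existence, expiry and,
        // when $requiredScope is set, that the token was granted that scope.
        if (!$server->verifyResourceRequest($request, null, self::$requiredScope)) {
            return false; // Restler replies 401 with the header below
        }
        self::$tokenData = $server->getAccessTokenData($request);
        return true;
    }

    public function __setAuthenticationStatus($isAuthenticated = false) {}

    public function __getWWWAuthenticateString()
    {
        return 'Bearer realm="restler"';
    }
}

class Profile
{
    /**
     * Returns who the token was issued to; never trust a user id from the
     * request itself, only the one bound to the validated token.
     * @access protected
     */
    public function index()
    {
        $t = OAuth2Auth::$tokenData;
        return array('user_id' => $t['user_id'], 'client_id' => $t['client_id'], 'scope' => $t['scope']);
    }
}
// index.php: $r = new Luracast\Restler\Restler();
//   $r->addAuthenticationClass('OAuth2Auth'); $r->addAPIClass('Profile'); $r->handle();
```

The authorization and token endpoints stay in the `_015_oauth2_server` demo (or wherever `OAuth2\Server::handleAuthorizeRequest` / `handleTokenRequest` are served); this class only consumes the tokens they issue. Setting `OAuth2Auth::$requiredScope` before a call is how a method such as one that writes on the user's behalf can insist on a narrower scope than a read-only client was granted.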

Arul- commented 11 years ago

:+1: @ksnyde you may help me by writing the documentation, take a look at how index.php is commented for examples below 013, you just need to add similar comment to index.php of 014 and 015

After trying out the demo, read the comments in both client and server classes, that should give a pretty good idea on what to write

Don't worry on being perfect, just write anything you feel is right, we can progressively improve it

yankeeinlondon commented 11 years ago

Awesome. Looking forward to digging into it this weekend!

yankeeinlondon commented 11 years ago

@Arul- I wanted to get the environment setup today in prep for the weekend work and I think maybe there's something a little broken at the moment. The initial page loads (as you can see below, I'm doing this over HTTP) but when you press the authorize button you get the error below:

[screenshot: 2013-07-18_08-12-50]

Pressing "Authorize" leads to:

[screenshot: 2013-07-18_08-13-10]

bshaffer commented 11 years ago

I've added this to our documentation: http://bshaffer.github.io/oauth2-server-php-docs/cookbook/restler/

If this gets updated (the branch changes, etc), you can submit a PR or open an issue. Thanks guys, good work!

Arul- commented 11 years ago

Thanks @bshaffer, I will submit the PR when there is an update

@ksnyde I noticed that the Restler Autoloader is having trouble loading the OAuth2\Server class (will check that out later), that's why I'm manually including it.

Just make sure OAuth2\Server is available for index.php, then it should work as expected

yankeeinlondon commented 11 years ago

Yesterday was a wasted day due to my dog getting sick but I'm looking at it now. First obvious problem is that the example 014's button points to the wrong directory. I added /../ to the $serverUrl and it now works:

    public function __construct()
    {
        if (!self::$serverUrl)
            self::$serverUrl = dirname(Util::$restler->_baseUrl) . '/../_015_oauth2_server';
        self::$authorizeRedirectUrl = Util::$restler->_baseUrl . '/authorized';
        if (!self::$authorizeUrl) {
            self::$authorizeUrl =
                self::$serverUrl . '/authorize';
        }
    }

I'm still not sure of the best way of communicating these things to you. Does this work, or would you want me to fork and do a pull request (something I've not done before but happy to give it a go)?

Arul- commented 11 years ago

Sharing this way works, but pull requests are best. I will check this one out

yankeeinlondon commented 11 years ago

OK, I just forked and after pointing my web server to the forked version I'm embarrassed to say it is working there. I have no idea why it would be different, but don't waste your time on it right now.

yankeeinlondon commented 11 years ago

BTW, do you generate your readme.html from your readme.md files? Just trying to decide if authoring the markdown or html file is best. I'd prefer to just work off the markdown.

Arul- commented 11 years ago

You work only on index.php, using the other index.php files as examples

The comments in index.php are parsed, and the whole setup generates readme.md first and then readme.html

yankeeinlondon commented 11 years ago

Ok. Fancy. BTW, would you consider collapsing 014 and 015 into just one section? I think it will be more intuitive to the users to have a single section on OAuth integration.

Arul- commented 11 years ago

Nope, I thought about it first, but that won't work for various reasons

In a way it is good as we can write in detail about client and server

yankeeinlondon commented 11 years ago

Oh, is there a way for me to generate the md and html files just to see it working as I'm going through it?

Arul- commented 11 years ago

Not at the moment, that setup is not straight forward now, will work on it later

yankeeinlondon commented 11 years ago

Are bold and italics markdown valid for commenting?

Arul- commented 11 years ago

Yes. don't worry much about formatting, we can always get back to it later

yankeeinlondon commented 11 years ago

I'm a big fan of pictures and so this is my v0.1 drawing of the Authorization Code grant workflow. Comments? Thoughts?

[diagram: 2013-07-21_10-22-43]

Arul- commented 11 years ago

It's pretty good and clear :+1:

yankeeinlondon commented 11 years ago

Ok, have a very rough draft at:

 https://github.com/ksnyde/Restler

As is always the case with my first drafts ... it's too wordy. I'll cut that down in the next rev but I want to get an implementation up and running for me first and then I'll be able to write about it with more nuance. Please have a look and give me your comments. Also, if it's not too much effort it would be nice to see how this is turning out visually using your documentation generation process.

Arul- commented 11 years ago

I have pulled in and made some minor tweaks and pushed the changes back to features\html branch here, take a look

generated readme files will follow ( need to fix some bugs on the builder)

Arul- commented 11 years ago

@ksnyde I have committed the generated readme files along with some more tweaks

Check it out

Overall the documentation has come out very well :+1:

You can continue editing it further while I'm fixing the bugs in the help builder

yankeeinlondon commented 11 years ago

@Arul- I've made a few more changes. My editor got a little funny with the triple-backtick that I just added so might be worth checking that all is ok with it but it should be fine I think. Overall I think it's coming along quite nicely. I like your attention to detail around language ... it's always so important to be consistent and I knew there were some inconsistencies but it looks like you picked them up straight away. :^)

Arul- commented 11 years ago

Updated the readme files :)

FYI: Some of my language changes are just to compensate for the issues in my help building system ;)

Arul- commented 11 years ago

OAuth 2 is now present in V3 branch with Restler 3 RC4