OAuth - Realtime Web Apps: With HTML5 WebSocket, PHP, and jQuery

HTML and CSS Reference

In-Depth Information

OAuth Developer Workflow

The developer workflow for implementing OAuth in an app is fairly straightforward:

1.

Your app sends the user to the authorization endpoint , or uniform resource indicator

(URI), through which the API exposes an action, along with its credentials, its own

authorization endpoint, what permissions it requires, and a security token.

2.

The authorization endpoint for the service asks the user to confirm that your app is

allowed to access the API on the user's behalf.

3.

Assuming the user grants access, the service redirects the user back to your app's

authorization endpoint, along with authorization code and the security token from step 1.

4.

Your app requests an access token from the service's token endpoint by sending the

authorization code received in step 3, plus its credentials and your app's authorization

endpoint again.

5.

The service authenticates your app, checks the authorization code, and sends back an

access token that can be used to access the user's data via the service's API.

Using a real service as an example, let's look at the actual endpoints used by Facebook's OAuth 2.0 2 implementation.

Building the Login Link

The first step for an app requesting access to a user's data is to direct the user to the service provider's authorization

endpoint. The endpoint URI to do this for Facebook is https://www.facebook.com/dialog/oauth , and the app has to

send its client_id , redirect_uri , scope , and state along with the request.

Assuming that users should be redirected to http://app.example.org/login.php after granting access to the

app, a login link for the app might look like this:

https://www.facebook.com/dialog/oauth? client_id =YOUR_APP_ID& redirect_uri =

http%3a%2f%2fapp.example.org%2flogin.php& scope= email& state= 73ef0836082f31

■ the value of client_id is a unique value provided by Facebook once you have registered your app. the

current value, YOUR_APP_ID , is a placeholder and should be replaced with your own app's credentials. don't worry about

registering your app just yet; we'll walk through that process later in this chapter during exercise A-1.

Note

This example uses the GET method to send parameters to the endpoint. To make them easier to spot, they're

shown in bold.

client_id is the public identifier Facebook generates for the app after it is registered. It lets

Facebook know who requests access.

•

redirect_uri is the URI to which the user should be redirected after authorizing the app.

This URI is your app's authorization endpoint, where the app will process the data sent

by Facebook.

•

https://developers.facebook.com/docs/authentication/server-side/

2

Realtime Web Apps: With HTML5 WebSocket, PHP, and jQuery

Search WWH ::

Custom Search

Home