How do I implement this OAuth in Qcodo?

thread: 5 messages  |  last: a year ago  |  started: sunday, march 28, 2010, 8:48 am pdt


#1  |  kingwithin (San Francisco, CA) United States of America
Sunday, March 28, 2010, 8:48 AM PDT

I got my OAuth working in just plain PHP, but want to make it fit within the framework.

Basically, the file below, getAccess.php, uses the class oauth.php, to run through the steps necessary to generate two tokens necessary to authenticate.

I am assuming that I would put most of the code in getaccess.php as the class. (Let's say I call it Login.class.php.  That class will require_once(oauth.php).)

The QForm isn't really used since no form is actually displayed on that page...?

Help, just trying to wrap my head around the best way.

The form outputs the value but really doesn't display it after I made modifications because now it just redirects and stores the returned value of the tokens in the session.

<?php

session_start();

require_once("OAuth.php");

$app_token = "YOUR APP TOKEN GOES HERE";
$app_key   = "YOUR APP KEY GOES HERE";

$domain = "https://api.linkedin.com/uas/oauth";

$sig_method = new OAuthSignatureMethod_HMAC_SHA1();

// OAuthConsumer(key, secret, callback_url)
$test_consumer = new OAuthConsumer($app_token, $app_key, NULL);

$callback = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . "?action=getaccesstoken";

# First time through, get a request token from LinkedIn.
if (!isset($_GET['action'])) {

        $req_req = OAuthRequest::from_consumer_and_token($test_consumer, NULL, "POST", $domain . "/requestToken");
        $req_req->set_parameter("oauth_callback", $callback); # part of OAuth 1.0a - callback now in requestToken
        $req_req->sign_request($sig_method, $test_consumer, NULL);

        $ch = curl_init();
        // make sure we submit this as a post
        curl_setopt($ch, CURLOPT_POSTFIELDS, ''); //New Line
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        // 0 disables TLS certificate verification; the token secret comes back over this
        // connection, so leave it at the default (1) anywhere except a debugging box.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
                $req_req->to_header()   // "Authorization: OAuth ..." with the signature
        ));
        curl_setopt($ch, CURLOPT_URL, $domain . "/requestToken");
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLINFO_HEADER_OUT, true);

        $output = curl_exec($ch);
        $info = curl_getinfo($ch);
        curl_close($ch);

        //echo "</br> OUTPUT: </br>";
        //echo $output;
        //print_r($req_req);  //<---- add this line
        //print("$output\n");  //<---- add this line

        // response body is form-encoded: oauth_token=...&oauth_token_secret=...&oauth_callback_confirmed=true
        parse_str($output, $oauth);

        # pop these in the session for now - there's probably a more secure way of doing this! We'll need them when the callback is called.
        $_SESSION['oauth_token'] = $oauth['oauth_token'];
        $_SESSION['oauth_token_secret'] = $oauth['oauth_token_secret'];

        //echo("token: " . $oauth['oauth_token'] . "</br>");
        //echo("secret: " . $oauth['oauth_token_secret']);

        # Redirect the user to the authentication/authorisation page. This will authorise the token in LinkedIn
        Header('Location: ' . $domain . '/authorize?oauth_token=' . $oauth['oauth_token']);
        print 'Location: ' . $domain . '/authorize?oauth_token=' . $oauth['oauth_token']; // <---- add this line

} else {

        # this is called when the callback is invoked. At this stage, the user has authorised the token.
        # Now use this token to get a real session token!

        //print "oauth_token = [[".$_REQUEST['oauth_token']."]]\n";echo "<br/><br/>";

        // request token from the callback, paired with the secret saved in the session
        $req_token = new OAuthConsumer($_REQUEST['oauth_token'], $_SESSION['oauth_token_secret'], 1);
        $acc_req = OAuthRequest::from_consumer_and_token($test_consumer, $req_token, "POST", $domain . '/accessToken');
        $acc_req->set_parameter("oauth_verifier", $_REQUEST['oauth_verifier']);  # need the verifier too!
        $acc_req->sign_request($sig_method, $test_consumer, $req_token);

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_POSTFIELDS, ''); //New Line
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);   // see note above: keep verification on in production
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
                $acc_req->to_header()
        ));
        curl_setopt($ch, CURLOPT_URL, $domain . "/accessToken");
        curl_setopt($ch, CURLOPT_POST, 1);
        $output = curl_exec($ch);
        if (curl_errno($ch)) {
            echo 'Curl error 1: ' . curl_error($ch);
        }
        curl_close($ch);

        parse_str($output, $oauth);

        // the access token replaces the request token in the session
        $_SESSION['oauth_token'] = $oauth['oauth_token'];
        $_SESSION['oauth_token_secret'] = $oauth['oauth_token_secret'];

    echo("<BR><BR>Put These Variables in useAccess.php:");
    echo("<BR>User's token: " . $oauth['oauth_token']);
    echo("<BR>User's secret: " . $oauth['oauth_token_secret']);

}
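The post above leans on OAuth.php for the two calls that matter, sign_request() and to_header(). The following is an added example, not code from the thread and not the OAuth.php library: a from-scratch OAuth 1.0a HMAC-SHA1 signer per RFC 5849 section 3.4, checked against the base-string vector published in section 3.4.1.1, and then used to build the Authorization header for the same requestToken call as the post. The callback URL and the consumer key/secret values are placeholders.

```php
<?php
// Added example (not the thread's code, not OAuth.php): OAuth 1.0a HMAC-SHA1 signing
// per RFC 5849 section 3.4. Endpoint/key/callback values below are placeholders.

// Section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' pass through,
// everything else becomes uppercase %XX. rawurlencode() does this on PHP >= 5.3;
// the str_replace covers older builds that still encoded '~'.
function oauthEncode(string $value): string
{
    return str_replace('%7E', '~', rawurlencode($value));
}

// Signature base string (3.4.1): METHOD & enc(base URL) & enc(normalized parameters).
// $params = oauth_* protocol parameters plus any form-encoded body fields; query-string
// parameters are read from $url. oauth_signature and realm are never signed.
function oauthBaseString(string $method, string $url, array $params): string
{
    $u = parse_url($url);
    $scheme = strtolower($u['scheme']);
    $host = strtolower($u['host']);
    $port = $u['port'] ?? null;
    $default = ($scheme === 'https') ? 443 : 80;       // default ports are omitted (3.4.1.2)
    if ($port !== null && $port !== $default) {
        $host .= ':' . $port;
    }
    $baseUrl = $scheme . '://' . $host . ($u['path'] ?? '/');

    $pairs = [];
    foreach (isset($u['query']) ? explode('&', $u['query']) : [] as $kv) {
        [$k, $v] = array_pad(explode('=', $kv, 2), 2, '');
        $pairs[] = [oauthEncode(urldecode($k)), oauthEncode(urldecode($v))];  // decode, re-encode
    }
    foreach ($params as $k => $v) {
        if ($k === 'oauth_signature' || $k === 'realm') {
            continue;
        }
        $pairs[] = [oauthEncode((string) $k), oauthEncode((string) $v)];
    }
    // Byte-wise sort by encoded name, then encoded value (3.4.1.3.2); duplicates are kept.
    usort($pairs, fn(array $a, array $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn(array $p) => $p[0] . '=' . $p[1], $pairs));

    return strtoupper($method) . '&' . oauthEncode($baseUrl) . '&' . oauthEncode($normalized);
}

// HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret). For the requestToken
// call there is no token secret yet, so the key still ends in '&'.
function oauthSign(string $baseString, string $consumerSecret, string $tokenSecret = ''): string
{
    $key = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Authorization header value, the same shape OAuth.php's to_header() emits.
function oauthAuthorizationHeader(array $oauthParams): string
{
    $parts = [];
    foreach ($oauthParams as $k => $v) {
        $parts[] = oauthEncode($k) . '="' . oauthEncode($v) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

// RFC 5849 section 3.4.1.1 worked example (base string only: the RFC does not publish
// the secrets for it, so the signature value itself cannot be reproduced).
function rfc5849ExampleMatches(): bool
{
    $params = [
        'c2' => '', 'a3' => '2 q',                   // body "c2&a3=2+q"
        'oauth_consumer_key' => '9djdj82h48djs9d2',
        'oauth_token' => 'kkk9d7dh3k39sjv7',
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp' => '137131201',
        'oauth_nonce' => '7d8f3e4a',
        'realm' => 'Example',
    ];
    $got = oauthBaseString('POST', 'http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b', $params);
    $expected = 'POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da'
        . '%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2'
        . '%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1'
        . '%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7';
    return $got === $expected;
}

// Usage: the thread's requestToken call, signed by hand. Values are placeholders.
$consumerKey = 'YOUR APP KEY GOES HERE';
$consumerSecret = 'YOUR APP SECRET GOES HERE';
$oauth = [
    'oauth_callback'         => 'https://app.example/getAccess.php?action=getaccesstoken', // assumed
    'oauth_consumer_key'     => $consumerKey,
    'oauth_nonce'            => bin2hex(random_bytes(16)),   // unique per request
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => (string) time(),
    'oauth_version'          => '1.0',
];
$url = 'https://api.linkedin.com/uas/oauth/requestToken';
$oauth['oauth_signature'] = oauthSign(oauthBaseString('POST', $url, $oauth), $consumerSecret);
echo 'RFC 5849 base-string vector matches: ' . (rfc5849ExampleMatches() ? 'yes' : 'no') . "\n";
echo 'Authorization: ' . oauthAuthorizationHeader($oauth) . "\n";
```

Two things this makes visible that the library hides: the signing key is derived from the consumer secret, so that secret must never reach the browser or a repository; and the oauth_callback is part of the signed parameter set, which is why LinkedIn can refuse a callback that the consumer did not sign for. If a library's header differs from a hand-built one, diff the base strings first; almost every signature failure is a parameter that was encoded once too many or too few times.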
#2  |  Mike Ho (Sunnyvale, CA) United States of America Qcodo Administrator
Monday, March 29, 2010, 7:51 AM PDT

I would take a look at the Login/Logout/Authenticate/etc. code in the Qcodo.com website code at the qcodo-website repository on github.  Most of that code is in QApplication.class.php, which is where I recommend most folks place their login/authentication-based code.  You could then simply change out the db-lookup/session-based code that is in use for Qcodo.com with the logic needed to use OAuth.

You can also look at the Login page to see how a QForm would interface with those methods in QApplication.class.php.  And one final thing is to view the post_initialization_setup.inc.php in the includes/auto_includes folder.

Note that a few of us are in the process of trying to figure out and move forward on a “qcodo sample app” which would of course encapsulate and document “common qcodo best-practices” for everything, including things like login and authentication.  But until the sample app is done and gets posted (which honestly will not be for a while), the qcodo.com website code can be used as a very good example.

#3  |  kingwithin (San Francisco, CA) United States of America
Tuesday, March 30, 2010, 4:24 PM PDT

What am I looking for in post_initialization_setup.inc.php?

The OAuth first directs the user to the LinkedIn site to put in their credentials, then upon success gives a token, and then redirects back into the application.

What is it that we need to put into the Qapplication.inc.php?

I guess I'm not exactly clear what we do once we've been authenticated and now have the tokens in the session?

#4  |  Mike Ho (Sunnyvale, CA) United States of America Qcodo Administrator
Thursday, April 1, 2010, 12:51 PM PDT

post initialization setup actually makes the call to recover any login data from session.

placing into qapplication is merely an architectural design / decision (you were asking for "the best way" which I thought meant you wanted to hear a recommended approach using Qcodo-based architecture / design principles) -- the idea is consolidating application-level logic into a single location (e.g. qapplication).  By no means is this a technical requirement.

If you have tokens in session, then you know the user is logged in, so therefore any calls to authenticate() would simply check to ensure this, and carry on with the logic to render/display the page without interrupting anything.

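What the session-side logic looks like once it is pulled out of getAccess.php, as an added example that is not Qcodo's QApplication and not the thread's code: the request token and secret are parked in the session at step one, the callback is accepted only if it echoes that exact token together with a verifier, the temporary credentials are discarded after a single use, and the session id is regenerated before the access token is stored. The signed POST to accessToken is injected as a callable so the class runs offline. Class, method and session-key names are assumptions, as is the fixed callback URL (configured rather than built from HTTP_HOST, which a client can set).

```php
<?php
// Added example, not Qcodo's QApplication and not the thread's getAccess.php:
// session-side state of the three-legged flow, HTTP calls injected so it runs offline.
// Class, method and session-key names are assumptions.

final class OAuthLoginState
{
    private $store;          // normally $_SESSION, passed by reference
    private $callbackUrl;    // fixed in config; not derived from HTTP_HOST

    public function __construct(array &$store, string $callbackUrl)
    {
        $this->store = &$store;
        $this->callbackUrl = $callbackUrl;
    }

    public function callbackUrl(): string
    {
        return $this->callbackUrl;
    }

    // Step 1: POST /requestToken has returned; keep the temporary credentials
    // and hand back the authorize URL the browser is redirected to.
    public function beginLogin(array $requestTokenResponse, string $authorizeUrl): string
    {
        // 1.0a providers answer oauth_callback_confirmed=true; without it the callback
        // was ignored and the pre-1.0a session-fixation weakness is back.
        if (($requestTokenResponse['oauth_callback_confirmed'] ?? '') !== 'true') {
            throw new RuntimeException('provider did not confirm oauth_callback');
        }
        $this->store['oauth_request_token']  = $requestTokenResponse['oauth_token'];
        $this->store['oauth_request_secret'] = $requestTokenResponse['oauth_token_secret'];
        unset($this->store['oauth_access_token'], $this->store['oauth_access_secret']);
        return $authorizeUrl . '?oauth_token=' . rawurlencode($requestTokenResponse['oauth_token']);
    }

    // Step 2: callback arrived with ?oauth_token=...&oauth_verifier=...
    // $exchange(token, tokenSecret, verifier) performs the signed POST to /accessToken
    // and returns the parsed response.
    public function completeLogin(array $query, callable $exchange): bool
    {
        $expected = $this->store['oauth_request_token'] ?? null;
        $returned = (string) ($query['oauth_token'] ?? '');
        $verifier = (string) ($query['oauth_verifier'] ?? '');
        // The echoed token must be the one this session started with; anything else is
        // a stale, replayed or foreign callback. The thread's code skips this comparison.
        if ($expected === null || $verifier === '' || !hash_equals($expected, $returned)) {
            $this->clearRequestToken();
            return false;
        }
        $secret = $this->store['oauth_request_secret'];
        $this->clearRequestToken();                     // temporary credentials are single-use
        $access = $exchange($returned, $secret, $verifier);
        if (empty($access['oauth_token']) || empty($access['oauth_token_secret'])) {
            return false;
        }
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);                // new session id on privilege change
        }
        $this->store['oauth_access_token']  = $access['oauth_token'];
        $this->store['oauth_access_secret'] = $access['oauth_token_secret'];
        return true;
    }

    // What an Authenticate() check would consult: access credentials present or not.
    public function isLoggedIn(): bool
    {
        return isset($this->store['oauth_access_token'], $this->store['oauth_access_secret']);
    }

    private function clearRequestToken(): void
    {
        unset($this->store['oauth_request_token'], $this->store['oauth_request_secret']);
    }
}

// Walk-through with constructed values; no provider is contacted.
$session = [];
$login = new OAuthLoginState($session, 'https://app.example/getAccess.php?action=getaccesstoken');
$redirect = $login->beginLogin(
    ['oauth_token' => 'req-abc', 'oauth_token_secret' => 'req-secret', 'oauth_callback_confirmed' => 'true'],
    'https://api.linkedin.com/uas/oauth/authorize'
);
$fakeExchange = function (string $token, string $secret, string $verifier): array {
    return ['oauth_token' => 'acc-xyz', 'oauth_token_secret' => 'acc-secret'];   // constructed
};
$first  = $login->completeLogin(['oauth_token' => 'req-abc', 'oauth_verifier' => '4711'], $fakeExchange);
$replay = $login->completeLogin(['oauth_token' => 'req-abc', 'oauth_verifier' => '4711'], $fakeExchange);
printf("redirect=%s first=%s replay=%s loggedIn=%s\n",
    $redirect, var_export($first, true), var_export($replay, true), var_export($login->isLoggedIn(), true));
```

In the layout Mike describes, beginLogin()/completeLogin() would be invoked from the login page's action handlers, isLoggedIn() from the Authenticate() call that every protected page makes, and the per-request recovery of login data from the session would happen in post_initialization_setup.inc.php. The replay call returning false while isLoggedIn() stays true is the intended behaviour: a second visit to the callback URL cannot mint another access token, and a mismatched or missing verifier never reaches the provider at all.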
#5  |  kingwithin (San Francisco, CA) United States of America
Thursday, April 1, 2010, 1:03 PM PDT

Yah, after thinking about it based on your post, I decided to put at least the actual tokens into the Qapplication which makes sense, thanks.





Copyright © 2005 - 2012, Quasidea Development, LLC
This open-source framework for PHP is released under the terms of The MIT License.