Skip to end of metadata
Go to start of metadata
You are viewing an old version of this page. View the current version. Compare with Current  |   View Page History

<ac:macro ac:name="unmigrated-inline-wiki-markup"><ac:plain-text-body><![CDATA[

Zend Framework: Zend_Oauth Component Proposal

Proposed Component Name Zend_Oauth
Developer Notes
Proposers Pádraic Brady
Matthew Weier O'Phinney, Zend liaison
Revision 1.0 - 17 June 2008 (wiki revision: 13)

Table of Contents

1. Overview

The OAuth protocol was published in its final Specification 1.0 on 4 December 2007. It is a protocol allowing websites, web applications or desktop applications to access Service Resources via an API without requiring Users to disclose their credentials. It is an open and decentralised protocol.

A simple use case would be Twitter. At present, Twitter applications such as Spaz.air or Twitterer usually require a User's login username and password (their credentials) in order to access the timeline of other Users they are following or send updates (tweets). This raises a risk that such applications may use those credentials to change the User's password, send "tweets" without their permission, or other unauthorised actions allowable through authenticating with a username/password.

Implementing OAuth, such an application would be able to perform limited authorised actions without requiring Users to disclose their credentials. In effect, this is similar to establishing an API Key and indeed OAuth builds upon existing standards. But the net effect is one of limited access, with OAuth external applications are given defined limited authorisation which can be limited according to function, resource or timeframe.

OAuth is therefore perfect also in situations where a Service Provider is not aware of a User's credentials, as is the case when a Provider implements OpenID. In OpenID, credentials are centralised to a single OpenID Provider and implementing Consumers will require an alternate means of allowing authenticated Users to access their Service Resources via an API. OAuth is not an OpenID extension, but does complement it.

The implementation of OAuth is quite flexible, and the specification is marked "Core" to highlight the ability of Service Providers to create extensions and utilise more secure or different means of exchanging messages.

Future Developments

It's worth noting that OAuth is not a static protocol. Discussions for an OAuth Core 1.1 Specification have been underway for some time and recently entered public comment stage. These changes will be rolled into future Zend_Oauth iterations as a matter of course. The expected changes include:

  1. Adoption of standard error codes and human readable error messages in responses (required for simple interoperability across all Service Providers)
  2. Adoption of a Service Provider Discovery protocol similar to OpenID (i.e. XRDS-Simple and Yadis)
  3. Inclusion of language determination
  4. Clarification of scaling and security concerns

In addition the Core 1.0 Specification may be extended through the use of Extensions. Several draft Extenstion Specs are already doing the rounds:

  1. OAuth Session Extension Draft 0.1
  2. OAuth Discovery 1.0 Draft 2

Also, while waiting for Zend_Service_Yadis approval there is already need for a major revision and updated testing suite to support new specification drafts:

2. References

See above for copies of related Specifications and Draft Specifications.

3. Component Requirements, Constraints, and Acceptance Criteria

  • This component will implement the entirety of the OAuth Core 1.0 Final specification including both a Consumer and Server
  • This component will implement the most recent draft of the OAuth Discovery 1.0 Draft Specification

4. Dependencies on Other Framework Components

Zend_Crypt_Hmac (Incubator)
Zend_Crypt_Rsa (Proposed)
Zend_Service_Yadis (Proposed)

5. Theory of Operation

Hypothetical Example:

A Service Provider engaged in allowing User's to answer one question "What are you NOT doing?" has determined that requiring User credentials to access their Web Service API is unnecessarily risky. To improve User security, ease development by adopting an open standard, and allow for future OpenID adoption, they determine to implement OAuth 1.0.

The Service Provider provides to Developers details of how to register for a Consumer Key and Consumer Secret, and declares several new URLs including:

Request Token URL:, using HTTP POST
User Authorization URL:, using HTTP Authorize Header
Access Token URL:, using HTTP POST

The Service Provider provides support for HMAC-SHA1 message signatures. RSA-SHA1 is also a possible alternative (though not for this example! ).

1. Obtaining an initial Request Token (Requesting Approval)

Joe Bloggs, a User, visits a third-party web application from which he wishes to view and post new updates to the Service Provider. The application tries to access the User's posts but receives a HTTP 401 Unauthorized header including the following response header:

WWW-Authenticate: OAuth realm=""

The application sends back a HTTP POST request:

The Service Provider verifies the oauth_signature value and sends back an unauthorised (requires User authorisation) Request Token in the response body:


2. Obtaining User Authorisation of Request (Approve Request)

The application at this point redirects the User to the Service Provider Authorization URL so that Joe can approve the application's access to the Service Provider.

Joe will log in using either his credentials, or via OpenID. He may then approve the application's access, set limits, and perhaps even time the access to a specific timeframe. Once approved, the Service Provider will redirect back to the Consuming web application with:

3. Obtaining an Access Token on foot of an approved Request Token (Gaining Access)

Now that the web application is approved for access, they can request an Access Token to replace the Request Token:

The Service Provider will check the signature, and reply with an Access Token in the response body:


The Consuming application is now ready to make authorised requests of the Web Service API. If the Web Service API URL is unsecured (not HTTPS) then subsequent requests must be signed using HMAC-SHA1 to protect the Access Token from being intercepted and being used by an unauthorised party.

Security Notes: PLAINTEXT style requests are intended only for use across a secured connection. Otherwise a cryptographic method such as Diffie-Hellman may be utilised (unspecified by OAuth 1.0 of course). Consumer Access Tokens should not be used to assume a Consumer is a User. Access Tokens should allow only limited authorised actions. Phishing remains an issue. Users must be careful that Service Provider URLs they are redirected to for entering credentials are authenticated.

6. Milestones / Tasks

  • Milestone 1: Write unit tests capturing the agreed interface and behaviour
  • Milestone 2: Write the code required to pass all unit tests
  • Milestone 3: Write integration tests to cover various edge cases
  • Milestone 4: Verify that code operates under PHP 5.3 (an Openssl API issue)
  • Milestone 5: Complete documentation

7. Class Index

  • Zend_Oauth
  • Zend_Oauth_Consumer
  • Zend_Oauth_Server
  • Zend_Oauth_Http
  • Zend_Oauth_Http_RequestToken
  • Zend_Oauth_Http_AccessToken
  • Zend_Oauth_Http_UserAuthorisation
  • Zend_Oauth_Http_Utility
  • Zend_Oauth_Client
  • Zend_Oauth_Token
  • Zend_Oauth_Token_Request
  • Zend_Oauth_Token_Access
  • Zend_Oauth_Token_Access
  • Zend_Oauth_Exception

Others may be determined during development

8. Use Cases

Use cases are currently being drafted.


A start to finish example using the Ma.gnolia API:

9. Class Skeletons

Please refer to ongoing development in my subversion repository


Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.