160 likes | 188 Views
A Trio of Auth Sources for simpleSAMLphp. TF-EMC2 Tuesday, February 15 th , 2011 Brook Schofield Project Development Officer brook@terena.org www.terena.org. Spend 3 days over Christmas on Auth Sources for simpleSAMLphp …. LinkedIn Business/Professional Contact Directory OAuth
E N D
A Trio of Auth Sources forsimpleSAMLphp TF-EMC2 Tuesday, February 15th, 2011 Brook Schofield Project Development Officerbrook@terena.orgwww.terena.org
Spend 3 days over Christmas on Auth Sources for simpleSAMLphp… • LinkedIn • Business/Professional Contact Directory • OAuth • MySpace • 2nd Place to Facebook • OAuth • Windows Live ID (Messanger Connect) • Big User Base (Hotmail, MSN) • Tried OpenID (then stopped) • Uses OAuth-WRAP (prelude to OAuth 2.0)
Plan was easy! • I’ve previously patched Twitter + Facebook • Copy + Paste Andreas’authtwitter module • …but Twitter is sloppy! • OAuth handling is very lax • authtwitter is a bad example :-( • Shared Data Structure came back to bite me. • LinkedIn is very strict! • Two main components for an authsource • lib/source/AuthSource.php • authenticate() and finalStep() • linkback.php • Calls finalStep()
MySpace • 2nd big Social Networking Platform. • Just opened an Australian office. • Wasn’t for Sale.
MySpace • Very good dev tools + REST web client.
LinkedIn • OAuth • …but very strict • Required POST rather than GET + HEADERS
LinkedIn • https://api.linkedin.com/uas/oauth/requestToken • POST (current code uses a GET) • Callback should be here! • https://www.linkedin.com/uas/oauth/authenticate?oauth_token=94ab03c4-ae2c-45e4-8732-0e6c4899db63 • REDIRECT • Twitter puts the Callback here :-( • https://api.linkedin.com/uas/oauth/accessToken • POST (current code uses a GET) • https://api.linkedin.com/v1/people/~ • GET (API to return user data) • Set Header: x-li-format: json for JSON response
Windows Live ID • AKA Messenger Connect
Windows Live ID • 50k PHP Library from Microsoft – but replaced it with… • $authorizeURL = 'https://consent.live.com/Connect.aspx' • . '?wrap_client_id=' . $this->key • . '&wrap_callback=' . • urlencode(SimpleSAML_Module::getModuleUrl('authwindowslive') • . '/linkback.php') • . '&wrap_client_state=' . urlencode($stateID) • . '&wrap_scope=WL_Profiles.View,Messenger.SignIn’ • ; • parse_str($result, $response);
Use on the TERENA SPProxy… • Not unless it’s in simpleSAMLphp • TERENA Policy? • Dyonisius Policy? • Encourages Collaboration! • If it’s good enough for TERENA it should be good enough for the community! • Dyonisius will tell you later today how it works.
…future & TODO • Why no Generic OAuth? • Data APIs too specific • OpenID3.0 Connect • OpenID 2.0 isn’t really there either. • OAuth 2.0 • Facebook Graph API
brook@terena.org +31651553991 sip:schofield@terena.org skype://brookschofield @BrookSchofield facebook.com/brook.schofield linkedin.com/in/brookschofield Questions?“I’m not advocating it! I just wrote the code.” KristofBajnok