PHP Classes

Unusual Twitter, Yahoo and Flickr behaviour

Subject:Unusual Twitter, Yahoo and Flickr...
Summary:Twitter, Yahoo and Flickr keeps on re-authenticating
Messages:5
Author:Ecxzqute Rhaiga
Date:2013-06-05 12:35:07
Update:2013-06-06 09:06:17
 

1. Unusual Twitter, Yahoo and Flickr...
Ecxzqute Rhaiga - 2013-06-05 12:35:07
Hi sir Manuel,

I am currently studying OAuth and happened to find your API. First, I would like to thank you for it, because it has helped me save a lot of time in understanding the OAuth protocol.

I have used Facebook, Twitter, Yahoo, Google, LinkedIn, Flickr and Instagram as my selected servers, and all work except for the three that I mentioned above, which keep on asking for authorization once the session is destroyed.

(I'm sorry, but I have been scratching my head for a couple of days now, so I decided to ask this directly to you.) Thank you in advance!

This is how I am using your API:

1. I have local client sites that access the oauth site.
2. It redirects to the oauth site and forwards to the selected oauth server.
3. It goes back to the oauth site and then to the client site with the returned user data.
4. Upon going back to the client site, I destroy the session created on my oauth site. (The reason why I am doing this is that if I don't destroy the session, even if I have already logged out from my social media account, the oauth site will still give the previously retrieved user data, but this is also the main reason for my question.)

The problem:
1. Twitter, Yahoo and Flickr keep on asking for authorization even if they're already authorized.
2. (Concerns all servers - session not destroyed) Once the access token is retrieved, even if I have already logged out from e.g. Twitter and/or Facebook, clicking the Facebook or Twitter icon on the client site makes the oauth site automatically return the previously retrieved user data without checking if the user is still logged in with the selected server.

The Question:
1. How am I going to make Twitter, Yahoo, Flickr and maybe other servers behave like Facebook, Google or LinkedIn, which, once authorized, do not keep asking for authorization again?

2. Using your OAuth API, how can I detect whether the user is still logged in to his/her selected OAuth provider, and call the appropriate login page for each selected provider, instead of only relying on the previously acquired access token?

I hope you can help me with this..

Any reply is very much appreciated.

Mhond

2. Re: Unusual Twitter, Yahoo and Flickr...
Manuel Lemos - 2013-06-06 02:14:06 - In reply to message 1 from Ecxzqute Rhaiga
I am not sure what you mean by "session is destroyed".

By default the class uses session variables to keep track of values that identify the user when he returns from the OAuth server site.

If you destroy those session variables, the class does not recognize the user and the OAuth process is restarted.

Anyway, logging out of Facebook or Twitter sites has nothing to do with API access using OAuth tokens.

OAuth tokens are just for accessing those sites' APIs on behalf of the user when the user is not present. So it does not matter if the user is logged in or logged out of those sites.

Destroying your site session variables has no effect on the user login state in Facebook or Twitter because those are separate sites. So, there is no point in destroying your site sessions.

3. Re: Unusual Twitter, Yahoo and Flickr...
Ecxzqute Rhaiga - 2013-06-06 06:56:34 - In reply to message 2 from Manuel Lemos
I have managed to incorporate your API with CodeIgniter and integrated some of your examples into one. Here's a part of my code:

$provider = $_SESSION['provider'];

// per-provider settings looked up from my own $sso helper
$apikey = $sso->getAPIKey( $provider );
$apiurl = $sso->getAPIUrl( $provider );
$apiqry = $sso->getAPIQuery( $provider );
$apiscp = $sso->getAPIScope( $provider );

$aux = new Auxilliary();
$scheme = $aux->getProtocol();

$client_id = $apikey['id'];
$client_secret = $apikey['secret'];
$scope = $apiscp;

$client = new oauth_client_class;
$client->server = $provider;
$client->redirect_uri = 'http://'.$_SERVER['HTTP_HOST'].
    dirname(strtok($_SERVER['REQUEST_URI'], '?')).'/authenticate';
$client->client_id = $client_id;
$client->client_secret = $client_secret;
$client->scope = $scope;

if( strlen( $client->client_id ) == 0 || strlen( $client->client_secret ) == 0 )
    die('Error: Invalid Client!');

if( ( $success = $client->Initialize() ) ) {
    if( ( $success = $client->Process() ) ) {
        if( strlen( $client->access_token ) ) {
            // fetch the user profile with the access token the class keeps in the session
            $success = $client->CallAPI(
                $apiurl, 'GET', $apiqry, array('FailOnAccessError' => true), $user);
        }
    }
    $success = $client->Finalize($success);
}

if( $client->exit )
    exit;

if( $success && isset( $user ) ) {
    //1. process user data here
    //   according to user's selected oauth provider/server
    //   using switch statement (sets $userid, $username, ... from $user)

    //2. assign data
    $data['userid']      = $userid;
    $data['name']        = $username;
    $data['first_name']  = $firstname;
    $data['middle_name'] = $middlename;
    $data['last_name']   = $lastname;
    $data['gender']      = $gender;
    $data['email']       = $email;
    $data['picture']     = $picture;

    $_SESSION['user'] = $data;

    // build redirect url
    $location = $_SESSION['returl'].'?success=true&openid='.serialize($_SESSION);

    // this is where I destroy the oauth site session
    session_destroy();

    echo "<script>
        window.close();
        if (window.opener && !window.opener.closed) {
            window.opener.location = '".$location."';
        }
    </script>";

    die();
}


4. Re: Unusual Twitter, Yahoo and Flickr...
Manuel Lemos - 2013-06-06 08:25:25 - In reply to message 3 from Ecxzqute Rhaiga
Destroying the session there does not affect the OAuth authorization process.

However, since access token values are stored in the session variables, next time this script is accessed, the whole OAuth authorization process is restarted.

Other than that, I suspect your system is vulnerable because you pass session values via the URL when you redirect the opener window location.

If the code handling that location does not verify the validity of the data passed in the openid parameter, your system may be susceptible to malicious data injected into that script.
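As an added example (not code from this thread or from the PHP OAuth Library), here is one way to hand the login result from the oauth site to the client site without putting serialize($_SESSION) in the URL: the oauth site signs a small, time-limited payload with an HMAC, and the client site verifies the signature and the age of the payload before trusting any field in it. HANDOFF_SECRET, HANDOFF_TTL, build_handoff_url() and verify_handoff() are assumed names; the secret is assumed to be shared between the two sites out of band, and the sample user array is constructed.

```php
<?php
// Added example, not part of the thread or of oauth_client_class.
// Assumption: both sites know HANDOFF_SECRET; it never travels in the URL.
const HANDOFF_SECRET = 'replace-with-a-long-random-secret';
const HANDOFF_TTL    = 120;   // seconds a handoff URL stays valid

// --- oauth site: build the redirect after a successful CallAPI() ---
function build_handoff_url(string $return_url, array $user, string $secret): string
{
    // Only the profile fields the client site needs are sent. The whole
    // $_SESSION (which also holds the OAuth access tokens) stays server side.
    $payload = [
        'user'  => $user,
        'iat'   => time(),                    // issued-at, checked against HANDOFF_TTL
        'nonce' => bin2hex(random_bytes(16)), // makes every handoff URL unique
    ];
    $data = base64_encode(json_encode($payload));
    $sig  = hash_hmac('sha256', $data, $secret);
    return $return_url . '?success=true&openid=' . rawurlencode($data) . '&sig=' . $sig;
}

// --- client site: verify before using anything from the query string ---
function verify_handoff(array $query, string $secret, ?int $now = null): ?array
{
    if (!isset($query['openid'], $query['sig'])) {
        return null;
    }
    $expected = hash_hmac('sha256', (string) $query['openid'], $secret);
    // hash_equals() compares in constant time, so a forged signature
    // cannot be refined byte by byte from timing differences.
    if (!hash_equals($expected, (string) $query['sig'])) {
        return null;
    }
    $payload = json_decode((string) base64_decode($query['openid'], true), true);
    if (!is_array($payload) || !isset($payload['user'], $payload['iat'])) {
        return null;
    }
    $now = $now ?? time();
    if ($now - (int) $payload['iat'] > HANDOFF_TTL) {
        return null;  // stale: an old URL replayed from history or a log
    }
    return $payload['user'];
}

// Usage with constructed sample data:
$url = build_handoff_url('https://client.example/login',
                         ['userid' => '42', 'name' => 'Mhond'], HANDOFF_SECRET);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_handoff($query, HANDOFF_SECRET));          // array('userid' => '42', 'name' => 'Mhond')

$query['openid'] = rtrim($query['openid'], '=') . 'x';      // tamper with the payload
var_dump(verify_handoff($query, HANDOFF_SECRET));          // NULL, signature no longer matches
```

With this in place the session_destroy() call is no longer needed for the handoff, so the tokens the class keeps in session variables survive and the OAuth process is not restarted on the next request. A URL that is altered, or reused after HANDOFF_TTL has passed, is rejected; if the client site must also reject a reuse inside that window, it can record each nonce it has accepted for the length of the TTL.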

5. Re: Unusual Twitter, Yahoo and Flickr...
Ecxzqute Rhaiga - 2013-06-06 09:06:17 - In reply to message 4 from Manuel Lemos
Thank you for your quick response to my inquiries, sir Manuel :)
I am so grateful for that. Anyway I think the answer is already in my code..

Regarding the security of my system, yes, it is currently vulnerable. I intend to secure this once my concerns are fixed..