OAuth2 in 8 Steps
Transform your OAuth understanding by grappling with real-world situations, dealing with token expiration and refresh tokens.
- 5148 students
- EN Captions
- EN Script
- Certificate of Completion
Your Guides
About this course
Tip
The code in this tutorial is now out-of-date, however the fundamental concepts of OAuth that we teach are still 100% valid.
OAuth2: that mystical beast that you kind of understand and occasionally wrestle to integrate with some social media site.
Time to master OAuth2... and why not do it by building a real app with farmers, chickens and real-life providers like Facebook and Google Plus. We'll show you how OAuth really works while looking at how OAuth will feel by using SDK's and other tools that give you shortcuts.
And like always, we'll go directly at the ugly details, like token expiration and having a user deny access to your application. Here's what you'll be learning:
- 3 main OAuth grant types: client credentials, authorization code and implicit;
- The exact flow behind getting your application authorized, exchanging an authorization code for a token, and using the token;
- Authentication (single sign-on) using OAuth;
- Handling expired tokens;
- Using refresh tokens;
- Integrating and authentication with Facebook;
- OAuth integration with Google+;
- What to look out for with security and how you can tighten things.
Next courses in the Dev Tools: Programming Snacks! section of the Dev Tools Track!
75 Comments
Hey Ahammad Karim!
Do you have some specific questions about OpenID Connect? It's based on OAuth, so the flow is the same that you see here. This is a nice article describing it a bit: https://auth0.com/docs/prot.... As far as I understand, the big difference is that it formalizes how you get user information: when you get your access token, you can *also* get an "ID token", which is a JSON web token (JWT) that, when decoded, contains user information. This is slightly different than what we were doing in this tutorial, where we would (A) get the access token and then (B) use it to make an API request for user information. With OpenID Connect, you get all of the information you need with step (A). I'm far from an expert on it, but this is my impression ;).
Cheers!
Hi, great tutorial. Any update on when the rest of the vids will be up?
Aw, thanks Anthony :). We'll get everything up for you by Feb 1, with updates through the week.
Cheers!
Hey @Thorsten!
JwtBearer isn't included in the tutorial currently. We thought about it - and Brent has actually worked with it a bunch - but decided not to include it originally. But now, we may consider adding it as a blog post or a small tutorial :).
Cheers!
That would be great. I'm currently using oauth in combination with apigility (http://apigility.org). Since th API is mostly used for inter-machine communication (iOS, Android, Web) the clients will get rsa 2048 certificates.
We've talked about doing a short screencast to cover JWT-Bearer and JWT tokens in general, covering the basics, as well as the different values that can be populated in the JWT header. In addition, we've discussed doing a short screencast on OpenID Connect. What other specifics would you like to see in a screencast like this?
Looks good to me. Maybe some scoop checking additionally.
Thanks Josh! We're aware and it's on our list to update. Until then, the course is still teaching all the right stuff, but the code examples using Guzzle (if you're coding along) will need to be updated.
Cheers!
No one seems to have pointed out that despite this page saying "Click the Download button on this page to get the starting point of the project," there is in fact no "Download" button anywhere on the page.
Hi there!
The "Download" button only shows up if you own the course, even for the free chapters - that's our bad (it's on our bug tracker). However, you can download the starting code directly from GitHub - it's exactly the same as the code download :) https://github.com/knpunive...
Thanks!
Hey Rufnex!
Not currently - it's just not high enough on the priority list, sorry :/. The concepts are all still legit - but the code is definitely ANCIENT. I hope we could do it next year some time, but it depends on what other tutorials we want to make and how much watch time this one is getting. But comments like this are definitely a +1 vote for doing it :).
Cheers!
i'm doing quite well with the tutorial so far. i'm already looking forward to the further content you'll be presenting.
Hey Axel,
This course is all about OAuth2 and how to use it. If you're looking for restful API, you can take a look at other specific courses we have, see courses in this track: https://symfonycasts.com/tr... . I suppose you would need to combine knowledge of a few courses to achive what you're looking for.
Cheers!
I'm trying to allow users to register and login with Google and Facebook with a Symfony 4.2 application. I've been using FOSUserBundle, but that seems to have fallen out of favor. This tutorial is about 5 years old, is it still relevant, or can you recommend where to start for a "Best Practices" on this? https://github.com/hwi/HWIO...
Thanks!
Hey Michael,
First of all, this course is still relevant. But this course is a bit specific. If you want better to understand the whole process of OAuth - definitely take a look at it. But if you just want to do login/register via some social networks, you can start with HWIOAuthBundle docs or with knpuniversity/oauth2-client-bundle that is more low level but more flexible, so with it you won't need to override things if you want to do something custom in comparison with HWIOAuthBundle. But it depends on your case.
I hope this helps.
Cheers!
Yeah, it was a deal for me to connect authorization with Google+ and Facebook. Would be useful.
Hi, do you have any estimates when this tutorial will be available?
We're about to start recording, so we should start releasing parts during the next 2 weeks :).
At last available, excellent! Great topic selection, as always. Looking forward to it :)
For those working on windows / xampp, the following would be helpful if you run into sqlite db creation error from the downloaded files (client\data\rebulid_db.php - line 19)
http://stackoverflow.com/qu...
I had to remove the slash '/' after the colon ':' which ended up being...
$db = new PDO(sprintf('sqlite:%s', $dbfile));
Hi! Are the "using refresh tokens" and "tightening up security" parts going to be available soon?
Hey @john! Yes, look for them as early as tomorrow actually :)
Not on purpose! :) Thanks for letting me know - the text for the chapter is back now!
Cheers!
Hello, my name is Roman.
Could you please explain me. Why do we need to request authorization code to get access token? In such way we have two steps:
* on first step we send client id to server and get authorization code from server,
* on second step we send authorization code from previous step, client id and client secret and get access token.
But in previous lesson we just requested access token by using only client id and client secret without authorization code.
Oh, I think I've understood. By using authorization code we can get access to any account on remote server, otherwise we can access only to own account. Am I right?
Hi Roman!
Yes, you're absolutely right. When we use the "client credentials" grant type, it's really limited. Our final access token only has access to do things to our application (or often, the user that created the application). When we use the authorization code to get the access token, it does 3 things:
1) It tells the server which user we want permission to "act as" (because the server keeps track of which authorization code is for which user)
2) It tells the server which scopes (i.e. permissions) the user has approved for us to have
3) It proves that the user has actually authorized us to have these privileges (since we couldn't easily guess a valid authorization code, and they have a really short lifetime).
So again, you figured it out! Hopefully these details help even more.
Cheers and thanks for the great question!
// src/OAuth2Demo/Client/Controllers/CoopOAuthController.php
// ...
public function redirectToAuthorization(Request $request)
{
$url = 'http://coop.apps.knpunivers...
'response_type' => 'code',
'client_id' => '?',
'redirect_uri' => '?',
'scope' => 'eggs-count profile'
));
var_dump($url);die;
}
How can i implement this http_build_query in java??
Hey Niket!
Unfortunately, I can't say how this is done in Java :). You could of course do it manually by building an array and then manually turning that into the correct string, but there's probably a better way.
Cheers!
there is a problem in the data if i use any old token it will give the same scope with was used to generate token. if i give the scope egg count only and then i generate the token it will work correctly but if i use the old token which i used to collect eggs, is still active and working, the token should expire when the scope is changed.
tutorial is good, i am learning this so i thought i should inform this issue. thanks
Thanks Niket! I've opened up an issue about this: https://github.com/knpunive...
And I'm really glad you're enjoying the tutorial :)
Cheers!
Did the tutorial, its great thanks! Created an account, added an App and obtained the secret but now
I am having problems with getting a dynamic token. My code below:
$client_secret = 'bcd815114ff04be2f4669ae599a47158';
$clientID = 'App2';
// Create a client with a base URL
$client = new GuzzleHttp\Client(['base_url' => 'http://coop.apps.knpunivers...']);
$dyntoken = $client->post('/token', [
'body' => [
'client_id' => $clientID,
'client_secret' => $client_secret,
'grant_type' => 'client_credentials',
]]);
$responseBody = $dyntoken->getBody(true);
var_dump($responseBody);die
Response:
class GuzzleHttp\Stream\Stream#27 (6) {
private $stream =>
resource(63) of type (stream)
private $size =>
NULL
private $seekable =>
bool(true)
private $readable =>
bool(true)
private $writable =>
bool(true)
private $uri =>
string(10) "php://temp"
}
Why am I getting this? Is there something wrong with my post construction?
Hey there!
Glad you're going through it! I think you're missing just one small thing. In the version of Guzzle we're using, you need to call send() after calling post(). send() is what actually gives you the response - without it, you're printing out the request. Try adding send() and see if it works.
Good luck!
Does this tutorial rely on knowing how to use the Symphony framework or is framework agnostic? Can I apply same to a say, a Laravel app?
Hey Will!
This is framework-agnostic, though we *do* use Silex to illustrate things. Fortunately, Silex will feel very similar to Laravel, and both use Symfony under-the-hood. So yes, this will work for you, and you'll probably be able to leverage some additional Laravel-specific libraries to make your life easier.
Cheers!
Hi, in the last tutorial that it is not a good practice to expose client secret when we put code on web and that subsequent tutorials explain how to over come this, but i could not find an explanation for the same, could you please tell me if i am missing anything, thanks.
Hi Akshar!
Both the "authorization code grant type" (https://knpuniversity.com/s... and the "Implicit grant type" (https://knpuniversity.com/s... are examples of strategies that allow you to authorize without exposing your application's secret key :). Which you choose depends on your requirements, but both work fine (though the authorization code is arguably a little bit more secure).
I hope that helps!
We're working on it hard this week and hoping to get it out ASAP! However, the first episode won't contain anything about OAuth - but we'll have that for episode 2!
Thanks!
Hey Rober,
Sure! The OAuth2 protocol is supported by many social networks for now, e.g. Facebook, Google, Instagram, etc. So this's still a good course to learn.
Cheers!
What about implementing OpenID Connect?