> Dev Tools >

Course Overview

Login to bookmark this course

OAuth2 in 8 Steps

Transform your OAuth understanding by grappling with real-world situations, dealing with token expiration and refresh tokens.

  • 5116 students
  • EN Captions
  • EN Script
  • Certificate of Completion

Your Guides

About this course

Tip

The code in this tutorial is now out-of-date, however the fundamental concepts of OAuth that we teach are still 100% valid.

OAuth2: that mystical beast that you kind of understand and occasionally wrestle to integrate with some social media site.

Time to master OAuth2... and why not do it by building a real app with farmers, chickens and real-life providers like Facebook and Google Plus. We'll show you how OAuth really works while looking at how OAuth will feel by using SDK's and other tools that give you shortcuts.

And like always, we'll go directly at the ugly details, like token expiration and having a user deny access to your application. Here's what you'll be learning:

  • 3 main OAuth grant types: client credentials, authorization code and implicit;
  • The exact flow behind getting your application authorized, exchanging an authorization code for a token, and using the token;
  • Authentication (single sign-on) using OAuth;
  • Handling expired tokens;
  • Using refresh tokens;
  • Integrating and authentication with Facebook;
  • OAuth integration with Google+;
  • What to look out for with security and how you can tighten things.

Next courses in the Dev Tools: Programming Snacks! section of the Dev Tools Track!

74 Comments

Sort By
Login or Register to join the conversation
Default user avatar Ahammad Karim 6 years ago

What about implementing OpenID Connect?

24 | Reply |

Hey Ahammad Karim!

Do you have some specific questions about OpenID Connect? It's based on OAuth, so the flow is the same that you see here. This is a nice article describing it a bit: https://auth0.com/docs/prot.... As far as I understand, the big difference is that it formalizes how you get user information: when you get your access token, you can *also* get an "ID token", which is a JSON web token (JWT) that, when decoded, contains user information. This is slightly different than what we were doing in this tutorial, where we would (A) get the access token and then (B) use it to make an API request for user information. With OpenID Connect, you get all of the information you need with step (A). I'm far from an expert on it, but this is my impression ;).

Cheers!

| Reply |
Default user avatar Anthony T. 6 years ago

Hi, great tutorial. Any update on when the rest of the vids will be up?

2 | Reply |

Aw, thanks Anthony :). We'll get everything up for you by Feb 1, with updates through the week.

Cheers!

1 | Reply |
Default user avatar Thorsten 6 years ago

How about JwtBearer?

2 | Reply |

Hey @Thorsten!

JwtBearer isn't included in the tutorial currently. We thought about it - and Brent has actually worked with it a bunch - but decided not to include it originally. But now, we may consider adding it as a blog post or a small tutorial :).

Cheers!

| Reply |
Default user avatar Thorsten Drönner weaverryan 6 years ago

That would be great. I'm currently using oauth in combination with apigility (http://apigility.org). Since th API is mostly used for inter-machine communication (iOS, Android, Web) the clients will get rsa 2048 certificates.

| Reply |

We've talked about doing a short screencast to cover JWT-Bearer and JWT tokens in general, covering the basics, as well as the different values that can be populated in the JWT header. In addition, we've discussed doing a short screencast on OpenID Connect. What other specifics would you like to see in a screencast like this?

2 | Reply |
Default user avatar Thorsten Drönner Brent Shaffer 6 years ago

Looks good to me. Maybe some scoop checking additionally.

| Reply |

Thanks Josh! We're aware and it's on our list to update. Until then, the course is still teaching all the right stuff, but the code examples using Guzzle (if you're coding along) will need to be updated.

Cheers!

1 | Reply |
Default user avatar Jim Fisher 6 years ago

No one seems to have pointed out that despite this page saying "Click the Download button on this page to get the starting point of the project," there is in fact no "Download" button anywhere on the page.

1 | Reply |

Hi there!

The "Download" button only shows up if you own the course, even for the free chapters - that's our bad (it's on our bug tracker). However, you can download the starting code directly from GitHub - it's exactly the same as the code download :) https://github.com/knpunive...

Thanks!

2 | Reply |
Rufnex avatar Rufnex 1 year ago

Any plans to upate this tutorial for Symfony 5/6?

| Reply |

Hey Rufnex!

Not currently - it's just not high enough on the priority list, sorry :/. The concepts are all still legit - but the code is definitely ANCIENT. I hope we could do it next year some time, but it depends on what other tutorials we want to make and how much watch time this one is getting. But comments like this are definitely a +1 vote for doing it :).

Cheers!

2 | Reply |

i'm doing quite well with the tutorial so far. i'm already looking forward to the further content you'll be presenting.

| Reply |
Default user avatar Axel Jeremy 4 years ago

is this tutorial help to build restful api witth auth2?

| Reply |

Hey Axel,

This course is all about OAuth2 and how to use it. If you're looking for restful API, you can take a look at other specific courses we have, see courses in this track: https://symfonycasts.com/tr... . I suppose you would need to combine knowledge of a few courses to achive what you're looking for.

Cheers!

| Reply |
Tac-Tacelosky avatar Tac-Tacelosky 5 years ago

I'm trying to allow users to register and login with Google and Facebook with a Symfony 4.2 application. I've been using FOSUserBundle, but that seems to have fallen out of favor. This tutorial is about 5 years old, is it still relevant, or can you recommend where to start for a "Best Practices" on this? https://github.com/hwi/HWIO...

Thanks!

| Reply |

Hey Michael,

First of all, this course is still relevant. But this course is a bit specific. If you want better to understand the whole process of OAuth - definitely take a look at it. But if you just want to do login/register via some social networks, you can start with HWIOAuthBundle docs or with knpuniversity/oauth2-client-bundle that is more low level but more flexible, so with it you won't need to override things if you want to do something custom in comparison with HWIOAuthBundle. But it depends on your case.

I hope this helps.

Cheers!

| Reply |
Default user avatar Hasin Hayder 6 years ago

Sweeet! Waiting for this for a long time guys!

| Reply |
Default user avatar Aliaksandr Harbunou 6 years ago

Yeah, it was a deal for me to connect authorization with Google+ and Facebook. Would be useful.

| Reply |
Default user avatar Michal Szymczak 6 years ago

Hi, do you have any estimates when this tutorial will be available?

| Reply |

We're about to start recording, so we should start releasing parts during the next 2 weeks :).

| Reply |
Default user avatar Michal Szymczak 6 years ago

At last available, excellent! Great topic selection, as always. Looking forward to it :)

| Reply |

Enjoy - cheers :)

| Reply |
Default user avatar Nazim 6 years ago

For those working on windows / xampp, the following would be helpful if you run into sqlite db creation error from the downloaded files (client\data\rebulid_db.php - line 19)

http://stackoverflow.com/qu...

I had to remove the slash '/' after the colon ':' which ended up being...

$db = new PDO(sprintf('sqlite:%s', $dbfile));

| Reply |

Hi! Are the "using refresh tokens" and "tightening up security" parts going to be available soon?

| Reply |

Hey @john! Yes, look for them as early as tomorrow actually :)

| Reply |

So you actually removed the text contents of this chapter ???

| Reply |

Not on purpose! :) Thanks for letting me know - the text for the chapter is back now!

Cheers!

| Reply |
Default user avatar RomanArkharov 6 years ago

Hello, my name is Roman.

Could you please explain me. Why do we need to request authorization code to get access token? In such way we have two steps:
* on first step we send client id to server and get authorization code from server,
* on second step we send authorization code from previous step, client id and client secret and get access token.

But in previous lesson we just requested access token by using only client id and client secret without authorization code.

| Reply |

Oh, I think I've understood. By using authorization code we can get access to any account on remote server, otherwise we can access only to own account. Am I right?

| Reply |

Hi Roman!

Yes, you're absolutely right. When we use the "client credentials" grant type, it's really limited. Our final access token only has access to do things to our application (or often, the user that created the application). When we use the authorization code to get the access token, it does 3 things:

1) It tells the server which user we want permission to "act as" (because the server keeps track of which authorization code is for which user)
2) It tells the server which scopes (i.e. permissions) the user has approved for us to have
3) It proves that the user has actually authorized us to have these privileges (since we couldn't easily guess a valid authorization code, and they have a really short lifetime).

So again, you figured it out! Hopefully these details help even more.

Cheers and thanks for the great question!

| Reply |
Default user avatar Niket Sharma 6 years ago

// src/OAuth2Demo/Client/Controllers/CoopOAuthController.php
// ...

public function redirectToAuthorization(Request $request)
{
$url = 'http://coop.apps.knpunivers...
'response_type' => 'code',
'client_id' => '?',
'redirect_uri' => '?',
'scope' => 'eggs-count profile'
));

var_dump($url);die;
}
How can i implement this http_build_query in java??

| Reply |

Hey Niket!

Unfortunately, I can't say how this is done in Java :). You could of course do it manually by building an array and then manually turning that into the correct string, but there's probably a better way.

Cheers!

| Reply |
Default user avatar Niket Sharma 6 years ago

there is a problem in the data if i use any old token it will give the same scope with was used to generate token. if i give the scope egg count only and then i generate the token it will work correctly but if i use the old token which i used to collect eggs, is still active and working, the token should expire when the scope is changed.

| Reply |

tutorial is good, i am learning this so i thought i should inform this issue. thanks

| Reply |

Thanks Niket! I've opened up an issue about this: https://github.com/knpunive...

And I'm really glad you're enjoying the tutorial :)

Cheers!

| Reply |
Default user avatar Niket Sharma weaverryan 6 years ago

thanks ryan for the tutorial, this helped me a lot.

| Reply |
Default user avatar martinc 6 years ago

Did the tutorial, its great thanks! Created an account, added an App and obtained the secret but now
I am having problems with getting a dynamic token. My code below:

$client_secret = 'bcd815114ff04be2f4669ae599a47158';
$clientID = 'App2';

// Create a client with a base URL
$client = new GuzzleHttp\Client(['base_url' => 'http://coop.apps.knpunivers...']);

$dyntoken = $client->post('/token', [
'body' => [
'client_id' => $clientID,
'client_secret' => $client_secret,
'grant_type' => 'client_credentials',
]]);

$responseBody = $dyntoken->getBody(true);
var_dump($responseBody);die

Response:
class GuzzleHttp\Stream\Stream#27 (6) {
private $stream =>
resource(63) of type (stream)
private $size =>
NULL
private $seekable =>
bool(true)
private $readable =>
bool(true)
private $writable =>
bool(true)
private $uri =>
string(10) "php://temp"
}

Why am I getting this? Is there something wrong with my post construction?

| Reply |

Hey there!

Glad you're going through it! I think you're missing just one small thing. In the version of Guzzle we're using, you need to call send() after calling post(). send() is what actually gives you the response - without it, you're printing out the request. Try adding send() and see if it works.

Good luck!

| Reply |

Does this tutorial rely on knowing how to use the Symphony framework or is framework agnostic? Can I apply same to a say, a Laravel app?

| Reply |

Hey Will!

This is framework-agnostic, though we *do* use Silex to illustrate things. Fortunately, Silex will feel very similar to Laravel, and both use Symfony under-the-hood. So yes, this will work for you, and you'll probably be able to leverage some additional Laravel-specific libraries to make your life easier.

Cheers!

1 | Reply |
Default user avatar Akshar 6 years ago

Hi, in the last tutorial that it is not a good practice to expose client secret when we put code on web and that subsequent tutorials explain how to over come this, but i could not find an explanation for the same, could you please tell me if i am missing anything, thanks.

| Reply |

Hi Akshar!

Both the "authorization code grant type" (https://knpuniversity.com/s... and the "Implicit grant type" (https://knpuniversity.com/s... are examples of strategies that allow you to authorize without exposing your application's secret key :). Which you choose depends on your requirements, but both work fine (though the authorization code is arguably a little bit more secure).

I hope that helps!

| Reply |
Default user avatar Sergio 6 years ago

Hello Guys, nice course! Does have any ETA for REST ?

| Reply |

We're working on it hard this week and hoping to get it out ASAP! However, the first episode won't contain anything about OAuth - but we'll have that for episode 2!

Thanks!

| Reply |
Default user avatar Robert 6 years ago

Hello,

Is this still good to learn ?

| Reply |

Hey Rober,

Sure! The OAuth2 protocol is supported by many social networks for now, e.g. Facebook, Google, Instagram, etc. So this's still a good course to learn.

Cheers!

| Reply |

Hey Victor

As always you're first to help :) Thanks man! :)

| Reply |

Delete comment?

Share this comment

astronaut with balloons in space

"Houston: no signs of life"
Start the conversation!