
OAuth2 in 8 Steps

1:33:17

What you'll be learning

Tip

The code in this tutorial is now out-of-date, however the fundamental concepts of OAuth that we teach are still 100% valid.

OAuth2: that mystical beast that you kind of understand and occasionally wrestle to integrate with some social media site.

Time to master OAuth2... and why not do it by building a real app with farmers, chickens and real-life providers like Facebook and Google Plus. We'll show you how OAuth really works, and then how it feels in practice when you use SDKs and other tools that give you shortcuts.

And like always, we'll go directly at the ugly details, like token expiration and having a user deny access to your application. Here's what you'll be learning:

  • 3 main OAuth grant types: client credentials, authorization code and implicit;
  • The exact flow behind getting your application authorized, exchanging an authorization code for a token, and using the token;
  • Authentication (single sign-on) using OAuth;
  • Handling expired tokens;
  • Using refresh tokens;
  • Integrating and authenticating with Facebook;
  • OAuth integration with Google+;
  • What to look out for with security and how you can tighten things.

Your Guides

Brent Shaffer, Ryan Weaver, Leanna Pelham

Ahammad Karim | posted 4 years ago

What about implementing OpenID Connect?


Hey Ahammad Karim!

Do you have some specific questions about OpenID Connect? It's based on OAuth, so the flow is the same that you see here. This is a nice article describing it a bit: https://auth0.com/docs/prot.... As far as I understand, the big difference is that it formalizes how you get user information: when you get your access token, you can *also* get an "ID token", which is a JSON web token (JWT) that, when decoded, contains user information. This is slightly different than what we were doing in this tutorial, where we would (A) get the access token and then (B) use it to make an API request for user information. With OpenID Connect, you get all of the information you need with step (A). I'm far from an expert on it, but this is my impression ;).

Cheers!

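A worked illustration of the ID-token step described in the reply above, added here and not part of the course or this thread: it mints an RS256-signed ID token with a throwaway key pair and then validates it the way a client must before trusting the user information inside (signature, issuer, audience, expiry). The issuer, client id and claim values are constructed placeholders.

```php
<?php
// Added example (constructed, not the course's code): mint an RS256 ID token with a throwaway key,
// then validate it the way a relying party must before trusting the user info it carries.
function b64url(string $bin): string { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }
function b64urlDecode(string $s): string
{
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true) ?: '';
}

// The provider's side: header.payload.signature, signed over the first two segments
function mintIdToken(array $claims, $privateKey): string
{
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    openssl_sign("$header.$payload", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url($sig);
}

// The client's side: returns the claims only if signature, issuer, audience and expiry all check out
function verifyIdToken(string $jwt, string $publicKeyPem, string $issuer, string $clientId, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (($header['alg'] ?? null) !== 'RS256') return null;           // pin the algorithm we expect
    if (openssl_verify("$h.$p", b64urlDecode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode(b64urlDecode($p), true);
    if (!is_array($claims)) return null;
    if (($claims['iss'] ?? null) !== $issuer) return null;            // came from the provider we expect
    if (($claims['aud'] ?? null) !== $clientId) return null;          // issued for our app (string aud only here)
    if (($claims['exp'] ?? 0) <= $now) return null;                   // not expired
    return $claims;
}

// Throwaway key pair standing in for the provider's published signing key (constructed)
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$token = mintIdToken(['iss' => 'https://provider.example', 'sub' => 'user-123', 'aud' => 'my-client-id',
                      'exp' => time() + 300, 'email' => 'farmer@example.com'], $key);
var_dump(verifyIdToken($token, $pub, 'https://provider.example', 'my-client-id', time())['email'] ?? null); // valid token
var_dump(verifyIdToken($token, $pub, 'https://provider.example', 'other-client', time()));               // audience mismatch
var_dump(verifyIdToken($token, $pub, 'https://provider.example', 'my-client-id', time() + 600));         // past exp
```

With a real provider the public key comes from its published key set rather than being generated locally, and the user information is taken only from claims that passed every check above.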
Anthony T. | posted 4 years ago

Hi, great tutorial. Any update on when the rest of the vids will be up?


Aw, thanks Anthony :). We'll get everything up for you by Feb 1, with updates through the week.

Cheers!

Thorsten | posted 4 years ago

How about JwtBearer?


Hey @Thorsten!

JwtBearer isn't included in the tutorial currently. We thought about it - and Brent has actually worked with it a bunch - but decided not to include it originally. But now, we may consider adding it as a blog post or a small tutorial :).

Cheers!

Thorsten Drönner | weaverryan | posted 4 years ago

That would be great. I'm currently using OAuth in combination with Apigility (http://apigility.org). Since the API is mostly used for inter-machine communication (iOS, Android, Web) the clients will get RSA 2048 certificates.


We've talked about doing a short screencast to cover JWT-Bearer and JWT tokens in general, covering the basics, as well as the different values that can be populated in the JWT header. In addition, we've discussed doing a short screencast on OpenID Connect. What other specifics would you like to see in a screencast like this?

Thorsten Drönner | Brent Shaffer | posted 4 years ago

Looks good to me. Maybe some scope checking additionally.


Thanks Josh! We're aware and it's on our list to update. Until then, the course is still teaching all the right stuff, but the code examples using Guzzle (if you're coding along) will need to be updated.

Cheers!

Jim Fisher | posted 4 years ago

No one seems to have pointed out that despite this page saying "Click the Download button on this page to get the starting point of the project," there is in fact no "Download" button anywhere on the page.


Hi there!

The "Download" button only shows up if you own the course, even for the free chapters - that's our bad (it's on our bug tracker). However, you can download the starting code directly from GitHub - it's exactly the same as the code download :) https://github.com/knpunive...

Thanks!

Axel Jeremy | posted 2 years ago

Does this tutorial help to build a RESTful API with OAuth2?


Hey Axel,

This course is all about OAuth2 and how to use it. If you're looking for a RESTful API, you can take a look at other specific courses we have; see the courses in this track: https://symfonycasts.com/tr... . I suppose you would need to combine knowledge from a few courses to achieve what you're looking for.

Cheers!

Tac-Tacelosky | posted 3 years ago

I'm trying to allow users to register and login with Google and Facebook with a Symfony 4.2 application. I've been using FOSUserBundle, but that seems to have fallen out of favor. This tutorial is about 5 years old, is it still relevant, or can you recommend where to start for a "Best Practices" on this? https://github.com/hwi/HWIO...

Thanks!


Hey Michael,

First of all, this course is still relevant. But this course is a bit specific. If you want to better understand the whole process of OAuth, definitely take a look at it. But if you just want to do login/register via some social networks, you can start with the HWIOAuthBundle docs or with knpuniversity/oauth2-client-bundle, which is more low-level but more flexible, so with it you won't need to override things if you want to do something custom, in comparison with HWIOAuthBundle. But it depends on your case.

I hope this helps.

Cheers!

Hasin Hayder | posted 4 years ago

Sweeet! Waiting for this for a long time guys!

Aliaksandr Harbunou | posted 4 years ago

Yeah, it was a deal for me to connect authorization with Google+ and Facebook. Would be useful.

Michal Szymczak | posted 4 years ago

Hi, do you have any estimates when this tutorial will be available?


We're about to start recording, so we should start releasing parts during the next 2 weeks :).

Michal Szymczak | posted 4 years ago

At last available, excellent! Great topic selection, as always. Looking forward to it :)


For those working on Windows / XAMPP, the following would be helpful if you run into a SQLite DB creation error from the downloaded files (client\data\rebulid_db.php - line 19)

http://stackoverflow.com/qu...

I had to remove the slash '/' after the colon ':' which ended up being...

$db = new PDO(sprintf('sqlite:%s', $dbfile));


Hi! Are the "using refresh tokens" and "tightening up security" parts going to be available soon?


Hey @john! Yes, look for them as early as tomorrow actually :)


So you actually removed the text contents of this chapter ???


Not on purpose! :) Thanks for letting me know - the text for the chapter is back now!

Cheers!

RomanArkharov | posted 4 years ago

Hello, my name is Roman.

Could you please explain to me: why do we need to request an authorization code to get an access token? That way we have two steps:
* on the first step we send the client id to the server and get an authorization code from the server,
* on the second step we send the authorization code from the previous step, the client id and the client secret, and get an access token.

But in previous lesson we just requested access token by using only client id and client secret without authorization code.


Oh, I think I've understood. By using authorization code we can get access to any account on remote server, otherwise we can access only to own account. Am I right?


Hi Roman!

Yes, you're absolutely right. When we use the "client credentials" grant type, it's really limited. Our final access token only has access to do things to our application (or often, the user that created the application). When we use the authorization code to get the access token, it does 3 things:

1) It tells the server which user we want permission to "act as" (because the server keeps track of which authorization code is for which user)
2) It tells the server which scopes (i.e. permissions) the user has approved for us to have
3) It proves that the user has actually authorized us to have these privileges (since we couldn't easily guess a valid authorization code, and they have a really short lifetime).

So again, you figured it out! Hopefully these details help even more.

Cheers and thanks for the great question!

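To make the three points in the reply above concrete, here is an added toy authorization server (constructed for this page, not the course's Coop app or its code): it issues a code bound to a user and the scopes they approved, exchanges it for a token only with the client secret, the matching redirect_uri, before expiry and only once, and shows the client_credentials grant beside it for contrast. The client id App2 and the scopes come from this thread; the secret, user and redirect URI are made up.

```php
<?php
// Added toy authorization server (constructed, not the course's Coop server).
final class AuthServer
{
    private array $clients = ['App2' => 'constructed-secret']; // client_id => client_secret (made up)
    private array $codes = [];                                 // outstanding authorization codes
    // /authorize: the user has logged in and approved $scope, so we hand the browser a short-lived code
    public function issueCode(string $clientId, string $user, array $scope, string $redirectUri, int $now): string
    {
        if (!isset($this->clients[$clientId])) throw new RuntimeException('unknown_client');
        $code = bin2hex(random_bytes(32)); // 256 random bits: not guessable
        $this->codes[$code] = ['user' => $user, 'scope' => $scope, 'client_id' => $clientId,
                               'redirect_uri' => $redirectUri, 'expires' => $now + 60]; // one-minute lifetime
        return $code;
    }
    // /token with grant_type=authorization_code: the secret proves it is our app, the code proves the user consented
    public function exchangeCode(string $clientId, string $secret, string $code, string $redirectUri, int $now): array
    {
        $this->authenticateClient($clientId, $secret);
        $grant = $this->codes[$code] ?? null;
        unset($this->codes[$code]); // single use: a replayed code fails even if everything else matches
        if ($grant === null || $grant['client_id'] !== $clientId
            || $grant['redirect_uri'] !== $redirectUri || $grant['expires'] <= $now) {
            throw new RuntimeException('invalid_grant');
        }
        return ['access_token' => bin2hex(random_bytes(32)), 'user' => $grant['user'], 'scope' => $grant['scope']];
    }
    // /token with grant_type=client_credentials, for contrast: same secret, but no user and no user-approved scopes
    public function clientCredentials(string $clientId, string $secret): array
    {
        $this->authenticateClient($clientId, $secret);
        return ['access_token' => bin2hex(random_bytes(32)), 'user' => null, 'scope' => ['app-only']];
    }
    private function authenticateClient(string $clientId, string $secret): void
    {
        if (!isset($this->clients[$clientId]) || !hash_equals($this->clients[$clientId], $secret)) {
            throw new RuntimeException('invalid_client');
        }
    }
}

$server = new AuthServer();
$redirect = 'https://client.example/coop/oauth/handle'; // constructed
$code = $server->issueCode('App2', 'farmer-jane', ['eggs-count', 'profile'], $redirect, time());
print_r($server->exchangeCode('App2', 'constructed-secret', $code, $redirect, time())); // token acts as farmer-jane
try { $server->exchangeCode('App2', 'constructed-secret', $code, $redirect, time()); }  // same code again
catch (RuntimeException $e) { echo "replayed code rejected: {$e->getMessage()}\n"; }
print_r($server->clientCredentials('App2', 'constructed-secret'));                      // token for the app itself
```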
Niket Sharma | posted 4 years ago

// src/OAuth2Demo/Client/Controllers/CoopOAuthController.php
// ...

public function redirectToAuthorization(Request $request)
{
    // authorize URL truncated by the comment system
    $url = 'http://coop.apps.knpunivers...' . http_build_query(array(
        'response_type' => 'code',
        'client_id' => '?',
        'redirect_uri' => '?',
        'scope' => 'eggs-count profile'
    ));

    var_dump($url); die;
}
How can I implement this http_build_query in Java?


Hey Niket!

Unfortunately, I can't say how this is done in Java :). You could of course do it manually by building an array and then manually turning that into the correct string, but there's probably a better way.

Cheers!

Niket Sharma | posted 4 years ago

There is a problem in the data: if I use any old token, it will give the same scope that was used to generate the token. If I give the scope egg count only and then generate the token, it will work correctly, but the old token which I used to collect eggs is still active and working; the token should expire when the scope is changed.


The tutorial is good; I am learning this, so I thought I should inform you of this issue. Thanks.


Thanks Niket! I've opened up an issue about this: https://github.com/knpunive...

And I'm really glad you're enjoying the tutorial :)

Cheers!


Thanks Ryan for the tutorial, this helped me a lot.

martinc | posted 4 years ago

Did the tutorial, it's great, thanks! Created an account, added an App and obtained the secret, but now
I am having problems with getting a dynamic token. My code below:

$client_secret = 'bcd815114ff04be2f4669ae599a47158';
$clientID = 'App2';

// Create a client with a base URL
$client = new GuzzleHttp\Client(['base_url' => 'http://coop.apps.knpunivers...']);

$dyntoken = $client->post('/token', [
    'body' => [
        'client_id' => $clientID,
        'client_secret' => $client_secret,
        'grant_type' => 'client_credentials',
    ],
]);

$responseBody = $dyntoken->getBody(true);
var_dump($responseBody); die;

Response:
class GuzzleHttp\Stream\Stream#27 (6) {
private $stream =>
resource(63) of type (stream)
private $size =>
NULL
private $seekable =>
bool(true)
private $readable =>
bool(true)
private $writable =>
bool(true)
private $uri =>
string(10) "php://temp"
}

Why am I getting this? Is there something wrong with my post construction?


Hey there!

Glad you're going through it! I think you're missing just one small thing. In the version of Guzzle we're using, you need to call send() after calling post(). send() is what actually gives you the response - without it, you're printing out the request. Try adding send() and see if it works.

Good luck!


Does this tutorial rely on knowing how to use the Symphony framework or is framework agnostic? Can I apply same to a say, a Laravel app?


Hey Will!

This is framework-agnostic, though we *do* use Silex to illustrate things. Fortunately, Silex will feel very similar to Laravel, and both use Symfony under-the-hood. So yes, this will work for you, and you'll probably be able to leverage some additional Laravel-specific libraries to make your life easier.

Cheers!


Hi, in the last tutorial it said that it is not good practice to expose the client secret when we put code on the web, and that subsequent tutorials explain how to overcome this, but I could not find an explanation for the same. Could you please tell me if I am missing anything? Thanks.


Hi Akshar!

Both the "authorization code grant type" (https://knpuniversity.com/s... and the "Implicit grant type" (https://knpuniversity.com/s... are examples of strategies that allow you to authorize without exposing your application's secret key :). Which you choose depends on your requirements, but both work fine (though the authorization code is arguably a little bit more secure).

I hope that helps!


Hello Guys, nice course! Does have any ETA for REST ?


We're working on it hard this week and hoping to get it out ASAP! However, the first episode won't contain anything about OAuth - but we'll have that for episode 2!

Thanks!


Hello,

Is this still good to learn ?


Hey Rober,

Sure! The OAuth2 protocol is supported by many social networks for now, e.g. Facebook, Google, Instagram, etc. So this is still a good course to learn.

Cheers!


Hey Victor

As always you're first to help :) Thanks man! :)


You're welcome! This is a good choice for your project ;)


Does this course come with any certification at the end?


Hi Gary!

There is no certification (at this time) at the end of the course. You will know a ton about OAuth, but there's no official certification that we offer.

Cheers!
