Re: [OAUTH-WG] Securing APIs with OAuth 2.0

Aaron Parecki <aaron@geoloqi.com> Thu, 01 March 2012 04:20 UTC

In-Reply-To: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com>
References: <B691F720-809F-4A9E-8C8E-6BF98EE68F07@appmuscle.com>
Date: Thu, 1 Mar 2012 04:20:39 +0000
Message-ID: <CAGBSGjrKTpXsLSO_cn1u__rJo55QFPhoVxZUgqCMPe9bePkd8A@mail.gmail.com>
From: Aaron Parecki <aaron@geoloqi.com>
To: Pete Clark <pete@appmuscle.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Securing APIs with OAuth 2.0

I believe this one https://github.com/quizlet/oauth2-php is the most
up-to-date PHP library, although you might check around for forks of it
since I haven't checked up on it in a month or so.

Aaron Parecki


On Wednesday, February 29, 2012, Pete Clark wrote:

> Hey all, I've joined the list because I'd like to use OAuth 2 to implement
> security for a new set of REST APIs I'm developing for a client.  I'm
> coding with PHP, but my questions are more general.  Right now, there will
> be only one web site that uses the APIs, in a server-to-server fashion, and
> currently we don't have a need for a third party application to gain access
> to user data, such that a user would need to authorize that app.  We do,
> however, want to have that ability down the road.  My question is, can I
> still use OAuth 2 in some way to implement our first phase?  From what I've
> read, it seems like the "client credentials" flow is the one I want to use
> for now.  Can someone:
>
> 1) Confirm that that's what I should use for this first phase?
> 2) Point me to an implementation of this flow (in any language) that I
> could use or port to PHP?  I've found some libraries for php but can't
> really tell, being new, if they offer the "client credentials" flow
> 3) Answer one more question. Will using the client credentials flow now
> allow me to move to one of the user-authorizes-external-app flows down the
> road without having to reimplement or throw away the client credentials
> flow code?
>
> I apologize for all the questions, but these would really help point me in
> the right direction. Thank you for reading!
>
> Sincerely,
> Pete
>
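Pete's third question is whether client-credentials code has to be thrown away when user-authorizing flows are added later. The following is an added illustration, not Aaron's code nor the quizlet/oauth2-php library, written in Python since Pete said the questions are more general than PHP. It assumes a constructed in-memory client registry and token store; the point is that client authentication, token issuance and resource-server validation are shared, and a new grant type is just one more handler registered at the same token endpoint (error codes follow RFC 6749 section 5.2).

```python
import hmac
import secrets
import time

# Constructed registry: one confidential client (the web site), allowed only
# the client_credentials grant in phase 1. Store the secret hashed in practice.
CLIENTS = {"website": {"secret": "s3cret", "grants": {"client_credentials"}}}
TOKENS = {}  # access_token -> {"client_id", "sub", "scope", "exp"}


def _issue(client_id, sub, scope, ttl=3600):
    """Shared token issuance: identical for every grant type."""
    tok = secrets.token_urlsafe(32)
    TOKENS[tok] = {"client_id": client_id, "sub": sub, "scope": scope,
                   "exp": time.time() + ttl}
    return {"access_token": tok, "token_type": "bearer", "expires_in": ttl}


def _authenticate(client_id, client_secret):
    """Shared client authentication (constant-time secret comparison)."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None
    return client


def client_credentials_grant(client_id, form):
    # Phase 1: the token represents the client itself; there is no user (sub=None).
    return _issue(client_id, sub=None, scope=form.get("scope", ""))


# Phase 2 later: register authorization_code_grant here and add
# "authorization_code" to the client's allowed grants; nothing else changes.
GRANT_HANDLERS = {"client_credentials": client_credentials_grant}


def token_endpoint(form, client_id, client_secret):
    """Single token endpoint: authenticate the client, then dispatch on grant_type."""
    client = _authenticate(client_id, client_secret)
    if client is None:
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grants"]:
        return {"error": "unauthorized_client"}
    handler = GRANT_HANDLERS.get(grant)
    if handler is None:
        return {"error": "unsupported_grant_type"}
    return handler(client_id, form)


def introspect(token):
    """Resource-server check used by the REST APIs; same in both phases."""
    info = TOKENS.get(token)
    if info is None or info["exp"] < time.time():
        return None
    return info
```

Client credentials are sent over TLS using HTTP Basic or form parameters; the dispatch above is indifferent to which, as long as the client is authenticated before any grant handler runs.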