PHP OAuth Provider: Access Tokens

I've been working with OAuth, as a provider and consumer, and there isn't a lot of documentation around it for PHP at the moment so I thought I'd share my experience in this series of articles. This relates to the stable OAuth 1.0a spec, however OAuth2 has already started to be adopted (and differs greatly). This article uses the pecl_oauth extension and builds on Rasmus' OAuth Provider post. This entry follows on from the ones about the initial requirements, how to how to handle request tokens, and authenticating users.

Here we're performing the final step in the handshake to grant access; giving an access token. To achieve this, the consumer makes a request and includes:

• consumer key and secret
• request token and secret
• verifier token

This basically means that we know who they are, that they did send the user to us and the user went back to them.

My PHP code for this step looks something like this, with $db, $request_token and verifier already in place, and following the same provider block to check the request as was shown in the request token post:

// bin 2 hex because the binary isn't friendly $access_token = bin2hex($this-provider-generateToken(8)); $access_token_secret = bin2hex($this-provider-generateToken(16)); // get request data $request_sql = 'select authorised_user_id as user_id from oauth_request_tokens where request_token = :request_token and verification = :verifier'; try { $request_stmt = $db-prepare($request_sql); $request_response = $request_stmt-execute(array("request_token" = $request_token, "verifier" = $verifier)); $request_data = $request_stmt-fetch(); if($request_data) { // now delete this token, it shouldn't be used again $delete_sql = 'delete from oauth_request_tokens where request_token = :request_token'; $delete_stmt

Truncated by Planet PHP, read more at the original (another 6372 bytes)

• Read the original article at Planet PHP