====== OAuth ======

An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications. http://oauth.net/

See also: [[:glossaire:sso|Single Sign-On]]

===== OAuth flows =====

==== Implicit flow ====

{{:informatique:oauth_implicit_flow.png?nolink&400|Image source https://blog.postman.com/pkce-oauth-how-to}}

Diagram source from [[https://blog.postman.com/pkce-oauth-how-to|postman.com]].

  * [[https://oauth.net/2/grant-types/implicit/|OAuth 2.0 Implicit Grant]]
  * [[https://docs.gitlab.com/ee/api/oauth2.html#implicit-grant-flow|GitLab OAuth 2.0 Implicit Grant]]

The implicit flow is not secure because the token is passed in the URL and can therefore be stolen. So avoid using it, or at worst use it only to access the profile of the authenticated user.

  * [[https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926|Why you should stop using the OAuth implicit grant!]]

I made a PoC here: https://git.artefacts.coop/Cyrille37/sso-oauth-implicit-grant

==== Authorization code flow ====

{{:informatique:oauth_authorization_code_flow_.png?nolink&650|}}

Diagram source from [[https://blog.postman.com/pkce-oauth-how-to|postman.com]].

==== Authorization code flow with PKCE ====

[[https://blog.postman.com/pkce-oauth-how-to/|OAuth 2.0: Implicit Flow is Dead, Try PKCE Instead]]

{{:informatique:oauth_authorization_code_flow_with_pkce.png?nolink&700|}}

Diagram source from [[https://blog.postman.com/pkce-oauth-how-to|postman.com]].
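The authorization code flow with PKCE from the diagrams above, as an added worked example (not code from this page, from the postman.com article or from the PoC linked above). Both sides are simulated in one process: the client derives a ''code_verifier'' and its S256 ''code_challenge'' (RFC 7636), sends only the challenge on the front channel, receives a single-use code in the redirect, and redeems it with the verifier on the back channel. The ''AuthorizationServer'' class, the ''https://auth.example'' and ''https://app.example'' endpoints and the ''demo-client'' id are constructed placeholders. Unlike the implicit flow, no access token ever appears in a URL: a stolen code is useless without the verifier, which never leaves the client.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint constructed for this example; a real client uses the provider's metadata.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved chars; 32 random bytes -> 43 base64url chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id, redirect_uri, verifier, state, scope="profile"):
    """Client, step 1: the front-channel request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


class AuthorizationServer:
    """In-memory stand-in for the authorization server (constructed for this example)."""

    def __init__(self):
        self._codes = {}

    def authorize(self, query: str) -> str:
        """Step 2: after user consent, bind the challenge to a short-lived, single-use code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("unsupported authorization request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {
            "challenge": q["code_challenge"],
            "client_id": q["client_id"],
            "redirect_uri": q["redirect_uri"],
        }
        return code

    def token(self, code, code_verifier, client_id, redirect_uri):
        """Step 4: redeem code + verifier. The code is consumed even when the check fails."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(make_code_challenge(code_verifier), entry["challenge"]):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def start_authorization(server, client_id, redirect_uri):
    """Client: create verifier + state, send the user to the AS, get the redirect back."""
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorize_url(client_id, redirect_uri, verifier, state)
    code = server.authorize(urlparse(url).query)
    # Simulated step 3: the AS redirects the browser back with only code and state in the URL.
    redirect_query = urlencode({"code": code, "state": state})
    return {"verifier": verifier, "state": state, "redirect_query": redirect_query}


def finish_authorization(server, ctx, client_id, redirect_uri, verifier=None):
    """Client: check state (CSRF binding), then exchange the code over the back channel."""
    q = {k: v[0] for k, v in parse_qs(ctx["redirect_query"]).items()}
    if not hmac.compare_digest(q.get("state", ""), ctx["state"]):
        return None
    return server.token(q["code"], verifier or ctx["verifier"], client_id, redirect_uri)


if __name__ == "__main__":
    srv = AuthorizationServer()
    ctx = start_authorization(srv, "demo-client", "https://app.example/callback")
    print(finish_authorization(srv, ctx, "demo-client", "https://app.example/callback"))
```

The ''verifier'' parameter of ''finish_authorization'' exists only so the failure case can be exercised: redeeming the code with any verifier other than the one the challenge was derived from, replaying a consumed code, or returning with a state value that does not match the one stored by the client all yield ''None'' instead of a token.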
===== Providers =====

==== Twitter ====

  * Documentation: https://dev.twitter.com/oauth/overview
  * Developer application settings: https://apps.twitter.com/
  * OAuth URLs:
    * App-only authentication https://api.twitter.com/oauth2/token
    * Request token URL https://api.twitter.com/oauth/request_token
    * Authorize URL https://api.twitter.com/oauth/authorize
    * Access token URL https://api.twitter.com/oauth/access_token
    * Account verify credentials https://api.twitter.com/1.1/account/verify_credentials.json

===== API =====

  * http://oauth.net/code/

==== PHP ====

  * PHP OAuth API on phpclasses.org: [[http://www.phpclasses.org/blog/package/7700/|package]], [[http://www.phpclasses.org/package/7700-PHP-Authorize-and-access-APIs-using-OAuth.html|blog]]