PHP OAuth Provider: Access Tokens
Here we’re performing the final step in the handshake to grant access: issuing an access token. To achieve this, the consumer makes a request and includes:
- consumer key and secret
- request token and secret
- verifier token
This basically means that we know who they are, that they did send the user to us, and that the user went back to them.
My PHP code for this step looks something like this, with $db, $request_token and $verifier already in place, and following the same provider block to check the request as was shown in the request token post:
    // bin2hex because the raw binary token isn't friendly to carry in a query string
    $access_token = bin2hex($this->provider->generateToken(8));
    $access_token_secret = bin2hex($this->provider->generateToken(16));

    // get request data: the request token must exist with this verifier
    $request_sql = 'select authorised_user_id as user_id
        from oauth_request_tokens
        where request_token = :request_token
        and verification = :verifier';
    try {
        $request_stmt = $db->prepare($request_sql);
        $request_response = $request_stmt->execute(array(
            "request_token" => $request_token,
            "verifier" => $verifier
        ));
        $request_data = $request_stmt->fetch();
        if ($request_data) {
            // now delete this token, it shouldn't be used again
            $delete_sql = 'delete from oauth_request_tokens
                where request_token = :request_token';
            $delete_stmt = $db->prepare($delete_sql);
            $delete_stmt->execute(array('request_token' => $request_token));
        } else {
            error_log('request token not found');
            return false;
        }
    } catch (PDOException $e) {
        error_log('Could not retrieve/delete request token data ' . $e->getMessage());
        return false;
    }

    // store new access token, bound to the consumer and the user who authorised it
    $sql = 'insert into oauth_access_tokens set '
        . 'access_token = :access_token, '
        . 'access_token_secret = :access_token_secret, '
        . 'consumer_key = :consumer_key, '
        . 'user_id = :user_id';
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute(array(
            "consumer_key" => $this->provider->consumer_key,
            "access_token" => $access_token,
            "access_token_secret" => $access_token_secret,
            "user_id" => $request_data['user_id']
        ));
        return array('oauth_token' => $access_token,
            'oauth_token_secret' => $access_token_secret);
    } catch (PDOException $e) {
        error_log('Could not insert access token ' . $e->getMessage());
        return false;
    }
The calling code checks that it gets an array in response, with the new token and secret in it. If it does, we need to return those to the OAuth consumer, and exactly as when we did the request token, we do this by simply echoing a query string:
    echo "oauth_token=" . $tokens['oauth_token'] . '&oauth_token_secret=' . $tokens['oauth_token_secret'];
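As an added example that is not the post's own code, here is the same exchange (the lookup, the one-time deletion of the request token, the insert, and the query-string response) as a single function against an in-memory SQLite database, so it runs with plain `php` and needs neither MySQL nor the PECL oauth extension. Everything in it is assumed rather than taken from the post: the tables mirror the post's SQL but add a consumer_key column to oauth_request_tokens, random_bytes() stands in for OAuthProvider::generateToken(), and the consumer key, tokens and user id in the walk-through are constructed values.

```php
<?php
// Added example, not the post's own code: the access-token exchange as one
// function against an in-memory SQLite database. Assumptions are marked.
declare(strict_types=1);

// Constructed schema mirroring the post's two tables, plus a consumer_key column
// on oauth_request_tokens (assumed to be filled in by the request-token step).
function buildSchema(PDO $db): void
{
    $db->exec('create table oauth_request_tokens (
        request_token text primary key, request_token_secret text,
        consumer_key text, verification text, authorised_user_id integer)');
    $db->exec('create table oauth_access_tokens (
        access_token text primary key, access_token_secret text,
        consumer_key text, user_id integer)');
}

// Stand-in for bin2hex(OAuthProvider::generateToken(n)); random_bytes() is the
// CSPRNG bundled with PHP 7 and later.
function generateHexToken(int $bytes): string
{
    return bin2hex(random_bytes($bytes));
}

// Exchange a verified request token for an access token. Returns the
// oauth_token / oauth_token_secret pair, or false when the request token,
// verifier and consumer key do not line up or the token was already used.
function issueAccessToken(PDO $db, string $consumerKey, string $requestToken, string $verifier)
{
    $params = ['request_token' => $requestToken, 'verifier' => $verifier, 'consumer_key' => $consumerKey];
    $db->beginTransaction();
    try {
        // Match all three values, and only tokens a user has actually authorised,
        // so a token issued to one consumer cannot be exchanged by another.
        $stmt = $db->prepare('select authorised_user_id as user_id
            from oauth_request_tokens
            where request_token = :request_token and verification = :verifier
            and consumer_key = :consumer_key and authorised_user_id is not null');
        $stmt->execute($params);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$row) {
            $db->rollBack();
            error_log('request token not found');
            return false;
        }
        // One use only: the delete repeats the same predicates and its affected-row
        // count decides who consumed the token, so two racing exchanges cannot both win.
        $del = $db->prepare('delete from oauth_request_tokens
            where request_token = :request_token and verification = :verifier
            and consumer_key = :consumer_key');
        $del->execute($params);
        if ($del->rowCount() !== 1) {
            $db->rollBack();
            error_log('request token already used');
            return false;
        }
        $accessToken = generateHexToken(8);
        $accessTokenSecret = generateHexToken(16);
        $ins = $db->prepare('insert into oauth_access_tokens
            (access_token, access_token_secret, consumer_key, user_id)
            values (:access_token, :access_token_secret, :consumer_key, :user_id)');
        $ins->execute([
            'access_token' => $accessToken, 'access_token_secret' => $accessTokenSecret,
            'consumer_key' => $consumerKey, 'user_id' => $row['user_id'],
        ]);
        $db->commit();
    } catch (PDOException $e) {
        // Rolling back undoes the delete too, so a transient database error does
        // not consume the request token without issuing anything in return.
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        error_log('Could not exchange request token: ' . $e->getMessage());
        return false;
    }
    return ['oauth_token' => $accessToken, 'oauth_token_secret' => $accessTokenSecret];
}

// Constructed walk-through: the request-token step is pretended to have run and
// user 42 to have authorised it; every value below is made up.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
buildSchema($db);
$db->prepare('insert into oauth_request_tokens values (?, ?, ?, ?, ?)')
   ->execute(['reqtok1', 'reqsecret1', 'consumer-abc', 'verif123', 42]);

// Another consumer, a wrong verifier and a replay of the same token must all
// fail; the one correct exchange must yield a token pair.
$otherConsumer = issueAccessToken($db, 'consumer-xyz', 'reqtok1', 'verif123');
$wrongVerifier = issueAccessToken($db, 'consumer-abc', 'reqtok1', 'wrong');
$good          = issueAccessToken($db, 'consumer-abc', 'reqtok1', 'verif123');
$replay        = issueAccessToken($db, 'consumer-abc', 'reqtok1', 'verif123');
if ($otherConsumer !== false || $wrongVerifier !== false || $good === false || $replay !== false) {
    throw new RuntimeException('access-token exchange did not behave as expected');
}
// The response body the consumer receives; http_build_query URL-encodes the values.
echo http_build_query($good), "\n";
```

Two things differ from the post's version on purpose. The lookup also matches consumer_key and requires a non-null authorised_user_id, so a request token can only be exchanged by the consumer it was issued to, and only once a user has actually authorised it. And the select, delete and insert share one transaction, with the delete's affected-row count as the final say: a failed insert rolls the delete back instead of consuming the request token for nothing, and whichever of two concurrent exchanges actually deletes the row is the one that gets an access token.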
At this point we have shaken hands, and the consumer has an access token they can use to make “normal” calls as an authenticated user. I’ll add one final entry to this series to show the use of the tokens in association with a standard web service.
I know this is kind of an old post (the series is great, by the way); however, I’d like to point out that in the first part you mentioned the token handler and that “right now it’s ok to just return OAUTH_OK” (in the context of the first post). So I’d think that in this article you’d show us how you’ve changed your token handler to work with the access tokens, since the token handler does come into play at this point.