CSCI 3000 -Web Programming
Cooperation between different websites can be a valuable tool (think Facebook login buttons everywhere). However, this presents a problem: How can Facebook verify who you are to a third party website without possibly revealing your sensitive credentials? They can’t just send over your username and password where a hacker may intercept it.
OAuth is a standard for authentication that doesn’t require the third party site (The “Service Provider” or SP for short) to know your password or anything about you. Instead, they have arranged a trust between themselves and the site that controls your credentials (The “Identity Provider” or IDP for short). For example, a website you use your Facebook login on never needs your Facebook username/password. They have simply arranged with Facebook where they can ask “Who is this?” and Facebook responds “This is ______, go ahead and log them in”. This works the same way when you log into websites that bring you through the UNG Single Sign-On service.
The chart above is a simple layout of the OAuth 2.0 flow but it goes something like this:
Save your time - order a paper!
Get your paper written from scratch within the tight deadline. Our service is a reliable solution to all your troubles. Place an order on any task and we will take care of it. You won’t have to worry about the quality and deadlinesOrder Paper Now
1) The user tries to access a protected resource on the SP
2) The SP redirects to the IDP
3) The IDP authenticates the user
3) The IDP generates a short-life grant token and redirects back to the SP
4) The SP submits the grant token back to the IDP
5) The IDP replies with a long-life access token 6) Now the SP can request protected information from the IDP using the access token and it will fulfill the request
Part 1 – IDP Setup
In order for the Service Provider script on your own website to be able to log in correctly, it needs to establish a trust with my Identity Provider.
Register and log in to and it will provide you with the information that you need to configure your script. You’ll need to input the address of your script for the redirect URL (Something like http://yoursite.com/A4/index.php)
You can also fill in some information here that is your “Private information” that only authenticated websites should be able to read.
Part 2 – SP Setup
Create a folder called “A4” on your server and make a new index.php file inside it. Copy this script and paste it into the new file. Complete each of the three areas of the script that are marked “TODO”. If you do it correctly, then you should be able to browse to that page and click the log in button. You’ll be directed to my website where you will be able to log in using the same account you registered before. Next, your script will perform the OAuth flow detailed above and you’ll be logged in on your own website.
The interesting thing here is that now you’ll see the “secret information” you put into my website on your own website. It is being retrieved directly from the remote server using the access token to verify who you are.
The fun part about this is that now any student in the class can also browse to your website and log in and see their own secret information. But your website never needs to ask them for their username or password. It simply asks mine, and believes they are who I saw they are. Cool eh?