OAUTH AUTHORIZATION SERVER


OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

In this tutorial we will build an application that lets a user log in with their Facebook account, and then retrieve the user's protected profile data from Facebook.

So let's get started! The following diagram shows all the steps involved in this flow.

The steps are:

  1. The application requests authorization from the user to access service resources.
  2. If the user authorizes the request, the application receives an authorization grant.
  3. The application requests an access token from the authorization server (API) by presenting proof of its own identity together with the authorization grant.
  4. If the application's identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
  5. The application requests the resource from the resource server (API), presenting the access token for authentication.
  6. If the access token is valid, the resource server (API) serves the resource to the application.

Let's get started

All we need to do first is register the Client app.

Log in to developers.facebook.com with your Facebook credentials.

Next click Tools in the menu bar and select Graph API Explorer; you will see a screen like this. This is where the permissions for the application are set, and it is how we restrict which data the application can access.



Then select the permissions you want to grant to the application you created. For my application I have chosen only email; profile picture, id and name are accessible under the default permission.


If a permission has not been granted and you try to fetch that information, this error message will appear.

How to code.

Here we need to create four main pages: config.php, login.php, fbcallback.php and index.php. Let's look at each briefly.

1. Configuration page (config.php)

To retrieve information from Facebook we have to pass some values that are verified by the Facebook server.

So in config.php we pass the app_id, app_secret and default_graph_version to the Facebook OAuth server to be verified. The app_id and app_secret are the values we got when creating the app above, so fill them in according to your app. The app_secret must stay on the server side; it should never be sent to the browser or committed to a public repository.


2. Obtaining authorization (login.php)

The login page looks like the picture included above. When the user clicks the Login with Facebook button, Facebook asks the account owner for consent to give the app access, then sends the request for an access token, including the endpoint URL (redirectURL) and the permission type (email), to the authorization server. After the token is obtained it is sent to the resource server (the app server), which returns the requested information. The resource server is the OAuth 2.0 term for your API server; it handles authenticated requests after the application has obtained an access token.

The redirectURL above must be an absolute value. So, according to your project's server domain, give the absolute URL of fbcallback.php. It also has to match the redirect URL registered for the app exactly, otherwise Facebook will refuse to issue the token.




Then we use $loginUrl in the Login with Facebook button's click event to request authorization from the user.


3. Gathering Information (fbcallback.php)

After logging in with Facebook, Facebook shows the user consent page, where the user has to accept the permissions requested by the app. Earlier, when creating the app, we defined which items should be requested from Facebook; here we can see that the application requests name, profile picture and email address.


Here we send a GET request to Facebook's resource server with the access token. In return, the resource server returns an array of data to the application server if the permissions are correct.
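The three pages above (config, login and callback) form one flow; the following is an added example, not the post's own code or the GitHub source, that shows that flow in a single script using the Facebook PHP SDK (facebook/graph-sdk installed via Composer). The app_id, app_secret, redirect URL and graph version are placeholders you replace with your own; the point to notice is that the SDK's redirect helper generates a random state value on the login URL and rejects the callback if it does not match the value saved in the session.

```php
<?php
// Added example, not the post's own code. Assumes facebook/graph-sdk is
// installed via Composer and that the placeholders below are replaced.
require_once __DIR__ . '/vendor/autoload.php';

// The redirect helper stores the CSRF "state" value in the PHP session.
session_start();

$fb = new Facebook\Facebook([
    'app_id'                => 'YOUR_APP_ID',      // placeholder
    'app_secret'            => 'YOUR_APP_SECRET',  // placeholder, server-side only
    'default_graph_version' => 'v2.10',            // assumed version
]);
$helper = $fb->getRedirectLoginHelper();

// Absolute redirect URL; must match the URL registered for the app exactly.
$redirectUrl = 'https://example.com/fbcallback.php'; // placeholder

if (!isset($_GET['code'])) {
    // Steps 1-2: send the user to Facebook's consent dialog, asking only
    // for the permission we need. getLoginUrl() adds a random state
    // parameter and saves it in $_SESSION.
    $loginUrl = $helper->getLoginUrl($redirectUrl, ['email']);
    header('Location: ' . $loginUrl);
    exit;
}

// Steps 3-4: exchange the authorization code for an access token.
// getAccessToken() checks that the state returned by Facebook matches
// the one stored in the session before contacting the token endpoint.
try {
    $accessToken = $helper->getAccessToken($redirectUrl);
} catch (Facebook\Exceptions\FacebookSDKException $e) {
    http_response_code(400);
    exit('Login failed: ' . htmlspecialchars($e->getMessage()));
}
if (!isset($accessToken)) {
    http_response_code(400);
    exit('No access token returned; the user may have declined.');
}

// Steps 5-6: GET request to Facebook's resource server with the token,
// requesting only the fields the app was granted.
$response = $fb->get('/me?fields=id,name,email,picture', $accessToken);
$user = $response->getGraphUser();
echo 'Hello, ' . htmlspecialchars($user->getField('name'))
   . ' <' . htmlspecialchars($user->getField('email') ?? 'no email') . '>';
```

Every value printed is passed through htmlspecialchars() because the name and email come from a third party, not from your own database.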


4. Displaying the retrieved information (index.php)

After getting all the data from the Facebook server, we store it in a table on the welcome page of the app.



Finally, the retrieved information is displayed.

That completes the OAuth authentication.

Source code: GitHub
