Mastering OAuth 2.0 Published, by Ben Ramsey

15 May 2016

Mastering OAuth 2.0 Published

I’ve published my first article in php[architect] magazine since 2009! It’s only fitting that it’s an article on OAuth 2.0, since one of the last articles I published in their magazine was on OAuth 1.0. I’m proud and excited to finally publish a new article with them after such a long hiatus, and I hope my next article doesn’t take seven years to write.

OAuth 2.0 is the de facto standard for authenticating users with third-party websites. If you want access to a user’s data in Google or Facebook, for example, OAuth 2.0 is what you use. But, let’s face it: OAuth 2.0 is not easy, and to make matters worse, it seems everyone has a slightly different implementation, making interoperability a nightmare. Fortunately, the PHP League of Extraordinary Packages has released version 1 of the league/oauth2-client library. Aiming for simplicity and ease-of-use, league/oauth2-client provides a common interface for accessing many OAuth 2.0 providers.

It wasn’t easy for me to write this article. Call it writers’ block, procrastination, or what have you, I kept putting off writing the article over and over. I had more than a few false starts, and I tried a variety of different formats, convinced it was my workflow and process that was hindering me. In the end, I just had to write. I owe Oscar a few beers at php[tek] for putting him through that.

Mistakes Were Made

I began writing the article in August of last year. As a result of the long writing process, the Instagram client I registered for use in writing the article was registered before Instagram deprecated the /users/self/feed endpoint (thanks to an astute reader for pointing this out!). This means there are errors in the published version of the article, and I am truly sorry for this. As a technical author, it’s embarrassing—especially since it’s an error that could have been avoided.

Fortunately, there’s an easy fix for this. In Listing 2 of my article’s example code (app/Http/Controllers/HomeController.php), you’ll find the following lines of code:

$feedRequest = Instagram::getAuthenticatedRequest(
    'GET',
    'https://api.instagram.com/v1/users/self/feed',
    $instagramToken
);

This code uses the deprecated Instagram endpoint https://api.instagram.com/v1/users/self/feed. There is no replacement for this endpoint, but we can substitute it with another one: https://api.instagram.com/v1/users/self/media/recent. This new endpoint won’t return a user’s Instagram feed, but it will return their most recent uploads, which will suffice for the example application. The updated code should look like this:

$feedRequest = Instagram::getAuthenticatedRequest(
    'GET',
    'https://api.instagram.com/v1/users/self/media/recent',
    $instagramToken
);

Thanks For Reading

If you took the time to read the article, thank you so much. If you haven’t yet, go grab a copy of the May issue and read it.

Please take a moment to let me know what you think. OAuth can be explained in simple terms, but to grok it, it’s difficult to distill into concise code examples. That was my goal. I’m working the article into a talk, so I’d like to know how I can improve the content and examples.

On Twitter, I posted a thread of tweets where I mention a few things about OAuth and then list many of the php[architect] articles that have covered it. Feel free to read through this conversation and check out the other OAuth articles to increase your own understanding.

While OAuth is used practically everywhere these days, there’s still so much misunderstanding around how it works. #oauth (1/12)
— Ben Ramsey (@ramsey) May 13, 2016

Finally, my friend Matt Frost recently wrote Integrating Web Services with OAuth and PHP, also published by the good folks at php[architect]. Check it out to learn more about OAuth versions 1 and 2.