uzyn edited this page May 30, 2012 · 5 revisions

Because Opauth uses basic HTTP transports for its callback, the integrity of the auth response may be affected in transit.

TL;DR

Implement your Opauth callback based on example/callback.php

About Opauth Security

To ensure that a user who authenticates with Opauth is who they claim to be, Opauth includes a few security features built into the main core library. The auth response generated by Opauth is timestamped and signed.

After the auth response is received, it should be validated by calling Opauth's validate() method:

<?php
// Assuming auth response is retrievable at $response
$Opauth = new Opauth( $config, false );
$valid = $Opauth->validate(
    sha1(print_r($response['auth'], true)), // Hash (sha1) $response['auth']
    $response['timestamp'],                 // Timestamp of auth response
    $response['signature'],                 // Signature of auth response
    $reason                                 // Passed by reference: set to the failure reason if validation fails
);

The validate() method returns boolean true if the supplied auth response is valid and false otherwise. When it returns false, the reason for the failure is stored in $reason.
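The following is an added example of how a callback can wrap this check so that application code never touches an auth payload that has not been validated; it is not Opauth's own code. It assumes $response has already been retrieved the way example/callback.php does it, that $config is the same configuration used to run Opauth, that the library lives at the assumed path lib/Opauth/Opauth.php, and that the auth array carries provider and uid keys.

```php
<?php
// Added example, not part of Opauth. Path below is assumed; adjust to your install.
require_once 'lib/Opauth/Opauth.php';

/**
 * Returns the verified $response['auth'] array, or null with $reason set.
 */
function opauth_verified_auth(Opauth $Opauth, $response, &$reason)
{
    $reason = null;

    // An error response carries no signed auth payload, so reject it outright.
    if (!is_array($response) || array_key_exists('error', $response)) {
        $reason = 'Provider returned an error response';
        return null;
    }

    // Every component of the signed response must be present before validate()
    // is called; a missing piece is a failure, never a pass.
    foreach (array('auth', 'timestamp', 'signature') as $key) {
        if (empty($response[$key])) {
            $reason = "Auth response is missing '$key'";
            return null;
        }
    }
    if (empty($response['auth']['provider']) || empty($response['auth']['uid'])) {
        $reason = 'Auth response lacks provider or uid';
        return null;
    }

    // Hash exactly the array Opauth signed: do not normalise or add keys to
    // $response['auth'] before this point, or the signature will not match.
    $ok = $Opauth->validate(
        sha1(print_r($response['auth'], true)),
        $response['timestamp'],
        $response['signature'],
        $reason
    );
    return $ok ? $response['auth'] : null;
}

// Usage in the callback: only a verified payload is stored for the application.
$Opauth = new Opauth($config, false);
$auth = opauth_verified_auth($Opauth, $response, $reason);
if ($auth === null) {
    http_response_code(403);
    exit('Authentication rejected: ' . htmlspecialchars($reason));
}
$_SESSION['user'] = array('provider' => $auth['provider'], 'uid' => $auth['uid']);
```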

What does validation do

Opauth validates that:

  1. The auth response was generated and received within the allowed time frame. The allowed time frame is set as security_timeout in the Opauth configuration.

  2. The auth response's signature is valid.

About signature of auth response

The signature of the auth response is generated with PHP's native sha1(), applied over multiple iterations with the serialized auth response and the timestamp as input. The input is also salted on each iteration.

The number of iterations is set as security_iteration in the Opauth configuration.
The salt value is set as security_salt in the Opauth configuration.