1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
<?xml version="1.0" encoding="UTF-8"?>
<!-- Reviewed: no -->
<sect1 id="zend.gdata.authsub">
<title>Authenticating with AuthSub</title>
<para>
The AuthSub mechanism enables you to write web applications
that acquire authenticated access Google Data services,
without having to write code that handles user credentials.
</para>
<para>
See <ulink
url="http://code.google.com/apis/accounts/AuthForWebApps.html">http://code.google.com/apis/accounts/AuthForWebApps.html</ulink>
for more information about Google Data AuthSub authentication.
</para>
<para>
The Google documentation says the ClientLogin mechanism is appropriate
for "installed applications" whereas the AuthSub mechanism is
for "web applications." The difference is that AuthSub requires
interaction from the user, and a browser interface that can react
to redirection requests. The ClientLogin solution uses <acronym>PHP</acronym> code to
supply the account credentials; the user is not required to enter her
credentials interactively.
</para>
<para>
The account credentials supplied via the AuthSub mechanism are
entered by the user of the web application. Therefore they must be
account credentials that are known to that user.
</para>
<note>
<title>Registered applications</title>
<para>
<classname>Zend_Gdata</classname> currently does not support use of secure tokens,
because the AuthSub authentication does not support passing a digital certificate
to acquire a secure token.
</para>
</note>
<sect2 id="zend.gdata.authsub.login">
<title>Creating an AuthSub authenticated Http Client</title>
<para>
Your <acronym>PHP</acronym> application should provide a hyperlink to the
Google <acronym>URL</acronym> that performs authentication. The static function
<methodname>Zend_Gdata_AuthSub::getAuthSubTokenUri()</methodname>
provides the correct <acronym>URL</acronym>. The arguments to this function include
the <acronym>URL</acronym> to your <acronym>PHP</acronym> application so that Google can
redirect the user's browser back to your application after the user's
credentials have been verified.
</para>
<para>
After Google's authentication server redirects the user's browser
back to the current application, a <constant>GET</constant> request parameter is set,
called <emphasis>token</emphasis>. The value of this parameter is a single-use token
that can be used for authenticated access. This token can be converted into a multi-use
token and stored in your session.
</para>
<para>
Then use the token value in a call to
<methodname>Zend_Gdata_AuthSub::getHttpClient()</methodname>.
This function returns an instance of <classname>Zend_Http_Client</classname>,
with appropriate headers set so that subsequent requests your
application submits using that <acronym>HTTP</acronym> Client are also authenticated.
</para>
<para>
Below is an example of <acronym>PHP</acronym> code for a web application
to acquire authentication to use the Google Calendar service
and create a <classname>Zend_Gdata</classname> client object using that authenticated
<acronym>HTTP</acronym> Client.
</para>
<programlisting language="php"><![CDATA[
$my_calendar = 'http://www.google.com/calendar/feeds/default/private/full';
if (!isset($_SESSION['cal_token'])) {
if (isset($_GET['token'])) {
// You can convert the single-use token to a session token.
$session_token =
Zend_Gdata_AuthSub::getAuthSubSessionToken($_GET['token']);
// Store the session token in our session.
$_SESSION['cal_token'] = $session_token;
} else {
// Display link to generate single-use token
$googleUri = Zend_Gdata_AuthSub::getAuthSubTokenUri(
'http://'. $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'],
$my_calendar, 0, 1);
echo "Click <a href='$googleUri'>here</a> " .
"to authorize this application.";
exit();
}
}
// Create an authenticated HTTP Client to talk to Google.
$client = Zend_Gdata_AuthSub::getHttpClient($_SESSION['cal_token']);
// Create a Gdata object using the authenticated Http Client
$cal = new Zend_Gdata_Calendar($client);
]]></programlisting>
</sect2>
<sect2 id="zend.gdata.authsub.logout">
<title>Revoking AuthSub authentication</title>
<para>
To terminate the authenticated status of a given token, use the
<methodname>Zend_Gdata_AuthSub::AuthSubRevokeToken()</methodname>
static function. Otherwise, the token is still valid for
some time.
</para>
<programlisting language="php"><![CDATA[
// Carefully construct this value to avoid application security problems.
$php_self = htmlentities(substr($_SERVER['PHP_SELF'],
0,
strcspn($_SERVER['PHP_SELF'], "\n\r")),
ENT_QUOTES);
if (isset($_GET['logout'])) {
Zend_Gdata_AuthSub::AuthSubRevokeToken($_SESSION['cal_token']);
unset($_SESSION['cal_token']);
header('Location: ' . $php_self);
exit();
}
]]></programlisting>
<note>
<title>Security notes</title>
<para>
The treatment of the <varname>$php_self</varname> variable in the
example above is a general security guideline, it is not
specific to <classname>Zend_Gdata</classname>. You should always filter content you
output to <acronym>HTTP</acronym> headers.
</para>
<para>
Regarding revoking authentication tokens, it is recommended to
do this when the user is finished with her Google Data session.
The possibility that someone can intercept the token and use
it for malicious purposes is very small, but nevertheless it is
a good practice to terminate authenticated access to any service.
</para>
</note>
</sect2>
</sect1>
|
