A Quick Intro To OAuth
Since we are going to be using three classes to handle all the OAuth requests for us, I would like to explain what goes on in the background before we begin. I will refer to Twitter's API as "the API", but the same flow applies to every other API that uses OAuth.
The way OAuth works is like this:
- your script signs a request to the API with your consumer key and secret and asks for a request token
- the API sends a request token back to us (an oauth_token together with its oauth_token_secret)
- we use this token to build a URL that takes the user to the API's verification page
- after the user grants us access, the API sends them back to our callback URL with the oauth_token, and we exchange it for an access token (again an oauth_token and oauth_token_secret pair)
- from now on we sign every call to the API with the access token and its secret
The secrets never leave your server: they are only ever used to sign requests, so treat the consumer secret and the token secrets like passwords.
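To show what EpiOAuth is doing for you in the background, here is an added example (not code from this tutorial or from the Epi classes) that builds an OAuth 1.0 HMAC-SHA1 signature by hand and checks it against the worked example in Appendix A of the OAuth Core 1.0 specification. The keys, secrets, nonce and timestamp below are the spec's dummy values, not real credentials; the code assumes PHP 7 or later.

```php
<?php
// Added example: how an OAuth 1.0 request gets signed (what EpiOAuth does for you).
// Not code from the tutorial or the Epi classes. Requires PHP 7+ for the type hints.

// OAuth needs RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded.
// PHP's rawurlencode() does exactly that (since PHP 5.3, which stopped encoding '~').
function oauthEncode(string $s): string
{
    return rawurlencode($s);
}

// Build the "signature base string": METHOD & encoded(URL) & encoded(sorted params).
// $params holds both the oauth_* protocol parameters and the request's own
// query/body parameters; keys are assumed unique (the common case for API calls).
function oauthBaseString(string $method, string $url, array $params): string
{
    $encoded = [];
    foreach ($params as $k => $v) {
        $encoded[oauthEncode((string)$k)] = oauthEncode((string)$v);
    }
    ksort($encoded, SORT_STRING);              // byte-wise sort by encoded key

    $pairs = [];
    foreach ($encoded as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    $normalized = implode('&', $pairs);

    return strtoupper($method) . '&' . oauthEncode($url) . '&' . oauthEncode($normalized);
}

// HMAC-SHA1 over the base string, keyed with "consumerSecret&tokenSecret".
// $tokenSecret is '' for the very first call (fetching the request token),
// the request token secret when exchanging it, and the access token secret after that.
function oauthSign(string $method, string $url, array $params,
                   string $consumerSecret, string $tokenSecret = ''): string
{
    $base = oauthBaseString($method, $url, $params);
    $key  = oauthEncode($consumerSecret) . '&' . oauthEncode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

// Test vector from OAuth Core 1.0, Appendix A (dummy keys from the spec, not real ones).
$params = [
    'oauth_consumer_key'     => 'dpf43f3p2l4k3l03',
    'oauth_token'            => 'nnch34d00sl2jdk',
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => '1191242096',
    'oauth_nonce'            => 'kllo9940pd9333jh',
    'oauth_version'          => '1.0',
    'file'                   => 'vacation.jpg',
    'size'                   => 'original',
];
$signature = oauthSign('GET', 'http://photos.example.net/photos', $params,
                       'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00');

echo oauthBaseString('GET', 'http://photos.example.net/photos', $params), "\n";
echo $signature, "\n";
echo ($signature === 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=' ? 'matches' : 'DOES NOT match'),
     " the signature given in the spec's appendix\n";
```

The resulting oauth_signature travels in the Authorization: OAuth header (or the query string) next to the other oauth_* parameters; the secrets themselves never do. A real client also has to generate a fresh nonce and a current timestamp for every request, because the server rejects replays of an earlier signature.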
Step 1: The set up
Make three files: “keys.php”, “sign-in.php” and “profile-page.php”.
The first file will store your Twitter app keys. We will then make a login form with a Twitter sign-in button and process the response in “profile-page.php”.
Step 2: Register your twitter application.
Go to this link to register your app: Twitter OAuth. Your callback URL must be the URL of your “profile-page.php” file.
In your “keys.php” file make two variables, one for your “consumer key” and one for your “consumer secret”. Keep this file out of version control and out of any directory the web server would serve as plain text; the consumer secret identifies your application to Twitter.
<?php
// keys.php: the consumer key and secret from your Twitter app registration
$consumerKey    = 'xxxxxxxxxx';
$consumerSecret = 'xxxxxxxxxxxxxxxxxxxxxxx';
Step 3: Some files you need
We’ll be using three classes developed by @jmathai.
Download the files “EpiCurl.php”, “EpiOAuth.php” and “EpiTwitter.php” from this link EpiFramework and put them in the same folder as the 3 files in step 1.
Step 4 : Get a “Sign in with Twitter” button
Go to this page (sign in with twitter buttons) , scroll all the way down, and download your favorite button image.
Step 5: The sign in page
This is where we request the first token (the request token, oauth_token) and use it to make a link to Twitter’s verification page.
Open your “sign-in.php” file and include the three Epi classes and the keys file.
We will also make an object of EpiTwitter; the constructor for this class takes two parameters, your consumer key and consumer secret from step 2.
EpiTwitter has a function called “getAuthenticateUrl()” , this function returns a URL which we’ll use to make a link ( sign in button) to the twitter authentication page.
Contents of “sign-in.php”
<?php
include 'EpiCurl.php';
include 'EpiOAuth.php';
include 'EpiTwitter.php';
include 'keys.php';

$Twitter = new EpiTwitter($consumerKey, $consumerSecret);

// getAuthenticateUrl() fetches a request token from Twitter and returns the
// authentication URL; escape it before placing it inside an HTML attribute.
echo '<a href="' . htmlspecialchars($Twitter->getAuthenticateUrl()) . '">'
   . '<img src="twitterButton.png" alt="sign in with twitter" /></a>';
?>
Step 6: User is Now on Twitter’s Verification Page.
If your users allow your app they will be redirected to your callback URL with an “oauth_token” variable in the URL, for example http://www.yourdomain.com/profile-page.php?oauth_token=xxxxxxxxxxxxxx
If they deny access twitter will show them the following message:
“OK, you’ve denied YourAppName access to interact with your account!”
YourAppName will be a link to your callback URL with a “denied” variable in the URL. Something like this:
http://www.yourdomain.com/profile-page.php?denied=xxxxxxxxxxxxxxx
Step 7: The Profile Page
This is where we will retrieve the user’s info from twitter’s api.
Begin by making an object of the class EpiTwitter.
// include the keys and the Epi classes (they sit in the same folder, see step 3)
require_once 'keys.php';
require_once 'EpiCurl.php';
require_once 'EpiOAuth.php';
require_once 'EpiTwitter.php';

$Twitter = new EpiTwitter($consumerKey, $consumerSecret);
We should also check whether the user allowed or denied access by testing whether the “oauth_token” variable is set in the URL (the cookie variables are explained after the snippet).
// previous code here
if (isset($_GET['oauth_token']) || (isset($_COOKIE['oauth_token']) && isset($_COOKIE['oauth_token_secret']))) {
    // user has signed in
} elseif (isset($_GET['denied'])) {
    // user denied access
    echo 'You must sign in through twitter first';
} else {
    // user not logged in
    echo 'You are not logged in';
}
Before we get a user’s info we need an access token, and to get it we use a function called getAccessToken(). It returns an object with two properties, oauth_token and oauth_token_secret. We are going to store these two values in two different cookies, which is why the previous snippet also checks for those cookies. Keep in mind that whoever holds this pair can act as the user on Twitter: mark the cookies Secure and HttpOnly (as below), serve the site over HTTPS so they never travel in the clear, and prefer a server-side session over cookies when you can.
If the user has already signed in when they get to this page there is no need to request another token, so we only call getAccessToken() if we have not already obtained the access token and stored it in a cookie. Put the following code where it says “// user has signed in” above.
// user has signed in
if (!isset($_COOKIE['oauth_token']) || !isset($_COOKIE['oauth_token_secret'])) {
    // user comes from twitter: send the request token back ...
    $Twitter->setToken($_GET['oauth_token']);
    // ... and exchange it for the access token (oauth_token + oauth_token_secret)
    $token = $Twitter->getAccessToken();
    // store the tokens in cookies; setcookie() must be called before any output.
    // The last two arguments mark the cookies Secure (sent over HTTPS only) and
    // HttpOnly (not readable from JavaScript), so the secret is harder to steal.
    setcookie('oauth_token', $token->oauth_token, 0, '', '', true, true);
    setcookie('oauth_token_secret', $token->oauth_token_secret, 0, '', '', true, true);
    // pass the tokens to the EpiTwitter object
    $Twitter->setToken($token->oauth_token, $token->oauth_token_secret);
} else {
    // user switched pages and came back or got here directly, still logged in:
    // pass the stored tokens to the EpiTwitter object
    $Twitter->setToken($_COOKIE['oauth_token'], $_COOKIE['oauth_token_secret']);
}
Finally we can use the object $Twitter to get the user’s profile info. This is what it looks like:
$user = $Twitter->get_accountVerify_credentials();
The variable $user is a SimpleXMLElement object wrapping the API's XML response, so each field is reached as a property.
Now let’s display some info. Everything here comes from Twitter (the last tweet is text typed by the user), so escape it before echoing it into HTML.
// show screen name (not real name)
echo htmlspecialchars((string)$user->screen_name);
// show profile image url
echo htmlspecialchars((string)$user->profile_image_url);
// show last tweet
echo htmlspecialchars((string)$user->status->text);
full contents of profile-page.php
<?php
// include the keys and the Epi classes
require_once 'keys.php';
require_once 'EpiCurl.php';
require_once 'EpiOAuth.php';
require_once 'EpiTwitter.php';

$Twitter = new EpiTwitter($consumerKey, $consumerSecret);

if (isset($_GET['oauth_token']) || (isset($_COOKIE['oauth_token']) && isset($_COOKIE['oauth_token_secret']))) {
    // user accepted access
    if (!isset($_COOKIE['oauth_token']) || !isset($_COOKIE['oauth_token_secret'])) {
        // user comes from twitter: exchange the request token for an access token
        $Twitter->setToken($_GET['oauth_token']);
        $token = $Twitter->getAccessToken();
        // Secure + HttpOnly cookies; setcookie() must run before any output
        setcookie('oauth_token', $token->oauth_token, 0, '', '', true, true);
        setcookie('oauth_token_secret', $token->oauth_token_secret, 0, '', '', true, true);
        $Twitter->setToken($token->oauth_token, $token->oauth_token_secret);
    } else {
        // user switched pages and came back or got here directly, still logged in
        $Twitter->setToken($_COOKIE['oauth_token'], $_COOKIE['oauth_token_secret']);
    }

    $user = $Twitter->get_accountVerify_credentials();

    // escape everything that came from the API before echoing it into HTML
    $screenName = htmlspecialchars((string)$user->screen_name);
    $imageUrl   = htmlspecialchars((string)$user->profile_image_url);
    $lastTweet  = htmlspecialchars((string)$user->status->text);
    echo "<p>
        Username: <br /><strong>{$screenName}</strong><br />
        Profile Image:<br /><img src=\"{$imageUrl}\"><br />
        Last Tweet: <br /><strong>{$lastTweet}</strong><br />
    </p>";
} elseif (isset($_GET['denied'])) {
    // user denied access
    echo 'You must sign in through twitter first';
} else {
    // user not logged in
    echo 'You are not logged in';
}
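Two things a practitioner would tighten in the flow of steps 5 to 7 are (1) checking that the oauth_token Twitter sends to the callback is the one this browser was sent out with, instead of accepting whatever arrives in the query string, and (2) keeping the access token and its secret in a server-side session rather than in cookies the browser carries around. Here is an added example (not code from this tutorial or from the Epi classes) of that decision logic written as plain PHP functions over $_GET-like and $_SESSION-like arrays, so it runs without Twitter or the Epi files. It assumes, which the tutorial does not do, that sign-in.php saves the request token from the URL returned by getAuthenticateUrl() in $_SESSION['request_token'] before printing the link; the URL and query arrays at the bottom are constructed for the demo. Requires PHP 7.1 or later.

```php
<?php
// Added example: a hardened version of profile-page.php's decision logic.
// Not code from the tutorial or from the Epi classes; the Epi calls themselves
// (getAccessToken() and so on) are left out so this runs stand-alone.

// Pull the request token out of the URL returned by getAuthenticateUrl(), so that
// sign-in.php can remember it: $_SESSION['request_token'] = requestTokenFromUrl($url);
// (Assumed usage; the tutorial's sign-in.php does not store the token.)
function requestTokenFromUrl(string $url): string
{
    $query = (string)parse_url($url, PHP_URL_QUERY);
    parse_str($query, $q);
    return isset($q['oauth_token']) ? (string)$q['oauth_token'] : '';
}

// Decide what the callback request is. $get stands in for $_GET, $session for $_SESSION.
function callbackState(array $get, array $session): string
{
    if (isset($get['denied'])) {
        return 'denied';          // user pressed Deny on twitter.com
    }
    if (isset($session['access_token'], $session['access_token_secret'])) {
        return 'signed_in';       // exchanged earlier in this session; reuse it
    }
    if (isset($get['oauth_token'])) {
        // Accept only the token this session started with. Anything else is a
        // stale link, another browser's callback, or a token someone fed to us.
        $expected = isset($session['request_token']) ? (string)$session['request_token'] : '';
        if ($expected !== '' && hash_equals($expected, (string)$get['oauth_token'])) {
            return 'callback';    // now it is safe to call getAccessToken()
        }
        return 'mismatch';
    }
    return 'anonymous';
}

// After getAccessToken() succeeds: keep the pair server-side and drop the
// request token so it cannot be replayed through the callback a second time.
function storeAccessToken(array &$session, string $token, string $secret): void
{
    unset($session['request_token']);
    $session['access_token']        = $token;
    $session['access_token_secret'] = $secret;
}

// --- demo on constructed inputs (no network, no real tokens) ---
$authUrl = 'https://api.twitter.com/oauth/authenticate?oauth_token=req-abc123';
$session = ['request_token' => requestTokenFromUrl($authUrl)];

$cases = [
    [['oauth_token' => 'req-abc123'], 'callback'],   // genuine callback
    [['oauth_token' => 'req-zzz999'], 'mismatch'],   // token we never handed out
    [['denied'      => 'req-abc123'], 'denied'],     // user refused
    [[],                              'anonymous'],  // direct visit, not signed in
];
foreach ($cases as [$get, $want]) {
    $got = callbackState($get, $session);
    printf("%-32s %-10s %s\n", json_encode($get), $got, $got === $want ? 'ok' : 'FAIL');
}

storeAccessToken($session, 'access-token-value', 'access-secret-value');
$got = callbackState([], $session);
printf("%-32s %-10s %s\n", 'after exchange', $got, $got === 'signed_in' ? 'ok' : 'FAIL');
```

In a real profile-page.php you would call session_start() before any of this, call session_regenerate_id(true) right after storeAccessToken() so the login does not inherit a pre-existing session ID, and set session.cookie_httponly and session.cookie_secure in php.ini so the session cookie itself gets the same protection the tutorial's token cookies need.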
To log a user out, make a log-out.php (for example) and expire the cookies. Use the same cookie parameters you used when setting them, otherwise the browser treats them as different cookies and keeps the originals.
setcookie('oauth_token', '', time() - 3600, '', '', true, true);
setcookie('oauth_token_secret', '', time() - 3600, '', '', true, true);
Epi does not currently offer a call for signing the user out of Twitter itself even though Twitter’s API does; expiring these cookies only ends the session on your own site, and the user's session on twitter.com is independent of it. I will show you how to update statuses and other neat stuff in part two of this tutorial.