| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155 |
- <?xml version="1.0" encoding="UTF-8"?>
- <!-- Reviewed: no -->
- <sect1 id="zend.gdata.authsub">
- <title>Authenticating with AuthSub</title>
- <para>
- The AuthSub mechanism enables you to write web applications
- that acquire authenticated access Google Data services,
- without having to write code that handles user credentials.
- </para>
- <para>
- See <ulink
- url="http://code.google.com/apis/accounts/AuthForWebApps.html">http://code.google.com/apis/accounts/AuthForWebApps.html</ulink>
- for more information about Google Data AuthSub authentication.
- </para>
- <para>
- The Google documentation says the ClientLogin mechanism is appropriate
- for "installed applications" whereas the AuthSub mechanism is
- for "web applications." The difference is that AuthSub requires
- interaction from the user, and a browser interface that can react
- to redirection requests. The ClientLogin solution uses <acronym>PHP</acronym> code to
- supply the account credentials; the user is not required to enter her
- credentials interactively.
- </para>
- <para>
- The account credentials supplied via the AuthSub mechanism are
- entered by the user of the web application. Therefore they must be
- account credentials that are known to that user.
- </para>
- <note>
- <title>Registered applications</title>
- <para>
- <classname>Zend_Gdata</classname> currently does not support use of secure tokens,
- because the AuthSub authentication does not support passing a digital certificate
- to acquire a secure token.
- </para>
- </note>
- <sect2 id="zend.gdata.authsub.login">
- <title>Creating an AuthSub authenticated Http Client</title>
- <para>
- Your <acronym>PHP</acronym> application should provide a hyperlink to the
- Google <acronym>URL</acronym> that performs authentication. The static function
- <methodname>Zend_Gdata_AuthSub::getAuthSubTokenUri()</methodname>
- provides the correct <acronym>URL</acronym>. The arguments to this function include
- the <acronym>URL</acronym> to your <acronym>PHP</acronym> application so that Google can
- redirect the user's browser back to your application after the user's
- credentials have been verified.
- </para>
- <para>
- After Google's authentication server redirects the user's browser
- back to the current application, a GET request parameter is set,
- called <emphasis>token</emphasis>.
- The value of this parameter is a single-use token that can be
- used for authenticated access.
- This token can be converted into a multi-use token and stored
- in your session.
- </para>
- <para>
- Then use the token value in a call to
- <methodname>Zend_Gdata_AuthSub::getHttpClient()</methodname>.
- This function returns an instance of <classname>Zend_Http_Client</classname>,
- with appropriate headers set so that subsequent requests your
- application submits using that <acronym>HTTP</acronym> Client are also authenticated.
- </para>
- <para>
- Below is an example of <acronym>PHP</acronym> code for a web application
- to acquire authentication to use the Google Calendar service
- and create a <classname>Zend_Gdata</classname> client object using that authenticated
- <acronym>HTTP</acronym> Client.
- </para>
- <programlisting language="php"><![CDATA[
- $my_calendar = 'http://www.google.com/calendar/feeds/default/private/full';
- if (!isset($_SESSION['cal_token'])) {
- if (isset($_GET['token'])) {
- // You can convert the single-use token to a session token.
- $session_token =
- Zend_Gdata_AuthSub::getAuthSubSessionToken($_GET['token']);
- // Store the session token in our session.
- $_SESSION['cal_token'] = $session_token;
- } else {
- // Display link to generate single-use token
- $googleUri = Zend_Gdata_AuthSub::getAuthSubTokenUri(
- 'http://'. $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'],
- $my_calendar, 0, 1);
- echo "Click <a href='$googleUri'>here</a> " .
- "to authorize this application.";
- exit();
- }
- }
- // Create an authenticated HTTP Client to talk to Google.
- $client = Zend_Gdata_AuthSub::getHttpClient($_SESSION['cal_token']);
- // Create a Gdata object using the authenticated Http Client
- $cal = new Zend_Gdata_Calendar($client);
- ]]></programlisting>
- </sect2>
- <sect2 id="zend.gdata.authsub.logout">
- <title>Revoking AuthSub authentication</title>
- <para>
- To terminate the authenticated status of a given token, use the
- <methodname>Zend_Gdata_AuthSub::AuthSubRevokeToken()</methodname>
- static function. Otherwise, the token is still valid for
- some time.
- </para>
- <programlisting language="php"><![CDATA[
- // Carefully construct this value to avoid application security problems.
- $php_self = htmlentities(substr($_SERVER['PHP_SELF'],
- 0,
- strcspn($_SERVER['PHP_SELF'], "\n\r")),
- ENT_QUOTES);
- if (isset($_GET['logout'])) {
- Zend_Gdata_AuthSub::AuthSubRevokeToken($_SESSION['cal_token']);
- unset($_SESSION['cal_token']);
- header('Location: ' . $php_self);
- exit();
- }
- ]]></programlisting>
- <note>
- <title>Security notes</title>
- <para>
- The treatment of the <varname>$php_self</varname> variable in the
- example above is a general security guideline, it is not
- specific to <classname>Zend_Gdata</classname>. You should always filter content you
- output to <acronym>HTTP</acronym> headers.
- </para>
- <para>
- Regarding revoking authentication tokens, it is recommended to
- do this when the user is finished with her Google Data session.
- The possibility that someone can intercept the token and use
- it for malicious purposes is very small, but nevertheless it is
- a good practice to terminate authenticated access to any service.
- </para>
- </note>
- </sect2>
- </sect1>
|
