The Archive Base

Editorial Team
Asked: June 18, 2026

I want to implement OAuth server on my PHP server, which doesn't have a


I want to implement an OAuth server on my PHP server, which doesn't have an SSL connection. There's no decent OAuth 2 framework for PHP-codeigniter yet. So which one should I use, OAuth1 or OAuth2?

1 Answer

  1. Editorial Team
    Added an answer on June 18, 2026 at 2:24 am

    The short answer is: you should consider using OAuth 1.0a [1] rather than OAuth 2.0.

    The long answer is below:

    OAuth 2.0 by default requires the use of SSL/TLS for transport layer security. Therefore, when implementing an OAuth 2.0 compliant Authorization Server, you need to allow client applications to connect to the Authorization Endpoint as well as Token Endpoint over a secure channel. See the following sections in the OAuth 2.0 specification [2]:

    3.1 (Authorization Endpoint)

    "[…] the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the authorization endpoint."

    3.2 (Token Endpoint)

    "[…] the authorization server MUST require the use of TLS as described in Section 1.6 when sending requests to the token endpoint."

    In your case, when you do not have an SSL connection, you can still possibly consider using OAuth 2.0 and the MAC Access Authentication [3], which specifies how to make OAuth 2.0 requests by issuing MAC-type access tokens. Such tokens are cryptographically signed with a shared symmetric key (key is shared between the client application and the server).

    IMPORTANT NOTE: In such a setup, however, you will still need to provide a mechanism for clients to be able to establish a shared secret with your OAuth 2.0 server in a secure way (how this is done is up to you – can be over some SSL channel or out-of-band, depending on your exact use cases). This is a strict requirement to allow clients to securely access protected resources!

    "The MAC scheme requires the establishment of a shared symmetric key
    between the client and the server. This specification offers one
    such method for issuing a set of MAC credentials to the client using
    OAuth 2.0 in the form of a MAC-type access token.

    The primary design goal of this mechanism is to simplify and improve
    HTTP authentication for services that are unwilling or unable to
    employ TLS for every request. In particular, this mechanism leverage
    an initial TLS setup phase to establish a shared secret between the
    client and the server. The shared secret is then used over an
    insecure channel to provide protection against a passive network
    attacker."

    Based on the above explanation, I would consider using OAuth 1.0a [3], which does not require the use of transport-level security for communication between the client and Authorization Server (OAuth 1.0a uses the term "Service Provider", btw). Instead, it relies on messages being signed using a shared symmetric key (or an RSA key). However, please note that unless you use signatures using HMAC-SHA1 or RSA-SHA1 (i.e. you decide to use the PLAINTEXT signature type), you will need to use SSL/TLS anyway.

    [1] https://www.rfc-editor.org/rfc/rfc5849

    [2] https://www.rfc-editor.org/rfc/rfc6749

    [3] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-http-mac-01

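The HMAC-SHA1 signing the answer refers to, shown from the server's side as an added example (not part of the original answer and not taken from any OAuth library). The function names, URL, keys and secrets are hypothetical; the code assumes single-valued parameters and a base URI the caller has already normalized.

```php
<?php
// Verifies an OAuth 1.0a HMAC-SHA1 signature (RFC 5849, sections 3.4.1-3.4.2).
// Assumptions: single-valued parameters, base URI already normalized by the caller.

function oauth_base_string(string $method, string $baseUri, array $params): string
{
    unset($params['oauth_signature']);             // the signature never signs itself
    $enc = [];
    foreach ($params as $name => $value) {
        $enc[rawurlencode((string) $name)] = rawurlencode((string) $value);
    }
    ksort($enc, SORT_STRING);                      // byte order of the encoded names
    $pairs = [];
    foreach ($enc as $name => $value) {
        $pairs[] = $name . '=' . $value;
    }
    return strtoupper($method) . '&' . rawurlencode($baseUri)
         . '&' . rawurlencode(implode('&', $pairs));
}

function oauth_sign(string $base, string $consumerSecret, string $tokenSecret = ''): string
{
    // Key = both shared secrets; they are never transmitted with the request.
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function oauth_verify(string $method, string $baseUri, array $params,
                      string $consumerSecret, string $tokenSecret = ''): bool
{
    // PLAINTEXT sends the secrets themselves, so refuse it when there is no TLS.
    if (($params['oauth_signature_method'] ?? '') !== 'HMAC-SHA1') {
        return false;
    }
    $base = oauth_base_string($method, $baseUri, $params);
    $expected = oauth_sign($base, $consumerSecret, $tokenSecret);
    return hash_equals($expected, (string) ($params['oauth_signature'] ?? ''));
}

// Constructed request (all identifiers and secrets are made up for the demo).
$uri = 'http://api.example.test/statuses';
$req = ['oauth_consumer_key' => 'example-consumer', 'oauth_token' => 'example-token',
        'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => '1700000000',
        'oauth_nonce' => 'n-7f3a', 'oauth_version' => '1.0', 'status' => 'hello world'];
$req['oauth_signature'] = oauth_sign(oauth_base_string('POST', $uri, $req), 'cs-secret', 'ts-secret');

var_dump(oauth_verify('POST', $uri, $req, 'cs-secret', 'ts-secret'));  // request as signed
$req['status'] = 'tampered in transit';
var_dump(oauth_verify('POST', $uri, $req, 'cs-secret', 'ts-secret'));  // body altered on the wire
```

The signature gives integrity and client authentication over plain HTTP but no confidentiality, so request and response bodies remain readable on the wire. A real server also has to reject stale timestamps and reused nonces (RFC 5849, section 3.3), which this example leaves out.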
