
Connecting sites securely using OAuth


Client: withheld for reasons of confidentiality (Germany)


The German client who commissioned this project runs a website with a strong social-network component and a mobile application for iPhone and Android that records walking, driving or cycling routes, which users can then share with other people on that website or on external sites through its export tools. It is similar to the Endomondo app, but oriented towards recording tourist routes and attractions rather than sports performance.

My work on this project was precisely to improve the export functionality, so that my client’s site could be securely connected with partner sites, allowing them to integrate the tour tracking and photo sharing functions, comments, likes, etc. The idea was to distribute the tour tracking mobile application and all the functions of my client’s website as a white-label product, so that partner sites could offer their users the full set of features under their own brand and corporate design.

Tour books integration inside phpFox

This raised the challenge that users of a connected site had to be registered on both sites at the same time, and that all the tours and activities they made public had to be visible only to users of that partner’s site, and not to users of other partners.

In addition, only authorized websites could be allowed to connect to my client’s portal, and that connection had to be made in the safest possible way.

To achieve this we chose the OAuth protocol, which is widely used by large companies like Google, Facebook and Yahoo to let third-party applications access their users’ accounts safely, without those applications ever handling the users’ passwords.



In our specific case, OAuth not only allowed my client’s users to connect to other websites and vice versa, but also authenticated the sites to each other, preventing unauthorized use of my client’s services.

OAuth background

OAuth is an open standard protocol with implementations in many programming languages. PHP is the language used on my client’s server side, but that does not mean that consumers written in other languages could not connect to my client’s website and retrieve user Tours: the protocol is defined at the level of HTTP requests, so the provider only has to verify the signed requests, whatever produced them. There is at least one library available for each of the major programming languages, including Perl, Java, C#, Python, Ruby, etc. For a complete list of available libraries, please check https://oauth.net/code/.

Every OAuth exchange involves two parties: an OAuth server that stores the protected resources being shared (the provider), and an OAuth client (the consumer) that requests access to those protected resources on the user’s behalf. The two parties must first be connected, that is, the consumer must hold credentials issued by the provider and the user must have authorized it, so that users of the partner’s site can access the protected resources (Tour Books and Tour Book Archives) without having to log in to my client’s server every time they log in to the partner’s site.
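The following is an added example, not code from the original post or from the client’s PHP library (which is not shown here); it is written in Python rather than PHP so it can be run as-is. It sketches the consumer/provider exchange described above in the signed-request style of OAuth 1.0 (RFC 5849), which is the model the consumer/provider vocabulary of this post refers to: the partner site (consumer) signs each request with HMAC-SHA1 over the RFC 5849 signature base string, and my client’s server (provider) rejects unknown consumers (only authorized websites may connect), rejects stale timestamps and replayed nonces, and refuses a user token that was issued to a different partner (so one partner’s users never reach another partner’s data). The credentials in `CONSUMERS` and `TOKENS`, the host names, and the function and class names are constructed for illustration only.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample credentials for illustration only. On the provider side these
# would live in the database: one key/secret per authorized partner site (consumer)
# and, per user who approved the connection, an access token bound to that partner.
CONSUMERS = {"phpfox-partner": "consumer-secret-1", "other-partner": "consumer-secret-2"}
TOKENS = {
    "tok-user-7": {"secret": "token-secret-7", "user_id": 7, "partner": "phpfox-partner"},
    "tok-user-9": {"secret": "token-secret-9", "user_id": 9, "partner": "other-partner"},
}


def enc(value):
    """Percent-encode as RFC 5849 section 3.6 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """scheme://host/path with lowercase scheme and host, default ports dropped, query removed."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(sorted, encoded parameters)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    pairs = sorted((enc(k), enc(v)) for k, v in pairs)  # sort by encoded name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(base_string_uri(url)), enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with enc(consumer secret) '&' enc(token secret), base64 encoded."""
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# ---- consumer side (the partner site, e.g. phpFox) ----------------------------------
def consumer_sign(method, url, consumer_key, consumer_secret, token=None, token_secret="",
                  nonce=None, timestamp=None):
    """Build the oauth_* parameters for one request; returns the dict to send in the header."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth):
    """Serialize the parameters as an 'Authorization: OAuth ...' header value (section 3.5.1)."""
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(oauth.items()))


# ---- provider side (my client's server) ---------------------------------------------
class Provider:
    def __init__(self, consumers, tokens, window_seconds=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window_seconds
        self.seen = set()  # (consumer_key, timestamp, nonce) of every accepted request

    def verify(self, method, url, oauth, now=None):
        """Return (token_record, reason); token_record is None unless reason == "ok"."""
        now = int(time.time()) if now is None else now
        consumer_key = oauth.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        if consumer_secret is None:
            return None, "unknown consumer"  # only authorized partner sites may connect
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            return None, "unsupported signature method"  # never accept PLAINTEXT here
        try:
            ts = int(oauth.get("oauth_timestamp", ""))
        except ValueError:
            return None, "bad timestamp"
        if abs(now - ts) > self.window:
            return None, "timestamp outside window"
        replay_key = (consumer_key, ts, oauth.get("oauth_nonce"))
        if replay_key in self.seen:
            return None, "replayed nonce"
        record, token_secret = None, ""
        if "oauth_token" in oauth:
            record = self.tokens.get(oauth["oauth_token"])
            # A token issued for one partner must not work from another partner's site.
            if record is None or record["partner"] != consumer_key:
                return None, "token not issued to this consumer"
            token_secret = record["secret"]
        expected = hmac_sha1_signature(signature_base_string(method, url, oauth),
                                       consumer_secret, token_secret)
        received = str(oauth.get("oauth_signature", ""))
        if not hmac.compare_digest(expected.encode(), received.encode()):
            return None, "bad signature"
        self.seen.add(replay_key)  # remember the nonce only after a valid signature
        return record, "ok"


if __name__ == "__main__":
    url = "https://provider.example/tours?user=7"
    signed = consumer_sign("GET", url, "phpfox-partner", "consumer-secret-1",
                           "tok-user-7", "token-secret-7")
    print(authorization_header(signed))
    print(Provider(CONSUMERS, TOKENS).verify("GET", url, signed))
```

The nonce set is kept in memory here; on a real provider it belongs in shared storage with an expiry equal to the timestamp window, otherwise a second server would accept the replay the first one refused. Note also that this signed-request scheme is specific to OAuth 1.0; OAuth 2.0 drops request signing and instead relies on bearer tokens sent over TLS, so the transport security becomes the part that must not be skipped.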

OAuth communication flow

Result

The end result of this project was an OAuth library in PHP, modified and optimized for the specific scenario raised by my client, which allows a generic site developed in PHP to be connected with my client’s server, also written in PHP. For testing purposes the phpFox application was used: it is also a social network engine, similar to but not the same as my client’s, so we could connect the two using OAuth securely and fully integrate the users on both sides.

Below are some screenshots of the result, with any sensitive data omitted because of the confidentiality agreement I have with my client. Note that the parts in blue belong to the connecting phpFox site (the OAuth consumer), and the parts in green show information coming from my client’s server (the OAuth provider).

User not connected yet message

User authorizes access to his own Tours

Single Tour integration inside phpFox

About the author

Daniel López Azaña
Freelance AWS Cloud Solution Architect & Linux Sysadmin

Entrepreneur, a generator of ideas and restless mind. Passionate about new technologies, especially Linux systems and Open Source Software. I also like to write about Technology News, Cloud Computing, AWS, DevOps, DevSecOps, System Security, Web Development and Programming, SEO, Science, Innovation, Entrepreneurship, etc.
