I'm working with an OAuth 1.0 API that requires we use an API KEY/PAIR. Also, it gives me 3 URLs:<ul><li>Request token endpoint: /oauth/request_token</li> <li>Authorization endpoint: /oauth/authorize</li> <li>Access token endpoint: /oauth/access_token</li> </ul>
Here is what the documentation states:<hr />
We use the most current specification of OAuth 1.0 protocol (RFC 5849) to authenticate our API requests. We use OAuth 1.0 because it is an open standard, and <strong>we adapt the "three-legged" client/user/server protocol flow of OAuth 1.0 to a "two-legged" client/server model</strong>. In our adaptation of OAuth for authenticated client/server requests, the client acts as both the API client and the user (i.e., owner of the requested resource). So, instead of being redirected to the client with a token verifier, the client acts as a user and directly accesses the server for the OAuth verifier. The accessibility check happens when the client requests a resource from the server with an access token obtained using the previously obtained verifier. You can reuse access tokens until they expire (after two hours). After the tokens expire, you must request a new access token. Examples will clarify this further.<hr />
I'd like to find a PHP OAuth Library that can use the API requirements I have for accessing the third party's company API. I really don't know how to implement this. My current thought is to reverse engineer the facebook php api but I don't know if it uses 3 endpoints. Also, some help with getting it operational or directing me to a resource where I can figure it out myself would be great.
** NOTE: I found this: <a href="https://code.google.com/p/oauth-php" rel="nofollow">click here</a> Can this be the solution I am looking for?

Answer1:
Facebook uses OAuth 2.0 so its API is out of the question. Check <a href="http://www.cheatography.com/kayalshri/cheat-sheets/oauth-end-points/" rel="nofollow">here</a> for some basic API references - BitBucket, Twitter and Yahoo all use v1.0a for example.
PHP has an <a href="http://www.php.net/manual/en/book.oauth.php" rel="nofollow">OAuth Extension</a> so if you're building a custom solution you should definitely start there. The library that you're referencing <a href="https://code.google.com/p/oauth-php/wiki/ConsumerHowTo#Two-legged_OAuth" rel="nofollow">does provide Two Legged OAuth</a> so at first glance it does seem like an option for you. <em>Disclaimer on the last sentence</em>: I haven't used this library; however, I checked the documentation. A nice explanation with UML sequence charts can be found <a href="http://blog.nerdbank.net/2011/06/what-is-2-legged-oauth.html" rel="nofollow">here</a>. It is just general OAuth, not PHP specific, but does provide a nice deep explanation. <a href="https://github.com/Lusitanian/PHPoAuthLib" rel="nofollow">This GitHub repo</a> contains reusable <strong>clients</strong> for my services - you can also get some ideas from there if your clients are going to be PHP.
Your case seems very interesting and there is no full answer to your question. If I were you I'd first take the time to check the code behind the Google Code oauth-php library that you reference in the Two-Legged Section (and not only). Then decide if you should in fact use this library, another or a custom implementation. You may also have other requirements/showstoppers that may affect your decision (I know you'd be wanting to push some big amounts of data from your other question. ;) ) The 2 hour token is a good performance optimization but is it too long of an authentication/authorization lease?
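
The two signed token calls of the adapted flow quoted in the question, using RFC 5849 HMAC-SHA1 signing (an added example, not part of the original answer and not the vendor's or any library's code). The host, credentials, the POST method, `oauth_callback=oob` and the helper names `oauth_sign` and `oauth_header` are assumptions; requests are assumed to carry no query or body parameters.

```php
<?php
// Added example. Host, credentials and tokens below are constructed placeholders.
// RFC 5849 section 3.4: HMAC-SHA1 over "METHOD&url&params", all percent-encoded.
function oauth_sign(string $method, string $url, array $params,
                    string $consumerSecret, string $tokenSecret = ''): string
{
    $enc = [];
    foreach ($params as $k => $v) {           // encode first, then sort by encoded name
        $enc[rawurlencode($k)] = rawurlencode($v);
    }
    ksort($enc, SORT_STRING);                 // names are unique here, so no value tie-break
    $pairs = [];
    foreach ($enc as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    $base = strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode(implode('&', $pairs));
    // Key: consumer secret, '&', token secret (empty until a token has been issued).
    $key = rawurlencode($consumerSecret) . '&' . rawurlencode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $base, $key, true));
}

function oauth_header(string $method, string $url, string $consumerKey, string $consumerSecret,
                      array $extra = [], string $tokenSecret = ''): string
{
    $oauth = $extra + [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => bin2hex(random_bytes(16)),   // fresh per request
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_version'          => '1.0',
    ];
    $oauth['oauth_signature'] = oauth_sign($method, $url, $oauth, $consumerSecret, $tokenSecret);
    $parts = [];
    foreach ($oauth as $k => $v) {
        $parts[] = rawurlencode($k) . '="' . rawurlencode($v) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

$api = 'https://api.example.com';             // placeholder host
[$key, $secret] = ['constructed-key', 'constructed-secret'];

// Leg 1: request token, signed with the consumer secret only.
echo oauth_header('POST', "$api/oauth/request_token", $key, $secret, ['oauth_callback' => 'oob']), "\n";
// Between the legs the client itself calls /oauth/authorize to obtain the verifier.
// Leg 2: access token, signed with the request token secret as well.
echo oauth_header('POST', "$api/oauth/access_token", $key, $secret,
    ['oauth_token' => 'constructed-request-token', 'oauth_verifier' => 'constructed-verifier'],
    'constructed-request-secret'), "\n";
```

Resource requests use the same header builder with the access token and its secret; once the two-hour lifetime quoted in the documentation has passed, both legs are repeated.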