Social Media Authentication and Authorization Using PHP
Years ago, the OpenID standard was created as a way to make access to websites easier for users. Instead of having to create, and remember, a new username/email address and password combination at every site a user visits (even once), a user can provide his or her OpenID information to sites that support it, and no new registration is required. But OpenID provides only authentication. A better feature is authorization: granting access to certain aspects of a user’s account on another site.
This is where OAuth comes into play. It sprang out of Twitter’s OpenID implementation, and provides a foundation for authorizing access and actions across websites. For example, on your site, OAuth can be used to:
- Display a user’s Facebook status
- Share an image from a user’s Flickr or Instagram account
- Embed video from a user’s Vimeo account
Each of these sites, as well as dozens of others, has the power to make its user accounts available through an Application Programming Interface (API), once the proper authentication and authorization have taken place. By tying into these interfaces, you can let users access your site without registration, and your site can use aspects of the user’s account at these other sites (with permission, of course). The trick is in knowing how.
Choosing a Library
You can certainly use your own PHP code, and each provider’s documentation, to perform authentication and authorization requests. But that approach is both time-consuming and fraught with frustration.
Better yet, you could use a simple library, such as Janrain’s OpenID Enabled or the PEAR OpenID package. But even that approach will require a bit of work to support multiple providers (e.g., Facebook and Twitter and Google and…).
My recommendation is to use the HybridAuth library instead. It’s easy to use, reliable, well-documented, and open source. I’ll explain how to install it and then show some code for using it to connect to Twitter. But you’ll need to “register” your website with whatever provider you plan to use, so let’s look at that process first.