Hello!
On Habr there was already an article from Nodge about authorization on various services, including Mail.ru, but it was for Yii and the process itself was not described in detail. There was also an article from propovednik, but it described authorization via javascript + php. In this article I would like to analyze the server-side authentication method in detail. PHP and the server-server model will be used for authorization.
Step 1. Site registration
Follow the link http://api.mail.ru/sites/my/add and register the site. Then download the file receiver.html and upload it to the site via FTP; it is needed to verify that the site is ours.
After registration, we will be given 3 parameters:
- ID
- Private key
- The secret key
We will be interested only in the ID and the Secret key (the Private key is needed for the client-server model). Save them in the configuration file of our script under the following names:
$APP_ID;
$APP_SECRET;
Step 2. Getting the Code
To obtain the code, you need to contact the address connect.mail.ru/oauth/authorize, passing it the $_GET parameters:
- client_id - site ID
- response_type - 3 options to choose from: token - access to the API is provided only through javascript; code_and_token - access to the API through the server and javascript; code - access to the API through the server. In our case it will be code.
- redirect_uri - address of the page that receives the response_type
- scope - application privileges. The parameter is optional, and in our case it is redundant. If you decide to request privileges, note that not all users will want to send you their private data, so for authorization alone you simply do not need the scope parameter.
For convenience, let us divide the logic for generating a link to receive a code and process it:
example.com/login.php - generate a link to get the code (in fact, a link for authorization).
example.com/auth.php - processing code.
The final query will look like this:
$redirect_uri = urlencode("http://example.com/auth.php");
$login_url = "https://connect.mail.ru/oauth/authorize?client_id={$APP_ID}&response_type=code&redirect_uri={$redirect_uri}";
Having gone to this address, a user who is not authorized on Mail.ru will see:
[screenshot: Mail.ru authorization window with login and password fields]
If the user is already authorized on Mail.ru, they will see the same window, but without entering a login and password.
Now the user has 2 options: allow and deny. On denial, the user is redirected to the page specified in redirect_uri with an error.
If everything went as it should and the user allowed the site to access their data, the user is redirected to the redirect_uri page (http://example.com/auth.php) with the code parameter in $_GET. Save it as
$APP_CODE;
Step 3. Getting token and uid
Next, we need to exchange the received code for a session identifier (token) and the id of the Mail.ru user (uid) on whose behalf the API is accessed.
For this you need to contact the address connect.mail.ru/oauth/token, passing it the parameters:
- client_id ($APP_ID)
- client_secret ($APP_SECRET)
- grant_type (authorization_code)
- code ($APP_CODE)
- redirect_uri ($redirect_uri from step 2)
All parameters are required; redirect_uri must exactly match the one used in step 2.
The token can only be obtained through a POST request, so cURL comes to the rescue:
$ch = curl_init();
$url = "https://connect.mail.ru/oauth/token";
$fields = array(
    'client_id'     => $APP_ID,
    'client_secret' => $APP_SECRET,
    'grant_type'    => "authorization_code",
    'code'          => $APP_CODE,
    'redirect_uri'  => $redirect_uri   // already urlencoded in step 2, do not encode it twice
);
// Build the application/x-www-form-urlencoded body by hand (the other values are plain tokens)
$fields_string = '';
foreach ($fields as $key => $value) {
    $fields_string .= $key . '=' . $value . '&';
}
$fields_string = rtrim($fields_string, '&');   // rtrim() returns the trimmed string, it does not modify in place
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
$result = curl_exec($ch);
if ($result === false) {
    die('cURL error: ' . curl_error($ch));   // do not continue with an empty response
}
curl_close($ch);
$arr = json_decode($result, true);   // the JSON response carries the token and the uid
Step 4. Get user data
After receiving the token and uid, the site gets the long-awaited access to the Mail.ru API at www.appsmail.ru/platform/api.
But not everything is so simple: every request to the API must be signed. The signature (in our case) is an md5 hash of the request parameters, sorted alphabetically by name and concatenated as key=value pairs without the & separator, with the application key appended at the end (in the example below, $APP_SECRET).
For example:
md5('app_id=423004method=friends.getsession_key=be6ef89965d58e56decdfacb9b62bdaa' . $APP_SECRET);
Mail.ru provides 2 signature options: client-server and server-server. The difference is the greater security of the 2nd approach, which we will use. To do this, the request to the API must specify secure = 1.
We will execute the request for the Mail.ru user's personal information using the users.getInfo method.
$request_params = array(
    'app_id'      => $APP_ID,
    'uids'        => $uid,
    'method'      => 'users.getInfo',
    'secure'      => 1,
    'session_key' => $token
);
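As an added example (not code from the original article), here is the complete signed users.getInfo call that this step describes: the signing function implements the sort-and-concatenate rule above and is checked against the article's own md5 example. The function names mailru_sign and mailru_api_call are my own; the https scheme and the sig parameter name are assumptions, and $APP_ID, $APP_SECRET, $uid and $token are the values obtained in steps 1 and 3.

```php
<?php
// Added example: server-server signing of a Mail.ru API request (Step 4).
// mailru_sign() / mailru_api_call() are names chosen here, not Mail.ru's.

// Rule from the article: sort parameters by name, glue them as key=value with
// no separator, append the application secret, take md5 of the result.
function mailru_sign(array $params, $secret) {
    ksort($params, SORT_STRING);
    $base = '';
    foreach ($params as $key => $value) {
        $base .= $key . '=' . $value;
    }
    return md5($base . $secret);
}

// Add secure=1 and the signature, then POST the request to the API endpoint.
// Assumption: the signature travels in a parameter named sig and is not itself signed.
function mailru_api_call(array $params, $secret) {
    $params['secure'] = 1;
    $params['sig'] = mailru_sign($params, $secret);

    $ch = curl_init('https://www.appsmail.ru/platform/api');   // scheme assumed
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
    $result = curl_exec($ch);
    if ($result === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('cURL error: ' . $err);
    }
    curl_close($ch);
    return json_decode($result, true);
}

// Self-check against the article's example: parameters given out of order must
// still produce app_id=423004method=friends.getsession_key=... before the secret.
$check = array('session_key' => 'be6ef89965d58e56decdfacb9b62bdaa',
               'method' => 'friends.get', 'app_id' => '423004');
$expected = md5('app_id=423004method=friends.getsession_key=be6ef89965d58e56decdfacb9b62bdaa'
                . 'SECRET_PLACEHOLDER');   // constructed placeholder secret
assert(mailru_sign($check, 'SECRET_PLACEHOLDER') === $expected);

// The users.getInfo request for the user obtained in Step 3.
$info = mailru_api_call(array(
    'app_id'      => $APP_ID,
    'uids'        => $uid,
    'method'      => 'users.getInfo',
    'session_key' => $token,
), $APP_SECRET);
```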
That's all. Thus we have obtained the data we need to add the user to the database. The rest of the process has been described repeatedly, for example here, so I see no reason to describe it.
PROFIT!!1 All good. If the article turns out to be interesting, I can also break down the server-side OAuth 2.0 authorization process for Vkontakte and Facebook.
Links