OAuth2 and Drafts

Question

I'm going to implement on my site a OAuth Provider, but I'm little confused:

There are many drafts, of the client and of the server version. I have to use the same version right? In many implementations the draft version isn't even written! Is it really important? Any advice?

Implementations I found:

• https://github.com/quizlet/oauth2-php
• http://code.google.com/p/oauth2-php/

With Zend ( that I really need )

• https://github.com/chrisweb/oauth-2---facebook---zend-framework-components/tree/master/library/Zendenter link description here
• https://github.com/smalyshev/Zend_OAuth_Provider ( probably OAuth1 )

Answer 1

If you are developing your own OAuth provider, I would strongly encourage you to look at OAuth 2.0, it's simpler to implement some of the most common use cases compared to OAuth 1.0A due to cryptographic requirements.

Although it's not a finalized spec as far as the IETF goes, it has every indication that it will be. People who have been actively working on the spec and implementing it have claimed it's stable for well over a year now. Here's a good example: https://stackoverflow.com/questions/4461945/oauth-2-0-final-specification

Go with the latest draft of the OAuth 2.0 framework spec: http://tools.ietf.org/html/draft-ietf-oauth-v2-27

Most supplementary specs that would be of relevance to you are likely linked from it. The Bearer token spec is something you'd need to digest: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20

If you have a budget and are looking for something "off the shelf" - you may want to consider a commercial OAuth 2.0 AS product such as PingFederate: https://www.pingidentity.com/en/software/pingfederate.html

(Disclaimer: I work for Ping).

Answer 2

http://code.google.com/p/oauth2-php/ is fine as a starter. It has it's documentation provided in an extra download: oauth2-php-doc-23.tar.gz