OAuth PHP library - 2nd Party Implementation

Posted By: Jas Singh

My previous blog post illustrated how to use the OAuth PHP library to access the API. That post was aimed at 3rd party Consumer applications. If you are a 2nd party, the code to accomplish the same thing is a lot shorter.

  1. Open the AppConfig.php file inside the OAuth folder. This file contains configuration values specific to your application. You now need to fill in the values for the following variables.

    • consumer_key: This is the consumer key which you got from your Service Provider.
    • consumer_secret: This is the consumer secret which you got from your Service Provider.
    • base_url: This is the URL of the Service Provider.

    Next you will need to set a path which will be used to request tokens.

    • accesstoken_path: This is the relative path to request an access token. These paths are different for a Weblink user and a Portal user. See "2nd Party credentials based authentication basic workflow" in the API documentation for more details.
  2. Open the index.php file.

    Create an instance of OAuthClient:

    $consumer_key = AppConfig::$consumer_key;
    $consumer_secret = AppConfig::$consumer_secret;
    $apiConsumer = new OAuthClient(
    A 2nd party consumer skips the request token step. Instead, the username and password are passed in the request body.

    $username = "[your user name]";
    $password = "[your password]";
    $requestURL = sprintf("%s%s",

    Set the username and password:

    $requestBody = Util::urlencode_rfc3986(
            sprintf("%s %s", $username, $password)
    $getContentType =
          "Accept: application/json",
          "Content-type: application/json"
    $requestBody = $apiConsumer->postRequest(

    By default, the POST request is sent using Content-Type: application/x-www-form-urlencoded. To override this, we pass a content type other than application/x-www-form-urlencoded.

    The last parameter is the HTTP Code we are expecting the call to return. The PHP library will check the status code you pass in against the one returned by the API call to make sure the call was successful. By default, any API call using GET will return 200 while POST will return 201.

  3. Parse the response and retrieve the access token and the token secret:

    preg_match("~oauth_token\=([^\&]+)\&oauth_token_secret\=([^\&]+)~i", $requestBody, $tokens);
    $access_token = $tokens[1];
    $token_secret = $tokens[2];
  4. Every time you want to access protected resources, you need to initialize the OAuthClient with the access token and secret. Skipping this step may result in a 400 Bad Request response from the API.

    $apiConsumer->initAccessToken($access_token, $token_secret);

    To make requests for protected resources:

    $response = $apiConsumer->doRequest(
      $requestUrl, $getContentType
    );
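
A more defensive take on step 3, as an added example that is not part of the original post or of the OAuth PHP library: it parses the token response without depending on parameter order and stops if either value is missing, instead of carrying an empty token into later requests. `parseTokenResponse()` and the sample bodies are hypothetical and constructed for illustration.

```php
<?php
// Added example. parseTokenResponse() is a hypothetical helper,
// not a function of the OAuth PHP library described in this post.
function parseTokenResponse(string $body): array
{
    // parse_str() URL-decodes the values and accepts the pairs in any order.
    parse_str(trim($body), $params);

    foreach (['oauth_token', 'oauth_token_secret'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name]) || $params[$name] === '') {
            // Do not include $body in the message: it may hold the token secret.
            throw new UnexpectedValueException("Token response is missing $name");
        }
    }
    return [$params['oauth_token'], $params['oauth_token_secret']];
}

// Constructed sample bodies (not real tokens).
$samples = [
    'oauth_token=aaaa-1111&oauth_token_secret=bbbb-2222',
    // Reversed order: the regex in step 3 would not match this body.
    'oauth_token_secret=bbbb-2222&oauth_token=aaaa-1111',
    // Percent-encoded value: decoded by parse_str().
    'oauth_token=aaaa%2B1111&oauth_token_secret=bbbb-2222',
    // An error page instead of tokens: must be rejected.
    '<html>Server Error</html>',
];

foreach ($samples as $body) {
    try {
        [$access_token, $token_secret] = parseTokenResponse($body);
        // Report only the length, so the output can be shared while debugging.
        printf("ok: token length %d\n", strlen($access_token));
    } catch (UnexpectedValueException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```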

Posted In: API, Tips

Jeff Heck said: on June 24, 2009 at 04:30 PM

I’m trying to do a People Search for “jeff”.

$response = $apiConsumer->doRequest($requestURL2,  $getContentType);
is returning a blank string.

$requestURL2 = 'https://(removed church code in case this is a security risk).staging.fellowshiponeapi.com/v1/People/Search?searchFor=jeff';

I’m getting tokens, so I did something right up to this point. :)

Thanks for your help.

Jas said: on June 25, 2009 at 02:35 PM

After you get the access token and secret, you would need to set it using the following code:
$apiConsumer->initAccessToken($access_token, $token_secret);
Add the above line before:
$response = $apiConsumer->doRequest($requestURL2,  $getContentType);

Jeff Heck said: on June 25, 2009 at 02:53 PM

Thanks for the response, Jas.

I added the code and I’m still coming up with nothing.

Jas said: on June 25, 2009 at 02:58 PM

You can turn the debugging on in the AppConfig file.
Open AppConfig file and set $debug to 1.
After you do this, you should see 2 sections starting with “Start Debug”.
As you are saying that you are getting the access token and secret fine, the first section should have http_code of 200. Look at the second section and search for http_code in that. It should tell you the response code you are getting. If you look further down in the “response” array printed, it should tell you the detailed error message.

Jeff Heck said: on June 25, 2009 at 04:10 PM

Got a 500 - application error.  I’m running on a Godaddy Linux server.

No time to fix today.  I’ll look at it tomorrow.

Thanks for your help.

Jeff Heck said: on June 26, 2009 at 02:28 PM

The 500 status code is for the fellowshipapi.com address. “Server Error in ‘/v1’ Application.”

Jas said: on June 26, 2009 at 02:59 PM

Make sure your consumer secret is all lower case. I think when we initially started giving out the keys, it was sent out uppercase by mistake. For example if your key is 9812ABC12 then change it to 9812abc12.

Jeff Heck said: on June 26, 2009 at 03:07 PM

Yes, it is in lowercase.

Jeff Heck said: on July 7, 2009 at 09:44 AM

Any word yet on my problem?

Jas said: on July 8, 2009 at 10:40 AM

I noticed a couple of things from the debugging information sent:
You are making 2 requests. One for getting the access token and secret, and the second one for making an API call using people search. The first call is successful, and you get the tokens right. The second call, however, fails. A couple of things I noticed:
1) The request is a POST. It should be a GET.
2) Look under GET_INFO->request_header. You will notice that the request has Content-Length and some credentials. You don't need that.

I don't know what code you are using, but here is sample code which you can use for your second call:
$requestURL2 = AppConfig::$base_url.AppConfig::$f1_people_search.'?searchFor=jeff';
$apiConsumer->initAccessToken($access_token, $token_secret);
$response = $apiConsumer->doRequest($requestURL2,  $getContentType);

doRequest is a GET request. Also in the second call, you don't pass in the request body, so it should not send the credentials. Hope that helps.

Jeff Heck said: on July 27, 2009 at 11:51 AM

And I’m back.

I copied the files to a different server and the debug reported I was sending a GET request_header instead of a POST request like on the first server, so something on the web server may not be set right.

Is there a system requirements list for the API? What should I look for in the phpinfo() report?

You can see the second server results (shows GET instead of POST) here: [[link removed]]

The code is here: http://www.btcchurch.com/FTOAuth/secondpartycode.html

Thanks for your help,

Jas said: on July 27, 2009 at 12:06 PM

Glad to have you back!!
I was looking at the debug information. Your URL doesn't seem to be correct.
Your search URL is https://btccevvin.staging.fellowshiponeapi.com/v1/People/Search/?searchFor=jeff

It should be https://btccevvin.staging.fellowshiponeapi.com/v1/People/Search?searchFor=jeff (remove the '/' after Search). In your code replace
$searchRequestURL = AppConfig::$base_url.AppConfig::$f1_people_search.'/?searchFor=jeff';
with
$searchRequestURL = AppConfig::$base_url.AppConfig::$f1_people_search.'?searchFor=jeff';
Hopefully that will work. As for GET vs POST, the second request is supposed to be a GET, so it is working as designed.
If you are able to get it working, please leave a comment on this blog.

Jeff Heck said: on July 27, 2009 at 12:12 PM

Slash removed and no change.
