I am developing a gadget with the tech requirements "no Cookie, no Session". I have the following code:

<?php

class LinkedIn
{
    private $options;
    private $consumer;
    private $client;
    private $token;

    public function __construct($params)
    {
        // set Zend_Oauth_Consumer options
        $this->options = array(
            'version' => '1.0',
            'localUrl' => $params['localUrl'],
            'callbackUrl' => $params['callbackUrl'],
            'requestTokenUrl' => 'https://api.linkedin.com/uas/oauth/requestToken',
            'userAuthorizationUrl' => 'https://api.linkedin.com/uas/oauth/authorize',
            'accessTokenUrl' => 'https://api.linkedin.com/uas/oauth/accessToken',
            'consumerKey' => $params['apiKey'],
            'consumerSecret' => $params['secretKey']
        );

        // instantiate the Zend_Oauth_Consumer class
        require_once 'Zend/Loader.php';
        Zend_Loader::loadClass('Zend_Oauth_Consumer');
        $this->consumer = new Zend_Oauth_Consumer($this->options);
    }

    public function connect()
    {
        // Start the session to be able to store the Request Token & Access Token
        session_start();

        if (!isset($_SESSION['ACCESS_TOKEN'])) {
            // We do not have any Access Token yet
            if (!empty($_GET)) {
                // SECTION_IF
                // But we have some parameters passed through the URL

                // Get the LinkedIn Access Token
                $this->token = $this->consumer->getAccessToken($_GET, unserialize($_SESSION['REQUEST_TOKEN']));

                // Store the LinkedIn Access Token
                $_SESSION['ACCESS_TOKEN'] = serialize($this->token);
            } else {
                // SECTION_ELSE
                // We have nothing

                // Start by requesting a LinkedIn Request Token
                $this->token = $this->consumer->getRequestToken();

                // Store the LinkedIn Request Token
                $_SESSION['REQUEST_TOKEN'] = serialize($this->token);

                // Redirect the web user to the LinkedIn authentication page
                // (Zend_Oauth_Consumer::redirect() exits after sending the Location header)
                $this->consumer->redirect();
            }
        } else {
            // We've already got a LinkedIn Access Token

            // Restore the LinkedIn Access Token
            $this->token = unserialize($_SESSION['ACCESS_TOKEN']);
        }

        // Use an HTTP client with built-in OAuth request handling
        $this->client = $this->token->getHttpClient($this->options);
    }
}

It's working perfectly. But REQUEST_TOKEN is stored in the SESSION. How can I put it in the query string in SECTION_ELSE, and get it back in SECTION_IF? Thanks for all the advice.

A: 

The key point is that your system needs to:

1. persist the OAuth tokens between user requests to your server, and
2. tie them to a specific user. 

Using a session, whose id comes from either a cookie or from the querystring, is one way to do that.

But if sessions are off the table, then you need some other way to identify the current user and store his OAuth tokens.

If you are truly working in a no-session environment, then how do you even know who the user is? Basic Auth? In the absence of user authentication on your side, I don't see how you'll be able to associate OAuth tokens to specific users.

David Weinraub
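An added example, not code from the question or from the answer above, of the "persist the tokens between requests" point without a session. One caveat first: the request token cannot simply be put into the callback query string in SECTION_ELSE, because in OAuth 1.0a the callback URL is sent to the provider in the request-token call, before the token exists. What the provider does send back to the callback is the public `oauth_token` (plus `oauth_verifier`), so the only thing that needs persisting is the token secret, keyed by that `oauth_token`. The store below does that with a small SQLite table (the table name, column names and class name are assumptions made here; it needs PHP 7.1+ with pdo_sqlite), expires entries, and consumes each one on first use so a replayed or forged callback fails closed.

```php
<?php
// Added example (not from the question or the answer): a server-side store that
// replaces the $_SESSION['REQUEST_TOKEN'] slot. Entries are keyed by the public
// oauth_token that the provider echoes back to the callback URL. The SQL is
// SQLite syntax; the table and column names are assumptions.

final class RequestTokenStore
{
    private const TTL_SECONDS = 600; // request tokens are short-lived anyway

    private $pdo;

    public function __construct(string $dsn)
    {
        // A file DSN such as 'sqlite:/var/app/oauth_tokens.db' survives across
        // requests; ':memory:' is used in the demo below only to stay self-contained.
        $this->pdo = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $this->pdo->exec(
            'CREATE TABLE IF NOT EXISTS oauth_request_tokens (' .
            ' token TEXT PRIMARY KEY, secret TEXT NOT NULL, expires_at INTEGER NOT NULL)'
        );
    }

    /** SECTION_ELSE: remember the secret under its public token before redirecting. */
    public function put(string $token, string $secret): void
    {
        $stmt = $this->pdo->prepare(
            'INSERT OR REPLACE INTO oauth_request_tokens (token, secret, expires_at) VALUES (?, ?, ?)'
        );
        $stmt->execute([$token, $secret, time() + self::TTL_SECONDS]);
    }

    /**
     * SECTION_IF: look up the secret for $_GET['oauth_token'] and consume it.
     * Returns null when the token is unknown, already used, or expired, so the
     * caller rejects the callback instead of signing with a guessed secret.
     */
    public function take(string $token): ?string
    {
        $this->pdo->beginTransaction();
        try {
            $stmt = $this->pdo->prepare('SELECT secret, expires_at FROM oauth_request_tokens WHERE token = ?');
            $stmt->execute([$token]);
            $row = $stmt->fetch(PDO::FETCH_ASSOC);
            $del = $this->pdo->prepare('DELETE FROM oauth_request_tokens WHERE token = ?');
            $del->execute([$token]); // one-time use, whether the row was valid or expired
            $this->pdo->commit();
        } catch (Throwable $e) {
            $this->pdo->rollBack();
            throw $e;
        }
        if ($row === false || (int) $row['expires_at'] < time()) {
            return null;
        }
        return $row['secret'];
    }

    /** Housekeeping: drop expired rows so abandoned login attempts do not pile up. */
    public function purgeExpired(): int
    {
        $stmt = $this->pdo->prepare('DELETE FROM oauth_request_tokens WHERE expires_at < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// --- Constructed demo values; a real run gets them from getRequestToken() and $_GET ---
$store = new RequestTokenStore('sqlite::memory:');
$store->put('demo-request-token', 'demo-request-secret');

// The callback arrives as ?oauth_token=demo-request-token&oauth_verifier=...
if ($store->take('demo-request-token') !== 'demo-request-secret') {
    throw new RuntimeException('first lookup should return the stored secret');
}
// A second use of the same callback (replay) finds nothing.
if ($store->take('demo-request-token') !== null) {
    throw new RuntimeException('consumed token must not be reusable');
}
echo "request token store OK\n";

// Wiring into the question's class (assumed; Zend_Oauth_Token setters used as documented):
//   SECTION_ELSE: $store->put($this->token->getToken(), $this->token->getTokenSecret());
//   SECTION_IF:   $secret = $store->take($_GET['oauth_token']);
//                 if ($secret === null) { /* reject the callback */ }
//                 $request = new Zend_Oauth_Token_Request();
//                 $request->setToken($_GET['oauth_token']);
//                 $request->setTokenSecret($secret);
//                 $this->token = $this->consumer->getAccessToken($_GET, $request);
```

This only covers the request token, which is tied to one login attempt by construction: the provider returns a given `oauth_token` only to the browser that authorized it. The access token obtained afterwards has no such natural key, and storing it is exactly the answer's second point: without a session, it has to be persisted under whatever identity your own authentication (Basic Auth or otherwise) gives you for the user.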