New Open-Source Launch: A PHP-based Proxy to NPR’s OAuth Server

I love my job and the work that I've had the opportunity to do here at NPR; I have no desire to go anywhere else. However, if there's one thing I wish we'd improve within our development team, it's our lack of contribution to the open-source community. Nearly all of our code is proprietary; we very rarely release anything to the public. So, it's with no small amount of pride that I can finally say we launched an open-source project today!

That said, ironically, releasing this package will likely be a bigger deal to my team than it will be for potential users. I'm on the NPR One Platform team, and our goal is to expand NPR One to platforms beyond the mobile apps that we develop in-house. Our strategy is to work with third-party developers and empower them to build NPR One apps themselves, which we’ve accomplished by opening up our API and providing thorough documentation. This approach has worked well so far, allowing us to launch on Amazon FireTV and justDrive™, and leading to partnerships with many other apps currently in our development pipeline.

Despite these early successes, the #1 piece of feedback our team has received from our partner developers is that implementing our OAuth flow has a steep learning curve (we use the OAuth 2.0 protocol to secure our endpoints). Since you cannot really do anything with our API until you have an access token, this can be an early blocker to folks who want to test out our API on their platform. We’ve done our best to continue to improve our documentation, but we wanted to do more to remove any barriers that might prevent a developer from engaging with NPR One.

As a result, we are releasing working, well-tested code to act as a proxy for our OAuth platform. We even use this code in production ourselves! In short, in open-sourcing this package, our team hopes to:

  • Provide a quick-start tool to help new third-party developers generate access tokens almost out-of-the-box
  • Present the source code as a companion to our documentation, providing a real-world example of how to build an OAuth client
  • Assist existing partners with implementing refresh tokens, which we will begin to gradually phase in for both old and new clients before the end of the year
  • Provide a server-side companion to our NPR One JavaScript SDK, which our team is planning to open-source within the next month or two (!)

That last bullet point is likely the most exciting to other developers; the NPR One JavaScript SDK is what currently powers all of the communication between the NPR One API and the recently-rebuilt NPR One Webapp. By developing the SDK separately from the Angular 2 user interface, we made it our goal to abstract away as much of the complicated business logic as possible, creating a developer experience that is much more intuitive and user-friendly.

By releasing this SDK we hope to provide another learning aid and companion to our developer guide, as well as a utility for partner developers working in JavaScript to reduce the ramp-up time, and a fun toy box for the general public. We’re excited to open up the SDK to the public and see what you all make with it; we just need a little more time to clean up the code, write more tests, and put our finishing touches on the documentation, so please check back for updates over the next few months.

Now, back to our reasoning behind releasing the server-side proxy as a separate project: the one thing the SDK will not do for you is generate access tokens. Both the Authorization Code and Device Code grant types (the two mechanisms for generating access tokens available to third-party developers using NPR’s OAuth server) require an OAuth2 client_secret. However, since the source code for web applications written in a client-side language (like JavaScript) cannot be kept private, a server-side proxy is required to safely make calls to the authorization server and prevent NPR One client credentials from being compromised in public source code. This is precisely the purpose that our proxy serves.
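To make the argument above concrete, here is an added example of the shape such a proxy takes; it is not code from npr-one-backend-proxy or from NPR. It keeps the client_secret on the server for both the Authorization Code exchange and the refresh-token grant mentioned earlier, so the browser-side app only ever sees tokens. The endpoint URLs, redirect URI, environment variable names and route paths are placeholders assumed for illustration, not NPR's real values.

```php
<?php
// Added example (not the npr-one-backend-proxy project's code). A minimal
// server-side OAuth 2.0 proxy: the browser talks only to this script, and the
// client_secret never leaves the server. URLs and parameter names are
// placeholders, not NPR's actual endpoints.
declare(strict_types=1);

const AUTHORIZE_URL = 'https://auth.example.invalid/oauth2/authorize';   // placeholder
const TOKEN_URL     = 'https://auth.example.invalid/oauth2/token';       // placeholder
const REDIRECT_URI  = 'https://yourapp.example.invalid/oauth/callback';  // placeholder

// Credentials come from the environment, never from source control.
function clientId(): string     { return getenv('OAUTH_CLIENT_ID') ?: ''; }
function clientSecret(): string { return getenv('OAUTH_CLIENT_SECRET') ?: ''; }

/** Step 1: send the user to the authorization server with a fresh CSRF `state`. */
function beginAuthorizationCodeFlow(): void
{
    session_start();
    $state = bin2hex(random_bytes(16));
    $_SESSION['oauth_state'] = $state;
    $query = http_build_query([
        'client_id'     => clientId(),
        'redirect_uri'  => REDIRECT_URI,
        'response_type' => 'code',
        'state'         => $state,
    ]);
    header('Location: ' . AUTHORIZE_URL . '?' . $query, true, 302);
    exit;
}

/** POST a form-encoded request to the token endpoint and decode the JSON reply. */
function tokenRequest(array $fields): array
{
    // The secret is attached here, server-side, for every token-endpoint call.
    $fields += ['client_id' => clientId(), 'client_secret' => clientSecret()];
    $ch = curl_init(TOKEN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep certificate verification on
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("token endpoint returned HTTP $status");
    }
    $json = json_decode((string) $body, true);
    if (!is_array($json) || empty($json['access_token'])) {
        throw new RuntimeException('token endpoint returned no access_token');
    }
    return $json;
}

/** Step 2: callback. Verify `state` (single use), then exchange the code for tokens. */
function finishAuthorizationCodeFlow(array $query): array
{
    session_start();
    $expected = $_SESSION['oauth_state'] ?? '';
    unset($_SESSION['oauth_state']);
    if ($expected === '' || !hash_equals($expected, (string) ($query['state'] ?? ''))) {
        throw new RuntimeException('state mismatch: possible CSRF or stale login');
    }
    if (empty($query['code'])) {
        throw new RuntimeException('authorization server returned no code');
    }
    return tokenRequest([
        'grant_type'   => 'authorization_code',
        'code'         => $query['code'],
        'redirect_uri' => REDIRECT_URI,
    ]);
}

/** Refresh-token grant, also done server-side so the secret stays private. */
function refreshAccessToken(string $refreshToken): array
{
    return tokenRequest([
        'grant_type'    => 'refresh_token',
        'refresh_token' => $refreshToken,
    ]);
}

// Minimal routing (placeholder paths): /oauth/start begins the flow,
// /oauth/callback completes it and returns only the tokens to the browser.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
if ($path === '/oauth/start') {
    beginAuthorizationCodeFlow();
} elseif ($path === '/oauth/callback') {
    $tokens = finishAuthorizationCodeFlow($_GET);
    header('Content-Type: application/json');
    header('Cache-Control: no-store');
    echo json_encode([
        'access_token'  => $tokens['access_token'],
        'refresh_token' => $tokens['refresh_token'] ?? null,
        'expires_in'    => $tokens['expires_in'] ?? null,
    ]);
}
```

The two properties worth checking in any proxy like this are visible in the code: the secret appears only inside tokenRequest, which runs on the server, and the callback refuses any response whose state does not match the value stored in the session, so a forged or replayed redirect cannot complete the exchange.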

As for why we chose PHP: the majority of our products here at NPR are written in PHP, and we believe PHP is the most accessible language for outside developers. It’s still one of the most widely-used programming languages on the web; even the simplest shared hosting server supports PHP. And even if you’re not a PHP developer, the hope is that you can still fairly easily read and understand the source code.

The code is available on GitHub, but it is intended to be added to your project using Composer, the primary dependency manager for PHP:

composer require npr/npr-one-backend-proxy

This project assumes that you have already registered for an account at the NPR One Developer Center and have your client_id and client_secret ready. If you do not already have a Dev Center account, you can register for a personal account and get started immediately.

Check it out and let us know what you think!

By Nara Kasbergen