Download presentation
Presentation is loading. Please wait.
1
Nordaaker Web Services with OAuth
2
What is OAuth? A simple open standard for API Authentication
3
Do we need it? We’ve got OpenID ★ Not a replacement, a complementary API. ★ OAuth is Authorization, Openid is Authentication ★ OpenID users don’t have passwords, so can’t ask them for that when they try to access the API ★ OAuth is token based, does not require password
4
A bit more about OAuth ★ Not a new idea - FlickrAuth, Google AuthSub, BBAuth, etc. ★ Open Standard - http://oauth.net/http://oauth.net ★ Wide industry support ★ AOL, Eye-Fi, Facebook, Garmin, Google, LinkedIn, Ma.gnolia, Microsoft, MySpace, Plaxo, Pownce, Salesforce, Songbird, Veodia, and Yahoo!. and more! ★ Easy to understand ★ Easy to implement
5
The Usual Suspects
6
The Conversation ★ Hey Appfresh update my iusethis count Lemme check with iusethis ★ Hey iusethis, can I update marcus’ apps? Here’s a ticket, give that to him,and I’ll check with him * iusethis hands appfresh a request token ★ Hey marcus, get this ticket stamped with iusethis so I can update your data for you, please *meh*, allright ★ * appfresh opens a browser window to iusethis Marcus, you fine with appfresh updating your counts? Go ahead already, I’m waiting here Ok, here’s a stamp for your ticket. * iusethis marks the token as approved ★ * appfresh hands the request token over to iusethis and gets an access token in return once iusethis sees that it is approved * appfresh updates my iusethis counts. *yay*
7
The data flow ★ Consumer must be registered with service ★ Consumer sends a signed OAuth request to the request_token endpoint, service provider returns a token as a post body in the response content ★ Consumer opens the user auth endpoint with the specified token. if web service, provide a callback to redirect back after auth. user verifies token, and returns to service ★ Consumer hits access token endpoint with request token and gets a valid access token
8
The OAuth request ★ POST/GET Request ★ oauth_consumer_key => 'foo', ★ oauth_consumer_secret => 'bar', ★ oauth_request_method => 'POST', ★ signature_method => 'HMAC-SHA1', ★ oauth_timestamp => '1191242090', ★ oauth_nonce => 'hsu94j3884jdopsl',
9
Adding this for your Catalyst based API ★ We need to store data somewhere ★ I’ll use a DBIC model in this example: ★ DB::Consumer ★ DB::RequestToken ★ DB::AccessToken ★ Then we just use Net::OAuth directly in the controller:
10
request_token method ★ my $oauth_params = $c->get_oauth_parameters(@params); ★ my $consumer=$c->model('DB::Consumer')->find( ★ $c->req->params->{consumer_secret}) ★ or $c->detach('/usererror', ★ ["Consumer not registered"]); ★ my $request = eval { ★ Net::OAuth::RequestTokenRequest->new( ★ request_url => $c->req->uri, ★ request_method => $c->req->method, ★ consumer_secret => $consumer->secret, ★ signature_key => $c->get_signature_key, ★ ) ★ }; # handle errors here ★ $c->stash->{requesttoken}= ★ $consumer->new_requesttoken($request);
![request_token method ★ my $oauth_params = ★ my $consumer=$c->model( DB::Consumer )->find( ★ $c->req->params->{consumer_secret}) ★ or $c->detach( /usererror , ★ [ Consumer not registered ]); ★ my $request = eval { ★ Net::OAuth::RequestTokenRequest->new( ★ request_url => $c->req->uri, ★ request_method => $c->req->method, ★ consumer_secret => $consumer->secret, ★ signature_key => $c->get_signature_key, ★ ) ★ }; # handle errors here ★ $c->stash->{requesttoken}= ★ $consumer->new_requesttoken($request);](http://images.slideplayer.com/14/4193888/slides/slide_10.jpg "request_token method ★ my $oauth_params = ★ my $consumer=$c->model( DB::Consumer )->find( ★ $c->req->params->{consumer_secret}) ★ or $c->detach( /usererror , ★ [ Consumer not registered ]); ★ my $request = eval { ★ Net::OAuth::RequestTokenRequest->new( ★ request_url => $c->req->uri, ★ request_method => $c->req->method, ★ consumer_secret => $consumer->secret, ★ signature_key => $c->get_signature_key, ★ ) ★ }; # handle errors here ★ $c->stash->{requesttoken}= ★ $consumer->new_requesttoken($request);")
11
verifying the request ★ sub verify_access : Local { ★ my ($self,$c)=@_; ★ $c->res->redirect($c->uri_for(‘/login’) ★ unless $c->user_exists; ★ my @params = qw/consumer_key signature_method ★ signature timestamp nonce token version/; ★ # find and validate token ★ ★ return $c->res->redirect('/login') ★ unless $c->user_exists; ★ if($c->req->params->{verify}) { ★ $token->verified(1);$token update; ★ }
12
access_token ★ my ($self,$c)=@_; ★ my $consumer=... # like previous ★ my $request = eval { Net::OAuth::AccessTokenRequest ★ ->new( ★ request_url => $c->uri_for( ★ '/oauth/access_token'), ★ request_method => $c->req->method, ★ consumer_secret => $consumer->secret, ★ token_secret => $request_token->secret, ★ signature_key => $signature_key, }; ★ $token= $consumer ★ ->get_access_token($oauth_params{token}) || ★ $c->detach('/usererror',['Request token not found']); ★ $c->stash->{access_token}=$token ★ ->create_access_token($token);
13
A bit of work ★ In addition you need a method to verify that the access token was provided for api methods ★ A bit of a hassle right now ★ Will commit a server example to catalyst-trunk shortly ★ Watch for Catalyst-Controller-OAuth sometime in the near future. ★ Might also be a Reaction component
14
Jifty ★ Jifty::Plugin::OAuth makes this easy. ★ Add this to your config file : ★ And presto: framework: Plugins: - OAuth: {}
15
Jifty Screenshot
17
Jifty continued ★ Make sure that /oauth/authorize requires login. ★ Make sure that /oauth/request_token and /oauth/access_token doesn’t. ★ In beta. Still has some limitations. Consumers has to be manually registered.
18
Example: GMail contacts at OAuth
20
Behind the curtain ★ my $request = Net::OAuth ->request("request token")->new( $c->_default_request_params, request_url => $c->config->{request_token_endpoint}, extra_params => { scope=> $c->config->{request_scope}, }); ★ $request->sign($c->_get_key); ★ my $res = $ua->request(GET $request->to_url);
21
Behind the curtain ★ $request = Net::OAuth->request('user auth')->new( token => $response->token, callback => $c->uri_for('/callback'), ); ★ return $c->res->redirect( $request->to_url($c->config->{user_auth_endpoint}));
22
Example: GMail contacts at OAuth
23
Behind the curtain ★ my $response = Net::OAuth->response('user auth') ->from_hash($c->req->params); ★ my $request = Net::OAuth->request("access token") ->new( $c->_default_request_params, request_url => $c->config->{access_token_endpoint}, token => $response->token, token_secret => ''); ★ $request->sign($c->_get_key); ★ my $res = $ua->request(GET $request->to_url);
24
Behind the curtain ★ $response = Net::OAuth ->response('access token') ->from_post_body($res->content); ★ $c->session->{token}= $response->token; ★ # use the token my $request = Net::OAuth->request("protected resource")->new($c- >_default_request_params, request_url => $c->config->{contacts_feed_url}, token => $c->session->{token}, token_secret => '',); ★ # sign, lwp my $res = $ua->request(GET($request->request_url, Authorization => $request->to_authorization_header));
25
Get the Source ★ Ported from the Original CGI::App example included in Net::OAuth ★ Get the source in Catalyst repo ★ http://dev.catalyst.perl.org/repos/Catalyst/trunk/e xamples/OAuthExample
26
Nordaaker Questions?
27
Nordaaker Thank you! marcus@nordaaker.com
Similar presentations
