Open Source Bridge - OAuth: an Open Specification for Web Services

John Jawed -
  • talk is about oauth at a high level and the problems it tries to solve
  • won't get low-level into the spec, etc.
  • problem: rasmus has private photos on flickr but wants to print them using kodak's online photo printing service
  • before oauth: he would have to give kodak his flickr user name and password
    • too powerful
      • kodak could change the password, delete photos, or delete the whole account
  • e.g. has anyone had to share their twitter username/password with another site to gain access?
  • how about some identifier issued by flickr to kodak?
    • would allow someone else to access your account but only with certain permissions and only for a certain length of time
  • for a few years we've had ...
    • yahoo bbauth
    • google authsub
    • aol openauth
    • windows live id
    • flickr token auth
    • many others
  • equivalent goals, but each with a different model -- this fragmentation drove the creation of oauth
  • the oauth dance
    • kodak sends rasmus to flickr
    • flickr asks rasmus: kodak wants to access your private photos
    • rasmus: sure!
    • flickr gives kodak a token with a secret
    • kodak makes api requests to flickr using the token/secret
    • fin
  • behind the scenes ...
    • timestamps
    • nonces
    • tokens
    • secrets
    • refresh tokens
    • signatures -- "ssl bastardized"
      • handy if requests aren't over https
  • yahoo big on openid and oauth
    • internal implementers at yahoo found oauth difficult to use
    • the pecl/oauth extension was designed to address those problems of working with oauth
      • open source (bsd)
      • mature
      • supports talking to oauth apis
      • supports creating oauth apis
      • available as a php extension
  • code sample -- using oauth in php
    • start the session
    • create a new oauth object using api key
    • get request token using endpoint, e.g. twitter's request token url
    • redirect user to authentication url
    • after authentication, get an access token for interaction with the target service, e.g. twitter
    • fetch method in the oauth object handles all the token negotiation for you
  • to use oauth you don't need to understand the spec, just need to understand the flow
    • get request token (throw-away token)
    • get access token (token used to sign requests)
  • netflix example
    • pretty similar to twitter, but also need to pass user id
  • financial services example - wepay (paypal for groups)
    • similar paradigm--get request token, authorize access, get access token, interact with service
    • wepay also includes a verifier in addition to the tokens
  • example with no user
    • sign the request with just the api key and secret (consumer key and consumer secret); no user token is involved
  • what about accepting oauth in your API?
    • create oauthprovider object in php
    • get consumer key from caller, make sure it's still valid
    • three handlers
      • $provider->is2LeggedEndpoint()
      • $provider->consumerHandler()
      • $provider->timestampNonceHandler()
    • search for "rasmus oauth" to find a full example walkthrough
  • oauth for php supports
    • all oauth parameter types
    • hmac-sha1, rsa-sha1
    • 1.0a
    • oauth extensions: session, problem reporting
    • setting millisecond request timeouts
    • and much more
  • oauth 2.0
    • still a work in progress
    • same token paradigm
    • profile-based (web, client, etc.)
    • oauth 1.0 with session extension
    • oauth 1.0 implementations will be around for a long time
    • will be supported in pecl/oauth
    • problem oauth 2.0 tries to solve is that oauth 1.0 is very browser-focused, lots of requests/redirects
      • support for non-browser flow, native client flow, etc.
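The consumer-side flow from the "code sample" and "you just need to understand the flow" notes above, written out as an added example against the PECL oauth extension (not code from the talk); the keys and endpoint URLs are placeholders for a Twitter-style OAuth 1.0a provider, and the script assumes it is itself the callback URL.

```php
<?php
// Added example (not from the talk): the consumer side of the "oauth dance" with the
// PECL oauth extension. Keys and URLs are placeholders for a Twitter-style 1.0a provider.
$consumer_key      = 'YOUR_CONSUMER_KEY';                              // placeholder
$consumer_secret   = 'YOUR_CONSUMER_SECRET';                           // placeholder, never sent on the wire
$request_token_url = 'https://provider.example/oauth/request_token';   // placeholder
$authorize_url     = 'https://provider.example/oauth/authorize';       // placeholder
$access_token_url  = 'https://provider.example/oauth/access_token';    // placeholder
$callback_url      = 'https://consumer.example/oauth-callback.php';    // placeholder, this script
$resource_url      = 'https://provider.example/1/account/verify_credentials.json';  // placeholder

session_start();
try {
    // HMAC-SHA1 signatures carried in the Authorization header; the secrets stay on this host.
    $oauth = new OAuth($consumer_key, $consumer_secret,
                       OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_AUTHORIZATION);
    $oauth->setTimeout(5000);   // request timeout in milliseconds

    if (!isset($_GET['oauth_token'])) {
        // Step 1: a throw-away request token, bound to our callback (1.0a).
        $request = $oauth->getRequestToken($request_token_url, $callback_url);
        $_SESSION['oauth_token']        = $request['oauth_token'];
        $_SESSION['oauth_token_secret'] = $request['oauth_token_secret'];
        // Step 2: the user approves the access at the provider, which then redirects back here.
        header('Location: ' . $authorize_url . '?oauth_token=' . urlencode($request['oauth_token']));
        exit;
    }

    // Step 3: accept only the token this session asked for, and hand over the 1.0a
    // verifier, which proves the same user approved it.
    if (!isset($_SESSION['oauth_token']) || $_GET['oauth_token'] !== $_SESSION['oauth_token']) {
        http_response_code(400);
        exit('oauth_token does not belong to this session');
    }
    $oauth->setToken($_SESSION['oauth_token'], $_SESSION['oauth_token_secret']);
    $access = $oauth->getAccessToken($access_token_url, '', $_GET['oauth_verifier'] ?? '');
    unset($_SESSION['oauth_token'], $_SESSION['oauth_token_secret']);

    // Step 4: sign API calls with the access token; fetch() adds nonce, timestamp and signature.
    $oauth->setToken($access['oauth_token'], $access['oauth_token_secret']);
    $oauth->fetch($resource_url);
    $profile = json_decode($oauth->getLastResponse(), true);
    echo 'Authorised as ' . htmlspecialchars($profile['screen_name'] ?? 'unknown');
} catch (OAuthException $e) {
    error_log('OAuth failure: ' . $e->getMessage());   // lastResponse may carry an oauth_problem
    http_response_code(502);
    echo 'Could not complete authorisation.';
}
```

The request token and its secret live only in the server-side session between steps 2 and 3, so a redirect back with a token this session never requested is rejected before any secret is used.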
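The provider side ("accepting oauth in your API") together with the "no user" 2-legged case, as an added example and not the talk's code: the three handlers the PECL OAuthProvider calls, with the consumer table, token table and nonce store constructed inline to stand in for a database, and the path "/api/stats" assumed as the 2-legged endpoint.

```php
<?php
// Added example (not from the talk): accepting OAuth 1.0a in your own API with the PECL oauth extension.
$consumers   = ['demo-key' => 'demo-consumer-secret'];     // constructed sample data
$tokens      = ['demo-access-token' => 'demo-token-secret'];   // constructed sample data
$seen_nonces = [];   // consumer_key:nonce => first seen; must be a shared store in production

function lookupConsumer(OAuthProvider $p) {
    global $consumers;
    if (!isset($consumers[$p->consumer_key])) {
        return OAUTH_CONSUMER_KEY_UNKNOWN;                    // unknown or revoked api key
    }
    $p->consumer_secret = $consumers[$p->consumer_key];       // used to verify the signature
    return OAUTH_OK;
}
function checkTimestampNonce(OAuthProvider $p) {
    global $seen_nonces;
    // Stale requests are refused so a captured signed request cannot be replayed later...
    if (abs(time() - (int) $p->timestamp) > 300) {
        return OAUTH_BAD_TIMESTAMP;
    }
    // ...and inside that window each (consumer, nonce) pair is accepted only once.
    $key = $p->consumer_key . ':' . $p->nonce;
    if (isset($seen_nonces[$key])) {
        return OAUTH_BAD_NONCE;
    }
    $seen_nonces[$key] = time();
    return OAUTH_OK;
}
function lookupToken(OAuthProvider $p) {
    global $tokens;
    if (!isset($tokens[$p->token])) {
        return OAUTH_TOKEN_REJECTED;
    }
    $p->token_secret = $tokens[$p->token];
    return OAUTH_OK;
}

$provider = new OAuthProvider();
$provider->consumerHandler('lookupConsumer');
$provider->timestampNonceHandler('checkTimestampNonce');
$provider->tokenHandler('lookupToken');
if (parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) === '/api/stats') {
    $provider->is2LeggedEndpoint(true);   // the "no user" case: consumer key + secret only, no token handler
}
try {
    $provider->checkOAuthRequest();       // verifies the signature with the secrets the handlers supplied
    echo json_encode(['ok' => true, 'consumer' => $provider->consumer_key]);
} catch (OAuthException $e) {
    $provider->reportProblem($e);         // sends the 4xx status and an oauth_problem body
}
```

The timestamp window and the nonce store are what stop a captured signed request from being replayed, so the store has to be shared by every web worker, not kept per process.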

