I would like to get CPAN Sidekick set up for authentication so that users can vote and take other authorized actions through the Android app.
For testing, you can use https://api.metacpan.org/oauth2/authorize?choice=twitter&client_id=metacpan.dev
It will redirect to localhost:5001 with a code query string. I know that in iOS you can watch the URL in the UIWebView and extract the code parameter. Close the WebView, the rest happens in your App.
Once you have that you have to request https://api.metacpan.org/oauth2/access_token?client_id=metacpan.dev&client_secret=ClearAirTurbulence&code=[CODE] which will return an access token. Use that to retrieve user data and favorites: https://api.metacpan.org/user?access_token=[ACCESS_TOKEN]
I will set you up with a different client_id and client_secret if everything works for you. Please have a look at the metacpan-web repository for adding favorites and so on.
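The flow described in the comment above (authorize URL, redirect to localhost:5001 carrying `code`, exchange of the code for an access token, then the `/user` lookup), as an added example that is not code from the thread, from CPAN Sidekick or from MetaCPAN. Assumptions: the access-token endpoint is taken to answer with JSON containing an `access_token` field (the comment only says it "will return an access token"), and the `fake_metacpan` responder plus every token value in it are constructed so the flow can be exercised offline.

```python
"""OAuth2 authorization-code flow against api.metacpan.org, as the thread describes it.

Added example; the JSON response shape and the offline responder are assumptions.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://api.metacpan.org/oauth2/authorize"
ACCESS_TOKEN_URL = "https://api.metacpan.org/oauth2/access_token"
USER_URL = "https://api.metacpan.org/user"

# Redirect target named in the thread. The client should only accept a code that
# arrives on this exact host:port, never one found on some other page the WebView visits.
EXPECTED_REDIRECT = ("localhost", 5001)


def authorize_url(client_id, choice="twitter"):
    """Step 1: the URL to load in the WebView."""
    return AUTHORIZE_URL + "?" + urlencode({"choice": choice, "client_id": client_id})


def extract_code(redirect_url):
    """Step 2: watch WebView navigations; when one lands on localhost:5001, pull `code`
    from the query string. Returns None for any other URL (or an unparsable port)."""
    parts = urlsplit(redirect_url)
    try:
        origin = (parts.hostname, parts.port)
    except ValueError:  # malformed port in the netloc
        return None
    if origin != EXPECTED_REDIRECT:
        return None
    codes = parse_qs(parts.query).get("code")
    return codes[0] if codes else None


def access_token_url(client_id, client_secret, code):
    """Step 3: the request URL exactly as the comment spells it."""
    return ACCESS_TOKEN_URL + "?" + urlencode(
        {"client_id": client_id, "client_secret": client_secret, "code": code})


def user_url(access_token):
    """Step 4: fetch user data and favorites with the access token."""
    return USER_URL + "?" + urlencode({"access_token": access_token})


def _http_get_json(url):
    """Real transport: plain HTTPS GET returning parsed JSON."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def complete_login(client_id, client_secret, redirect_url, get_json=_http_get_json):
    """Steps 2-4 in sequence. `get_json` is injectable so the flow can run offline."""
    code = extract_code(redirect_url)
    if code is None:
        raise ValueError("redirect did not carry an authorization code on the expected origin")
    token_response = get_json(access_token_url(client_id, client_secret, code))
    access_token = token_response["access_token"]  # ASSUMED response shape
    return get_json(user_url(access_token))


def fake_metacpan(url):
    """CONSTRUCTED offline stand-in for api.metacpan.org, used only for the demo."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if parts.path == "/oauth2/access_token" and query.get("code") == ["abc123"]:
        return {"access_token": "tok-xyz"}
    if parts.path == "/user" and query.get("access_token") == ["tok-xyz"]:
        return {"id": "user42", "favorites": []}
    raise ValueError("unexpected request: " + url)


def demo():
    """Run the whole flow offline with a constructed redirect URL."""
    return complete_login("metacpan.dev", "ClearAirTurbulence",
                          "http://localhost:5001/?code=abc123", get_json=fake_metacpan)


if __name__ == "__main__":
    print(authorize_url("metacpan.dev"))
    print(demo())
```

Keeping `extract_code` strict about the redirect origin is the part that matters for a WebView-based client: the provider's own login pages also carry query strings, and only the final hop to localhost:5001 is the one that carries the authorization code.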
That doesn't actually work for what I want to do here, which is to take advantage of the built-in authentication tools of Android, which will fetch the various OAuth tokens from Twitter (or Facebook or GitHub, as long as the user has that site's app installed) without requiring the user to log in again. The mobile user sees a "Grant Permissions" dialog and clicks "Allow" or "Deny" to let the app reuse the credentials already stored with the Twitter app.
However, I believe that the client_id and client_secret give me enough information to fill in the rest. I'm now experimenting to see how far I can get from here.
Well, you actually want to authenticate against api.metacpan.org and not Twitter, since you want to get access to the favorites and stuff. It just happens that MetaCPAN is using Twitter to authenticate the user, but you don't actually have control over that. Let's see what you find out :)
Right, I was hoping that I could somehow use the Android AccountManager's SSO to authenticate with api.metacpan.org. Via the SSO interface, I can gain access to the user's access tokens for Twitter, Facebook, and GitHub. However, it's the authorization process itself that allows api.metacpan.org to be confident of the identity of the user.
While the AccountManager SSO on Android allows me to gain access to the user's identity for use within the application, it doesn't really help here. It only gives me half of the information required to actually share the identity of the user with a third party. I get an access token and a token secret, but I do not have access to the consumer secret required to sign requests. Even if I did, I'm not sure CPAN Sidekick and api.metacpan.org are really in a position to legitimately share a consumer secret. Of course, that still wouldn't allow SSO to work.
So, using the Android SSO to do this as is seems to be a bust. I must either:
I do want to investigate what might be possible if Google authentication (issue #241) were available, as Google provides lots of options with their own authentication that aren't available to these other third parties, but I have no idea if that will be any more productive than trying to use Twitter/Facebook/GitHub. It seems doubtful at this point.
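The "half of the information" point made above, as an added example that is not code from the thread or from CPAN Sidekick: an OAuth 1.0a request is signed with HMAC-SHA1 keyed by the consumer secret and the token secret joined with `&`, so a client holding only what AccountManager hands it (access token and token secret) cannot produce a signature the provider will accept. The block implements the standard RFC 5849 base string and signature on the client side and the matching verification on the provider side; every secret, key and request value in it is constructed for the demo, and the `provider.example` URL is a placeholder, not a real endpoint.

```python
"""OAuth 1.0a HMAC-SHA1 signing, client and provider side, to show why the consumer
secret is required. Added example; all values below are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters are left bare.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Normalize the request: METHOD & enc(url) & enc(sorted k=v pairs joined by &)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed by BOTH secrets: enc(cs) & enc(ts)."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    digest = hmac.new(key, base, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def provider_accepts(method, url, params, presented_signature, consumer_secret, token_secret):
    """Provider side: recompute the signature with its own copy of both secrets and
    compare in constant time."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


# CONSTRUCTED demo material.
CONSUMER_SECRET = "registered-app-secret"  # belongs to the registered app (MetaCPAN's), not to Sidekick
TOKEN_SECRET = "user-token-secret"         # what AccountManager can hand the phone app
REQUEST = (
    "GET",
    "https://provider.example/account/verify",  # placeholder endpoint
    {
        "oauth_consumer_key": "ck",
        "oauth_token": "tk",
        "oauth_nonce": "n",
        "oauth_timestamp": "1",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    },
)


def demo():
    """Sign once with both secrets, once with only the token secret, and let the
    provider judge each. Returns which of the two it accepts."""
    method, url, params = REQUEST
    genuine = sign(method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
    # An app without the consumer secret can at best leave that half of the key empty.
    token_only = sign(method, url, params, "", TOKEN_SECRET)
    return {
        "genuine_accepted": provider_accepts(method, url, params, genuine, CONSUMER_SECRET, TOKEN_SECRET),
        "token_only_accepted": provider_accepts(method, url, params, token_only, CONSUMER_SECRET, TOKEN_SECRET),
    }


if __name__ == "__main__":
    print(signature_base_string(*REQUEST))
    print(demo())
```

The provider-side check is included so the asymmetry is visible in one run: the token and token secret identify the user, but only a party that also holds the consumer secret can speak for the registered application, which is exactly the piece a third-party phone app does not have.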
Now that Google Auth is available to login to MetaCPAN, I'm still hoping for some way to make this work with Google Auth SSO without requiring the user to login again. Google provides a number of extra workflows for OAuth2 related to mobile that other providers don't, so I'm exploring those to see what I can come up with.
If I can find a way for Sidekick to get a token of some kind from the device's account manager that can be firmly verified by cpan-api, I will see about providing a patch for that. As part of this process, the cpan-api server may need/want to display a grant permissions form to verify that the user is willing to grant the phone application access to the user's CPAN profile.
@zostay do you need anything else here? Just trying to clean up older issues.
No, I've already discovered that I can't make it do what I'd like it to do. What would be most convenient for Android users would be to use the existing Twitter, Google, GitHub authenticators that come either built-in or with those installed apps and just make that work. However, to do that, Sidekick would have to use the same app ID that MetaCPAN uses to make it work.
So, unless CPAN Sidekick is adopted as part of MetaCPAN proper, there's nothing that can be done to make this work that way. The only solution is to let CPAN Sidekick be the login liaison, which means I could do nefarious things with their identity (as opposed to Twitter/Google/GitHub doing that), but that's the best I can do.
OK. Sounds good. I'll close this issue then. Thanks for the update. :)