Skip to content

OAuth support #84

rainhead opened this Issue Apr 30, 2011 · 22 comments

8 participants


Hi. Sorry to be a douche on Twitter. I meant that this seems to be a fairly active project, but I couldn't understand what people would be using it for absent OAuth support.

So, here's a feature request. I'm happy to work on adding OAuth support, if you can give me some direction. The options that have occurred to me are:

  • build a new, full OAuth implementation custom for RestKit
  • allow implementers to munge outgoing requests just before they are sent
  • allow implementers to swap RKRequest out for another HTTP implemetation
The RestKit Project member

It looks like most people are developing clients for their own web services, rather than integrating with Twitter, Foursquare, etc.

It should be pretty straightforward to port an existing OAuth implementation into a form usable with RestKit, especially if it relied on NSURLConnection. We could probably even just initialize OAuthConsumer by passing the data in from the RKClient it needs to do its thing.

I can try to sketch out an implementation approach if you are serious about tackling this. OAuth is strategic for the roadmap, but I've got three active RK projects at the moment that need to be brought home before it can find a place on my priorities.

rainhead commented May 2, 2011

I may be naïve about how much work this will be, but I suspect that making RestKit do what I want and adapting our project to use it will be faster than (essentially) recreating much of RestKit's functionality on top of our existing network layer (OAuthConsumer).

Let me look at the code base and see how confident I feel about this, and confer with a coworker. I'll get back to you today.

rainhead commented May 2, 2011

Actually, I'm increasingly convinced of the advantages of using RestKit, and hence the cost of not using it. In the worst case, we can fork RestKit and gracelessly hack OAuth support onto it, but I suspect doing it right won't be that much more work.

Would you mind describing the approach you had in mind?

The RestKit Project member

I just did a bit of digging around and came across the PlainOAuth library:

It looks attractive to me because:

  • Recently updated
  • Has sample code
  • Has gone through a few API revisions
  • Does not include an HTTP library, meant to be used with another HTTP provider

We should be able to take his core, connect the dots between the HTTP layer and his interface, and roll it up into an optional RK target library and call it a day.

rainhead commented May 3, 2011

OK, I apologize, but I think we're going to simplify things and use straight Three20 + OAuthConsumer.

The RestKit Project member

From the mailing list, somebody else poking at this:

Hi all, first time posting to this group.  I just wanted to let
everyone (especially the maintainers) know that I've created a simple
patch to hack in very simple OAuth support.  My patch does the
absolute bare minimum of OAuth.  It doesn't do any of the token
negotiation/authorization part, it just lets you set the four
previously authenticated tokens and adds the appropriate Authorization
header to any requests.

I'm sure that it's not done to the current RestKit coding standards,
but it works well enough for making requests to the API that I have to
integrate with, so I thought I'd share it with you guys in case it
made a useful starting point for future OAuth work.  If you guys want
to give me some feedback, I'd be happy to work with you guys to
improve it enough to merge it into the trunk.

The patch can be found here:

I also have to give most of the credit to Loren Brichter of Tweetie
fame for releasing his basic OAuth code here:  My code is almost
entirely based on his OAuth release, although I had to fix a few bugs
to get it working with my server.

If you guys have any questions or comments, please let me know.

- Ian
edanuff commented Jun 13, 2011

If you guys are still thinking about this, I found this while googling for iPhone oAuth libraries:

It looks like the simplest possible oAuth implementation so might be a quick path to integration.

The RestKit Project member

Hah! That is an excellently small implementation. We probably will pull this in.


Hi! I had integrated already the TDOAuth library into the last version of RestKit in the method 'fireAsynchronousRequest' of the RKRequest class. Now I'm trying to rebuild the NSURLRequest object from the parameters from RKClient. Hopefully I'll have the patch soon.

kaiwu commented Jul 13, 2011

Oauth is simply indispensable for REST, without noticing the effort of this ticket, i also recently patched the RestKit so that it works with Oauth1.0, by largely refer to the OAuthConsumer. It is not the coding standard of RestKit so i've not asked for pull request. Just take a short look if anyone is interested, at my commit of the fork . I am looking forward for the official RestKit OAuth implementation :-)


I too implemented a (hackish) version of RestKit+OAuth using the TDOAuth library. I tied it into the RKRequest object, and added some OAuth related attributes to RKClient as well (a flag to use OAuth, plus the four OAuth tokens/secrets needed to sign the requests). Then in RKRequest, I create a dummy TDOAuth request with the RKRequest's params, and copy the OAuth header it generates into the RKRequest RestKit is about to send.

I'll try to publish a patch/fork of this when I have some spare time.


I had done the integration of the TDOAuth library with the last release of RestKit. You can check it out in my repo:


I would love to contribute with the code for the framework. How can I do it? Thanks!

jk commented Aug 17, 2011

Did you see LROOAuth2Client and the corresponding blog post about it? I haven't been able to take a deeper look, but it looks promising since he already implements things like the refresh tokens… but it relies on ASIHTTPRequest.

jk commented Aug 17, 2011

I'm relatively new in the OAuth2 domain. The last couple drafts didn't speak about the web server or device flows like Eran Hammer-Lahav did in his first proposal. I think the web server flow now gets called »authorization code«. Does the »client credentials« correspond to the former device flow? I'm not so sure, for me the client credentials corresponds to the former user-agent flow.

I recently tinkerd with the authorization code »flow« a lot. So my priority is the authorization code flow, IMO is this the most common one, since most of the OAuth2 consumers are still web/browser based, so that a lot of APIs use that flow. But since the flows aren't that different we can easily support more than one?

jk commented Aug 18, 2011

I've found the time to investigate a bit further in the several drafts I mentioned in my previous comment. It looks like the device flow isn't part of draft-20 (which is called the final draft before going RFC) anymore. The web server flow is the main flow, now called »authorization code«.
So I suggest we should focus on the main flow. The draft lets it open to the implementation to use other grant types as extension - perhaps that should be the new home for the device flow?


I love that idea! If you want we can talk in the IRC channel to arrange the details of the implementation? Or if you want, we can use gtalk instead.

edanuff commented Sep 11, 2011

What's the current status of the TDOAuth integration in the master branch? At the moment, I just need oAuth 1.0 for 2-legged auth, but will eventually need oAuth 2.0. Should I use rodchile's fork for anything oAuth-related?


This week should be push the OAuth support into the master branch of RestKit. You can use also my fork, getting the "restkit-update"[1] branch, which is fully updated with the latest version of the framework.


rodchile, the one you will be pushing to the master branch will have oAuth2.0?


@therekz yeah! You'll able to retrieve a valid access_token from an authorization_code like is described in the draft 20 of OAuth2, and of course consume resources with it.


@rodhile, okay then! I'll be waiting for it! RestKit needs that so bad!

@blakewatters blakewatters added a commit that closed this issue Sep 20, 2011
@blakewatters blakewatters Refactored OAuth support for merge into master. fixes #84, #211
Cleaned up @rodchile's excellent work integration OAuth 1.0 and 2.0 into RestKit. Changes
are as follows:

* Introduced new RKRequestAuthenticationType to replace the forceBasicAuthentication and other
    methods for influencing how authorization works.
* Moved TDOAuth code into Vendor/
* Renamed authorization code flow classes and delegate methods for clarity.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.