Skip to content

OAuth 1.0 and 1.0a client #1422

merged 19 commits into from Mar 16, 2013

9 participants


No description provided.

Joomla! member

This looks pretty great already. You got a couple of uni test errs thou:



Yes, I know and I am trying to fix them. The fun fact is that locally the tests pass - the problem is at setting session the right way in tests.


Solved it, no errors now :)

@elinw elinw commented on an outdated diff Aug 3, 2012
+ {
+ $this->token = null;
+ }
+ }
+ $verifier = $this->input->get('oauth_verifier');
+ if (empty($verifier))
+ {
+ // Generate a request token.
+ $this->_generateRequestToken();
+ // Authenticate the user and authorise the app.
+ $this->_authorise();
+ }
+ // Callback
elinw added a note Aug 3, 2012

This should really have a blank line above the comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
pasamio commented Sep 27, 2012

@dianaprajescu Can you rename it to just oauth/client.php and we'll have oauth2/client.php. Unless someone is planning on implementing a 1.0 client (not 1.0a), this will be fine.

elinw commented Sep 27, 2012

Yes we do have someone working on OAuth1. It's commonly used when data are public (e.g Open Street Map and large govt databases) and also for widgets that phone home

pasamio commented Sep 27, 2012

Does it share a high level of code sharing with 1a or is it completely different like 2 appears to be with no ability to share? If it can share a significant chunk of code I think integrating it into the constructor and setting the behaviour that way and perhaps defaulting to 1a if that's the more predominant value then going forwards that way.

elinw commented Sep 28, 2012

It's extending 1a pretty extensively since really 1a is 1 plus. That sounds like a reasonable approach to me. I'd be happy to see what you're suggesting if Diana thinks it is workable.

pasamio commented Oct 1, 2012

Well the way I see it is we have two options:
1) If OAuth1 and OAuth1a don't share any code either we split them into their own packages. In a sense at the moment that's probably the path of least resistance.
2) If they do share some amount of code that we can re-use between the two, expanding through a constructor param that selects the appropriate version (1 or 1a) and mutates the object behaviour that way.

elinw commented Oct 2, 2012

In terms of the protocols they are almost the same but 1a adds to 1 to deal with the session fixation issue which is not relevant for 1 users. I recently read also that Dropbox uses OAuth1 not 1a.
Open Street Map apparently allows 1a to fall back to 1 and maybe others do too, which to me indicates that just letting it be a param makes sense.

I'm pretty sure the red summarizes the differences.

You an see from the above that the real reason people use 1 is that there are devices with no web browsers and and no keyboards or other input mechanisms so they need to use 1.


There are only few differences between OAuth 1.0 and 1.0a so I have included OAuth1.0 in this client, using a constructor param, like @pasamio said.

There are some problems with the unit test and I would appreciate some help. Locally the tests are passing with no problems, but in the pull tests results I currently get Segmentation fault. This is after my last commit, before it I was getting:
Session expire should be 20
Failed asserting that 900 matches expected 20.

I can't see how this is related to my code.


@dianaprajescu do you have any developer documentation for this PR?


@eddieajau no, I don't have any documentation.

@LouisLandry I have opened this PR 4 months ago, isn't that quite a long time? You should've gave me some feedback and collaborate on this if you were already working on something similar. It seems that I've wasted time for nothing. Both JTwitter and JLinkedin use this client and I was waiting for you guys to give me feedback and finally merge this PR in order to make PRs for JTwitter and JLinkedin.


@dianaprajescu the pull request I have opened does not conflict with this one. It is only implementing the server side of OAuth1. What you may see as a client class in that package is actually representing a "client application" from a server perspective. It is true that I would generally like us to take a slightly different approach on the OAuth clients. I spoke with Aaron about those ideas briefly at the Joomla World Conference. In short, I'd like the OAuth authentication piece be injected into a JHttp class instead of wrapping a JHttp class to allow OAuth authentication for requests. I would like for us to support this type of authentication in the JHttp class similar to how we support basic auth today. I'm very sorry that I haven't had/made the time to give more constructive feedback on this, but c'est la vie.


@LouisLandry Yes, the client class confused me, I haven't looked over it's content but the file is named oauth1/client.php, which is the same with my client. It makes sense to include this in a JHttp class, but for the moment wouldn't it be a good idea to have this OAuth client merged, just like Aaron's was until me or someone else has time to make the change?


@dianaprajescu could you consider writing some documentation about how to use this package please. For those of us that are new to oAuth (like me), it would be helpful to see how you intend developers to use it. A markdown file in /docs/manual/en-US/chapters/packages would be ideal. I certainly appreciate the work you have already put into this but for me I don't know how to review this because there is no documentation of any kind (you probably just need to recycle some of your blog posts from GSOC).

Also, a brief introduction in the description of this pull request would be helpful as the changelog is automatically generated from this information.

For what it's worth, Louis needs to do the same in his pull request ;)

Thanks in advance.


@eddieajau I wrote some documentation for the oAuth client. Let me know what you think.


Thanks @dianaprajescu. Do you do any examples of connecting to real services during GSOC (like an example of connecting to Twitter)?


@eddieajau here is the app I was using for testing the JTwitter package. This is the class that extends the JOAuth1Client. And here is an example of an authorised request.

@Buddhima Buddhima referenced this pull request Jan 2, 2013

JOpenstreetmap Package #1778

dianaprajescu added some commits Jul 31, 2012
@dianaprajescu dianaprajescu Start JOauth 1.0a client code.
Add JInput object to JOauth1aClient + Unit tests.

Get JHttp from Factory.

Session in tests

Fix test session

Destroy session when test ends

Move session destroy in teardown

Update strings to test ones

Change since tag to 12.2

Just for testing purpose

Add is_null in if condition

Update if condition with is_null

Change setToken method, throw $verifier for testing.

Set verifier to null

Use empty instead of isset.

Set input just before calling auth method.

Test input oauth_token value.

Update the input in test

Use strcmp

Add sprintf

Format string for testing.

Set input as value using reflection

Update test

Change 'key' to 'token'

Add if condition for throwing bad session

Remove empty from if condition.

Change DomainException message.

Rename file.
@dianaprajescu dianaprajescu Add blank line before comment. 60996fb
@dianaprajescu dianaprajescu Rename files.
Rename file to match oauth 2 client.

Rename test files too.
@dianaprajescu dianaprajescu Improve code coverage. bc7c4d3
@dianaprajescu dianaprajescu Remove unused method. Use 'scope' JRegistry option. b480437
@dianaprajescu dianaprajescu Rename auth method to authenticate. a6d6cbb
@dianaprajescu dianaprajescu Use JApplication::redirect() instead of JResponse. 8c36441
@dianaprajescu dianaprajescu Rename files. 23f526e
@dianaprajescu dianaprajescu Add OAuth 1.0 to the client. Change since tags. a842efe
@dianaprajescu dianaprajescu Fix mistake 76a72c5
@dianaprajescu dianaprajescu Setup $_SERVER 117ecab
@dianaprajescu dianaprajescu Include JApplicationWebInspector 784422f
@dianaprajescu dianaprajescu Improve code coverage 19f913a
@dianaprajescu dianaprajescu Don't include request's body in the oauth signature. 8792760
@dianaprajescu dianaprajescu Add some documentation 4e00f8d
@dianaprajescu dianaprajescu Make constructor param $version last. 1.0a is used more often
Change contructor param order in test file
@dianaprajescu dianaprajescu Fix CS errors
Remove trailing spaces
@dianaprajescu dianaprajescu Fix CS errors. f76ee93
@dianaprajescu dianaprajescu Update since tag. 94b6bec

I would like to bring this PR into your attention too. The JTwitter and JLinkedIn packages that are ready highly depend on the OAuth client. Moreover, the PR #1786 depends on it too.

elinw commented Jan 12, 2013

+1 and it opens up a lot of other possibilities.


+1 too. If you look at the "List of OAuth service providers" at you can see that most of OAuth providers are using OAuth 1.0 or 1.0a
Therefore adding OAuth 1.0 client would make developers life much easy and enable to develop packages for Joomla with OAuth 1.0 in future.


@dianaprajescu - first, major kudo's for hanging in there over six months and keeping this PR current. You appear to be someone who does not discourage easily. Tenacity comes in handy with open source. =)

Also, I've learned in many years of sometimes being confused as to why something is or isn't happening to pick up on subtle hints which, more often than not, are usually shared once. As I look back through this history, I can't help but wonder if you have you had a chance yet to address @LouisLandry 's concerns? If not, that might be helpful. It might also be useful to review Louis's code on the other PR (which was closed). Maybe there are ideas on approach you might borrow?

Thank you for your work, Diana, and for hanging in there.


Thanks, @AmyStephen ! I'm aware of what @LouisLandry said, but I also suggested to get it merged like this for the moment, until I have time to change it and nobody told me this can't be done. Right now I don't have the necessary time to work on this, so we should probably close this PR and I'll reopen it later.


@dianaprajescu Please don't do so on my account. Maybe a maintainer can comment on what they might be looking. I am just guessing.


@dianaprajescu Another idea is to post on the platform list and ask what might be needed to get this code in. If you don't have time, we could try to find someone to help. Getting some exposure on list could help get all the pieces moving right. If you do, I'll look for your post and see if there is something I might be able to do to help or if I can find something.


I'd hate to see this PR closed. I see a lot of support for it an not much opposition. What can we do to help get it merged?

elinw commented Jan 19, 2013

Just follow Louis's instructions and send a PR to @dianaprajescu


Might be worth joining the discussion Diana started on list a couple of days ago.

@dianaprajescu dianaprajescu referenced this pull request Mar 14, 2013

JLinkedin package #1847

@eddieajau eddieajau merged commit dc1ef58 into joomla:staging Mar 16, 2013
@Narimm Narimm pushed a commit to Narimm/OpenConnect that referenced this pull request Nov 26, 2013
@dianaprajescu dianaprajescu Oauth 1 client 154c63b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.