Skip to content
This repository

OAuth 1.0 and 1.0a client #1422

Merged
merged 19 commits into from about 1 year ago

9 participants

Diana Neculai Rouven Weßling Sam Moffatt elinw Andrew Eddie Louis Landry Buddhima Wijeweera AmyStephen Matt Thomas
Diana Neculai

No description provided.

Rouven Weßling
Collaborator

This looks pretty great already. You got a couple of uni test errs thou: http://developer.joomla.org/pulls/pulls/1422.html

Diana Neculai

Thanks!

Yes, I know and I am trying to fix them. The fun fact is that locally the tests pass - the problem is at setting session the right way in tests.

Diana Neculai

Solved it, no errors now :)

libraries/joomla/oauth/1aClient.php
((84 lines not shown))
  84
+			{
  85
+				$this->token = null;
  86
+			}
  87
+		}
  88
+
  89
+		$verifier = $this->input->get('oauth_verifier');
  90
+
  91
+		if (empty($verifier))
  92
+		{
  93
+			// Generate a request token.
  94
+			$this->_generateRequestToken();
  95
+
  96
+			// Authenticate the user and authorise the app.
  97
+			$this->_authorise();
  98
+		}
  99
+		// Callback
1
elinw
elinw added a note August 03, 2012

This should really have a blank line above the comment.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Sam Moffatt

@dianaprajescu Can you rename it to just oauth/client.php and we'll have oauth2/client.php. Unless someone is planning on implementing a 1.0 client (not 1.0a), this will be fine.

elinw

Yes we do have someone working on OAuth1. It's commonly used when data are public (e.g Open Street Map and large govt databases) and also for widgets that phone home

Sam Moffatt

Does it share a high level of code sharing with 1a or is it completely different like 2 appears to be with no ability to share? If it can share a significant chunk of code I think integrating it into the constructor and setting the behaviour that way and perhaps defaulting to 1a if that's the more predominant value then going forwards that way.

elinw

It's extending 1a pretty extensively since really 1a is 1 plus. That sounds like a reasonable approach to me. I'd be happy to see what you're suggesting if Diana thinks it is workable.

Sam Moffatt

Well the way I see it is we have two options:
1) If OAuth1 and OAuth1a don't share any code either we split them into their own packages. In a sense at the moment that's probably the path of least resistance.
2) If they do share some amount of code that we can re-use between the two, expanding through a constructor param that selects the appropriate version (1 or 1a) and mutates the object behaviour that way.

elinw

In terms of the protocols they are almost the same but 1a adds to 1 to deal with the session fixation issue which is not relevant for 1 users. http://oauth.net/core/1.0/ I recently read also that Dropbox uses OAuth1 not 1a.
Open Street Map apparently allows 1a to fall back to 1 and maybe others do too, which to me indicates that just letting it be a param makes sense.

http://wiki.oauth.net/w/page/12238555/Signed%20Callback%20URLs

I'm pretty sure the red summarizes the differences.
http://wiki.oauth.net/w/page/12238535/OAuth%20Session%20Fixation%20Advisory

You an see from the above that the real reason people use 1 is that there are devices with no web browsers and and no keyboards or other input mechanisms so they need to use 1.

Diana Neculai

There are only few differences between OAuth 1.0 and 1.0a so I have included OAuth1.0 in this client, using a constructor param, like @pasamio said.

There are some problems with the unit test and I would appreciate some help. Locally the tests are passing with no problems, but in the pull tests results I currently get Segmentation fault. This is after my last commit, before it I was getting:
JSessionTest::testGetExpire
Session expire should be 20
Failed asserting that 900 matches expected 20.
.../tests/suites/unit/joomla/session/JSessionTest.php:131

I can't see how this is related to my code.

Andrew Eddie
Owner

@dianaprajescu do you have any developer documentation for this PR?

Diana Neculai

@eddieajau no, I don't have any documentation.

@LouisLandry I have opened this PR 4 months ago, isn't that quite a long time? You should've gave me some feedback and collaborate on this if you were already working on something similar. It seems that I've wasted time for nothing. Both JTwitter and JLinkedin use this client and I was waiting for you guys to give me feedback and finally merge this PR in order to make PRs for JTwitter and JLinkedin.

Louis Landry

@dianaprajescu the pull request I have opened does not conflict with this one. It is only implementing the server side of OAuth1. What you may see as a client class in that package is actually representing a "client application" from a server perspective. It is true that I would generally like us to take a slightly different approach on the OAuth clients. I spoke with Aaron about those ideas briefly at the Joomla World Conference. In short, I'd like the OAuth authentication piece be injected into a JHttp class instead of wrapping a JHttp class to allow OAuth authentication for requests. I would like for us to support this type of authentication in the JHttp class similar to how we support basic auth today. I'm very sorry that I haven't had/made the time to give more constructive feedback on this, but c'est la vie.

Diana Neculai

@LouisLandry Yes, the client class confused me, I haven't looked over it's content but the file is named oauth1/client.php, which is the same with my client. It makes sense to include this in a JHttp class, but for the moment wouldn't it be a good idea to have this OAuth client merged, just like Aaron's was until me or someone else has time to make the change?

Andrew Eddie
Owner

@dianaprajescu could you consider writing some documentation about how to use this package please. For those of us that are new to oAuth (like me), it would be helpful to see how you intend developers to use it. A markdown file in /docs/manual/en-US/chapters/packages would be ideal. I certainly appreciate the work you have already put into this but for me I don't know how to review this because there is no documentation of any kind (you probably just need to recycle some of your blog posts from GSOC).

Also, a brief introduction in the description of this pull request would be helpful as the changelog is automatically generated from this information.

For what it's worth, Louis needs to do the same in his pull request ;)

Thanks in advance.

Diana Neculai

@eddieajau I wrote some documentation for the oAuth client. Let me know what you think.

Andrew Eddie
Owner

Thanks @dianaprajescu. Do you do any examples of connecting to real services during GSOC (like an example of connecting to Twitter)?

Diana Neculai

@eddieajau here is the app I was using for testing the JTwitter package. This is the class that extends the JOAuth1Client. And here is an example of an authorised request.

added some commits July 31, 2012
Diana Neculai Start JOauth 1.0a client code.
Add JInput object to JOauth1aClient + Unit tests.

Get JHttp from Factory.

Session in tests

Fix test session

Destroy session when test ends

Move session destroy in teardown

Update strings to test ones

Change since tag to 12.2

Just for testing purpose

Add is_null in if condition

Update if condition with is_null

Change setToken method, throw $verifier for testing.

Set verifier to null

Use empty instead of isset.

Set input just before calling auth method.

Test input oauth_token value.

Update the input in test

Use strcmp

Add sprintf

Format string for testing.

Set input as value using reflection

Update test

Change 'key' to 'token'

Add if condition for throwing bad session

Remove empty from if condition.

Change DomainException message.

Rename file.
0479ff9
Diana Neculai Add blank line before comment. 60996fb
Diana Neculai Rename files.
Rename file to match oauth 2 client.

Rename test files too.
fe6d74a
Diana Neculai Improve code coverage. bc7c4d3
Diana Neculai Remove unused method. Use 'scope' JRegistry option. b480437
Diana Neculai Rename auth method to authenticate. a6d6cbb
Diana Neculai Use JApplication::redirect() instead of JResponse. 8c36441
Diana Neculai Rename files. 23f526e
Diana Neculai Add OAuth 1.0 to the client. Change since tags. a842efe
Diana Neculai Fix mistake 76a72c5
Diana Neculai Setup $_SERVER 117ecab
Diana Neculai Include JApplicationWebInspector 784422f
Diana Neculai Improve code coverage 19f913a
Diana Neculai Don't include request's body in the oauth signature. 8792760
Diana Neculai Add some documentation 4e00f8d
Diana Neculai Make constructor param $version last. 1.0a is used more often
Change contructor param order in test file
96d3f6c
Diana Neculai Fix CS errors
Remove trailing spaces
f6f06e2
Diana Neculai Fix CS errors. f76ee93
Diana Neculai Update since tag. 94b6bec
Diana Neculai

I would like to bring this PR into your attention too. The JTwitter and JLinkedIn packages that are ready highly depend on the OAuth client. Moreover, the PR #1786 depends on it too.

elinw

+1 and it opens up a lot of other possibilities.

Buddhima Wijeweera

+1 too. If you look at the "List of OAuth service providers" at http://en.wikipedia.org/wiki/OAuth you can see that most of OAuth providers are using OAuth 1.0 or 1.0a
Therefore adding OAuth 1.0 client would make developers life much easy and enable to develop packages for Joomla with OAuth 1.0 in future.

AmyStephen

@dianaprajescu - first, major kudo's for hanging in there over six months and keeping this PR current. You appear to be someone who does not discourage easily. Tenacity comes in handy with open source. =)

Also, I've learned in many years of sometimes being confused as to why something is or isn't happening to pick up on subtle hints which, more often than not, are usually shared once. As I look back through this history, I can't help but wonder if you have you had a chance yet to address @LouisLandry 's concerns? If not, that might be helpful. It might also be useful to review Louis's code on the other PR (which was closed). Maybe there are ideas on approach you might borrow?

Thank you for your work, Diana, and for hanging in there.

Diana Neculai

Thanks, @AmyStephen ! I'm aware of what @LouisLandry said, but I also suggested to get it merged like this for the moment, until I have time to change it and nobody told me this can't be done. Right now I don't have the necessary time to work on this, so we should probably close this PR and I'll reopen it later.

AmyStephen

@dianaprajescu Please don't do so on my account. Maybe a maintainer can comment on what they might be looking. I am just guessing.

AmyStephen

@dianaprajescu Another idea is to post on the platform list and ask what might be needed to get this code in. If you don't have time, we could try to find someone to help. Getting some exposure on list could help get all the pieces moving right. If you do, I'll look for your post and see if there is something I might be able to do to help or if I can find something.

Matt Thomas
Owner

I'd hate to see this PR closed. I see a lot of support for it an not much opposition. What can we do to help get it merged?

elinw

Just follow Louis's instructions and send a PR to @dianaprajescu

AmyStephen

Might be worth joining the discussion Diana started on list a couple of days ago.

https://groups.google.com/d/topic/joomla-dev-platform/xddM8195hpo/discussion

Diana Neculai dianaprajescu referenced this pull request March 14, 2013
Merged

JLinkedin package #1847

Andrew Eddie eddieajau merged commit dc1ef58 into from March 15, 2013
Andrew Eddie eddieajau closed this March 15, 2013
BenC Narimm referenced this pull request from a commit in Narimm/OpenConnect January 02, 2013
Diana Neculai Oauth 1 client 154c63b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Showing 19 unique commits by 1 author.

Jan 11, 2013
Diana Neculai Start JOauth 1.0a client code.
Add JInput object to JOauth1aClient + Unit tests.

Get JHttp from Factory.

Session in tests

Fix test session

Destroy session when test ends

Move session destroy in teardown

Update strings to test ones

Change since tag to 12.2

Just for testing purpose

Add is_null in if condition

Update if condition with is_null

Change setToken method, throw $verifier for testing.

Set verifier to null

Use empty instead of isset.

Set input just before calling auth method.

Test input oauth_token value.

Update the input in test

Use strcmp

Add sprintf

Format string for testing.

Set input as value using reflection

Update test

Change 'key' to 'token'

Add if condition for throwing bad session

Remove empty from if condition.

Change DomainException message.

Rename file.
0479ff9
Diana Neculai Add blank line before comment. 60996fb
Diana Neculai Rename files.
Rename file to match oauth 2 client.

Rename test files too.
fe6d74a
Diana Neculai Improve code coverage. bc7c4d3
Diana Neculai Remove unused method. Use 'scope' JRegistry option. b480437
Diana Neculai Rename auth method to authenticate. a6d6cbb
Diana Neculai Use JApplication::redirect() instead of JResponse. 8c36441
Diana Neculai Rename files. 23f526e
Diana Neculai Add OAuth 1.0 to the client. Change since tags. a842efe
Diana Neculai Fix mistake 76a72c5
Diana Neculai Setup $_SERVER 117ecab
Diana Neculai Include JApplicationWebInspector 784422f
Diana Neculai Improve code coverage 19f913a
Diana Neculai Don't include request's body in the oauth signature. 8792760
Diana Neculai Add some documentation 4e00f8d
Diana Neculai Make constructor param $version last. 1.0a is used more often
Change contructor param order in test file
96d3f6c
Diana Neculai Fix CS errors
Remove trailing spaces
f6f06e2
Diana Neculai Fix CS errors. f76ee93
Diana Neculai Update since tag. 94b6bec
Something went wrong with that request. Please try again.