# Unfiltered OAuth

An implementation of an [OAuth](http://oauth.net/) provider for [Unfiltered](http://github.com/n8han/unfiltered#readme) servers, following the [final 1.0 version][oauth_1_0] of the spec (RFC 5849).

## Usage

From a high level:

```scala
object Main {
  def main(args: Array[String]): Unit = {
    // Backing stores for nonces, tokens and consumers, plus the host application hooks
    val stores = new OAuthStores {
      // ...
    }
    unfiltered.jetty.Http(8080)
      .context("/oauth/") {
        // oauth dance: the request token, authorization and access token endpoints
        _.filter(OAuth(stores))
      }.context("/api") {
        // auth filter: requests must carry valid OAuth credentials before YourApi sees them
        _.filter(Protected(stores))
         .filter(new YourApi)
      }.run
  }
}
```

### OAuthStores

`OAuthStores` defines an interface for querying and creating externally dependent objects within the following types of stores:

#### NonceStore: Storage for nonces

This trait defines one method a provider must implement:

```scala
/** @return true if this is a valid unique combination for a nonce, false otherwise */
def put(consumer: String, timestamp: String, nonce: String): Boolean
```

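As an added example (not the project's own code) of a `NonceStore` built against the `put` signature above: an in-memory store that treats a request as valid only when its timestamp falls within a window of the server clock and the (consumer, timestamp, nonce) triple has not been accepted before, which is the replay protection RFC 5849 section 3.3 expects a provider to perform. The `windowSeconds` and `clock` parameters are assumptions of this example, not part of the trait; a multi-process provider would back the same check with shared storage, for instance a database table with a unique index on the triple.

```scala
import scala.collection.mutable

/** In-memory NonceStore for a single-process provider. Same `put` signature as
 *  the README's NonceStore trait, so it can be plugged in by adding
 *  `extends NonceStore` with the project's import. A request is accepted only
 *  if its timestamp lies within `windowSeconds` of the server clock and the
 *  (consumer, timestamp, nonce) triple has not been accepted before; this is
 *  the replay check RFC 5849 section 3.3 asks providers to make. The
 *  `windowSeconds` and `clock` parameters are assumptions of this example. */
class MemoryNonceStore(
  windowSeconds: Long = 300,
  clock: () => Long = () => System.currentTimeMillis / 1000
) {
  // (consumer, timestamp, nonce) -> the parsed timestamp, kept for pruning
  private val seen = mutable.Map[(String, String, String), Long]()

  /** @return true if this is a valid unique combination for a nonce, false otherwise */
  def put(consumer: String, timestamp: String, nonce: String): Boolean = synchronized {
    val now = clock()
    parseTimestamp(timestamp) match {
      case Some(ts) if math.abs(now - ts) <= windowSeconds =>
        prune(now)
        val triple = (consumer, timestamp, nonce)
        if (seen.contains(triple)) false   // replay of a request already accepted
        else { seen(triple) = ts; true }
      case _ => false                      // malformed, stale or future-dated timestamp
    }
  }

  // oauth_timestamp must be a positive integer number of seconds since the epoch
  private def parseTimestamp(s: String): Option[Long] =
    try { val ts = s.toLong; if (ts > 0) Some(ts) else None }
    catch { case _: NumberFormatException => None }

  /** Forget triples whose timestamp is more than `windowSeconds` in the past.
   *  Any replay of them carries that same (signed) timestamp and now fails the
   *  freshness check in `put`, so pruning loses no protection. Pruning by the
   *  request timestamp rather than by insertion time matters: a future-dated
   *  timestamp accepted near the edge of the window would otherwise become
   *  replayable once its entry aged out. */
  private def prune(now: Long): Unit = {
    val stale = seen.collect { case (triple, ts) if now - ts > windowSeconds => triple }.toList
    seen --= stale
  }
}

/** Exercise the store with a fixed clock so the outcomes are deterministic. */
object NonceStoreDemo extends App {
  var t = 1000000L
  val store = new MemoryNonceStore(windowSeconds = 300, clock = () => t)
  assert(store.put("consumer-key", "1000000", "n1"))   // first use: accepted
  assert(!store.put("consumer-key", "1000000", "n1"))  // exact replay: rejected
  assert(store.put("consumer-key", "1000000", "n2"))   // new nonce, same second: accepted
  assert(store.put("other-key", "1000000", "n1"))      // nonce scope is per consumer
  assert(!store.put("consumer-key", "999000", "n3"))   // 1000 s old: outside the window
  assert(!store.put("consumer-key", "abc", "n4"))      // malformed timestamp
  assert(store.put("consumer-key", "1000200", "n5"))   // 200 s ahead: within the window
  t += 400                                             // server clock moves past the window
  assert(!store.put("consumer-key", "1000000", "n6"))  // stale now, even with a fresh nonce
  assert(store.put("consumer-key", "1000200", "n7"))   // 200 s old now: still fresh
  assert(!store.put("consumer-key", "1000200", "n5"))  // and its earlier nonce is still a replay
  println("nonce checks passed")
}
```

The demo object walks through the rejections a provider has to get right: an exact replay, a stale timestamp, a malformed timestamp, and a triple that was valid earlier but whose timestamp has since left the window. The consumer key and nonces in it are constructed sample values.
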
#### TokenStore: Storage for Tokens (Unauthorized, Authorized, and Access)

This trait defines the following methods a provider must implement:

```scala
/** generate a new key and secret tuple */
def generate: (String, String)
/** generate a new oauth verifier */
def generateVerifier: String
/** store a token */
def put(token: Token): Token
/** retrieve a token
 *  @return one of None, Some(RequestToken), Some(AuthorizedRequestToken), Some(AccessToken) */
def get(tokenId: String): Option[Token]
/** delete a token */
def delete(tokenId: String): Unit
```

#### ConsumerStore: Storage for Consumers

This trait defines the following method a provider must implement:

```scala
/** @return Some(Consumer) if available, None otherwise */
def get(key: String): Option[Consumer]
```

#### UserHost: Host Application hooks and UI templates

This trait defines the following methods a provider must implement:

```scala
/** @return Some(user) if the user is logged in, None otherwise */
def current[T](r: HttpRequest[T]): Option[UserLike]
/** @return true if app logic determines this request was accepted, false otherwise */
def accepted[T](token: String, r: HttpRequest[T]): Boolean
/** @return true if app logic determines this request was denied, false otherwise */
def denied[T](token: String, r: HttpRequest[T]): Boolean
/** @return a view asking the user to log in */
def login(token: String): Html
/** @return a view showing the user the verifier to hand to an out-of-band consumer */
def oobResponse(verifier: String): Html
/** @return http response confirming that the user's denial was processed */
def deniedConfirmation(consumer: Consumer): Html
/** @return a view asking the user to authorize the provided consumer's access */
def requestAcceptance(token: String, consumer: Consumer): Html
```

## Implementation Notes

### n access_tokens per user + consumer

The OAuth [final 1.0 version][oauth_1_0] spec does not specify how a provider should behave when the same consumer requests multiple access_tokens for the same user. One option is to always return the same token. Another is to delete previous access_tokens. Both are viable, but if a provider deletes previous access_tokens, a user who is authenticated with the same consumer in multiple locations may be forced to reauthenticate. If the server always returned the same access_token for a given consumer and user combination, the same consumer used from a separate location would still have to go through a few needless steps requesting request_tokens, adding overhead for the provider.

This implementation opts not to stand in the way and allows multiple access_tokens per user and consumer combination. This is useful where a user may be authenticated under the same application in multiple locations, each location having its own access_token. It also gives the end user a little more flexibility: access can be revoked for one targeted consumer connection rather than all at once. The only drawback is that the provider's user host is responsible for indicating that there can be multiple connections for a given user and consumer and for letting the user tell them apart. This decision was based on a discussion on the [twitter api mailing list](http://code.google.com/p/twitter-api/issues/detail?id=372).

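An added example (not the project's own code) that serves both the `TokenStore` section above and this note: an in-memory store with the `TokenStore` method signatures listed above, generating keys, secrets and verifiers with `java.security.SecureRandom`, and keeping several access_tokens per user and consumer so the host can revoke one connection at a time. The project's `Token`, `RequestToken`, `AuthorizedRequestToken` and `AccessToken` types are not shown on this page, so the case classes below are assumed stand-ins for them, and `accessTokensFor` is a helper beyond the trait.

```scala
import java.security.SecureRandom
import scala.collection.mutable

// Assumed stand-ins for the project's Token hierarchy, which this README does
// not show: the README only names RequestToken, AuthorizedRequestToken and
// AccessToken and says a TokenStore is keyed by a token id.
sealed trait Token { def key: String; def secret: String; def consumerKey: String }
case class RequestToken(key: String, secret: String, consumerKey: String, callback: String) extends Token
case class AuthorizedRequestToken(key: String, secret: String, consumerKey: String,
                                  user: String, verifier: String) extends Token
case class AccessToken(key: String, secret: String, consumerKey: String, user: String) extends Token

/** In-memory TokenStore with the method signatures listed in the README.
 *  Keys, secrets and verifiers come from SecureRandom: the verifier in
 *  particular must be unguessable, since a consumer presents it to prove the
 *  user really authorized the request token. Several AccessTokens may exist
 *  for one user and consumer, one per connection, so the host can revoke a
 *  single connection without touching the others. */
class MemoryTokenStore(rng: SecureRandom = new SecureRandom) {
  private val tokens = mutable.Map[String, Token]()

  private def randomHex(bytes: Int): String = {
    val buf = new Array[Byte](bytes)
    rng.nextBytes(buf)
    buf.map(b => "%02x".format(b & 0xff)).mkString
  }

  /** generate a new key and secret tuple */
  def generate: (String, String) = (randomHex(16), randomHex(32))
  /** generate a new oauth verifier */
  def generateVerifier: String = randomHex(16)
  /** store a token, replacing any token with the same key (e.g. when a request token is authorized) */
  def put(token: Token): Token = synchronized { tokens(token.key) = token; token }
  /** retrieve a token: None, Some(RequestToken), Some(AuthorizedRequestToken) or Some(AccessToken) */
  def get(tokenId: String): Option[Token] = synchronized { tokens.get(tokenId) }
  /** delete a token */
  def delete(tokenId: String): Unit = synchronized { tokens -= tokenId }

  /** Host-side helper beyond the trait: the live connections for one user and
   *  consumer, which a user host can list and let the user revoke individually. */
  def accessTokensFor(user: String, consumerKey: String): List[AccessToken] = synchronized {
    tokens.values.collect {
      case t: AccessToken if t.user == user && t.consumerKey == consumerKey => t
    }.toList
  }
}

/** Walk two "connections" of the same user and consumer through the token
 *  lifecycle and show that revoking one leaves the other usable.
 *  The user and consumer names are constructed sample values. */
object TokenFlowDemo extends App {
  val store = new MemoryTokenStore

  /** One OAuth 1.0 dance, collapsed: request token -> authorized -> access token. */
  def connect(user: String, consumerKey: String): AccessToken = {
    val (rk, rs) = store.generate
    store.put(RequestToken(rk, rs, consumerKey, "oob"))                     // temporary credentials issued
    val verifier = store.generateVerifier
    store.put(AuthorizedRequestToken(rk, rs, consumerKey, user, verifier))  // user approved the consumer
    store.get(rk) match {
      case Some(AuthorizedRequestToken(_, _, c, u, v)) if v == verifier =>
        store.delete(rk)                   // request tokens are single-use: retire before issuing
        val (ak, aSecret) = store.generate
        val access = AccessToken(ak, aSecret, c, u)
        store.put(access)
        access
      case _ => sys.error("request token was not authorized")
    }
  }

  val laptop = connect("alice", "consumer-key")
  val phone  = connect("alice", "consumer-key")
  assert(laptop.key != phone.key)
  assert(store.accessTokensFor("alice", "consumer-key").toSet == Set(laptop, phone))
  store.delete(phone.key)                                  // revoke one connection only
  assert(store.accessTokensFor("alice", "consumer-key") == List(laptop))
  assert(store.get(phone.key).isEmpty && store.get(laptop.key).contains(laptop))
  println("token flow checks passed")
}
```

Deleting the request token before issuing the access_token is the check worth keeping from this example: an authorized request token that stayed in the store could be exchanged a second time.
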
# TODO

* work on non-oob testing
* support the RSA-SHA1 signature method
* examples
* more tests

[oauth_1_0]: http://tools.ietf.org/html/rfc5849