Tuesday May 18, 2010

OAuth and OpenID: take2

Lots of activity in the OpenID and OAuth space recently. Both OAuth and OpenID have suffered from bad user experience, bad developer experience and low adoption. Now they're in the process of re-invention and folks from both Google and Facebook are involved. Here's my reading list so far on the topic:

Thursday Mar 26, 2009

Tuesday Mar 24, 2009

OAuth for ROME Propono

Yesterday I wrote about OAuth support in the upcoming Roller 5.0 release. Today I'm following up with a post about OAuth support in ROME Propono.

As you may remember, ROME Propono is a subproject of ROME, the Java-based RSS/Atom feed library. ROME Propono includes an AtomPub server library and an AtomPub client. I added OAuth support to the AtomPub client and in this post, I'll show how you can use it to post to the Roller 5.0-dev (i.e. the snapshot build that I made available yesterday).

ROME 1.0 and coming soon: ROME Propono 1.0

In case you haven't already heard, thanks to the recent hard work of Nick Lothian, ROME 1.0 is now available. You can find downloads at rome.dev.java.net and a list of changes in the Change Log there. To celebrate this momentous event, I'm planning on releasing ROME Propono 1.0 as well, and in preparation, I've made a release candidate available. The new Propono includes ROME 1.0 and support for OAuth. You can get it via the links below:

rome-propono-1.0RC1.tar.gz (2.0 mb)

rome-propono-1.0RC1.zip (3 mb)

Posting to Roller via AtomPub and OAuth

To use the Propono AtomPub client, you place the Propono jars in your Java VM classpath and then call the AtomClientFactory to get started, as described in the ROME Propono 1.0 Javadocs.

Below is a Groovy example that shows how to post a blog entry to Roller via AtomPub and OAuth. You can get the consumer key, secret and URLs you need to call your instance of Roller from the OAuth Credentials page in the Roller admin interface.


  import com.sun.syndication.propono.atom.client.*
  import com.sun.syndication.feed.atom.*

  def authStrategy = new OAuthStrategy(
    "roller",                               // username
    "55132608a2fb68816bcd3d1caeafc933",     // consumer key
    "bb420783-fdea-4270-ab83-36445c18c307", // consumer secret
    "HMAC-SHA1",                            // key type
    "http://blogs.example.com/roller-services/oauth/requestToken",
    "http://blogs.example.com/roller-services/oauth/authorize",
    "http://blogs.example.com/roller-services/oauth/accessToken")

  // get the AtomPub service
  def appService = AtomClientFactory.getAtomService(
    "http://blogs.example.com/roller-services/app", authStrategy)

  // find workspace of my blog
  def blog = appService.findWorkspace("Blogging Roller")

  // find collection that will accept entries
  def entries = blog.findCollection(null, "application/atom+xml;type=entry")

  // create and post an entry
  def entry = entries.createEntry()
  entry.title = "TestPost"
  def content = new Content()
  content.setValue("This is a test post. w00t!")
  entry.setContent([content])
  entries.addEntry(entry)
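
What the "HMAC-SHA1" key type passed to the strategy above means on the wire, shown as an added Python example (not Propono's or Roller's code): how an OAuth 1.0 request is signed with the consumer and token secrets, and how a server checks it. The function names, the token and all key and secret values are constructed placeholders, and the URL is assumed to be already normalized (lower-case host, no query string).

```python
import base64, hashlib, hmac
from urllib.parse import quote

def enc(value):
    # OAuth 1.0 percent-encoding: escape everything except RFC 3986 unreserved chars.
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Sort the encoded parameters (oauth_signature itself is never signed).
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is built from both secrets; neither is ever sent on the wire.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(method, url, params, consumer_secret, token_secret, now, seen, max_skew=300):
    # Server side: reject stale requests, then bad signatures, then replays.
    if abs(now - int(params["oauth_timestamp"])) > max_skew:
        return "stale timestamp"
    expected = sign(method, url, params, consumer_secret, token_secret)
    supplied = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad signature"
    nonce = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
    if nonce in seen:  # only authenticated requests reach the nonce store
        return "replayed nonce"
    seen.add(nonce)
    return "ok"

# Constructed sample request; key, token and secrets are placeholders.
URL = "http://blogs.example.com/roller-services/app"
CONSUMER_SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"
REQUEST = {
    "oauth_consumer_key": "example-key", "oauth_token": "example-token", "oauth_nonce": "n1",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1237852800", "oauth_version": "1.0",
}

def demo():
    signed = dict(REQUEST, oauth_signature=sign("POST", URL, REQUEST, CONSUMER_SECRET, TOKEN_SECRET))
    forged = dict(REQUEST, oauth_signature=sign("POST", URL, REQUEST, "guessed-secret", TOKEN_SECRET))
    seen = set()
    check = lambda p, now: verify("POST", URL, p, CONSUMER_SECRET, TOKEN_SECRET, now, seen)
    return check(signed, 1237852810), check(signed, 1237852811), check(forged, 1237852812)
```

An Atom entry body is not form-encoded, so this signature covers only the method, URL and OAuth parameters, not the posted entry itself; use HTTPS if the content needs integrity or confidentiality in transit.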

If you have questions or feedback about ROME Propono 1.0 RC1, please post them to the ROME dev mail list and I'll do my best to respond there.

Monday Mar 23, 2009

OAuth for AtomPub in Roller

Over the past month or so I've been adding OAuth support to just about every open source project that I can commit to. I added OAuth support to Roller so that you can now use OAuth to protect Roller's AtomPub server and other things. I also added OAuth support to ROME Propono's AtomPub client so you can now use Propono to post to Roller (more about that later). Here's a quick overview of how OAuth in Roller works.

NOTE that this post applies to Roller 5.0, which has not yet been officially released.

Setting up OAuth for AtomPub in Roller

If you want to use OAuth with AtomPub on your Roller site, go to the Server Admin page and find the Web Services section, enable AtomPub and specify 'oauth' as the authentication mechanism, like so:

OAuth config in Roller 5.0-dev

Getting your OAuth key, secret and URLs

Once you've done the setup, you'll find an OAuth Credentials link on the Roller Main Menu page, which will lead you to a page like the one below showing your OAuth consumer key & secret and, if you are a site admin user, the site-wide key & secret. Currently, there's only one set of site-wide credentials; I plan to fix that.

OAuth keys page in Roller 5.0-dev

Of course, those aren't my real keys. You'll want to keep your OAuth keys secret as they can enable anybody to access your Roller account via AtomPub.

Want to try it yourself?

I mentioned that Roller 5.0 has not yet been released and that's true. There's still a lot of work to be done on 5.0, but that doesn't mean you can't get your hands on the code and binaries now. To make it easy, I've made an unofficial snapshot version of Roller 5.0-dev available for testing purposes only. It's what I'm running on my site. You can get it here in two flavors:

apache-roller-5.0-dev-20090321-SNAPSHPOT.tar.gz (31 mb)

apache-roller-5.0-dev-20090321-SNAPSHPOT.zip (31 mb)

The instructions in the old Roller 4.0 installation guide should work fine, so follow them to install and configure the 5.0-dev SNAPSHOT. Please send questions and feedback to the Roller dev mail list and I'll do my best to respond there.

You'll also need an OAuth capable AtomPub client. More on that topic tomorrow...

Sidebar: What is OAuth and why should you care?

I'm going to be following up my OAuth everywhere! post, with several more OAuth related posts this week. So, just in case you are wondering "why is Dave going off on this cockamamie OAuth tangent?", I'll take some time now to explain a little about OAuth to help you understand.

OAuth is an emerging protocol that one web site can use to access your data on another website without asking you to reveal your username and password. For example, when the sinister BuddyNet9000(TM) Social Network site wants to access your GMail account so it can spam your "friends" on your behalf, you can use OAuth to give it access without telling it your username and password. Why risk your GMail security when all you want to do is spam some people? There are less snarky examples, but that one makes the point well, I think.

There's a good end-user oriented introduction on OAuth.net titled Beginner's Guide to OAuth: Protocol Workflow. OAuth is not that widely deployed yet, and is not perfect, but it is emerging and going the IETF standards route.

I'm interested in OAuth because it's part of the OpenSocial spec, used to authorize access to the OpenSocial REST API and to enable OpenSocial Gadgets to call out to OAuth protected resources. Also, because it's used to protect AtomPub-based services, including the Google Data APIs. I needed to learn about it for my Roller and SocialSite work and if you're going to be doing much OpenSocial work, you'll need to learn about it too.

Sunday Mar 22, 2009

ApacheCon EU 2009!

Tuesday Jul 08, 2008

Latest Links