OAuth for AtomPub in Roller
Over the past month or so I've been adding OAuth support to just about every open source project that I can commit to. I added OAuth support to Roller so that you can now use OAuth to protect Roller's AtomPub server and other things. I also added OAuth support to ROME Propono's AtomPub client so you can now use Propono to post to Roller (more about that later). Here's a quick overview of how OAuth in Roller works.
NOTE that this post applies to Roller 5.0, which has not yet been officially released.
Setting up OAuth for AtomPub in Roller
If you want to use OAuth with AtomPub on your Roller site, go to the Server Admin page and find the Web Services section, enable AtomPub and specify 'oauth' as the authentication mechanism, like so:
<img src="http://rollerweblogger.org/roller/resource/rol_oauthconfig.jpg" alt="OAuth config in Roller 5.0-dev" />Getting your OAuth key, secret and URLs
Once you've done the setup, you'll find an OAuth Credentials link on the Roller Main Menu page, which will lead you a page like the one below showing your OAuth consumer key & secret and, if you are a site admin user, the site-wide key & secret. Currently, there's only one set of site-wide credentials; I plan to fix that.
Of course, those aren't my real keys. You'll want to keep your OAuth keys secret as they can enable anybody to access your Roller account via AtomPub.
Want to try it yourself?
I mentioned that Roller 5.0 has not yet been released and that's true. There's still a lot of work to be done on 5.0, but that doesn't mean you can't get your hands on the code and binaries now. To make it easy, I've made an unofficial snapshot version of Roller 5.0-dev available for testing purposes only. It's what I'm running on my site. You can get it here in two flavors:
apache-roller-5.0-dev-20090321-SNAPSHPOT.tar.gz (31 mb)
apache-roller-5.0-dev-20090321-SNAPSHPOT.zip (31 mb)
The instructions in the old Roller 4.0 installation guide should work fine, so follow them to install and configure the 5.0-dev SNAPSHOT. Please send questions and feedback to either the Roller dev mail list and I'll do my best to respond there.
You'll also need an OAuth capable AtomPub client. More on that topic tomorrow...
Sidebar: What is OAuth and why should you care?
I'm going to be following up my OAuth everywhere! post, with several more OAuth related posts this week. So, just in case you are wondering "why is Dave going off on this cockamamie OAuth tangent?", I'll take some time now to explain a little about OAuth to help you understand.
OAuth is a emerging protocol that one web site can use to access your data on another website without asking you to reveal your username and password. For example, when the sinister BuddyNet9000(TM) Social Network site wants to access your GMail account so it can spam your "friends" on your behalf, you can use OAuth to give it access without telling it your username and password. Why risk your GMail security when all you want to do is spam some people? There are less snarky examples, but that one makes the point well, I think.
There's a good end-user oriented introduction on OAuth.net titled Beginner's Guide to OAuth: Protocol Workflow. OAuth is not that widely deployed yet, and is not perfect, but it is emerging and going the IETF standards route.
I'm interested in OAuth because it's part of the OpenSocial spec, used to authorize access to the OpenSocial REST API and to enable OpenSocial Gadgets to call out to OAuth protected resources. Also, because it's used to protect AtomPub-based services, including the Google Data APIs. I needed to learn about it for my Roller and SocialSite work and if you're going to be doing much OpenSocial work, you'll need to learn about it too.