Blogging Roller

OAuth and OpenID: take2

Dave Johnson — Tue, 18 May 2010 13:48:47 +0000

Lot's of activity in the OpenID and OAuth space recently. Both OAuth and OpenID have suffered from bad user experience, bad developer experience and low adoption. Now they're in the process of re-invention and folks from both Google and Facebook are involved. Here's my reading list so far on the topic:

IETF OAuth working group - The OAuth 2.0 Protocol - draft-ietf-oauth-v2-05 is the latest draft of OAuth 2.0, published about two weeks ago.
Eran Hammer-Lahav - Introducing OAuth 2.0 is an excellent overview of what's different and new about OAuth 2.0, listing the six new flows that are supported including a username/password flow.
David Recordon (Facebook) - OpenID Connect: A strawman... is a proposal for "OpenID Connect" a standard way to do what Facebook Connect and Google Friend Connect today, allow users to login sites with either their Facebook, Google or other identity provider credentials.
Chris Messina (Google) - Combining OpenID and OAuth with OpenID Connect covers the thinking behind OpenID Connect and the expansion of the "OpenID brand."
Michael Calore (WebMonkey) - New ‘OpenID Connect’ Proposal Could Solve Many of the Social Web’s Woes covers motivations behind OpenID Connect, problems with OAuth and OpenID.
Joseph Holsten - Your New New Web Identity another nice overview of the new OpenID and OAuth ideas, pushes back against dropping/reinventing of OpenID Attribute Exchange.
Tantek Celic - I'm calling bullshit on #OpenID Connect. Still too complex, ... is about one run-on tweet's worth of contructive criticism

OAuth everywhere (continued)

Dave Johnson — Thu, 26 Mar 2009 02:00:00 +0000

In my earlier OAuth everywhere post I explained at a high level "how I got a Roller Gadget working, one that uses OAuth to call Roller and enables Roller to use OAuth to call back to the social network." I ended with some unanswered questions:

How do I add my gadget to SocialSite so users can install and use it?
How does SocialSite get the Consumer Key and Secret needed for calling Roller?
How does Roller get the Consumer Key and Secret needed for calling SocialSite?
How does the user authorize Roller's access to his Profile information in SocialSite?
When is OAuth support coming to the Roller trunk and can you use it for AtomPub?

(that last question was answered in OAuth for AtomPub in Roller earlier this week)

Now that I've wrapped up my work on OAuth in SocialSite and OAuth in Roller, I'm prepared to answer those questions. I'll do it by reviewing how I developed my Social Roller gadget and set it up to work on http://rollerweblogger.org, my Roller and SocialSite powered site.

Along the way, I'll provide links to source code and screen-shots. I'll be referring to the diagram from first post, so I'll reproduce it here for the sake of convenience:

NOTE: this post is based on the current code in the Project SocialSite SVN trunk. The things described below WILL NOT work with the SocialSite M3 release.

Step 1 - Develop an OpenSocial Application#

My first step was to develop an OpenSocial application for Roller. This application is made up of the three parts listed below. These are the parts show in light-blue in the diagram above.

An OpenSocial Gadget for Roller that a user can install into his SocialSite profile. An OpenSocial Gadget is defined by Gadget Specification, an XML file with the metadata, HTML, CSS and JavaScript that render the gadget's user interface. I developed my gadget as a Roller page template and you can view it's source code here: gadget.xml
A gadget setup page, a new JSP page in Roller that is called by the gadget to enable and disable Activity posting. This JSP page is protected by OAuth and returns data in JSON format to the gadget. View the source code here setupgadget.jsp
A Roller Task that runs periodically, checks to see if any gadget users have created new blog posts and if they have, posts a Activity to SocialSite for each, by calling the OAuth-protected OpenSocial REST API provided by SocialSite. View the source code here SocialRollerTask.java

Step 2 - Register gadget with SocialSite#

This section answers the question "How do I add my gadget to SocialSite so users can install and use it?"

My next step was to register my application. Remember that SocialSite is intended to add social features to existing web sites and has very little user interface of its own, it's mostly made up of gadgets. So, the way you register a new application on a SocialSite-enabled site is to sign-up as a user of that site, go to your profile page, install the SocialSite Developer Gadget and then use that gadget to register your new application.

You can see a screenshot of the SocialSite Developer Gadget below. In the simplest case, you just enter the URL of your Gadget Specification, but I needed to take a couple of extra steps because my gadget needs to call an OAuth protected resource in Roller.

This next paragraph answers the question "How does SocialSite get the Consumer Key and Secret needed for calling Roller?"

I need my gadget to call back to the Roller setupgadget.jsp page (that's part #4 in the diagram above) to enable/disable activity posting. Because that page is protected by OAuth, I had to go into Roller and get Roller's site-wide OAuth key and secret (see also: OAuth for Roller) and then enter those it the Developer Gadget. SocialSite stores them and will use them to take care of the OAuth authentication process on each gadget call to Roller (in part #2 above).

Step 3 - Approve gadget registration#

Since I'm the administrator of my site, I approved my own gadget registration. I did this by logging into my site's SocialSite admin console, went to the Gadget Management tab, saw my new gadget registration request and approved it. Here's a screenshot of the Gadget Registration approval page:

Step 4 - Add OAuth consumer key and secret to Roller#

This next paragraph answers the question "How does Roller get the Consumer Key and Secret needed for calling SocialSite?"

After your gadget is approved for use on a SocialSite enabled site, you'll find the consumer key and secret that Roller needs to call the OpenSocial REST API (that's step #6 above) in the SocialSite Developer Gadget. Here's what you see in the Developer Gadget once you gadget is approved.

My OpenSocial Roller application needs to know about those keys, so I put them in its configuration. For simplicity's sake, I'm not going to go into the details of this step.

Step 5 - install the Social Roller gadget#

Finally, the OpenSocial Roller application is ready for use. To install it, I went to my profile page, clicked the Gadget Directory button, browsed through the gadgets until I found it and then clicked the install button. Here's a screenshot of the SocialSite Gadget Directory, which you can access from the SocialSite Profile Gadget:

The Social Roller Gadget is the last item in the list, the "Simple Roller Gadget."

Step 6 - authorize and enable the Social Roller gadget#

After I installed the gadget, it appeared in my Profile page as you can see in the screenshot below. It's installed and ready to run, but it's not yet authorized to access my Roller account so it tells me "Before you can use this gadget, you must authorize it to access your Roller account."

Finally, I can answer the question "How does the user authorize Roller's access to his Profile information in SocialSite?"

I want the gadget to access my Roller account so I clicked on the authorize link and saw this page popup, directly from Roller, which asks me to take the final step to authorize access.

After I clicked the authorize button, page disappeared and the Social Roller gadget redisplayed itself as you can see in the screenshot below. The gadget is now ready to access my Roller account and is asking me to enable activity posting:

I clicked the enable posting button and saw this:

And now, whenever I post a new blog entry, an activity is added to my profile. Here's proof in the form of a screenshot:

Conclusion#

I've done the work to enable OAuth in SocialSite and Roller, so now it's possible to develop OpenSocial gadgets for Roller that will work with SocialSite and other OpenSocial containers. The Roller side of this work is now available in Apache Roller (in the SVN trunk), but the future of the SocialSite is still uncertain.

I think SocialSite still has great potential. That's why I'm spending so much time promoting it and moving it forward, but I can't do it all myself. I'm joining IBM next week and as far as I know, SocialSite will NOT be part of my job. I'll wrap up this series of posts tomorrow with a post discussing the future of Project SocialSite.

OAuth for ROME Propono

Dave Johnson — Tue, 24 Mar 2009 12:00:00 +0000

Yesterday I wrote about OAuth support in the upcoming Roller 5.0 release. Today I'm following up with a post about OAuth support in ROME Propono.

As you may remember, ROME Propono is a subproject of ROME, the Java-based RSS/Atom feed library. ROME Propono includes an AtomPub server library and an AtomPub client. I added OAuth support to the AtomPub client and in this post, I'll show how you can use it to post to the Roller 5.0-dev (i.e. the snapshot build that I made available yesterday).

ROME 1.0 and coming soon: ROME Propono 1.0

In case you haven't already heard, thanks to the recent hard work of Nick Lothian, ROME 1.0 is now available. You can find downloads at rome.dev.java.net and a list of changes in the Change Log there. To celebrate this momentous event, I'm planning on releasing ROME Propono 1.0 as well, and in preparation, I've made a release candidate available. The new Propono includes ROME 1.0 and support for OAuth. You can get it via the links below:

rome-propono-1.0RC1.tar.gz (2.0 mb)

rome-propono-1.0RC1.zip (3 mb)

Posting to Roller via AtomPub and OAuth

To use the Propono AtomPub client, you place the Propono jars in your Java VM classpath and then call the AtomClientFactory to get started, as described in the ROME Propono 1.0 Javadocs.

Below is a Groovy example that shows how to post a blog entry to Roller via AtomPub and OAuth. You can get the consumer key, secret and URLs you need to call your instance of Roller from the OAuth Credentials page in the Roller admin interface.


  import com.sun.syndication.propono.atom.client.*
  import com.sun.syndication.feed.atom.*

  def authStrategy = new OAuthStrategy(
    "roller",                               // username
    "55132608a2fb68816bcd3d1caeafc933",     // consumer key
    "bb420783-fdea-4270-ab83-36445c18c307", // consumer secret
    "HMAC-SHA1",                            // key type
    "http://blogs.example.com/roller-services/oauth/requestToken",
    "http://blogs.example.com/roller-services/oauth/authorize",
    "http://blogs.example.com/roller-services/oauth/accessToken")

  // get the AtomPub service
  def appService = AtomClientFactory.getAtomService(
    "http://blogs.example.com/roller-services/app", authStrategy)

  // find workspace of my blog
  def blog = appService.findWorkspace("Blogging Roller")

  // find collecton that will accept entries
  def entries = blog.findCollection(null, "application/atom+xml;type=entry")

  // create and post an entry
  def entry = entries.createEntry()
  entry.title = "TestPost"
  def content = new Content()
  content.setValue("This is a test post. w00t!")
  entry.setContent([content])
  entries.addEntry(entry)

If you have questions or feedback about ROME Propono 1.0 RC1, please post them to the ROME dev mail list and I'll do my best to respond there.

OAuth for AtomPub in Roller

Dave Johnson — Mon, 23 Mar 2009 12:00:00 +0000

Over the past month or so I've been adding OAuth support to just about every open source project that I can commit to. I added OAuth support to Roller so that you can now use OAuth to protect Roller's AtomPub server and other things. I also added OAuth support to ROME Propono's AtomPub client so you can now use Propono to post to Roller (more about that later). Here's a quick overview of how OAuth in Roller works.

NOTE that this post applies to Roller 5.0, which has not yet been officially released.

Setting up OAuth for AtomPub in Roller

If you want to use OAuth with AtomPub on your Roller site, go to the Server Admin page and find the Web Services section, enable AtomPub and specify 'oauth' as the authentication mechanism, like so:

Getting your OAuth key, secret and URLs

Once you've done the setup, you'll find an OAuth Credentials link on the Roller Main Menu page, which will lead you a page like the one below showing your OAuth consumer key & secret and, if you are a site admin user, the site-wide key & secret. Currently, there's only one set of site-wide credentials; I plan to fix that.

Of course, those aren't my real keys. You'll want to keep your OAuth keys secret as they can enable anybody to access your Roller account via AtomPub.

Want to try it yourself?

I mentioned that Roller 5.0 has not yet been released and that's true. There's still a lot of work to be done on 5.0, but that doesn't mean you can't get your hands on the code and binaries now. To make it easy, I've made an unofficial snapshot version of Roller 5.0-dev available for testing purposes only. It's what I'm running on my site. You can get it here in two flavors:

apache-roller-5.0-dev-20090321-SNAPSHPOT.tar.gz (31 mb)

apache-roller-5.0-dev-20090321-SNAPSHPOT.zip (31 mb)

The instructions in the old Roller 4.0 installation guide should work fine, so follow them to install and configure the 5.0-dev SNAPSHOT. Please send questions and feedback to either the Roller dev mail list and I'll do my best to respond there.

You'll also need an OAuth capable AtomPub client. More on that topic tomorrow...

Sidebar: What is OAuth and why should you care?

Dave Johnson — Mon, 23 Mar 2009 08:01:39 +0000

I'm going to be following up my OAuth everywhere! post, with several more OAuth related posts this week. So, just in case you are wondering "why is Dave going off on this cockamamie OAuth tangent?", I'll take some time now to explain a little about OAuth to help you understand.

OAuth is a emerging protocol that one web site can use to access your data on another website without asking you to reveal your username and password. For example, when the sinister BuddyNet9000(TM) Social Network site wants to access your GMail account so it can spam your "friends" on your behalf, you can use OAuth to give it access without telling it your username and password. Why risk your GMail security when all you want to do is spam some people? There are less snarky examples, but that one makes the point well, I think.

There's a good end-user oriented introduction on OAuth.net titled Beginner's Guide to OAuth: Protocol Workflow. OAuth is not that widely deployed yet, and is not perfect, but it is emerging and going the IETF standards route.

I'm interested in OAuth because it's part of the OpenSocial spec, used to authorize access to the OpenSocial REST API and to enable OpenSocial Gadgets to call out to OAuth protected resources. Also, because it's used to protect AtomPub-based services, including the Google Data APIs. I needed to learn about it for my Roller and SocialSite work and if you're going to be doing much OpenSocial work, you'll need to learn about it too.

ApacheCon EU 2009!

Dave Johnson — Sun, 22 Mar 2009 14:19:16 +0000

I'm off to ApacheCon EU 2009> tomorrow in Amsterdam to speak on the topic of Shindig for Blogs and Wikis. I'm really looking forward to catching up with my Apache friends and colleagues. That's the conference venue in the photo on the right, the Movenpick hotel (in the background behind the music hall).

I'm staying a couple of extra days, so I hope to have time for bicycling around the city as I've done in the past (see also: Flickr photo sets for 2007 and 2008). Unfortunately, the weather forecast stinks. There's a 60% chance of rain every day that I'm in town. Oh well; guess I'll have plenty of time for blogging.

Speaking of blogging.This week, I'll be posting some blog entries to highlight the work that I've done in preparation for my talk. Here's what I plan to cover:

* Monday: OAuth for AtomPub in Roller
* Tuesday: OAuth for ROME Propono
* Wednesday: SocialSite on rollerweblogger.org
* Thursday: OAuth everywhere (continued)
* Friday: the future of Project SocialSite

If you plan to attend my talk, at 4:30PM on Friday March 27, then you should follow along. Pay special attention to the SocialSite on rollerweblogger.org and OAuth everywhere (continued) posts, which will include detailed background info. I'm looking forward to seeing you there.

Latest Links

Dave Johnson — Tue, 8 Jul 2008 14:00:05 +0000

InfoWorld 2008-07-07 Lab test: Climb aboard Ruby on Rails
Interesting that the best rated Ruby-on-Rails IDE is the one that is free & opensource. Go Netbeans!
ongoin Â· Atomic Monday
"Herewith some evidence, for the general tech public, that Atompub is a big deal"
InfoQ: AtomServer â€“ The Power of Publishing for Data Distribution
"a distributed, publish-subscribe service is a great way to address resiliency and loose coupling of subsystems"
blog.reddit -- what's new on reddit: reddit goes open source
"Until now, the only portion of reddit that wasn't freely available is reddit itself"
OAuth for Google Data APIs
"we're proud to announce that all of the Google Data APIs support OAuth"
Google Code Blog: Protocol Buffers released as Open Source
"think XML, but smaller, faster, and simpler"

Daily Kos: Cars After The Age of Oil
"We can switch to a new tech that is older and simpler than the Internal Combustion Engine - the electric horseless carriage was first created in 1830"
Wired.com: Laugh at High Gas Prices With a 282-MPG VW
"VW has approved a plan to build a limited number of One-Liters in 2010"
SAS Solar Farm | New Raleigh, NC
"Our local 500 pound software gorilla is building a five acre, one megawatt photovoltaic solar farm"