Dave Johnson on open web technologies, social software and software development
Lot's of activity in the OpenID and OAuth space recently. Both OAuth and OpenID have suffered from bad user experience, bad developer experience and low adoption. Now they're in the process of re-invention and folks from both Google and Facebook are involved. Here's my reading list so far on the topic:
As you may remember, ROME Propono is a subproject of ROME, the Java-based RSS/Atom feed library. ROME Propono includes an AtomPub server library and an AtomPub client. I added OAuth support to the AtomPub client and in this post, I'll show how you can use it to post to the Roller 5.0-dev (i.e. the snapshot build that I made available yesterday).
In case you haven't already heard, thanks to the recent hard work of Nick Lothian, ROME 1.0 is now available. You can find downloads at rome.dev.java.net and a list of changes in the Change Log there. To celebrate this momentous event, I'm planning on releasing ROME Propono 1.0 as well, and in preparation, I've made a release candidate available. The new Propono includes ROME 1.0 and support for OAuth. You can get it via the links below:
rome-propono-1.0RC1.tar.gz (2.0 mb)
rome-propono-1.0RC1.zip (3 mb)
To use the Propono AtomPub client, you place the Propono jars in your Java VM classpath and then call the
AtomClientFactory to get started, as described in the ROME Propono 1.0 Javadocs.
Below is a Groovy example that shows how to post a blog entry to Roller via AtomPub and OAuth. You can get the consumer key, secret and URLs you need to call your instance of Roller from the OAuth Credentials page in the Roller admin interface.
import com.sun.syndication.propono.atom.client.* import com.sun.syndication.feed.atom.* def authStrategy = new OAuthStrategy( "roller", // username "55132608a2fb68816bcd3d1caeafc933", // consumer key "bb420783-fdea-4270-ab83-36445c18c307", // consumer secret "HMAC-SHA1", // key type "http://blogs.example.com/roller-services/oauth/requestToken", "http://blogs.example.com/roller-services/oauth/authorize", "http://blogs.example.com/roller-services/oauth/accessToken") // get the AtomPub service def appService = AtomClientFactory.getAtomService( "http://blogs.example.com/roller-services/app", authStrategy) // find workspace of my blog def blog = appService.findWorkspace("Blogging Roller") // find collecton that will accept entries def entries = blog.findCollection(null, "application/atom+xml;type=entry") // create and post an entry def entry = entries.createEntry() entry.title = "TestPost" def content = new Content() content.setValue("This is a test post. w00t!") entry.setContent([content]) entries.addEntry(entry)
If you have questions or feedback about ROME Propono 1.0 RC1, please post them to the ROME dev mail list and I'll do my best to respond there.
Over the past month or so I've been adding OAuth support to just about every open source project that I can commit to. I added OAuth support to Roller so that you can now use OAuth to protect Roller's AtomPub server and other things. I also added OAuth support to ROME Propono's AtomPub client so you can now use Propono to post to Roller (more about that later). Here's a quick overview of how OAuth in Roller works.
NOTE that this post applies to Roller 5.0, which has not yet been officially released.
If you want to use OAuth with AtomPub on your Roller site, go to the Server Admin page and find the Web Services section, enable AtomPub and specify 'oauth' as the authentication mechanism, like so:
Once you've done the setup, you'll find an OAuth Credentials link on the Roller Main Menu page, which will lead you a page like the one below showing your OAuth consumer key & secret and, if you are a site admin user, the site-wide key & secret. Currently, there's only one set of site-wide credentials; I plan to fix that.
Of course, those aren't my real keys. You'll want to keep your OAuth keys secret as they can enable anybody to access your Roller account via AtomPub.
I mentioned that Roller 5.0 has not yet been released and that's true. There's still a lot of work to be done on 5.0, but that doesn't mean you can't get your hands on the code and binaries now. To make it easy, I've made an unofficial snapshot version of Roller 5.0-dev available for testing purposes only. It's what I'm running on my site. You can get it here in two flavors:
The instructions in the old Roller 4.0 installation guide should work fine, so follow them to install and configure the 5.0-dev SNAPSHOT. Please send questions and feedback to either the Roller dev mail list and I'll do my best to respond there.
You'll also need an OAuth capable AtomPub client. More on that topic tomorrow...
I'm going to be following up my OAuth everywhere! post, with several more OAuth related posts this week. So, just in case you are wondering "why is Dave going off on this cockamamie OAuth tangent?", I'll take some time now to explain a little about OAuth to help you understand.
OAuth is a emerging protocol that one web site can use to access your data on another website without asking you to reveal your username and password. For example, when the sinister BuddyNet9000(TM) Social Network site wants to access your GMail account so it can spam your "friends" on your behalf, you can use OAuth to give it access without telling it your username and password. Why risk your GMail security when all you want to do is spam some people? There are less snarky examples, but that one makes the point well, I think.
There's a good end-user oriented introduction on OAuth.net titled Beginner's Guide to OAuth: Protocol Workflow. OAuth is not that widely deployed yet, and is not perfect, but it is emerging and going the IETF standards route.
I'm interested in OAuth because it's part of the OpenSocial spec, used to authorize access to the OpenSocial REST API and to enable OpenSocial Gadgets to call out to OAuth protected resources. Also, because it's used to protect AtomPub-based services, including the Google Data APIs. I needed to learn about it for my Roller and SocialSite work and if you're going to be doing much OpenSocial work, you'll need to learn about it too.
I'm off to ApacheCon EU 2009> tomorrow in Amsterdam to speak on the topic of Shindig for Blogs and Wikis. I'm really looking forward to catching up with my Apache friends and colleagues. That's the conference venue in the photo on the right, the Movenpick hotel (in the background behind the music hall).
I'm staying a couple of extra days, so I hope to have time for bicycling around the city as I've done in the past (see also: Flickr photo sets for 2007 and 2008). Unfortunately, the weather forecast stinks. There's a 60% chance of rain every day that I'm in town. Oh well; guess I'll have plenty of time for blogging.
Speaking of blogging.This week, I'll be posting some blog entries to highlight the work that I've done in preparation for my talk. Here's what I plan to cover:
* Monday: OAuth for AtomPub in Roller
* Tuesday: OAuth for ROME Propono
* Wednesday: SocialSite on rollerweblogger.org
* Thursday: OAuth everywhere (continued)
* Friday: the future of Project SocialSite
If you plan to attend my talk, at 4:30PM on Friday March 27, then you should follow along. Pay special attention to the SocialSite on rollerweblogger.org and OAuth everywhere (continued) posts, which will include detailed background info. I'm looking forward to seeing you there.