9fans - fans of the OS Plan 9 from Bell Labs
From: simon softnet <ph.softnet@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] OAuth
Date: Fri, 14 Oct 2011 01:29:14 +0200	[thread overview]
Message-ID: <CAFUsep1gdmurUtN+uYg_mKTyg+ipxgCtayrYgJAKXLbSg43NNQ@mail.gmail.com> (raw)
In-Reply-To: <97429C6C-072A-4DB5-A7E9-6A8D345EA340@9srv.net>

I have only used OAuth for sending private twitter messages with a
program, so I can only provide info through the twitter perspective.
There is a handshake that needs to take place, during which your
client program exchanges (token, key) pairs with the authentication
service.

Say you want to access some resource with a client program.
Assume that resource is the ability to send messages impersonating
some user account.

The actual owner of the resource (the user account) logs in and
notifies twitter that there is a program named "P" that will ask for
permission to use this account. Twitter then returns a Consumer
(token, key) pair.

Your program sends the Consumer (token, key) pair to twitter, to
obtain a Request (token, key) pair along with a redirection url.
The owner of the resource must visit that url and certify that your
program is allowed to use his account.
After doing that, he obtains a "pin" code and provides that along with
the Consumer (token, key) pair to your program.

Then your program sends the pin code and the Consumer (token, key)
pair to twitter to obtain an Access (token, key) pair.
This pair can be kept in a file and reused by your program without the
need to repeat the aforementioned procedure.

Now, your program can accompany any request to use that resource
(e.g., send a private message) by providing this Access (token, key)
pair.

In retrospect, in my mind, the initial Consumer (token, key) is needed
to verify that your program is allowed to request for access.
The subsequent (Request (token, key), pin code) tuple is used to
verify that your program's access request got granted by the owner of
the resource.

I'm a bit drunk and English is not my native language, but I hope it kinda helps.

Simon.

On Fri, Oct 14, 2011 at 1:05 AM, Anthony Sorace <a@9srv.net> wrote:
> i want to do some things which require OAuth. i don't like it, but
> it's what many folks are doing now and i don't think i can fight it.
> has anyone looked into this?
>
> architecturally, it's not immediately clear to me how much of the
> http dance ought to be in factotum. it could just store access keys.
>
> anth

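Added illustration, not code from this thread or from Twitter: a self-contained Python simulation of the OAuth 1.0a PIN ("oob") flow the message walks through, with the client program and a toy provider running in one process and signing done the way RFC 5849 specifies (HMAC-SHA1 over a normalised base string). The endpoint URLs, the program name "P", the user name, every token and the PIN are constructed here. It shows what the "key" half of each (token, key) pair is for: the key never leaves its holder, it only keys the signature, and the provider refuses a wrong secret, a replayed nonce, a tampered body and a PIN that does not match the request token.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed endpoint URLs for the toy provider (not a real service's endpoints)
REQUEST_URL = "https://provider.example/oauth/request_token"
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
ACCESS_URL = "https://provider.example/oauth/access_token"
DM_URL = "https://provider.example/1/direct_messages/new"


def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Za-z0-9-._~ stay bare
    return quote(str(s), safe="-._~")


def signature_base(method, url, params):
    # Method, base URL and the sorted parameter string, each encoded, joined with '&'
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # The secrets never travel: they only key the MAC over the base string
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign(method, url, ckey, csecret, token="", tsecret="", extra=None):
    # Client side: assemble the oauth_* parameters plus any body fields, then sign
    params = {"oauth_consumer_key": ckey, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **(extra or {})}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1(method, url, params, csecret, tsecret)
    return params


class Provider:
    # Toy provider: the service side of the exchange, kept in memory
    def __init__(self):
        self.consumers = {}       # consumer key -> consumer secret (registered programs)
        self.request_tokens = {}  # token -> [secret, consumer key, (pin, user) or None]
        self.access_tokens = {}   # token -> (secret, consumer key, user)
        self.seen = set()         # (consumer key, timestamp, nonce) already accepted

    def register_app(self, name):
        ckey, csecret = f"{name}-{secrets.token_hex(4)}", secrets.token_hex(16)
        self.consumers[ckey] = csecret
        return ckey, csecret

    def verify(self, method, url, params, tsecret=""):
        csecret = self.consumers.get(params.get("oauth_consumer_key"))
        replay = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if csecret is None or replay in self.seen:
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1(method, url, unsigned, csecret, tsecret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add(replay)
        return True

    def request_token(self, params):  # step 1: consumer pair -> request pair + URL
        if params.get("oauth_callback") != "oob" or not self.verify("POST", REQUEST_URL, params):
            raise PermissionError("request token refused")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = [sec, params["oauth_consumer_key"], None]
        return tok, sec, f"{AUTHORIZE_URL}?oauth_token={tok}"

    def authorize(self, tok, user):  # step 2: the owner approves in the browser, gets a PIN
        pin = f"{secrets.randbelow(10_000_000):07d}"
        self.request_tokens[tok][2] = (pin, user)
        return pin

    def access_token(self, params):  # step 3: request pair + PIN -> access pair
        rec = self.request_tokens.get(params.get("oauth_token"))
        if rec is None or not self.verify("POST", ACCESS_URL, params, rec[0]):
            raise PermissionError("access token refused")
        sec, ckey, granted = rec
        if granted is None or ckey != params["oauth_consumer_key"] \
                or not hmac.compare_digest(granted[0], params.get("oauth_verifier", "")):
            raise PermissionError("owner has not approved this request token")
        del self.request_tokens[params["oauth_token"]]  # a request token is single use
        atok, asec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[atok] = (asec, ckey, granted[1])
        return atok, asec

    def send_dm(self, params):  # step 4: a protected call signed with the access pair
        rec = self.access_tokens.get(params.get("oauth_token"))
        if rec is None or not self.verify("POST", DM_URL, params, rec[0]):
            raise PermissionError("API call refused")
        return f"{rec[2]}: {params['text']}"


def run_flow(user="alice"):
    p = Provider()
    ckey, csecret = p.register_app("P")
    rtok, rsec, url = p.request_token(sign("POST", REQUEST_URL, ckey, csecret, extra={"oauth_callback": "oob"}))
    pin = p.authorize(rtok, user)  # the owner visits url and reads the PIN off the page
    atok, asec = p.access_token(sign("POST", ACCESS_URL, ckey, csecret, rtok, rsec, {"oauth_verifier": pin}))
    sent = p.send_dm(sign("POST", DM_URL, ckey, csecret, atok, asec, {"text": "hello from P"}))
    return {"provider": p, "consumer": (ckey, csecret), "access": (atok, asec), "sent": sent}


if __name__ == "__main__":
    print(run_flow()["sent"])
```

Running `run_flow()` performs all four steps and returns the tokens so the same provider can be exercised again. The access pair is the one thing worth keeping on disk, and it is as sensitive as a password for that account: whoever reads the file can sign requests as the user until the token is revoked, which is the reason the thread's question about keeping it in factotum rather than a plain file matters.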
Thread overview: 2+ messages
2011-10-13 23:05 Anthony Sorace
2011-10-13 23:29 ` simon softnet [this message]