9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] OAuth
@ 2011-10-13 23:05 Anthony Sorace
  2011-10-13 23:29 ` simon softnet
  0 siblings, 1 reply; 2+ messages in thread
From: Anthony Sorace @ 2011-10-13 23:05 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

i want to do some things which require OAuth. i don't like it, but
it's what many folks are doing now and i don't think i can fight it.
has anyone looked into this?

architecturally, it's not immediately clear to me how much of the
http dance ought to be in factotum. it could just store access keys.

anth


* Re: [9fans] OAuth
  2011-10-13 23:05 [9fans] OAuth Anthony Sorace
@ 2011-10-13 23:29 ` simon softnet
  0 siblings, 0 replies; 2+ messages in thread
From: simon softnet @ 2011-10-13 23:29 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I have only used OAuth for sending private twitter messages with a
program, so I can only provide info through the twitter perspective.
There is a handshake that needs to take place, during which your
client program exchanges (token, key) pairs with the authentication
service.

Say you want to access some resource with a client program.
Assume that resource is the ability to send messages impersonating
some user account.

The actual owner of the resource (the user account) logs in and
notifies twitter that there is a program named "P" that will ask for
permission to use this account. Twitter then returns a Consumer
(token, key) pair.

Your program sends the Consumer (token, key) pair to twitter, to
obtain a Request (token, key) pair along with a redirection url.
The owner of the resource must visit that url and certify that your
program is allowed to use his account.
After doing that, he obtains a "pin" code and provides that along with
the Consumer (token, key) pair to your program.

Then your program sends the pin code and the Consumer (token, key)
pair to twitter to obtain an Access (token, key) pair.
This pair can be kept in a file and reused by your program without the
need to repeat the aforementioned procedure.

Now, your program can accompany any request to use that resource
(e.g., send a private message) by providing this Access (token, key)
pair.

In retrospect, in my mind, the initial Consumer (token, key) is needed
to verify that your program is allowed to request access.
The subsequent (Request (token, key), pin code) tuple is used to
verify that your program's access request got granted by the owner of
the resource.

I'm a bit drunk and English is not my native language, but I hope it kinda helps.

Simon.

On Fri, Oct 14, 2011 at 1:05 AM, Anthony Sorace <a@9srv.net> wrote:
> i want to do some things which require OAuth. i don't like it, but
> it's what many folks are doing now and i don't think i can fight it.
> has anyone looked into this?
>
> architecturally, it's not immediately clear to me how much of the
> http dance ought to be in factotum. it could just store access keys.
>
> anth
>
>
>

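In OAuth 1.0a as Twitter deployed it, the Access (token, key) pair Simon describes is used by signing every request with HMAC-SHA1, keyed on the consumer secret and the token secret. This added example (not code from either poster) sketches one answer to Anthony's factotum question: a factotum-like agent holds both secrets and hands the program only a signature, so the http dance itself can stay outside. The names `Agent`, `signed_params` and `verify` are mine; the sample credentials are the public test vector from OAuth Core 1.0, Appendix A, not real Twitter keys.

```python
import base64, hashlib, hmac, urllib.parse

def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters stay bare."""
    return urllib.parse.quote(str(s), safe="-._~")

def base_string(method, url, params):
    """METHOD&url&normalized(params): sorted, encoded, oauth_signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(consumer_secret, token_secret, text):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret', base64 as OAuth sends it."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, text.encode(), hashlib.sha1).digest()).decode()

class Agent:
    """Factotum-like holder of the Consumer and Access secrets (hypothetical name): the
    program can ask for a signature over a concrete request but never reads the secrets."""
    def __init__(self, consumer_key, consumer_secret, token, token_secret):
        self.consumer_key, self.token = consumer_key, token
        self._secrets = (consumer_secret, token_secret)

    def sign(self, method, url, params):
        return hmac_sha1(*self._secrets, base_string(method, url, params))

def signed_params(agent, method, url, params, nonce, timestamp):
    """Client side: add the oauth_* parameters, then ask the agent for the signature."""
    oauth = [("oauth_consumer_key", agent.consumer_key), ("oauth_token", agent.token),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", timestamp),
             ("oauth_nonce", nonce), ("oauth_version", "1.0")]
    all_params = list(params) + oauth
    return all_params + [("oauth_signature", agent.sign(method, url, all_params))]

def verify(secrets, method, url, params):
    """Provider side: recompute with the stored secrets and compare in constant time."""
    p = dict(params)
    sent = p.pop("oauth_signature")
    consumer_secret, token_secret = secrets[(p["oauth_consumer_key"], p["oauth_token"])]
    expected = hmac_sha1(consumer_secret, token_secret, base_string(method, url, p.items()))
    return hmac.compare_digest(expected, sent)

# Constructed sample: credentials and request from the OAuth Core 1.0 spec, Appendix A.
AGENT = Agent("dpf43f3p2l4k3l03", "kd94hf93k423kf44", "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00")
PROVIDER_SECRETS = {(AGENT.consumer_key, AGENT.token): ("kd94hf93k423kf44", "pfkkdhi9sl3r4s00")}
URL = "http://photos.example.net/photos"
REQUEST = signed_params(AGENT, "GET", URL, [("file", "vacation.jpg"), ("size", "original")],
                        nonce="kllo9940pd9333jh", timestamp="1191242096")
```

The request-token step of the handshake is signed the same way with an empty token secret, so the agent needs nothing beyond this to take part in the whole dance.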
