From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <97429C6C-072A-4DB5-A7E9-6A8D345EA340@9srv.net>
References: <97429C6C-072A-4DB5-A7E9-6A8D345EA340@9srv.net>
Date: Fri, 14 Oct 2011 01:29:14 +0200
Message-ID:
From: simon softnet
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [9fans] OAuth
Topicbox-Message-UUID: 37e8aba4-ead7-11e9-9d60-3106f5b1d025

I have only used OAuth for sending private twitter messages with a
program, so I can only provide info through the twitter perspective.

There is a handshake that needs to take place, during which your client
program exchanges (token, key) pairs with the authentication service.

Say you want to access some resource with a client program. Assume that
resource is the ability to send messages impersonating some user account.

The actual owner of the resource (the user account) logs in and notifies
twitter that there is a program named "P" that will ask for permission to
use this account. Twitter then returns a Consumer (token, key) pair.

Your program sends the Consumer (token, key) pair to twitter to obtain a
Request (token, key) pair along with a redirection url. The owner of the
resource must visit that url and certify that your program is allowed to
use his account. After doing that, he obtains a "pin" code and provides
that along with the Consumer (token, key) pair to your program.

Then your program sends the pin code and the Consumer (token, key) pair to
twitter to obtain an Access (token, key) pair. This pair can be kept in a
file and reused by your program without the need to repeat the
aforementioned procedure.

Now, your program can accompany any request to use that resource (e.g.,
send a private message) by providing this Access (token, key) pair.

In retrospect, in my mind, the initial Consumer (token, key) is needed to
verify that your program is allowed to request access. The subsequent
(Request (token, key), pin code) tuple is used to verify that your
program's access request got granted by the owner of the resource.

I'm a bit drunk and English is not my native language, but I hope it
kinda helps.

Simon.

On Fri, Oct 14, 2011 at 1:05 AM, Anthony Sorace wrote:
> i want to do some things which require OAuth. i don't like it, but
> it's what many folks are doing now and i don't think i can fight it.
> has anyone looked into this?
>
> architecturally, it's not immediately clear to me how much of the
> http dance ought to be in factotum. it could just store access keys.
>
> anth
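The three-legged exchange Simon describes (consumer credentials, request token plus PIN, access token, then signed requests), as an added example in Python that is not from this thread or from any 9fans code: a toy in-process Provider stands in for twitter, the names API, Provider, sign and signed are my own, and the post's "(token, key) pair" is what OAuth 1.0a calls a token and its secret.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote
pct = lambda s: quote(str(s), safe="~")           # RFC 5849 percent-encoding
API = "https://api.example"                        # constructed stand-in for the service's endpoints

def sign(method, url, p, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the normalized request; the two secrets key the MAC and are never sent
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(p.items()) if k != "oauth_signature")
    base = f"{method.upper()}&{pct(url)}&{pct(norm)}"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def signed(url, ckey, csec, tsec="", **extra):     # client side: build the oauth_* params and sign them
    p = {"oauth_consumer_key": ckey, "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **extra}
    p["oauth_signature"] = sign("POST", url, p, csec, tsec)
    return p

class Provider:                                    # toy service side (twitter in the post), in-process only
    def __init__(self, consumers):                 # consumers: registered program "P" -> its consumer secret
        self.consumers, self.req, self.acc = consumers, {}, {}   # rtok -> [secret, pin], atok -> secret
    def check(self, url, p, token_secret=""):
        good = sign("POST", url, p, self.consumers[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(p["oauth_signature"], good):
            raise PermissionError("bad signature")
    def request_token(self, p):                    # leg 1: consumer creds -> request token + approval url
        self.check(API + "/request_token", p)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.req[tok] = [sec, None]
        return tok, sec, f"{API}/authorize?oauth_token={tok}"
    def authorize(self, tok):                      # leg 2: the owner logs in at that url and is shown a PIN
        self.req[tok][1] = f"{secrets.randbelow(10**7):07d}"
        return self.req[tok][1]
    def access_token(self, p):                     # leg 3: request token + PIN -> access token
        sec, pin = self.req.pop(p["oauth_token"])  # request token is single-use, consumed even on failure
        self.check(API + "/access_token", p, sec)
        if pin is None or not hmac.compare_digest(p.get("oauth_verifier", ""), pin):
            raise PermissionError("owner did not approve")
        tok, asec = secrets.token_hex(8), secrets.token_hex(16)
        self.acc[tok] = asec
        return tok, asec
    def send_dm(self, p):                          # protected resource: needs consumer + access secrets
        self.check(API + "/direct_messages/new", p, self.acc[p["oauth_token"]])
        return "sent"

def client_flow(svc, ckey, csec):
    rtok, rsec, url = svc.request_token(signed(API + "/request_token", ckey, csec, oauth_callback="oob"))
    pin = svc.authorize(rtok)                      # owner visits url in a browser, reads the PIN, types it in
    atok, asec = svc.access_token(signed(API + "/access_token", ckey, csec, rsec, oauth_token=rtok, oauth_verifier=pin))
    return svc.send_dm(signed(API + "/direct_messages/new", ckey, csec, asec, oauth_token=atok, text="hello")), atok, asec
```

The returned (atok, asec) is the pair the program would keep in a file (or hand to factotum); later requests only need signed() with it, and no further handshake.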