Consuming
OAuth for two

A healthy serving of
open authorization with OAuth 2

@softprops

Let's talk about
me.

OAuth 2

for the uninitiated
  • a simple, 302-based authorization protocol
  • stop asking for passwords
  • oauth.net/2/

Change log

RFC 5849 (OAuth 1.0) ... today

  • trade signing for TLS (no per-request signatures; bearer tokens, protected by the transport)
  • scopes: exactly what do you think you're doing?
  • profilin': authorization code, implicit, resource owner password credentials, client credentials

Current status:

  • Drafty (22 so far)
  • Not official (yet)
  • Plan for change (but hopefully not many)

The gist

1) authorization endpoint * (where the user says yes)

2) token endpoint * (where you trade the code for a token)

3) choose your profile

* these can live on the same server

Pregame

register a client w/ ...

  • client_id (public)
  • client_secret (stays on your server, never in a browser)
  • redirect_uri (registered up front; codes are only ever sent there)

And so begins dialog between parties

act: I

Dear Joseph,
I wish to act in your stead

Q: May I... ?

curl "https://secure.meetup.com/oauth2/authorize\
?client_id=g1b3r1sh\
&response_type=code\
&redirect_uri=http://your.com/post-auth\
&state=optional-but-recommended"

(in real life it is the user's browser that follows this URL, not curl; the answer comes back as a 302)

client_id: Who are you anyway?

response_type: Which path do you wish to take? (code = the authorization code profile)

redirect_uri: Upon that sunny day, how shall I reach you? (must match what you registered)

state: a random value you minted for this user's session, so you can tell your own flow from one an attacker started

A: Yes, you may.

http://your.com/post-auth
  ?code=temp-token
  &state=optional-but-recommended

(compare state to what you sent; if it doesn't match, throw the code away)

act: II

obtaining a token of power
and trust

Q: One ticket please?

curl -X POST https://secure.meetup.com/oauth2/access \
  -d 'client_id=g1b3r1sh' \
  -d 'client_secret=s3cr3tg1b3r1sh' \
  -d 'redirect_uri=http://your.com/post-auth' \
  -d 'grant_type=authorization_code' \
  -d 'code=code_you_just_got'

(-d posts application/x-www-form-urlencoded, which is what the token endpoint expects; this hop is server to server, so the client_secret never reaches the browser)

A: Enjoy the show

{
  "access_token": "k33pm3s3c3r3t",
  "expires_in": 3600,
  "refresh_token": "al30k33pm3s3cr3t"
}
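Acts I and II played out with both parties in one process, as an added example that is not from the deck and not Meetup's code. AuthServer is a constructed stand-in for the authorize and token endpoints (single-use codes, a 600 second code lifetime, exact redirect_uri matching and a constant-time secret compare are assumptions about a well-behaved server, not a description of Meetup's implementation); Client is your.com; the helper _flat and the run_flows driver are also invented here. run_flows walks the happy path and then three things the checks exist to stop: replaying a code, a forged callback whose state was not minted by the victim's session, and redeeming a code with only the public client_id. The http:// redirect_uri is copied from the slides; in production it should be https.

```python
import hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit


def _flat(qs):  # parse_qs returns lists; this flow wants one value per key
    return {k: v[0] for k, v in parse_qs(qs).items()}


class AuthServer:
    """In-memory stand-in for the authorize + token endpoints (not Meetup's code)."""
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, issued_at)

    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, query, user_consents=True):
        """Act I: GET /oauth2/authorize?...; returns the URL the browser is 302'd to."""
        q = _flat(query)
        if q.get("client_id") not in self.clients:
            raise ValueError("unknown client_id")  # nowhere safe to redirect, so no redirect
        registered_uri = self.clients[q["client_id"]][1]
        if q.get("response_type") != "code" or q.get("redirect_uri") != registered_uri:
            raise ValueError("unsupported response_type or unregistered redirect_uri")
        answer = {"state": q.get("state", "")}  # state goes back untouched
        if user_consents:
            answer["code"] = secrets.token_urlsafe(16)
            self.codes[answer["code"]] = (q["client_id"], registered_uri, time.time())
        else:
            answer["error"] = "access_denied"
        return registered_uri + "?" + urlencode(answer)

    def access(self, form):
        """Act II: POST /oauth2/access, x-www-form-urlencoded body, server to server."""
        f = _flat(form)
        secret = self.clients.get(f.get("client_id"), ("", ""))[0]
        if not secret or not hmac.compare_digest(secret, f.get("client_secret", "")):
            return {"error": "invalid_client"}
        issued = self.codes.pop(f.get("code", ""), None)  # pop: a code is good exactly once
        if f.get("grant_type") != "authorization_code" or issued is None:
            return {"error": "invalid_grant"}
        owner, uri, at = issued
        if owner != f["client_id"] or uri != f.get("redirect_uri") or time.time() - at > 600:
            return {"error": "invalid_grant"}  # someone else's code, wrong redirect_uri, or stale (600 s assumed)
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(24)}


class Client:  # your.com's side of the dialog
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id, self.secret, self.redirect_uri = server, client_id, client_secret, redirect_uri
        self.session = {}  # stands in for the user's server-side session

    def start(self):
        """'May I...?': mint a fresh state for this flow, remember it, build the authorize URL."""
        self.session["state"] = secrets.token_urlsafe(16)
        return "https://secure.meetup.com/oauth2/authorize?" + urlencode({
            "client_id": self.client_id, "response_type": "code",
            "redirect_uri": self.redirect_uri, "state": self.session["state"]})

    def callback(self, url):
        """The 302 back to redirect_uri: check state first, then trade the code for a token."""
        q = _flat(urlsplit(url).query)
        expected = self.session.pop("state", None)  # one shot: a replayed callback fails too
        if expected is None or not hmac.compare_digest(expected, q.get("state", "")):
            raise ValueError("state mismatch: this callback is not from a flow we started")
        if "error" in q:
            raise ValueError("user declined: " + q["error"])
        tok = self.server.access(urlencode({
            "client_id": self.client_id, "client_secret": self.secret, "redirect_uri": self.redirect_uri,
            "grant_type": "authorization_code", "code": q["code"]}))
        if "error" in tok:
            raise ValueError("token endpoint said: " + tok["error"])
        tok["expires_at"] = time.time() + tok["expires_in"]  # when the clock strikes midnight
        return tok


def run_flows():
    """Happy path plus the misuses the checks above exist to stop (constructed scenario)."""
    server = AuthServer()
    server.register("g1b3r1sh", "s3cr3tg1b3r1sh", "http://your.com/post-auth")
    client = Client(server, "g1b3r1sh", "s3cr3tg1b3r1sh", "http://your.com/post-auth")
    redeem = lambda back, secret="s3cr3tg1b3r1sh": server.access(urlencode({
        "client_id": "g1b3r1sh", "client_secret": secret, "redirect_uri": "http://your.com/post-auth",
        "grant_type": "authorization_code", "code": _flat(urlsplit(back).query)["code"]}))
    results = {}
    back = server.authorize(urlsplit(client.start()).query)        # 1. user says yes
    tok = client.callback(back)
    results["happy"] = tok["token_type"] == "bearer" and tok["expires_at"] > time.time()
    results["replay_refused"] = redeem(back) == {"error": "invalid_grant"}   # 2. same code twice
    client.start()                                                 # 3. victim has a flow in progress...
    forged = server.authorize(urlencode({"client_id": "g1b3r1sh", "response_type": "code",
                                         "redirect_uri": "http://your.com/post-auth", "state": "attackers"}))
    try:                                                           # ...and is handed the attacker's callback
        client.callback(forged)
        results["forged_callback_refused"] = False
    except ValueError:
        results["forged_callback_refused"] = True
    back = server.authorize(urlsplit(client.start()).query)        # 4. public client_id, wrong secret
    results["bad_secret_refused"] = redeem(back, "guess") == {"error": "invalid_client"}
    return results
```

The order of checks in callback is the point: state is verified before the code is even looked at, so a callback an attacker minted in their own browser and pasted into the victim's never reaches the token endpoint; on the server side, popping the code makes a leaked or replayed code worthless after its first use.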

That's it

curl "https://api.meetup.com/2/member/self?access_token=k33pm3s3c3r3t"

(where the API accepts it, send the token as a header instead, -H 'Authorization: Bearer k33pm3s3c3r3t', so it stays out of access logs and Referer headers)

Well, almost...

  • users can forsake (revoke) you
  • the clock could strike midnight (expires_in)
  • air ball! (that call is beyond your scope of access)

Plan for a bumpy ride

import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

HOST = "https://api.meetup.com"
TOKEN_URI = "https://secure.meetup.com/oauth2/access"
CLIENT_ID, CLIENT_SECRET = "g1b3r1sh", "s3cr3tg1b3r1sh"
tokens = {"access_token": "k33pm3s3c3r3t", "refresh_token": "al30k33pm3s3cr3t"}


class WhiteFlag(Exception):
    """Refresh failed too: the user revoked you. Back to act I."""


def with_access(params):
    return dict(params, access_token=tokens["access_token"])


def get(path, params=None, retried=False):
    try:
        url = "%s%s?%s" % (HOST, path, urlencode(with_access(params or {})))
        return json.loads(urlopen(Request(url)).read())
    except HTTPError as e:
        if e.code != 401 or retried:   # not a token problem, or already freshened once
            raise                      # dirty jobs: scope misses, 5xx, etc.
        try:                           # freshen up
            body = urlencode({
                "client_id": CLIENT_ID,
                "client_secret": CLIENT_SECRET,
                "grant_type": "refresh_token",
                "refresh_token": tokens["refresh_token"],
            }).encode()
            tokens.update(json.loads(urlopen(Request(TOKEN_URI, data=body)).read()))
        except HTTPError:              # revoked
            raise WhiteFlag()
        return get(path, params, retried=True)   # one retry, never an endless loop

{

'code-demo': intermission

}