File: README — Documentation for oauth

OAuth Provider library in Ruby

1) Getting the library setup
2) Creating a provider
3) Adding a consumer
4) Issuing a request token
5) Authorizing a request token
6) Upgrading a request token to an access token
7) Confirming access for an access token

1) Getting the library setup

You can currently only download the source and build a gem. It will be put on rubyforge once it is more feature-some.

# git clone git://github.com/halorgium/oauth_provider.git # rake package

2) Getting the library setup

Create a provider to allow you to interact issue request tokens etc. There are several backends to allow you to use this for real and in testing.

The in-memory backend is best for testing, it allows you to not have the overhead of a database.

# provider = OAuthProvider.create(:in_memory)

The DataMapper backend is currently the only real backend, you can provide a repository which will allow you to use a different database connection.

# provider = OAuthProvider.create(:data_mapper, :some_oauth_repository)

3) Adding a consumer

To add a consumer to the provider, you need to provide a callback URL.

# consumer = provider.add_consumer(“myconsumer.com/token”)

You should store the consumer shared key in your database so you can associate your users with the tokens they own.

# Consumer.create(“My Consumer”, consumer.shared_key)

4) Issuing a request token

Now you can issue a request token, this will save the token for later access. You need to pass in the raw request object which your web framework uses and require the correct request-proxy.

Rails (ActionController): # require ‘oauth/request_proxy/action_controller_request’ XMPP4R: # require ‘oauth/request_proxy/jabber_request’ Net::HTTP: # require ‘oauth/request_proxy/net_http’ Sinatra/Merb (Rack): # require ‘oauth/request_proxy/rack_request’

Once that file is required, you can ask the provider to issue a token.

# user_request = provider.issue_request(request)

You should save this token in your database to connect this token with a particular user.

# current_user.tokens.create(:consumer_shared_key => user_request.consumer.shared_key, # :shared_key => user_request.shared_key)

This object allows you to access the query_string which should be returned to the consumer. This is the form: oauth_token=ABCDE&oauth_token_secret=SECRET123

# user_request.query_string

Now it is up to the consumer to redirect the user to your authorization screen. To locate the token which corresponds with the shared key (usually the ‘oauth_token’ parameter in the request) you need to

5) Authorizing a request token

Once you have determined that the user wishes to authorize the request. You should display the consumer information to the user.

An example ERB view might be:

# You are about to authorize <%= token.consumer.name %> to access your account %> # Do you want this to happen? # <a href=“/authorize?oauth_token=<%= token.shared_key %>Authorize it</a>

At this point, you can also store any access control information to allow this consumer to perhaps only have read-access to the user’s information.

Then in the ‘authorize’ action you would tell the provider to authorize this request token and redirect back to the consumer callback URL.

# user_request.authorize # redirect_to user_request.callback

6) Upgrading a request token to an access token

Now that the request token is authorized by the user, the consumer can upgrade this token to an access token.

# user_access = provider.upgrade_request(request)

If the request token is not yet authorized, an exception will be raised. The exception class is ‘OAuthProvider::UserRequestNotAuthorized’.

If the request token is authorized, the request token will be destroyed and a access token will be generated and returned.

Now you can save this into your database.

# token = current_user.tokens.find_by_shared_key(user_access.request_shared_key) # token.update_attributes(:access => true, :shared_key => user_access.shared_key)

And return the query string back to the consumer

# user_access.query_string

7) Confirming access for an access token

At this point, the consumer should have a valid access token and can make API requests. You can ask the provider to confirm that the access token is valid.

# user_access = provider.confirm_access(request)

Now you can find the user token which corresponds to the shared_key.

# token = current_user.tokens.first(:access => true, :shared_key => user_access.shared_key)

You are now ready to respond to the API request as needed!