Today I noticed the link ‘OAuth 1.0 Draft’ appear in the del.icio.us popular feed. I followed it, and to my great delight found a spec for a protocol that is long overdue.
OAuth is
An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications.
This abstract definition can be explained by a simple example:
I keep my photos on a photo-sharing site. I want to print some of them on a photo printing site and have the prints shipped to me. How does the printing site get access to my photos (say they are private, visible only to me)? One way would be to give the printing site (call it the Consumer) my username and password for the sharing site where the photos are stored (call that the Service Provider). Problem: the Consumer now has my credentials, which gives it total access - it could, in effect, ‘be me’ on that other site, and the only way to take that access back is to change my password. This obviously isn’t what I want. What I want is to give the Consumer just the right to use my private data at the Service Provider, without giving away my password.
OAuth allows that to happen, in a simple standardized way.
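To make concrete what “the right to use my private data without giving away my password” looks like on the wire, here is an added example, written in Python for this post (it is not Net::OAuth and not code from the OAuth authors), of the HMAC-SHA1 signing the draft describes: the Consumer signs each request with its own consumer secret plus a token secret the Service Provider issued for this user, and the Service Provider recomputes the signature and checks the timestamp and nonce. The consumer key, token, URL, nonce and timestamp are the interoperability test vector from Appendix A of the OAuth Core 1.0 spec; the in-memory token store, the user name, the 300-second clock skew and the replay cache are assumptions of this example. The request-token and user-authorization steps that issue the token in the first place are not shown.

```python
"""OAuth 1.0 request signing (Consumer side) and verification (Service
Provider side) with the HMAC-SHA1 signature method.

Added example written for this post in Python; not code from Net::OAuth
or from the OAuth authors. Keys, URL, nonce and timestamp are the
interoperability test vector from OAuth Core 1.0, Appendix A. The token
store, user name and replay cache are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_escape(value) -> str:
    """Percent-encode per RFC 3986: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD & encode(url) & encode(normalized params).

    Keys and values are encoded, sorted by key then value, joined with '='
    and '&', then the whole string is encoded again. oauth_signature is
    left out so Consumer and Service Provider build the same string.
    """
    pairs = sorted((oauth_escape(k), oauth_escape(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(base_url), oauth_escape(normalized)])


def hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key = encode(consumer secret) & encode(token secret); the '&' stays even
    if the token secret is empty. Result is the base64 HMAC-SHA1 digest."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, consumer_secret, token_secret):
    """Consumer side: return a copy of params carrying oauth_signature."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    base = signature_base_string(method, base_url, signed)
    signed["oauth_signature"] = hmac_sha1(base, consumer_secret, token_secret)
    return signed


class ServiceProvider:
    """Verifier. Knows consumer secrets and the per-user tokens it issued;
    the user's password never appears here. (In-memory stores for the demo.)"""

    def __init__(self, consumers, tokens, max_skew=300):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.tokens = tokens            # token -> (user, token_secret)
        self.seen = set()               # (consumer_key, timestamp, nonce) already accepted
        self.max_skew = max_skew        # assumed acceptable clock skew, in seconds

    def verify(self, method, base_url, params, now):
        """Return the user the request acts for, or None if it must be rejected."""
        try:
            consumer_secret = self.consumers[params["oauth_consumer_key"]]
            user, token_secret = self.tokens[params["oauth_token"]]
            ts = int(params["oauth_timestamp"])
            nonce_key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
        except (KeyError, ValueError):
            return None                 # unknown consumer/token or malformed request
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        if abs(now - ts) > self.max_skew or nonce_key in self.seen:
            return None                 # stale or replayed
        expected = hmac_sha1(signature_base_string(method, base_url, params),
                             consumer_secret, token_secret)
        presented = str(params.get("oauth_signature", "")).encode()
        if not hmac.compare_digest(expected.encode(), presented):
            return None                 # wrong secrets or tampered parameters
        self.seen.add(nonce_key)
        return user


# OAuth Core 1.0 Appendix A test vector (photos.example.net).
CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"
TOKEN, TOKEN_SECRET = "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos"
REQUEST = {"file": "vacation.jpg", "size": "original",
           "oauth_consumer_key": CONSUMER_KEY, "oauth_token": TOKEN,
           "oauth_nonce": "kllo9940pd9333jh", "oauth_timestamp": "1191242096",
           "oauth_version": "1.0"}


def demo():
    """Sign, verify, then show a replay and a tampered request being refused."""
    sp = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: ("jane", TOKEN_SECRET)})
    now = int(REQUEST["oauth_timestamp"])
    signed = sign_request("GET", URL, REQUEST, CONSUMER_SECRET, TOKEN_SECRET)
    first = sp.verify("GET", URL, signed, now)                      # "jane"
    replay = sp.verify("GET", URL, signed, now)                     # None: nonce reused
    tampered = dict(signed, file="private.jpg", oauth_nonce="kllo9940pd9333jj")
    forged = sp.verify("GET", URL, tampered, now)                   # None: signature mismatch
    return signed["oauth_signature"], first, replay, forged


if __name__ == "__main__":
    print(demo())   # ('tR3+Ty81lMeYAr/Fid0kMTYa/WM=', 'jane', None, None)
```

The point to notice is what the Service Provider needs in order to accept the request: the consumer secret and the token secret it issued, nothing about the user's password. Revoking the printing site's access is deleting one token, and a token can be scoped to one Consumer, where a shared password cannot. The verifier compares signatures in constant time and refuses a reused nonce, since a signed request that is replayable is only slightly better than a password.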
At Sxip this was always an important use case for our work in identity protocols, but I haven’t seen broad support for a protocol that specifically handles this problem until now.
OAuth is OpenID-like (not in its purpose, but in the way it is architected), but simpler. From reading the spec I can see that learnings from the OpenID process have been applied here - this spec has a clean, mature feel, despite being 1.0. It was also nice seeing some familiar names listed as authors on the document, like Blaine Cook and Andy Smith.
After all that I decided to help out with some Perl code. After a few hours of hacking, Net::OAuth was born! I just uploaded it to CPAN, so it should be available on the mirrors in the next couple of days. You can also download it here: Net-OAuth-0.01.tar.gz. Caveats:
It’ll be fun to watch this protocol as it spreads. It is, like I said before, long overdue, and is immediately useful to many sites.
Update (2007-10-02): Net::OAuth now supports the RSA_SHA1 signing method! Net-OAuth-0.02
Comments
Thanks for starting this, Keith! I’ve been lurking on the OAuth list for a while, but I haven’t had any time to do anything about the spec or a Perl implementation. Now that you’ve started things off, I’ll take a look at the module and see if there’s anything I can do to help.
Hi Chris,
That’d be great!
The main things needed: