WAS Off for meetup at Google's office. Back in first week of August. - NOW BACK AT WORK
Project information
On today's web, people do not like to share or exchange all their stuff on one service. We prefer to use Flickr for photos, YouTube for videos, Amazon for shopping, etc. To integrate different web services (in order to satisfy all customer/user needs), APIs built on the Services API have to be used in a secure fashion. The OAuth open protocol is a very good option for securing this type of communication. The current system of API keys used by the Services API is a combination of user name and password, and such a key is too unsafe to share around the web. A key also cannot be unshared once it has been shared or handed over to another web service. The tokens provided by the OAuth system will give users a much safer and risk-free browsing experience.
Integrating OAuth Core 1.0 into Drupal's Services API will give users/administrators a pluggable authentication system, so that they can choose between the current system of API keys and the OAuth token system to access the desired web services. OAuth provides “tokens” to users instead of keys. For each kind of web service, OAuth issues a different kind of token to the user. These tokens are also time-bound: a token grants an amount of access time to another service and then expires automatically (this could be a two-hour access time).
Does this mean that OAuth is like OpenID?
The OAuth approach might be considered better than the OpenID approach, as users don't have to do anything to understand it. They just browse normally with their existing methods, but in a secure manner.
OAuth integration with Service API will rescue users, and developers, who put themselves at risk by sharing their private information.
Important about this project
After discussing it with my mentors and looking at the situation, I have decided to do this project without making an additional "oauth_services" module. We will be implementing OAuth's functionality in Drupal and Services by adding to the existing modules. So I will be committing my code to the "oauth" and "services" modules, not to another new module.
This is in everyone's favor, as we always want to install fewer modules while working :P .
The test server is already running the latest code, which is in good condition to make tests with :) :
http://tut2tech.com/sb2/?q=admin/build/oauth
Go on, send me feedback.
Discussion Link : http://groups.drupal.org/node/10268
Services Issues link : http://drupal.org/node/238814
oauth_services issue link : http://drupal.org/node/275107
Current status: Base work going on. Understanding Drupal core better and finding some algorithmic way to integrate OAuth to services module
Description
By means of this project I would like to contribute a module to the Drupal community which will give the existing Services API a pluggable authentication module, so that users will be able to choose between the existing API keys method and the OAuth method to access other web services. Drupal's existing Services API implementation is pretty weak, so integrating it with the open protocol OAuth will enhance its security features.
Status updates
- 20th May 2008 : Earlier preparations for project started ..
- 27th May 2008 - week 1
- Testing the already existing (in development) OAuth module and looking at its implementation in Services via a hook system (hook still to be produced by Adrain)
- Try implementing server-side testing with Drupal and OAuth
- Designing a UI for the upcoming OAuth_services module; its contents decided so far will be:
- OAuth
- Keys for Drupal site
- Consumers user can access
- Shared keys with other sites
- A testing Browser for making requests
- Discussing more about its implementation in Services
- Working on a hook to implement OAuth's authentication system to Services
- coding UI for oauth_services
- modifying code in Services to work with new authentication system and end points
- Fixed some code from OAuth module
- Earlier it was producing key and secret for just one user and then it was overwriting it
- Still to fix in it :
1. Nonce entry to table with proper timestamp
- Made some changes to Services library to use OAuth for authorization
- Writing a module "oauth_call" so that test calls for request token and access token can be made from here only ... still in progress (not completed)
- Writing test code for requests (for test purposes only) - will be out soon
Week with bad health - Now I am pushing it harder
WEEK - 2
WEEK - 3
- What I did this week :
- second-last week's updates
- Returned from Google's office trip from Bangalore
- Project reaching to final touches
- Fixed 2 broken tables
- adding help to module to make it easy to use
- writing API documentation
- Take final feedback from mentors and community to make a final release
work to do this week
Comments
OAuth now with google Data APIs-alpha-released with contacts api
Google announced that the Google Contacts Data API now
supports OAuth. This is gonna be their first step towards OAuth enabling all
Google Data APIs. Please note that this is an alpha release and we may
make changes to the protocol before the official release.
Here are the three end points used in OAuth to get a token:
https://www.google.com/accounts/OAuthGetRequestToken?scope=http://www...
https://www.google.com/accounts/OAuthAuthorizeToken
https://www.google.com/accounts/OAuthGetAccessToken
To register for a consumer key / upload your RSA public key:
https://www.google.com/accounts/ManageDomains
(see http://code.google.com/apis/accounts/docs/RegistrationForWebAppsAuto....
for help on registering your domain)
Caveats:
- This currently only supports RSA-SHA1 mode.
- The consumer key is the domain hostname you registered. Currently
there are no consumer_secrets.
- The scope parameter specifies the URL identifying the service to be
accessed. See http://code.google.com/apis/contacts/developers_guide_protocol.html
for details about the Google Contacts Data API.
Download a sample client at http://weitu.googlepages.com/GoogleDataOAuthSample.jar.
Alternatively, Andy Smith (termie) has written a php test server
(http://term.ie/oauth/example/client.php?sig_method=RSA-SHA1) that
provides an easy way to test getting OAuth tokens with RSA. It uses
the example key pair on the OAuth wiki (http://wiki.oauth.net/TestCases).
Also a test consumer with
consumer_key=weitu.googlepages.com that uses the same RSA key pair for
you to test with.
//resource : oauth-google group announcement , http://groups.google.com/group/oauth/browse_thread/thread/75ee6d973930c7...
sumit kataria
http://www.tut2tech.com
SumitK
www.sumitk.net
Very Cool!
This looks very promising. Keep it up, Sumit!
ORKUT-sandbox support with OAuth now
Increasing support from Google for OAuth
Today Google announced OAuth support for the ORKUT sandbox
A sample walkthrough of an OAuth gadget: https://sites.google.com/site/ericsachs/demoproxy
Gadgets support for OAuth is already there :)
Here is code from Google:
http://oauth.googlecode.com/svn/code/java
sumit kataria
www.sumitk.com
SumitK
www.sumitk.net
Issues
Hi all
issues regarding OAuth and oauth integration with services are here
http://drupal.org/node/238814#comment-887465 ( latest fixed OAuth module)
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net
All Google APIs support OAuth
http://www.readwriteweb.com/archives/google_oauth.php
Kyle Mathews
Kyle Mathews
code now in cvs
committed code in cvs + patches are in issue queue
http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/oauth/
and patches to ServicesAPI for use with OAuth are here
http://drupal.org/node/238814#comment-886027
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net
An announcement regarding this project
After discussing it with my mentors and looking at the situation, I have decided to do this project without making an additional "oauth_services" module. We will be implementing OAuth's functionality in Drupal and Services by adding to the existing modules. So I will be committing my code to the "oauth" and "services" modules, not to another new module.
This is in everyone's favor, as we always want to install fewer modules while working :P .
The test server is already running the latest code, which is in good condition to make tests with :) :
http://tut2tech.com/sb2/?q=admin/build/oauth
Go on, send me feedback.
Discussion Link : http://groups.drupal.org/node/10268
Services Issues link : http://drupal.org/node/238814
oauth_services issue link : http://drupal.org/node/275107
cheers!!
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net
Alpha release of code - oauth + Services
Hi all
Here I announce alpha release of oauth + services module's code
link to download latest modules(oauth+services) :: http://drupal.org/files/issues/oauth%20+%20services%2005_07_08.tar_.gz
you can also test this code over Test server at :: http://www.tut2tech.com/sb2/?q=admin/build/oauth
All details are on front page regarding how to use demo server
oauth module's latest code is in cvs too, Services will be updated soon
For Admin's (Link to mentors's feedback) :: http://drupal.org/node/275107
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net
Drupal OR flickr API - no like flickr ;)
Hi all
I am very excited to tell you about the latest changes the OAuth module is going through
We have added a functionality named "cool auth" in this module which makes it work like flickr/youtube/ API
Now when users register an account with a Drupal website they can enable "cool auth" service from user's account page
After enabling and filling details about their application (which will be using site's resources) they create an API key +API secret pair which is unique to one activated account
Note: their oauth credentials are different - they are used to make user specific auth calls - but these "cool auth " credentials are used to make registered application specific calls
so now 2 more parameters are inserted in Oauth calls as $params['application_key'] and $params['application_sig'] = md5($application_secret.$nonce); - here nonce is unique per call
these are just required for first call(required) - because request token/secret pair is produced in that call only - rest of OAuth authentication process remains same as it was
By introducing cool auth we can better track APPLICATIONS using site's resources and users can have better control over them
Separate admin UI and User UI have been added for cool auth and OAuth now - you can test on sandboxes ;) - tut2tech.com/sb5/
Hope getting feedbacks from you all .............
Also posting this in issue queue
cheers!!
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net
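The server-side check of the application_key / application_sig pair described in the comment above, as an added example that is not part of the original post or of the oauth module's code. It swaps the post's md5($application_secret.$nonce) for HMAC-SHA256 and adds a timestamp window and a nonce store; the function names, the 'nonce' and 'timestamp' parameter names, the in-memory arrays and all sample values are assumptions.

```php
<?php
// Added example, not code from the oauth module. Function names, the
// 'nonce' and 'timestamp' parameter names, the in-memory stores and all
// sample values are assumptions constructed for illustration.
// The post's form is md5($application_secret . $nonce): a secret-prefix
// hash over the nonce alone. HMAC is the standard keyed construction.

// HMAC-SHA256 keyed with the application secret, covering the application
// key and timestamp as well as the nonce.
function cool_auth_sig_hmac(string $secret, string $key, string $nonce, int $ts): string {
  return hash_hmac('sha256', $key . "\n" . $nonce . "\n" . $ts, $secret);
}

// Server-side check for the first (request token) call. $apps maps
// application_key => application_secret; $seen records accepted nonces.
function cool_auth_verify(array $p, array $apps, array &$seen, int $now, int $window = 300): string {
  $key = (string) ($p['application_key'] ?? '');
  if (!isset($apps[$key])) {
    return 'unknown application';
  }
  $ts = (int) ($p['timestamp'] ?? 0);
  if (abs($now - $ts) > $window) {
    return 'stale timestamp';
  }
  $nonce = (string) ($p['nonce'] ?? '');
  $expected = cool_auth_sig_hmac($apps[$key], $key, $nonce, $ts);
  // hash_equals() compares in constant time, unlike == or ===.
  if (!hash_equals($expected, (string) ($p['application_sig'] ?? ''))) {
    return 'bad signature';
  }
  // "Unique per call" only holds if the server remembers accepted nonces.
  if (isset($seen[$key][$nonce])) {
    return 'replayed nonce';
  }
  $seen[$key][$nonce] = $ts;
  return 'ok';
}

// Constructed sample call.
$apps = ['app-key-123' => 'app-secret-456'];
$seen = [];
$now = 1215000000;
$call = ['application_key' => 'app-key-123', 'nonce' => 'n-0001', 'timestamp' => $now];
$call['application_sig'] = cool_auth_sig_hmac('app-secret-456', 'app-key-123', 'n-0001', $now);
foreach ([$now, $now, $now + 3600] as $t) {  // first use, repeat, an hour later
  echo cool_auth_verify($call, $apps, $seen, $t), "\n";
}
```

Because the timestamp window is checked before the nonce lookup, stored nonces older than the window can be pruned, which is what a nonce table with a proper timestamp column makes possible.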
link to download modules tar
To test this you may need to patch Services module for some changes -
So I am giving link to latest code(services + oauth module)
http://www.doctorsofta.com/tut2tech/Archive.tar.gz
cheers!!
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net
final beta release
OAuth module has been released with its beta version now
you can make a cvs checkout OR download a copy from http://drupal.org/project/oauth
Documentation for module is in progress and you can also expect a screencast showing how to use oauth module in a couple of days :)
cheers!!
sumit kataria
www.sumitk.net
SumitK
www.sumitk.net