hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thom Nichols <tmnich...@gmail.com>
Subject Re: integrated OAuth?
Date Tue, 01 Feb 2011 17:33:04 GMT
On Tue, Feb 1, 2011 at 10:56 AM, Oleg Kalnichevski <olegk@apache.org> wrote:

> On Tue, 2011-02-01 at 14:33 +0000, Moore, Jonathan wrote:
> > Hi folks,
> >
> > The OAuth question posed on the user list yesterday made me wonder if it
> > would be worthwhile to have built-in OAuth support in HttpClient.
>
> It most certainly would.
>
> ....

>
> I have no good understanding how the OAuth is supposed to work, but I
> remember reading somewhere that it differs from BASIC, DIGEST and NTLM
> schemes by sending credentials preemptively rather than relying on the
> conventional challenge / response mechanism. This may (or may not) pose
> difficulties and potentially may require to treat the OAuth scheme
> differently.
>

With the release of 4.1 I think HttpClient provides all of the knobs one
would need to implement an OAuth consumer.  See:
http://code.google.com/p/oauth-signpost/issues/detail?id=44

The sample code attached to that issue is mine; with 4.1 it could be fully
integrated and a more experienced HttpClient user could put in the correct
support for multiple domains like other auth schemes have.

We also will have to decide how we go about additional external
> dependencies that may be required by OAuth code- whether or not they
> need to be made mandatory or can be kept optional and whether or not
> OAuth code should be distributed as a separate jar (artifact).
>
> Anyway, please do go ahead! There will always be ways to incorporate
> good code into HC one way or another.
>

One thing that you may want to watch out for -- I think the Signpost project
has had to create a couple site-specific workarounds for discrepancies in
OAuth server implementations.  While a project dedicated to OAuth like
Signpost can do this, I doubt HttpClient would want to include that sort of
thing.  This is anecdotal and speculation on my part, but someone may want
to reach out to the Signpost author to get their perspective and/ or
assistance.

Signpost is ASL 2.0 licensed, maybe that's what was being talked about in
previous conversations.

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message