incubator-couchdb-user mailing list archives

From Martin Higham <mar...@ocastalabs.com>
Subject Re: OAuth example
Date Tue, 02 Nov 2010 09:18:41 GMT
The CouchDB OAuth implementation is a partial implementation that supports
the OAuth signing of requests where the client has its client credentials
and knows the user's access token.

There are two _oauth special URLs, _oauth/request_token and _oauth/authorize,
but I don't think these are fully implemented. I have only got calls to
_oauth/request_token to return a valid response when signing the request
with the client and access keys/secrets and the test cases do the same.

There is nothing in place (or at least I haven't found it) to assist in key,
token or secret creation or to support the full three-legged authentication
where a user is required to authorise a client to authenticate on their
behalf.

Martin

On 2 November 2010 01:34, Doug <douglas.linder@gmail.com> wrote:

> Can anyone point me in the right direction to see an oauth example?
>
> I've seen this page:
> http://wiki.apache.org/couchdb/Authentication_and_Authorization
>
> ...but that doesn't seem to be anything useful.
>
> Web oauth typically works like this:
>
> 1) Get a request token.
> 2) Send the user to a login page and pass the request token.
> 3) User gets redirected back to a separate url with an authorised request
> token.
> 4) Send the authorised request token in and get an access token.
>
> 5+) Send all requests signed by the access token.
>
> I've reviewed the code here:
> https://issues.apache.org/jira/browse/COUCHDB-420
>
> ...and it looks like it does actually check for validly signed requests,
> but I don't really get how to:
>
> 1) Get a request token.
>
> 2) Authorise it.
>
> 3) Get an access token.
>
> 4) Mark a request as signed via oauth.
>
> I might have misunderstood, but the example seems to assume that you
> already know what your access token is before you start and just skipped
> over steps 1-3.
>
> Anyone actually managed to get this to work from a desktop / web app,
> instead of just that one specific python example?
>
> ~
> Doug.
>
