Posted to user@couchdb.apache.org by Doug <do...@gmail.com> on 2010/11/02 02:34:35 UTC

OAuth example

Can anyone point me in the right direction to see an oauth example?

I've seen this page:
http://wiki.apache.org/couchdb/Authentication_and_Authorization

...but that doesn't seem to be anything useful.

Web oauth typically works like this:

1) Get a request token.
2) Send the user to a login page and pass the request token.
3) User gets redirected back to a separate url with an authorised request
token.
4) Send the authorised request token in and get an access token.

5+) Send all requests signed by the access token.

I've reviewed the code here:
https://issues.apache.org/jira/browse/COUCHDB-420

...and it looks like it does actually check for validly signed requests, but
I don't really get how to:

1) Get a request token.

2) Authorise it.

3) Get an access token.

4) Mark a request as signed via oauth.

I might have misunderstood, but the example seems to assume that you already
know what your access token is before you start and just skipped over steps
1-3.

Anyone actually managed to get this to work from a desktop / web app,
instead of just that one specific python example?

~
Doug.

Re: OAuth example

Posted by Martin Higham <ma...@ocastalabs.com>.
Gmail, Facebook etc fully or partially support OpenID to allow you to
use your Facebook or GMail OpenID to login to other services. OpenID
and OAuth 1.0 are separate things. CouchDB does not support OpenID.

There is a CouchDB-OpenID project on github but I've not tried it.

Martin

On Wednesday, November 3, 2010, Ido Ran <id...@gmail.com> wrote:
> Hi, I hope it is the right place to ask it.
> I want to write an application and I don't want my users to remember yet
> another username and password set.
> Is OAuth the answer for it?
> Can I use it for single-sign-on using Gmail, Facebook, Yahoo or any other
> provider?
>
> Ido
>
> On Wed, Nov 3, 2010 at 10:44 AM, Doug <do...@gmail.com> wrote:
>
>> Basically, no.
>>
>> Even if it did implement the full set of actions, you'd still only be able
>> to use a couchdb login to login to other services, not vice versa...
>>
>> ~
>> Doug.
>>
>> On Wed, Nov 3, 2010 at 3:52 PM, Wordit Ltd <wo...@googlemail.com>
>> wrote:
>>
>> > On Tue, Nov 2, 2010 at 10:18 AM, Martin Higham <ma...@ocastalabs.com>
>> > wrote:
>> > >
>> > > The CouchDB OAuth implementation is a partial implementation that
>> > > supports the OAuth signing of requests where the client has its client
>> > > credentials and knows the user's access token.
>> >
>> > Does that mean you can let users log in via their OpenID, Twitter or
>> > Facebook account? That's what I couldn't figure out yet.
>> >
>> > If not, is it at all possible with CouchDB? Many commenting systems
>> > use that now and it's great not to require additional signups.
>> >
>> > Marcus
>> >
>>
>

Re: OAuth example

Posted by Ido Ran <id...@gmail.com>.
Hi, I hope it is the right place to ask it.
I want to write an application and I don't want my users to remember yet
another username and password set.
Is OAuth the answer for it?
Can I use it for single-sign-on using Gmail, Facebook, Yahoo or any other
provider?

Ido

On Wed, Nov 3, 2010 at 10:44 AM, Doug <do...@gmail.com> wrote:

> Basically, no.
>
> Even if it did implement the full set of actions, you'd still only be able
> to use a couchdb login to login to other services, not vice versa...
>
> ~
> Doug.
>
> On Wed, Nov 3, 2010 at 3:52 PM, Wordit Ltd <wo...@googlemail.com>
> wrote:
>
> > On Tue, Nov 2, 2010 at 10:18 AM, Martin Higham <ma...@ocastalabs.com>
> > wrote:
> > >
> > > The CouchDB OAuth implementation is a partial implementation that
> > > supports the OAuth signing of requests where the client has its client
> > > credentials and knows the user's access token.
> >
> > Does that mean you can let users log in via their OpenID, Twitter or
> > Facebook account? That's what I couldn't figure out yet.
> >
> > If not, is it at all possible with CouchDB? Many commenting systems
> > use that now and it's great not to require additional signups.
> >
> > Marcus
> >
>

Re: OAuth example

Posted by Doug <do...@gmail.com>.
Basically, no.

Even if it did implement the full set of actions, you'd still only be able
to use a couchdb login to login to other services, not vice versa...

~
Doug.

On Wed, Nov 3, 2010 at 3:52 PM, Wordit Ltd <wo...@googlemail.com> wrote:

> On Tue, Nov 2, 2010 at 10:18 AM, Martin Higham <ma...@ocastalabs.com>
> wrote:
> >
> > The CouchDB OAuth implementation is a partial implementation that
> > supports the OAuth signing of requests where the client has its client
> > credentials and knows the user's access token.
>
> Does that mean you can let users log in via their OpenID, Twitter or
> Facebook account? That's what I couldn't figure out yet.
>
> If not, is it at all possible with CouchDB? Many commenting systems
> use that now and it's great not to require additional signups.
>
> Marcus
>

Re: OAuth example

Posted by Wordit Ltd <wo...@googlemail.com>.
On Tue, Nov 2, 2010 at 10:18 AM, Martin Higham <ma...@ocastalabs.com> wrote:
>
> The CouchDB OAuth implementation is a partial implementation that supports
> the OAuth signing of requests where the client has its client credentials
> and knows the user's access token.

Does that mean you can let users log in via their OpenID, Twitter or
Facebook account? That's what I couldn't figure out yet.

If not, is it at all possible with CouchDB? Many commenting systems
use that now and it's great not to require additional signups.

Marcus

Re: OAuth example

Posted by Martin Higham <ma...@ocastalabs.com>.
The CouchDB OAuth implementation is a partial implementation that supports
the OAuth signing of requests where the client has its client credentials
and knows the user's access token.

There are two _oauth special URLs _oauth/request_token and _oauth/authorize
but I don't think these are fully implemented. I have only got calls to
_oauth/request_token to return a valid response when signing the request
with the client and access keys/secrets and the test cases do the same.

There is nothing in place (or at least I haven't found it) to assist in key,
token or secret creation or to support the full three-legged authentication
where a user is required to authorise a client to authenticate on their
behalf.

Martin

On 2 November 2010 01:34, Doug <do...@gmail.com> wrote:


> Can anyone point me in the right direction to see an oauth example?
>
> I've seen this page:
> http://wiki.apache.org/couchdb/Authentication_and_Authorization
>
> ...but that doesn't seem to be anything useful.
>
> Web oauth typically works like this:
>
> 1) Get a request token.
> 2) Send the user to a login page and pass the request token.
> 3) User gets redirected back to a separate url with an authorised request
> token.
> 4) Send the authorised request token in and get an access token.
>
> 5+) Send all requests signed by the access token.
>
> I've reviewed the code here:
> https://issues.apache.org/jira/browse/COUCHDB-420
>
> ...and it looks like it does actually check for validly signed requests,
> but I don't really get how to:
>
> 1) Get a request token.
>
> 2) Authorise it.
>
> 3) Get an access token.
>
> 4) Mark a request as signed via oauth.
>
> I might have misunderstood, but the example seems to assume that you
> already know what your access token is before you start and just skipped
> over steps 1-3.
>
> Anyone actually managed to get this to work from a desktop / web app,
> instead of just that one specific python example?
>
> ~
> Doug.
>
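The case the thread says does work, a client that already holds its consumer credentials and the user's access token signing a request, looks like this in OAuth 1.0 HMAC-SHA1 terms. This is an added example, not code from the thread or from CouchDB: the function names and secret tables are hypothetical, the sample values are the published OAuth Core 1.0 Appendix A ones, and the base URI handling assumes default ports.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    # OAuth 1.0 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Query and oauth_* parameters are signed together; oauth_signature is not.
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret):
    # Client side: the HMAC key is both secrets joined by "&".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, oauth_params).encode(), hashlib.sha1)
    return base64.b64encode(digest.digest()).decode()


def verify(method, url, oauth_params, consumer_secrets, token_secrets):
    # Server side: look up both secrets, recompute, compare in constant time.
    c_secret = consumer_secrets.get(oauth_params.get("oauth_consumer_key"))
    t_secret = token_secrets.get(oauth_params.get("oauth_token"))
    if c_secret is None or t_secret is None:
        return False
    expected = sign(method, url, oauth_params, c_secret, t_secret)
    return hmac.compare_digest(expected.encode(), str(oauth_params.get("oauth_signature", "")).encode())


# Constructed sample: OAuth Core 1.0 Appendix A values (hypothetical secret tables).
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
CONSUMER_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TOKEN_SECRETS = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}
```

A production verifier would also reject stale timestamps and reused nonces, which this sketch leaves out.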