OAuth server
General
The OAuth protocol enables web service consumers to access protected resources via an API without requiring users to supply their service credentials to the consumers. It is a generic methodology for authentication.
API
Virtuoso implements OAuth and exposes the following API endpoints:
Request token
Endpoint: http://chost/OAuth/request_token
Parameters:
- oauth_consumer_key: The Consumer Key.
- oauth_signature_method: The signature method the Consumer used to sign the request.
- oauth_signature: The signature as defined in Signing Requests.
- oauth_timestamp: As defined in Nonce and Timestamp.
- oauth_nonce: As defined in Nonce and Timestamp.
- oauth_version: OPTIONAL. If present, value MUST be 1.0.
Example
Request:
http://localhost:8890/OAuth/request_token?oauth_version=1.0&oauth_nonce=dad4cb071e2169cbcaa051d404ac61a3&\
oauth_timestamp=1201873644&oauth_consumer_key=f756023be5ff1f20881cf8fe398069f3976b2304&\
oauth_signature_method=HMAC-SHA1&oauth_signature=z76k5fQ0msFsQzCmhO%2FJZ329ZUE%3D
Note: all long lines in the example texts are split; the actual GET request is a single line.
Response:
oauth_token=b4e22daa117b0bebf60ab6ba6e401edc7addd78c&oauth_token_secret=4de6e3ab17553a0a385ebf6a3b4dd30f
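How the oauth_signature, oauth_timestamp and oauth_nonce parameters listed above fit together under OAuth 1.0 HMAC-SHA1, as an added example that is not Virtuoso's own code: it signs the request_token parameters from this example and runs typical server-side checks on them. The consumer secret, the 300-second window and the in-memory nonce store are assumptions, so the computed signature differs from the one shown above.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def enc(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Sorted, encoded name=value pairs; oauth_signature itself is never signed.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 key is "consumer_secret&token_secret" (token secret empty for request_token).
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Verifier:
    def __init__(self, max_skew=300):      # assumed acceptance window, in seconds
        self.max_skew = max_skew
        self.seen = set()                  # accepted (consumer key, timestamp, nonce)

    def check(self, method, url, params, consumer_secret, token_secret="", now=None):
        now = time.time() if now is None else now
        if params.get("oauth_version", "1.0") != "1.0":
            return "bad version"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported signature method"
        ts = params.get("oauth_timestamp", "")
        if not ts.isdecimal() or abs(now - int(ts)) > self.max_skew:
            return "stale or malformed timestamp"
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return "bad signature"
        # Record the nonce only after the signature verifies, so unsigned traffic cannot fill the store.
        replay_key = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return "replayed nonce"
        self.seen.add(replay_key)
        return "ok"

# Parameters from the request_token example above; the secret is a constructed placeholder.
URL, SECRET = "http://localhost:8890/OAuth/request_token", "constructed-consumer-secret"
SAMPLE = {"oauth_version": "1.0", "oauth_nonce": "dad4cb071e2169cbcaa051d404ac61a3",
          "oauth_timestamp": "1201873644", "oauth_signature_method": "HMAC-SHA1",
          "oauth_consumer_key": "f756023be5ff1f20881cf8fe398069f3976b2304"}
SAMPLE["oauth_signature"] = sign("GET", URL, SAMPLE, SECRET)
```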
Authorization
Endpoint: http://chost/OAuth/authorize
Parameters:
- oauth_token: The Request Token obtained in the previous step. The current implementation of the Service Provider declares this parameter as REQUIRED.
- oauth_callback: OPTIONAL. The Consumer MAY specify a URL the Service Provider will use to redirect the User back to the Consumer when Obtaining User Authorization is complete.
Example
Request:
http://localhost:8890/OAuth/authorize?oauth_token=b4e22daa117b0bebf60ab6ba6e401edc7addd78c&\
oauth_callback=http%3A%2F%2Flocalhost%3A8890%2Foauth%2Fexample%2Fclient.php%3Fkey%3D\
f756023be5ff1f20881cf8fe398069f3976b2304%26secret%3Dcc249bfb732039d8ecba9e4f94fdead7%26t\
oken%3Db4e22daa117b0bebf60ab6ba6e401edc7addd78c%26token_secret%3D4de6e3ab17553a0a385ebf6a3b4dd30f%26endpoint\
%3Dhttp%253A%252F%252Flocalhost%253A8890%252FOAuth%252Fauthorize
The User will be asked via a web page to accept or decline the token.
Access token
Endpoint: http://chost/OAuth/access_token
Parameters:
- oauth_consumer_key: The Consumer Key.
- oauth_token: The Request Token obtained previously.
- oauth_signature_method: The signature method the Consumer used to sign the request.
- oauth_signature: The signature as defined in Signing Requests.
- oauth_timestamp: As defined in Nonce and Timestamp.
- oauth_nonce: As defined in Nonce and Timestamp.
- oauth_version: OPTIONAL. If present, value MUST be 1.0.
Example
Request:
http://localhost:8890/OAuth/access_token?oauth_version=1.0&oauth_nonce=8ad75091a66bdd741472be42149c828e&\
oauth_timestamp=1201873800&oauth_consumer_key=f756023be5ff1f20881cf8fe398069f3976b2304&\
oauth_token=b4e22daa117b0bebf60ab6ba6e401edc7addd78c&oauth_signature_method=HMAC-SHA1&\
oauth_signature=tCxy0Lod4%2Bp%2FCBPV7Ph7RrsHXe4%3D
Response:
oauth_token=8c03b3da93480ca4728cc1194d6d03962f3bb5bb&oauth_token_secret=854fd29c00adcedff4fbeaeb96584911
In addition to the endpoints, Virtuoso defines an API for PL applications to check authentication:
Authentication verification
OAUTH.DBA.check_authentication (in params any, in lines any)
- Parameters:
  - params: an array of strings representing the HTTP parameters
  - lines: an array of HTTP request headers
- Result:
  - on success it returns integer 1,
  - on failure it signals an SQL error.
Sample code:
A sample service (oauth.vsp):
<html>
<body>
<?vsp OAUTH..check_authentication (params, lines); ?>
An OAuth testing page
</body>
</html>
Sample request:
http://localhost:8890/admin/oauth.vsp?oauth_version=1.0&oauth_nonce=d57640869b994b2d51bf9800229c4997&\
oauth_timestamp=1201873935&oauth_consumer_key=f756023be5ff1f20881cf8fe398069f3976b2304&\
oauth_token=8c03b3da93480ca4728cc1194d6d03962f3bb5bb&oauth_signature_method=HMAC-SHA1&\
oauth_signature=X3K4lr9bJVz5YLnnyJDkykQZivY%3D
Sample response:
<html>
<body>
An OAuth testing page
</body>
</html>