[Twisted-Python] Implementing OAuth in twisted.cred
Hi!

For those who don't know what OAuth is, the Wikipedia definition is pretty good: "OAuth (Open Authorization) is an open standard that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password." It is currently being used by big names like Google, Facebook, and Twitter. There are a number of ways it can do this; the current draft RFC is here: http://tools.ietf.org/html/rfc5849 . The "Example" section is short and a recommended read.

A number of people have tried to implement it in Twisted. AFAICT most of them just use oauth.py. That uses urllib. Basically I guess it just crosses its fingers and hopes that the OAuth API endpoints will always be reachable and responsive. (I have been told this is completely unrealistic.) Thankfully, the OAuth spec is asynchronous in nature.

I'm trying to implement OAuth using Twisted (specifically twisted.cred and twisted.web) to promote code re-use. In order to do the authentication, OAuth relies on redirection (in most use cases, this is HTTP redirection), which would be protocol specific. I'm not sure how twisted.cred fits into this, since it appears to expect everything beyond the portal to be protocol-agnostic.

I'm not sure what the credentials would be. If I understand correctly, the avatar would be the thing that has the token credentials (for those who haven't read the OAuth spec, "token credentials" are an OAuth thing, and not necessarily the credentials in the twisted.cred sense); it represents a single authenticated transaction (which might consist of many authenticated requests). This takes care of steps 6, 7 and 8 in http://twistedmatrix.com/documents/current/core/img/cred-login.png. The strange bits start in the CredentialsChecker, since credentials are checked by someone else entirely.

I really don't understand the Mind, but it sounds like something that might be required in the context of a three-actor auth system like OAuth. I would be really grateful if someone who actually understood twisted.cred (and hopefully also OAuth) could shed some light on this.

Thanks in advance,
Laurens
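Whatever shape the twisted.cred pieces end up taking, the one thing the credentials checker must do on every signed request is the RFC 5849 signature verification (plus a replay check on timestamp and nonce). The following is an added example, not code from this thread, from oauth.py or from Twisted: it implements the HMAC-SHA1 signature base string and verification from RFC 5849 sections 3.4.1 and 3.4.2 with the standard library only, so it runs without Twisted. The request parameters are the worked example from RFC 5849 section 3.4.1.1; the two secrets and the in-memory nonce set are constructed for the example.

```python
"""Server-side OAuth 1.0 (RFC 5849) request verification, standard library only.

Added example; not from the mailing-list post, oauth.py or Twisted.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(value: str) -> str:
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_' and '~' stay unencoded.
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    # RFC 5849 section 3.4.1.2: lowercase scheme and host, drop query and
    # fragment, drop the port only when it is the scheme's default.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port is not None and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def collect_parameters(url, body, oauth_params):
    # RFC 5849 section 3.4.1.3.1: query string, form body and the oauth_*
    # protocol parameters, excluding oauth_signature itself.
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if body:
        params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return params


def normalize_parameters(params):
    # RFC 5849 section 3.4.1.3.2: encode, sort by name then value, join.
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, body, oauth_params):
    normalized = normalize_parameters(collect_parameters(url, body, oauth_params))
    return "&".join(percent_encode(p) for p in (method.upper(), base_string_uri(url), normalized))


def hmac_sha1_signature(base_string, client_secret, token_secret):
    # RFC 5849 section 3.4.2: key is "client_secret&token_secret", each encoded.
    key = f"{percent_encode(client_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_request(method, url, body, oauth_params, client_secret, token_secret, seen=None):
    """Recompute the signature and compare in constant time; then reject
    replays by (consumer key, timestamp, nonce) if a `seen` set is given.
    `seen` is an unbounded constructed store; a real checker would expire
    entries outside its accepted timestamp window."""
    if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1_signature(
        signature_base_string(method, url, body, oauth_params), client_secret, token_secret)
    if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
        return False
    if seen is not None:
        replay_key = (oauth_params.get("oauth_consumer_key"),
                      oauth_params.get("oauth_timestamp"), oauth_params.get("oauth_nonce"))
        if replay_key in seen:
            return False
        seen.add(replay_key)
    return True


# Request from RFC 5849 section 3.4.1.1 (secrets below are constructed).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
    "9d7dh3k39sjv7"
)

if __name__ == "__main__":
    base = signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH)
    print("base string matches RFC:", base == RFC_BASE_STRING)
    signed = dict(RFC_OAUTH, oauth_signature=hmac_sha1_signature(base, "client-secret", "token-secret"))
    store = set()
    print("first request:", verify_request("POST", RFC_URL, RFC_BODY, signed, "client-secret", "token-secret", store))
    print("replayed request:", verify_request("POST", RFC_URL, RFC_BODY, signed, "client-secret", "token-secret", store))
```

In twisted.cred terms, `verify_request` is the body of a checker's `requestAvatarId`: the credentials object carries the method, URL, body and parsed `oauth_*` parameters, the checker looks up the client and token secrets by `oauth_consumer_key` and `oauth_token`, and only a request that passes both the signature and the replay check yields an avatar id. Note that the signature covers the query string and form body, so a checker cannot decide on the Authorization header alone; that is one reason the credentials have to stay somewhat HTTP-aware even though the portal itself is protocol-agnostic.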
Participants (3):
- Glyph Lefkowitz
- Laurens Van Houtven
- Yaroslav Fedevych