OAuth is an open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.
liboauth provides functionality to encode URLs and sign requests according to the OAuth standard, implemented in compatible POSIX-C.
oauth-utils is a collection of command-line tools implementing an OAuth consumer.
Each tool prints its usage with --help; manual pages are available for both oauthsign and oauthverify.
Source
The source is in git (Debian packaging included; building requires autotools). Build Debian packages:
git clone git://gareus.org/liboauth
cd liboauth
git branch upstream
#make maintainer-clean
git-buildpackage
#make check
cd .. && sudo dpkg -i liboauth*.deb
git clone git://gareus.org/oauth-utils
cd oauth-utils
git branch upstream
#make maintainer-clean
git-buildpackage
#make check # connects to http://term.ie/oauth/example !
cd .. && sudo dpkg -i oauth-utils*.deb
Both oauthsign and oauthverify are documented in un*x manual pages. You may want to consult man oauth-utils as well.
usage examples
perform requests with fixed tokens
oauthsign -c consumer-key -C "" -t access-token -T token-secret 'http://example.org/?do=admin'
oauthsign -X -d "do=requesttoken" 'http://example.org/' consumer-key ""
debug OAuth parameters - print the OAuth base-string:
oauthsign -b -c consumer-key -C "" -t access-token -T token-secret 'http://example.org/?do=admin'
test server walk-through
See also example.sh below.
Get a request-token for the consumer key "key" with consumer-secret "secret" from the server and save it to /tmp/test.oaf:
oauthsign -X -f /tmp/test.oaf -w -e -c key -C secret http://term.ie/oauth/example/request_token.php
Exchange this request-token for an access token and replace the token+secret in /tmp/test.oaf:
oauthsign -X -f /tmp/test.oaf -w http://term.ie/oauth/example/access_token.php
Perform some requests with the consumer and access token/secrets in same file:
oauthsign -x -f /tmp/test.oaf "http://term.ie/oauth/example/echo_api.php?method=foo%20bar&bar=baz"
oauthsign -x -f /tmp/test.oaf -d method=foo%20bar -d "bar=baz &test%" --post http://term.ie/oauth/example/echo_api.php
output of oauthsign --help
oauthsign - command line utilities for oauth
Usage: ./src/oauthsign [OPTION]... URL [CKey] [CSec] [TKey] [Tsec]

Options:
 -h, --help                  display this help and exit
 -V, --version               output version information and exit
 -q, --quiet, --silent       inhibit usual output
 -v, --verbose               print more information
     --no-warn               dont print any warnings.
 -b, --base-string           print OAuth base-string and exit
 -B, --base-url              print OAuth base-URL and exit
 -r, --request <type>        HTTP request type (HEAD, PUT, POST, GET [default],..)
 -p, --post                  same as -r POST
 -d, --data <key>[=<val>]    add url query parameters.
 -m, --signature-method <m>  oauth signature method (PLAINTEXT, RSA-SHA1, HMAC-SHA1 [default])
 -c, --CK, --consumer-key <text>
 -C, --CS, --consumer-secret <text>
 -t, --TK, --token-key <text>
 -T, --TS, --token-secret <text>
 -a, --callback <url>        specify oauth_callback url (or 'oob') // 1.0 Rev A
 -A, --verifier <text>       specify oauth_verifier // 1.0 Rev A
 -f, --file <filename>       read tokens and secrets from config-file
 -w                          write tokens to config-file
 -F <filename>               set config-file name w/o reading the file.
 -x                          make HTTP request and return the replied content
 -X                          make HTTP request and parse the reply for tokens
                             use '-X -w' to request and store tokens.
     --dry-run               take no real actions (with -x, -w or -X)
 -e, --erase-tokens          clear [access|request] tokens.
 -E, --erase-all             wipe all tokens and reset method to HMAC-SHA1.
     --erase-consumer-key    unset consumer-key
     --erase-consumer-secret unset consumer-secret
     --erase-token-key       unset token-key
     --erase-token-secret    unset token-secret

The position of parameters -d, -f, -F, -e, -E and all tokens matters!
Tokens are read from file at the moment the -f option is parsed overriding
the current value(s). Optional trailing key/secret params are parsed last.
eg. '-f config.txt -e -C secret -F out.txt -w' reads the settings from
file, then deletes the access/request tokens and finally overrides the
consumer-secret. Only the consumer-key is left from config.txt and will
be saved to out.txt along with the new secret. If -X is given and the
HTTP request succeeds, the received token and secret will be stored as
well.

The request URL is constructed by first parsing all query-parameters from
the URL; then -d parameters are added, and finally oauth_XYZ params
appended.
doc/example.sh from oauth-utils
#!/bin/bash
CONFIGFILE=${1:-"./oauthconf"}
OAUTHSIGN=./src/oauthsign
if ! test -x $OAUTHSIGN; then
OAUTHSIGN=../src/oauthsign
fi
if ! test -x $OAUTHSIGN; then
OAUTHSIGN=$(which oauthsign)
fi
if ! test -x $OAUTHSIGN; then
echo " oauthsign executable not found."
exit 1
fi
# default config
OPT=""
CONKEY="key"
CONSEC="secret"
BASEURL="http://term.ie/oauth/example/"
DOPARAM=""
RQT="request_token.php"
ACT="access_token.php"
#AUT="authenticate.php?"
TST="echo_api.php"
TSQ="?method=foo%20bar&bar=baz"
#TODO: make these into config files and different tests.
if [ 1 == 0 ]; then # test PLAINTEXT signature
OPT="-m PLAINTEXT"
elif [ 1 == 0 ]; then # test RSA-SHA1 signature
# NOTE: the way RSA-keys are passed to oauthsign
# will change in the future.
# so far oauthsign wants a public key as CONSUMER SECRET
# and oauthverify expects a private key..
OPT="-v -m RSA-SHA1"
CONSEC="-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALRiMLAh9iimur8V
A7qVvdqxevEuUkW4K+2KdMXmnQbG9Aa7k7eBjK1S+0LYmVjPKlJGNXHDGuy5Fw/d
7rjVJ0BLB+ubPK8iA/Tw3hLQgXMRRGRXXCn8ikfuQfjUS1uZSatdLB81mydBETlJ
hI6GH4twrbDJCR2Bwy/XWXgqgGRzAgMBAAECgYBYWVtleUzavkbrPjy0T5FMou8H
X9u2AC2ry8vD/l7cqedtwMPp9k7TubgNFo+NGvKsl2ynyprOZR1xjQ7WgrgVB+mm
uScOM/5HVceFuGRDhYTCObE+y1kxRloNYXnx3ei1zbeYLPCHdhxRYW7T0qcynNmw
rn05/KO2RLjgQNalsQJBANeA3Q4Nugqy4QBUCEC09SqylT2K9FrrItqL2QKc9v0Z
zO2uwllCbg0dwpVuYPYXYvikNHHg+aCWF+VXsb9rpPsCQQDWR9TT4ORdzoj+Nccn
qkMsDmzt0EfNaAOwHOmVJ2RVBspPcxt5iN4HI7HNeG6U5YsFBb+/GZbgfBT3kpNG
WPTpAkBI+gFhjfJvRw38n3g/+UeAkwMI2TJQS4n8+hid0uus3/zOjDySH3XHCUno
cn1xOJAyZODBo47E+67R4jV1/gzbAkEAklJaspRPXP877NssM5nAZMU0/O/NGCZ+
3jPgDUno6WbJn5cqm8MqWhW1xGkImgRk+fkDBquiq4gPiT898jusgQJAd5Zrr6Q8
AO/0isr/3aa6O6NLQxISLKcPDk2NOccAfS/xOtfOz4sJYM3+Bs4Io9+dZGSDCA54
Lw03eHTNQghS0A==
-----END PRIVATE KEY-----"
fi
# read config file - override above settings
if [ -e $CONFIGFILE ]; then
. $CONFIGFILE
fi
echo " --- oauthsign test and example"
echo " --- connecting to $BASEURL"
TOKENFILE=`mktemp /tmp/oauth.XXXXXXXXXX` || exit 1
function cleanup {
rm $TOKENFILE
}
trap cleanup EXIT
echo " +++ getting request token.."
$OAUTHSIGN -X $OPT -f $TOKENFILE -w -e -c "$CONKEY" -C "$CONSEC" \
"${BASEURL}${DOPARAM}${RQT}" \
|| ( echo " !!! no request token returned."; exit 1;) || exit 1;
if [ -n "$AUT" ]; then
REQTOK=$(cat $TOKENFILE | awk '/oauth_token_key=(.*)/{ print substr($1,17);}')
echo " +++ Authorization."
echo "visit: ${BASEURL}${DOPARAM}${AUT}&oauth_token=${REQTOK}"
echo -n "to authorize this request token and press enter.."
read
echo
fi
echo " +++ exchanging request token for access token"
$OAUTHSIGN -X $OPT -f $TOKENFILE -w --quiet "${BASEURL}${DOPARAM}${ACT}" \
|| ( echo " !!! token exchange failed"; exit 1;) || exit 1;
echo " +++ making test request.."
$OAUTHSIGN -x $OPT -f $TOKENFILE "${BASEURL}${TST}${TSQ}" \
|| ( echo " !!! test request failed"; exit 1;) || exit 1
#echo " +++ and another one with parameter-arrays"
#$OAUTHSIGN -x -f $TOKENFILE -d "foo=bar bar" \
# -d 'bar[1]=foo&%bar' -d 'bar[0]=bar#+b a r' --post \
# "${BASEURL}${TST}" \
# || ( echo " !!! test request failed"; exit 1;) || exit 1
exit 0
Note: As shown in the example above, RSA keys can currently be given instead of a consumer-secret (public key for oauthsign, private key for oauthverify). This is going to change. Future versions may use --rsa-private and --rsa-public and also provide for reading the key from a file.
oauthverify is the counterpart of oauthsign and very similar to it: it parses all request parameters (those appended to the URL after a '?' and the ones given to oauthverify with the -d command line option), one of which must be the oauth_signature to verify.
To recalculate the signature, the consumer (and token) secrets must be specified (e.g. -C and -T) or read from a file. If a consumer-key, token-key or signature-method is set (e.g. -c, -t or -m), they are required to match the ones in the parsed request parameters. You can use --erase-consumer-key etc. to relax such a requirement when reading tokens along with the secrets from a file.
If the signature is correct and the consumer/token key matches the given parameters (if any), oauthverify exits with a status code indicating success and prints the parsed request parameters formatted as POST parameters (more output options to come: --print0 or -0; JSON is the contender).
Note that oauthverify does not keep track of consumers, token mappings, timestamps and nonce (never more than once) identifiers. If the signature matches it prints them for others to use.
oauthverify -C secret `oauthsign -c key -C secret http://example.org`
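As an added example (not code from oauth-utils or liboauth), the signing and verification steps described above in Python: the base string is built the way the help text describes (query parameters from the URL first, then the extra -d/oauth_* parameters, all encoded, sorted and joined), HMAC-SHA1 is computed over it, and a verifier recomputes the signature, optionally requires the consumer key to match as oauthverify does with -c, and adds the nonce/timestamp replay check that oauthverify itself leaves to the caller. The sample request is constructed, adapted from RFC 5849 section 3.4.1.1; the function names are this example's own.

```python
# OAuth 1.0 HMAC-SHA1 signing and verification, modelled on oauthsign -b / oauthverify (RFC 5849 s3.4)
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def enc(s):
    # RFC 3986 percent-encoding: only unreserved chars (A-Z a-z 0-9 - . _ ~) stay bare
    return quote(s, safe="")

def base_string(method, url, extra_params=()):
    # METHOD & enc(base URL) & enc(params): query params from the URL first, then the
    # extra (-d / oauth_*) ones; oauth_signature excluded; encoded, sorted by name then value.
    u = urlsplit(url)
    port = "" if u.port in (None, 80, 443) else f":{u.port}"
    base_url = f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path}"
    params = parse_qsl(u.query, keep_blank_values=True) + list(extra_params)
    pairs = sorted((enc(k), enc(v)) for k, v in params if k != "oauth_signature")
    return "&".join([method.upper(), enc(base_url), enc("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base, consumer_secret, token_secret=""):
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()  # secrets joined by "&"
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign(method, url, params, consumer_secret, token_secret=""):
    sig = hmac_sha1(base_string(method, url, params), consumer_secret, token_secret)
    return list(params) + [("oauth_signature", sig)]

def verify(method, url, params, consumer_secret, token_secret="", consumer_key=None, seen=None):
    # Recompute like oauthverify; optionally require the consumer key to match (its -c) and,
    # which oauthverify leaves to the caller, reject a replayed (key, timestamp, nonce) triple.
    p = dict(params)
    if p.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    if consumer_key is not None and p.get("oauth_consumer_key") != consumer_key:
        return False
    expected = hmac_sha1(base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
        return False
    if seen is not None:
        triple = (p.get("oauth_consumer_key"), p.get("oauth_timestamp"), p.get("oauth_nonce"))
        if triple in seen:
            return False
        seen.add(triple)
    return True

# Constructed sample request, adapted from RFC 5849 section 3.4.1.1 (its c@ parameter left out)
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&a2=r%20b"
RFC_PARAMS = [("c2", ""), ("a3", "2 q"), ("oauth_consumer_key", "9djdj82h48djs9d2"),
              ("oauth_token", "kkk9d7dh3k39sjv7"), ("oauth_signature_method", "HMAC-SHA1"),
              ("oauth_timestamp", "137131201"), ("oauth_nonce", "7d8f3e4a")]
```

base_string("POST", RFC_URL, RFC_PARAMS) corresponds to what oauthsign -b prints for such a request, and verify() rejects a changed method, URL, secret or consumer key as well as a replayed nonce.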
oauthsign, oauthverify and an example shell script are included; other utils, e.g. oauthrawpost, are in the making. See also the mediamatic-picnic OAuth tools.