Function to generate OAuth Signature

Hi,

Thank you for the lib. Saved me lots of time and headache. I have a suggestion to make it even more powerful.

My scenario is that I would like to make authenticated API calls from javascript/ajax. However, I cannot expose the client key or secret (I think many people don't want to do that!).

That said, it would be nice if I could send an AJAX call with the params I need to a PHP function that calls a method in our lib to generate and return the oauth signature.

With that signature, I can make calls directly via Javascript without exposing any sensitive information.

How is this useful? With this function you can call heavy API functions such as uploads without going through your own web server. It's Client -> API Server.. direct.

I've looked at the code to try to do this. But I think that you might make a cleaner refactor.

Thanks

Kim

That is a bit odd.

If you want to call the PHP code on the server to get a OAuth signature, why don't you just make PHP do the OAuth server API calls you need and just return the results to the browser in your AJAX response? It seems to be faster and more secure to do it that way.

Manuel,

Haha yes it may seem odd at first. And yes you are correct that for the most part I can just use PHP to make the API calls directly and return the JSON or whatever results I need.

The use of this abstraction is for when we need to make heavy API calls such as file uploads. Typically the file data does not need to be signed and hence there is no reason to send file data (potentially 10/20 MB or if video could be 400-500MB) over the wire to our webserver when it can be sent directly from the client browser to the API server.

Essentially we can cut traffic/upload time and web server bandwidth by doing:

Client => Web Server (Params) => Client (receive Sig) => API (Sig + File Data)

Rather than

Client => Web Server (Params + File Data) => API (Sig + FileData)

Does that make sense?

Thanks

Kim

Manuel,

Can you give me some ideas where to start refactoring the code so that I can get a method just to generate the signature?

When I look at oauth_client->Process there seems to be a lot more than sig gen. The sig gen part is also quite involved... having code to treat files and also remove file parameters.... do you think this should be inside the refactored method so that old method of transferring files will still work?

Or you think the new method should not care about that and we need to make sure Process() removes the file params first?

Thanks for your thoughts!

Kim

I see. I tried to think in the past of how send OAuth requests via JavaScript but I could not figure a solution that would not expose your application client id and secret to the user with the browser, so he cannot abuse of your application.

Anyway, I moved the OAuth 1 signature code to a undocumented function named Sign() if that is useful for you. It still needs lots of parameters derived from the API call context but at least now it is isolated.

Oh thanks! Yes security is an issue.
I'll look at the code!

Thanks

Kim