PHP Classes

2-legged OAuth

Subject:2-legged OAuth
Summary:Using OAuth for authentication in a client-server scenario
Messages:10
Author:Francesco Ajmone Marsan
Date:2013-04-04 16:42:16
Update:2013-04-11 10:37:18
 

  1. 2-legged OAuth
Francesco Ajmone Marsan - 2013-04-04 16:42:17
Hi Manuel, excellent class!

Is it possible to use it in a 2-legged scenario:
- Client has got credentials client-id and client_secret
- Client uses his client credentials (and empty token credentials)
to access the protected resources on the server

So token should be left empty to signal this is a 2-legged authentication.

Could you briefly summarize variable setup and sequence of methods to call?

The server I need to access uses this OAuth protocol.

Many thanks!
Francesco


  2. Re: 2-legged OAuth
Manuel Lemos - 2013-04-05 07:48:59 - In reply to message 1 from Francesco Ajmone Marsan
I am not sure what you are asking.

If you look at the existing login example scripts, they seem to do what you want because that is the way the OAuth protocol works.

The class redirects the user to the server site to get permissions.

The user is redirected back to the script with some information to get the access token.

The class stores the token so it can be used to make API calls.

If you run the script next time, the class fetches the token from your server storage. So it does not go through the process of obtaining the authorization again until the token expires.

In this case the class uses sessions to store tokens. Real applications should override the class GetAccessToken and StoreAccessToken functions to use a different kind of store, say a database table instead of sessions.

From then on, you can make API calls using the CallAPI function instead of going through the Process function again.

Just let me know if this clarifies your doubts.

  3. Re: 2-legged OAuth
Francesco Ajmone Marsan - 2013-04-05 11:38:32 - In reply to message 2 from Manuel Lemos
Basically I am referring to this scenario:

oauth.googlecode.com/svn/spec/ext/c ...

Where there is no token, and we are just producing an oauth_signature based on the Signature Base String (which is the normalized http(s) string).

It is a very simple scenario, very similar to a username/password authentication, with just the signature added, so the password is not in clear.

Would your class support this?

Thanks!
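
Added example, not part of the thread and not code from the OAuth class: stand-alone PHP for the 2-legged signing described in message 3, building the RFC 5849 signature base string and an HMAC-SHA1 `oauth_signature` with an empty token secret. The function names, URL and credentials are hypothetical, and sending `oauth_token` with an empty value (rather than omitting it) is an assumption taken from the first post's description.

```php
<?php
// Constructed example: 2-legged OAuth 1.0 signing (RFC 5849, HMAC-SHA1).

// $url must already be the base string URI: lowercase scheme/host, no query string.
// Assumes parameter names are unique (an associative array cannot hold duplicates).
function signature_base_string(string $method, string $url, array $params): string {
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [rawurlencode((string)$name), rawurlencode((string)$value)];
    }
    // Byte-wise sort by encoded name, then by encoded value.
    usort($pairs, fn($a, $b) => strcmp($a[0], $b[0]) ?: strcmp($a[1], $b[1]));
    $normalized = implode('&', array_map(fn($p) => $p[0] . '=' . $p[1], $pairs));
    return strtoupper($method) . '&' . rawurlencode($url) . '&' . rawurlencode($normalized);
}

function two_legged_auth_header(string $method, string $url, array $query,
                                string $clientId, string $clientSecret,
                                string $nonce, int $timestamp): string {
    $oauth = [
        'oauth_consumer_key'     => $clientId,
        'oauth_nonce'            => $nonce,
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string)$timestamp,
        'oauth_token'            => '',   // assumption: present but empty for 2-legged
        'oauth_version'          => '1.0',
    ];
    // Query parameters are signed together with the oauth_* parameters.
    $base = signature_base_string($method, $url, $oauth + $query);
    // Signing key is "client_secret&token_secret"; the token secret is empty here,
    // so only the client secret (never transmitted) authenticates the request.
    $signingKey = rawurlencode($clientSecret) . '&';
    $oauth['oauth_signature'] = base64_encode(hash_hmac('sha1', $base, $signingKey, true));

    $parts = [];
    foreach ($oauth as $name => $value) {
        $parts[] = rawurlencode($name) . '="' . rawurlencode($value) . '"';
    }
    return 'Authorization: OAuth ' . implode(', ', $parts);
}

// Constructed sample values; every request needs a fresh random nonce and the current time.
echo two_legged_auth_header('GET', 'https://api.example.com/resource', ['id' => '42'],
    'sample-client-id', 'sample-client-secret', bin2hex(random_bytes(16)), time()), "\n";
```

The signature covers the method, URL and parameters only, so the response and any non-form request body still depend on TLS for protection.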

  4. Re: 2-legged OAuth
Manuel Lemos - 2013-04-05 13:50:25 - In reply to message 3 from Francesco Ajmone Marsan
That is what the CallAPI function is for. It can send requests to the server API without the user presence.

  5. Re: 2-legged OAuth
Francesco Ajmone Marsan - 2013-04-08 17:10:49 - In reply to message 4 from Manuel Lemos
Thanks Manuel!

There are a few minor changes required to have the CallAPI function work in my scenario:
- it should accept an empty token
- a response of content type text/plain should not be sent through parse_str() but the response data passed through "as is"
- as a response I get a resource uri, together with a 303 status, what I should do then is redirect to the uri to get the content. To do this I had to accept 303 as a valid status instead of error

Once these changes are implemented, the class works perfectly!!

Don't know if you would like to incorporate them as optional.

Francesco

  6. Re: 2-legged OAuth
Manuel Lemos - 2013-04-09 02:04:57 - In reply to message 5 from Francesco Ajmone Marsan
This is odd. If you do not need the access token, this is just a regular HTTP request that has nothing to do with OAuth.

You can just use the HTTP client class directly and it will do everything you want without having to adjust the OAuth class.

  7. Re: 2-legged OAuth
Francesco Ajmone Marsan - 2013-04-09 09:36:18 - In reply to message 6 from Manuel Lemos
Yes that makes sense. The reason I use OAuth is because I need an oauth_signature, and your class easily creates one.

  8. Re: 2-legged OAuth
Manuel Lemos - 2013-04-09 10:20:06 - In reply to message 7 from Francesco Ajmone Marsan
That is odd. I have never seen a service that needs a signature but does not require an access token.

I will add some options to allow that case and also handle redirection.

  9. Re: 2-legged OAuth
Francesco Ajmone Marsan - 2013-04-09 10:28:49 - In reply to message 8 from Manuel Lemos
Great! That would be nice! My scenario is exactly represented by the above article:
oauth.googlecode.com/svn/spec/ext/c ...

  10. Re: 2-legged OAuth
Manuel Lemos - 2013-04-11 10:37:18 - In reply to message 9 from Francesco Ajmone Marsan
I just uploaded a new version that supports redirection with the option FollowRedirection and 2-legged requests with the option 2Legged.

Since I do not know any API that requires this, I was not able to test it for real. Just let me know if this works for you.