[Twisted-Python] Implementing OAuth in twisted.cred

Laurens Van Houtven lvh at laurensvh.be
Sat Jul 3 15:19:18 EDT 2010


Hi!


For those who don't know what OAuth is; the Wikipedia definition is
pretty good: "OAuth (Open Authorization) is an open standard that
allows users to share their private resources (e.g. photos, videos,
contact lists) stored on one site with another site without having to
hand out their username and password." It is currently being used by
big names like Google, Facebook, and Twitter. There's a number of ways
it can do this; the current draft RFC is here:
http://tools.ietf.org/html/rfc5849 . The "Example" section is short
and a recommended read.

A number of people have tried to implement it in Twisted. AFAICT most
of them just use oauth.py. That uses urllib. Basically I guess it just
crosses its fingers and hopes that the OAuth API endpoints will always
be reachable and responsive. (I have been told this is completely
unrealistic.)

Thankfully, the OAuth spec is asynchronous in nature. I'm trying to
implement OAuth using twisted (specifically twisted.cred and
twisted.web) to promote code re-use.

In order to do the authentication OAuth relies on redirection (in most
use cases, this is HTTP redirection), which would be protocol
specific. I'm not sure how twisted.cred fits into this since it
appears to expect everything beyond the portal to be
protocol-agnostic.

I'm not sure what the credentials would be.

If I understand correctly the avatar would be the thing that has the
token credentials (for those who haven't read the OAuth spec, "token
credentials" are an OAuth thing, and not necessarily the credentials
in the twisted.cred sense); it represents a single authenticated
transaction (which might consist of many authenticated requests). This
takes care of steps 6 7 and 8 in
http://twistedmatrix.com/documents/current/core/img/cred-login.png.

The strange bits start in the CredentialsChecker, since credentials
are checked by someone else entirely.

I really don't understand the Mind, but it sounds like something that
might be required in the context of a three-actor auth system like
OAuth.

I would be really grateful if someone who actually understood
twisted.cred (and hopefully also OAuth) could shed some light on this.

Thanks in advance
Laurens



More information about the Twisted-Python mailing list