Quick OAuth Notes

2008-07-23

I got an email from rabble overnight asking for some quick notes about our consensus on OAuth + XMPP from yesterday's discussion at the XMPP Summit, so here goes...

Scenario: I want my Twhirl client to receive Kellan's tune stream from last.fm via XMPP.

  1. My Twhirl client asks last.fm for an OAuth token.

  2. If last.fm considers me a friend of Kellan's, it grants a token.

  3. My Twhirl client sends an XMPP pubsub subscription request to last.fm, with appropriate OAuth bits:

    <iq type='set'
        from='random-id@twhirl.org'
        to='last.fm'
        id='sub1'>
      <pubsub xmlns='http://jabber.org/protocol/pubsub'>
        <subscribe jid='random-id@twhirl.org'
                   node='/music/Kellan+Elliott-McCrea'/>
        <oauth xmlns='urn:xmpp:oauth'>
          <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
          <oauth_token>ad180jjd733klru7</oauth_token>
          <oauth_signature_method>PLAINTEXT+HMAC-SHA1>/oauth_signature_method>
          <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature>
        </oauth>
      </pubsub>
    </iq>
    

    Where oath_signature is:

    sign(consumer key,consumer secret,token,token secret)

  4. If the token and signature are verified, access is granted.

  5. Whee, I receive real-time last.fm updates in my Twhirl client!

I'll be updating XEP-0235 along these lines later today, but I might not get those revisions done before rabble's talk at 11:30. :)


Peter Saint-Andre > Journal