Quick OAuth Notes


I got an email from rabble overnight asking for some quick notes about our consensus on OAuth + XMPP from yesterday's discussion at the XMPP Summit, so here goes...

Scenario: I want my Twhirl client to receive Kellan's tune stream from last.fm via XMPP.

  1. My Twhirl client asks last.fm for an OAuth token.

  2. If last.fm considers me a friend of Kellan's, it grants a token.

  3. My Twhirl client sends an XMPP pubsub subscription request to last.fm, with appropriate OAuth bits:

    <iq type='set'>
      <pubsub xmlns='http://jabber.org/protocol/pubsub'>
        <subscribe jid='random-id@twhirl.org'/>
        <oauth xmlns='urn:xmpp:oauth'>
          <!-- OAuth parameters, including oauth_signature -->
        </oauth>
      </pubsub>
    </iq>

    Where oauth_signature is:

    sign(consumer key,consumer secret,token,token secret)

  4. If the token and signature are verified, access is granted.

  5. Whee, I receive real-time last.fm updates in my Twhirl client!
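Steps 3 and 4 as a sketch, added here as an example; it is not code from this post or from XEP-0235. The signing key `consumer_secret&token_secret` with HMAC-SHA1 follows OAuth 1.0, while the base-string layout, the JID, the keys, the secrets and the nonce handling are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed service-side state; every value here is a made-up sample.
SERVICE_JID = "pubsub.lastfm.example"
CONSUMER_SECRETS = {"twhirl-consumer-key": "sample-consumer-secret"}
TOKEN_SECRETS = {"sample-token": "sample-token-secret"}
SEEN_NONCES = set()

def enc(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay."""
    return quote(value, safe="-._~")

def sign(params, consumer_secret, token_secret, to_jid):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret' (OAuth 1.0)."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    # ASSUMPTION: this base-string layout is illustrative only.
    base = "&".join(enc(part) for part in ("iq", to_jid, normalized))
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def client_request(nonce):
    """Step 3: the client builds and signs the OAuth parameters."""
    params = {"oauth_consumer_key": "twhirl-consumer-key",
              "oauth_token": "sample-token",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_nonce": nonce}
    params["oauth_signature"] = sign(params, "sample-consumer-secret",
                                     "sample-token-secret", SERVICE_JID)
    return params

def verify(params, to_jid):
    """Step 4: the service checks token, signature, then nonce reuse."""
    consumer_secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
    token_secret = TOKEN_SECRETS.get(params.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False  # unknown consumer or token: reject before any crypto
    expected = sign(params, consumer_secret, token_secret, to_jid)
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False  # constant-time compare avoids a timing oracle
    nonce = (params["oauth_token"], params.get("oauth_nonce"))
    if nonce in SEEN_NONCES:
        return False  # replayed request
    SEEN_NONCES.add(nonce)
    return True
```

Binding the recipient JID into the signed string means a signature captured for one service does not verify at another, and the nonce set rejects a replayed subscription request.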

I'll be updating XEP-0235 along these lines later today, but I might not get those revisions done before rabble's talk at 11:30. :)

Peter Saint-Andre > Journal