I got an email from rabble overnight asking for some quick notes about our consensus on OAuth + XMPP from yesterday's discussion at the XMPP Summit, so here goes...
Scenario: I want my Twhirl client to receive Kellan's tune stream from last.fm via XMPP.
My Twhirl client asks last.fm for an OAuth token.
If last.fm considers me a friend of Kellan's, it grants a token.
My Twhirl client sends an XMPP pubsub subscription request to last.fm, with appropriate OAuth bits:
<iq type='set'
    from='random-id@twhirl.org'
    to='last.fm'
    id='sub1'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <subscribe jid='random-id@twhirl.org'
               node='/music/Kellan+Elliott-McCrea'/>
    <oauth xmlns='urn:xmpp:oauth'>
      <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
      <oauth_token>ad180jjd733klru7</oauth_token>
      <oauth_signature_method>PLAINTEXT+HMAC-SHA1</oauth_signature_method>
      <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature>
    </oauth>
  </pubsub>
</iq>
Where oauth_signature is:
sign(consumer key, consumer secret, token, token secret)
If the token and signature are verified, access is granted.
Whee, I receive real-time last.fm updates in my Twhirl client!
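One way the last.fm side could check the token and signature in the subscription request above, as an added Python example that is not part of these notes or of XEP-0235. The secrets are constructed, and the signing key and base string inside sign() are assumptions, since the notes do not define them.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote

PUBSUB = "{http://jabber.org/protocol/pubsub}"
OAUTH = "{urn:xmpp:oauth}"
# Constructed secrets for the consumer key and token shown in the post (assumption).
CONSUMER_SECRETS = {"0685bd9184jfhq22": "constructed-consumer-secret"}
TOKEN_SECRETS = {"ad180jjd733klru7": "constructed-token-secret"}

def sign(consumer_key, consumer_secret, token, token_secret):
    # Assumption: HMAC-SHA1 keyed "consumer_secret&token_secret" as in OAuth 1.0,
    # over the base string "consumer_key&token"; the post defines neither.
    key = quote(consumer_secret, safe="") + "&" + quote(token_secret, safe="")
    base = quote(consumer_key, safe="") + "&" + quote(token, safe="")
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def verify_subscribe(stanza_xml):
    """Return (jid, node) when token and signature verify, else None."""
    pubsub = ET.fromstring(stanza_xml).find(PUBSUB + "pubsub")
    if pubsub is None:
        return None
    sub, oauth = pubsub.find(PUBSUB + "subscribe"), pubsub.find(OAUTH + "oauth")
    if sub is None or oauth is None:
        return None  # no OAuth element means no access
    def field(name):
        return (oauth.findtext(OAUTH + name) or "").strip()
    ckey, token = field("oauth_consumer_key"), field("oauth_token")
    csecret, tsecret = CONSUMER_SECRETS.get(ckey), TOKEN_SECRETS.get(token)
    if csecret is None or tsecret is None:
        return None  # unknown consumer or token: deny
    expected = sign(ckey, csecret, token, tsecret)
    presented = unquote(field("oauth_signature"))  # carried percent-encoded
    # Constant-time comparison so response timing does not leak the expected MAC.
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return sub.get("jid"), sub.get("node")

def build_stanza(signature, token="ad180jjd733klru7"):
    """Constructed sample request in the shape shown in the post."""
    return (
        "<iq type='set' from='random-id@twhirl.org' to='last.fm' id='sub1'>"
        "<pubsub xmlns='http://jabber.org/protocol/pubsub'>"
        "<subscribe jid='random-id@twhirl.org' node='/music/Kellan+Elliott-McCrea'/>"
        "<oauth xmlns='urn:xmpp:oauth'>"
        "<oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>"
        f"<oauth_token>{token}</oauth_token>"
        f"<oauth_signature>{quote(signature, safe='')}</oauth_signature>"
        "</oauth></pubsub></iq>")
```

Under this assumed base string the signature is not bound to the node or the subscribing JID, so a real deployment would include both in what gets signed.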
I'll be updating XEP-0235 along these lines later today, but I might not get those revisions done before rabble's talk at 11:30. :)