I got an email from rabble overnight asking for some quick notes about our consensus on OAuth + XMPP from yesterday's discussion at the XMPP Summit, so here goes...
Scenario: I want my Twhirl client to receive Kellan's tune stream from last.fm via XMPP.
My Twhirl client asks last.fm for an OAuth token.
If last.fm considers me a friend of Kellan's, it grants a token.
My Twhirl client sends an XMPP pubsub subscription request to last.fm, with appropriate OAuth bits:
<iq type='set' from='random-id@twhirl.org' to='last.fm' id='sub1'>
  <pubsub xmlns='http://jabber.org/protocol/pubsub'>
    <subscribe jid='random-id@twhirl.org' node='/music/Kellan+Elliott-McCrea'/>
    <oauth xmlns='urn:xmpp:oauth'>
      <oauth_consumer_key>0685bd9184jfhq22</oauth_consumer_key>
      <oauth_token>ad180jjd733klru7</oauth_token>
      <oauth_signature_method>PLAINTEXT+HMAC-SHA1</oauth_signature_method>
      <oauth_signature>wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D</oauth_signature>
    </oauth>
  </pubsub>
</iq>
Where oauth_signature is:
sign(consumer key,consumer secret,token,token secret)
If the token and signature are verified, access is granted.
Whee, I receive real-time last.fm updates in my Twhirl client!
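One way the service-side check in the verification step could look, as an added example that is not from the original post or from XEP-0235. The signature base string (consumer key, token, subscriber JID, node), the use of plain HMAC-SHA1, the unescaped base64 signature and the per-token node scope are assumptions, since the post only gives sign(consumer key, consumer secret, token, token secret); the secrets are constructed.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from urllib.parse import quote

PS, OA = "{http://jabber.org/protocol/pubsub}", "{urn:xmpp:oauth}"
# Constructed server-side state: consumer secrets, and token -> (secret, granted node).
CONSUMERS = {"0685bd9184jfhq22": "constructed-consumer-secret"}
TOKENS = {"ad180jjd733klru7": ("constructed-token-secret", "/music/Kellan+Elliott-McCrea")}

def sign(consumer_key, consumer_secret, token, token_secret, jid, node):
    # Assumed base string; the post does not define one.
    base = "&".join(quote(p, safe="") for p in (consumer_key, token, jid, node))
    # OAuth 1.0 HMAC-SHA1 key: consumer secret "&" token secret.
    key = quote(consumer_secret, safe="") + "&" + quote(token_secret, safe="")
    mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_subscribe(jid, service, node, consumer_key, token, signature):
    iq = ET.Element("iq", {"type": "set", "from": jid, "to": service, "id": "sub1"})
    pubsub = ET.SubElement(iq, PS + "pubsub")
    ET.SubElement(pubsub, PS + "subscribe", {"jid": jid, "node": node})
    oauth = ET.SubElement(pubsub, OA + "oauth")
    for name, value in (("oauth_consumer_key", consumer_key), ("oauth_token", token),
                        ("oauth_signature_method", "HMAC-SHA1"),
                        ("oauth_signature", signature)):
        ET.SubElement(oauth, OA + name).text = value
    return ET.tostring(iq, encoding="unicode")

def verify_subscribe(stanza, consumers=CONSUMERS, tokens=TOKENS):
    iq = ET.fromstring(stanza)
    sub = iq.find(PS + "pubsub/" + PS + "subscribe")
    oauth = iq.find(PS + "pubsub/" + OA + "oauth")
    if sub is None or oauth is None:
        return False
    field = lambda name: oauth.findtext(OA + name, default="")
    ckey, token = field("oauth_consumer_key"), field("oauth_token")
    if ckey not in consumers or token not in tokens:
        return False
    if field("oauth_signature_method") != "HMAC-SHA1":
        return False
    token_secret, granted_node = tokens[token]
    jid, node = sub.get("jid"), sub.get("node")
    # The subscriber must be the sender, and the token only covers its granted node.
    if not jid or jid != iq.get("from") or node != granted_node:
        return False
    expected = sign(ckey, consumers[ckey], token, token_secret, jid, node)
    return hmac.compare_digest(expected.encode(), field("oauth_signature").encode())
```

Binding the JID and node into the signed string is what keeps a captured token and signature from being reused for a different subscriber or node.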
I'll be updating XEP-0235 along these lines later today, but I might not get those revisions done before rabble's talk at 11:30. :)