Access to social networking web sites via OAuth, Part 1

Source: Internet
Author: User
Tags oauth apache tomcat

Build a desktop Twitter client that supports OAuth

OAuth is an open protocol that enables users to share their protected resources among different Web sites without worrying about the risk of a leak. OAuth is well suited to building mashups of today's social networking Web sites, such as Twitter. The first part of this series introduces OAuth, along with an example of developing a desktop Twitter client that supports OAuth. The second part of this series will demonstrate how to develop a Web Twitter client that supports OAuth. That Web Twitter client will then be migrated to the Google App Engine (GAE), which will be covered in the third and final installment of this series.

Social networks are widely used by people around the world. More and more people are using Web sites such as Facebook and Twitter, but unfortunately, these Web sites are like islands scattered across a vast ocean, and it is hard to communicate between them. Although many sites provide APIs to expose some data, mashup sites cannot be extended to aggregate such Web sites. For example, to provide a better user experience, you need to manage user accounts for different Web sites, and some level of single sign-on is required. Users may be reluctant to provide their own passwords to third-party Web sites.

This series of articles describes OAuth, an open protocol that enables users to share their private data and credentials across different Web sites while exposing that data only at the original Web site that owns it. This first article describes OAuth and presents a sample desktop application that enables users to update their Twitter status using OAuth. Part 2 of this series will demonstrate how to develop a more practical Twitter Web client that supports OAuth. The last article shows how to deploy the Web application developed in Part 2 to the Google App Engine (GAE).

To understand this article, you should be familiar with using Java™ Servlet/JSP for Web development. Apache Tomcat has been chosen as the Web container, and all development work has been done using Eclipse. However, you should be able to adapt the information provided in this article to fit the tools that you like. Note that compiling the source code requires JDK 5+.

OAuth Introduction

The OAuth protocol enables users to share private resources stored on one Web site with other sites without disclosing user credentials (for example, user names and passwords) to any site other than the one that holds the user's data. A Web site that offers OAuth as one of its authentication protocols enhances the privacy and security of its users. There are 3 main roles in OAuth: users, consumers, and service providers. A typical OAuth scenario is described below.

OAuth main role

User: An individual with a service provider account.

Consumer: A Web site or application that uses OAuth to access a service provider.

Service provider: A Web application that allows access through OAuth.

The Web site PHOTO (the service provider) holds some personal photos belonging to a user (the user), but this site does not offer print services. So when the user wants to print his or her own photos, he or she may want to go to the Web site PRINTER (the consumer), which provides a print service. But the Web site PRINTER does not have the user's photos, so data must flow between the Web sites PHOTO and PRINTER. This is where OAuth comes in. If the site PHOTO supports authentication using OAuth, then when the user wants to print a photo stored on the site PHOTO, the site PRINTER redirects the user to the site PHOTO to grant permission to access the photos. At this point, the user may authenticate using a regular username-password pair. Once the site PHOTO has authenticated the user, he or she may be prompted to authorize the site PRINTER to read the photos. (Permissions may be preset to skip this step.) After this step is completed, the user is redirected back to the site PRINTER. Now the site PRINTER has permission to read photos from the site PHOTO, and can print the user's photos on demand. At no step does the site PRINTER learn the credentials the user uses to log on to the site PHOTO. This is a good way to protect the privacy of users. Figure 1 illustrates the above process in a simple sequence diagram.

Figure 1. OAuth interactions between users, consumers, and service providers

OAuth Core 1.0 was finalized at the end of 2007. At the time of writing, the latest version is 1.0a, which fixes a security issue in the 1.0 release related to a session fixation attack on the OAuth request token approval process. Today OAuth has been adopted by major Internet companies such as Google and Yahoo.
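The PHOTO/PRINTER exchange described above, modelled from the service provider's side together with the `oauth_verifier` check that OAuth 1.0a added to the request token approval step. This is an added example in Python, not code from the article; the class and function names and the callback URL are hypothetical, and request signing is left out to keep the token states visible.

```python
import secrets

class PhotoProvider:
    """Hypothetical model of the service provider (site PHOTO); no signing."""

    def __init__(self):
        self.request_tokens = {}  # request token -> approval state
        self.access_tokens = {}   # access token -> (consumer, user)

    def issue_request_token(self, consumer, callback):
        # 1.0a: the consumer's callback is fixed here, before any user acts.
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer, "callback": callback,
                                      "user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        # Runs after PHOTO has authenticated the user and the user approved.
        state = self.request_tokens[token]
        state["user"] = user
        state["verifier"] = secrets.token_urlsafe(8)
        # The verifier reaches the consumer only through this user's redirect.
        return (f'{state["callback"]}?oauth_token={token}'
                f'&oauth_verifier={state["verifier"]}')

    def exchange(self, consumer, token, verifier):
        state = self.request_tokens.get(token)
        if state is None or state["consumer"] != consumer:
            raise PermissionError("unknown request token")
        if state["verifier"] is None:
            raise PermissionError("request token not approved by a user")
        if not secrets.compare_digest(state["verifier"].encode(),
                                      (verifier or "").encode()):
            raise PermissionError("oauth_verifier mismatch")
        del self.request_tokens[token]  # a request token is single use
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (consumer, state["user"])
        return access

def run_flow():
    """PRINTER obtains access to alice's photos without seeing her password."""
    photo = PhotoProvider()
    rt = photo.issue_request_token("PRINTER", "https://printer.example/cb")
    redirect = photo.authorize(rt, "alice")         # user approves at PHOTO
    verifier = redirect.split("oauth_verifier=")[1]  # PRINTER reads callback
    access = photo.exchange("PRINTER", rt, verifier)
    return photo.access_tokens[access]
```

Because the access token is released only to a caller that presents the verifier delivered through the approving user's own redirect, a request token that some other party started cannot be exchanged by that party after the user approves it.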
