OAuth
The Oauth library handles OAuth-1.0a and OAuth-2.0. It acts as a client.
- class Oauth.Client(opts)
- Arguments
opts (object()) – Client construction parameters
Options vary depending on the target OAuth version.
Common options are:
- version: "1.0" or "2.0"
- use_authorization_header: Whether to use a request header rather than querystring encoding
- http_transaction_factory: Transaction factory to use for authentication, and functional transaction creation.
- authorization_url: URL pointing to the authorization endpoint
- access_token_url: URL pointing to the access token endpoint
- callback_url: URL pointing to the callback endpoint; may be "oob" for out-of-band callback.
- access_token: Existing access token for session restoration
OAuth-1.0a options are:
- request_token_url: URL pointing to the request token endpoint
- consumer_key: Consumer key, as given by the service
- consumer_secret: Consumer secret, as given by the service
- access_token_secret: Existing access token secret for session restoration
- signature_method: Signature method to use; only "HMAC-SHA1" is supported by this client.
- force_request_token_get: Quirk mode: whether to force use of a GET transaction to retrieve the request token.
OAuth-2.0 options are:
- client_id: Client id, as given by the service
- client_secret: Client secret, as given by the service
- body_client_authenticate: Whether to force in-body client_secret passing on access_token_url (instead of the Authorization header). OAuth-2 says the server MUST support the Authorization: Basic header, but most servers don't.
Example of use with a webview for user-interaction:
    // Create a client
    var authz = new Oauth.Client({
        version: ...
        ...
    });
Once the client is created, the API flow is exactly the same for v1 and v2:
    // use a webview for client login
    WebView {
        id: login_view

        // Time passes, client authorizes application, we get callback
        // through an URL or a verifier. If solely a verifier (oob mode),
        // use verifier as URL.
        onUrlChanged: {
            if (url.indexOf(my_callback_url) == 0) {
                authz.authorizationCallbackHandle(url).then(function(data) {
                    console.log("Client now authenticated !");
                });
            }
        }
    }

    var permission = "abcde";

    // Retrieve authorization URL for client
    authz.authorizationUrlQuery(permission).then(function (url) {
        console.log("Redirecting client to", url);
        login_view.url = url;
    });
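The handler above uses `url.indexOf(my_callback_url) == 0`, a string-prefix test, to decide whether a navigation is the OAuth redirect. The following added example (not part of the library or its documentation) puts that test beside a component-wise comparison; `prefixMatch`, `isOAuthCallback`, `compare` and every URL are hypothetical, and it assumes a JavaScript runtime that provides the WHATWG `URL` class.

```javascript
// Added example, not library code. prefixMatch, isOAuthCallback, compare and
// every URL below are hypothetical/constructed names and values.

// The comparison used in the handler above: plain string prefix.
function prefixMatch(url, callbackUrl) {
    return url.indexOf(callbackUrl) === 0;
}

// Component-wise comparison: scheme, host (with port) and path must be equal.
function isOAuthCallback(url, callbackUrl) {
    if (callbackUrl === "oob") {
        return false; // out-of-band: no redirect, the user supplies a verifier
    }
    var seen, expected;
    try {
        seen = new URL(url);
        expected = new URL(callbackUrl);
    } catch (e) {
        return false; // not an absolute URL
    }
    // protocol and host are compared explicitly: URL.origin is "null" for
    // custom schemes such as myapp://, so it cannot tell them apart.
    return seen.protocol === expected.protocol &&
        seen.host === expected.host &&
        seen.pathname === expected.pathname;
}

// Constructed [callback_url, navigated URL] pairs, as a webview might report.
var SAMPLES = [
    ["https://app.example.com/cb", "https://app.example.com/cb?code=abc"],
    ["https://app.example.com/cb", "https://app.example.com:443/cb?code=abc"],
    ["https://app.example.com/cb", "https://app.example.com/cbx?code=abc"],
    ["https://app.example.com", "https://app.example.com.other.test/?code=abc"],
    ["myapp://callback", "myapp://callback?code=abc"]
];

function compare(pairs) {
    return pairs.map(function (p) {
        return { url: p[1], prefix: prefixMatch(p[1], p[0]), strict: isOAuthCallback(p[1], p[0]) };
    });
}

compare(SAMPLES).forEach(function (r) {
    console.log("prefix=" + r.prefix + " strict=" + r.strict + " " + r.url);
});
```

The second pair shows the prefix test rejecting a genuine redirect that spells out the default port; the third and fourth show it accepting URLs that only begin with the callback string.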
Then, use the client's transaction factory to issue authorized API calls:
    authz.http_transaction_factory({
        url: "https://api.example.com/1.0/myresource/"
    }).send().then(function(response) {
        return response.jsonParse();
    }).then(function(jsonResponse) {
        console.log(jsonResponse.data);
    });
Alternatively, the user may pass the stacked HTTP transaction factory provided by the instance to other libraries:
    var jsonRpcClient = new JsonRpc.Client("https://api.example.com/jsonrpc.bf", [
        'my_scope.my_call',
        'my_scope.my_other_call',
    ], {
        http_transaction_factory: authz.http_transaction_factory
    });

    // Issue an OAuth-authenticated JSONRPC call
    jsonRpcClient.my_scope.my_call().then(function(response) {
        console.log(response);
    });
Client methods are:
- Oauth.Client.Oauth.Client.authorizationUrlQuery(scope, response_type)
- Arguments
scope (string()) – service-specific permissions to ask for.
response_type (string()) – OAuth response type: "code" (default) or "token".
- Returns
A Deferred.Deferred() returning a URL to point the client to for authorization.
- Oauth.Client.Oauth.Client.authorizationCallbackHandle(url)
- Arguments
url (string()) – URL the client got redirected to, or a verifier code.
- Returns
A Deferred.Deferred() resolved if authenticated.
- Oauth.Client.Oauth.Client.http_transaction_factory(args)
- Arguments
args (object()) – HTTP transaction factory arguments, see Http.Transaction.factory().
- Returns
An HTTP transaction with built-in authentication with the client credentials.
- Oauth.Client.Oauth.Client.resourceOwnerCredentialsQuery(username, password)
This call is OAuth-2.0 specific.
- Arguments
username (string()) – User name
password (string()) – User password
- Returns
A Deferred.Deferred() resolved if the OAuth client manages to authenticate the user through their credentials.
This implements an optional part of OAuth-2.0 where the OAuth client obtains an access token directly with user credentials. Most of the time, this is reserved for privileged clients.
- Oauth.Client.Oauth.Client.clientCredentialsQuery()
This call is OAuth-2.0 specific.
- Returns
A Deferred.Deferred() resolved if the OAuth client manages to authenticate itself through its own credentials.
This implements an optional part of OAuth-2.0 where the OAuth client obtains an access token directly for itself. Most of the time, this is reserved for privileged clients.
- Oauth.Client.Oauth.Client.refreshTokenQuery()
This call is OAuth-2.0 specific.
- Returns
A Deferred.Deferred() resolved when the token refresh has succeeded.
This renews the access token using the refresh token.
The returned Deferred.Deferred() yields optional data returned by the server with the access token.