Library for OAuth Provider (Java) [closed]

Question

I'm looking for a Java library that helps me building an OAuth Provider. I must be able to receive OAuth signed requests and determine whether they are valid or not (checking the signature, timestamp and nonce values).

Do you know if there's something out there that makes this task easier?

Answer 1

Scribe is an OAuth library for Java, written by the asker himself. ;-)

Note: I post this here as an answer so that other googlers have a choice of alternatives. For another library-based alternative, see my other answer "Jersey OAuth signature library".

Some code to illustrate usage:

OAuthService service = new ServiceBuilder()                                   .provider(TwitterApi.class)                                   .apiKey("your_api_key")                                   .apiSecret("your_api_secret")                                   .build(); ... Token requestToken = service.getRequestToken(); String your_token = requestToken.getToken(); ... Verifier verifier = new Verifier("your_previously_retrieved_verifier");  Token accessToken = service.getAccessToken(requestToken, verifier); 

Creating the request:

OAuthRequest request = OAuthRequest(Verb.GET, "http://api.twitter.com/1/direct_messages.json"); service.signRequest(accessToken, request); Response response = request.send(); 

Answer 2

One library mentioned on http://oauth.net/code looks interesting (I'm excluding the OAuth for Spring Security and OAuth Signpost which are not what you're looking for):

A Java library and examples were contributed by John Kristian, Praveen Alavilli and Dirk Balfanz.

OAuth for Spring Security is also available, contributed by Ryan Heaton. This project is not hosted in the OAuth repository.

OAuth Signpost offers simple OAuth message signing for Java and Apache HttpComponents (Google Android ready!). Contributed by Matthias Kaeppler.

I've checked the Java library a bit further and I think that its providing everything required for client-side and server-side code. The following blog post has actually a full example and I'm pasting the server code below (a JSP):

<%@ page import="net.oauth.server.*"%> <%@ page import="net.oauth.*"%>  <% //Presumably this should actually be looked up for a given key. String consumerSecret="uynAeXiWTisflWX99KU1D2q5";  //Presumably the key is sent by the client. This is part of the URL, after all. String consumerKey="orkut.com:623061448914";  //Construct the message object. Use null for the URL and let the code construct it. OAuthMessage message=OAuthServlet.getMessage(request,null);  //Construct an accessor and a consumer OAuthConsumer consumer=new OAuthConsumer(null, consumerKey, consumerSecret, null); OAuthAccessor accessor=new OAuthAccessor(consumer);  //Now validate. Weirdly, validator has a void return type. It throws exceptions //if there are problems. SimpleOAuthValidator validator=new SimpleOAuthValidator(); validator.validateMessage(message,accessor);  //Now what? Generate some JSON here for example. System.out.println("It must have worked"); %>  

This looks close to what you want.