
Understanding oAuth with Perl

Tags: oauth, perl, yammer

I have a problem making a simple API request to Yammer (https://www.yammer.com/api_doc.html). I need to get https://www.yammer.com/api/v1/groups.xml (Groups: A list of groups).

I'm trying to use Net::OAuth::Simple. Here is my Yammer.pm:

package Yammer;
use strict;
use base qw(Net::OAuth::Simple);
sub new {
    my $class  = shift;
    my %tokens = @_;
    return $class->SUPER::new( tokens => \%tokens, 
        urls   => {
             authorization_url => "https://www.yammer.com/oauth/authorize",
             request_token_url => "https://www.yammer.com/oauth/request_token",
             access_token_url  => "https://www.yammer.com/oauth/access_token",
        },
        protocol_version => '1.0a',
    );
}
sub view_restricted_resource {

    my $self = shift;
    my $url  = shift;
    return $self->make_restricted_request( $url, 'GET' );
}
sub update_restricted_resource {

    my $self         = shift;
    my $url          = shift;
    my %extra_params = @_;
    return $self->make_restricted_request($url, 'POST', %extra_params);    
}

1;

And here is my main program:

use Yammer;

# Get the tokens from the command line, a config file or wherever 
my %tokens  = (

    consumer_key => 'Baj7MciMhmnDTwj6kaOV5g',
    consumer_secret => 'ejFlGBPtXwGJrxrEnwGvdRyokov1ncN1XxjmIm34M',
    callback => 'https://www.yammer.com/oauth/authorize',

); 
my $app     = Yammer->new(%tokens);
# Check to see we have a consumer key and secret
unless ($app->consumer_key && $app->consumer_secret) {
    die "You must go get a consumer key and secret from App\n";
} 

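# If the app is authorized (i.e. has an access token and secret)
# then look at a restricted resource
if ($app->authorized) {
    # view_restricted_resource() needs the URL to fetch (the groups list from the question)
    my $response = $app->view_restricted_resource('https://www.yammer.com/api/v1/groups.xml');
    print $response->content."\n";
    exit;
}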
# Otherwise the user needs to go get an access token and secret
print "Go to " . $app->get_authorization_url( callback => 'https://www.yammer.com/oauth/authorize?rand=' . rand() ) . "\n";
print "Then hit return after\n";
<STDIN>;
my ($access_token, $access_token_secret) = $app->request_access_token($_);

I'm getting messages like

Go to https://www.yammer.com/oauth/authorize?oauth_token=2sxBkKW1F1iebF2TT5Y7g&callback=https%3A%2F%2Fwww.yammer.com%2Foauth%2Fauthorize%3Frand%3D0.0045166015625

And I authorize the application at this URL. After that I see a message like:

You have successfully authorized the following application: 2GIS_yammer

To complete the authorization go back to the 2GIS_yammer application and enter the following code:

869A

But what next? Where must I enter this number? How do I perform the request I need?

Thanks. Roman

gangabass asked Mar 09 '11 12:03


1 Answer

Probably the number that you get after the authorization step is the oauth_verifier string that needs to be sent along with the REQUEST token in order to get the ACCESS token.

This is a mandatory part of OAuth 1.0a implementations (which I think is the most common implementation used now, because 2.0 is still a draft and there aren't many libraries that implement it).

I guess that you don't send a callback URL to the provider, so it doesn't know where to redirect the user after authorization. When the provider doesn't know a callback URL, it cannot redirect the user back to your (consumer) application. In that case the specification says that it should print the verifier string on the screen, so you (the user) can take it manually and give it to your (consumer) application, in order to build the request for the ACCESS TOKEN.

If you DO provide a callback URL (in your first request for the REQUEST token), then most probably you will not get the screen with this number, but instead, you (the user) will be redirected to the callback URL with it automatically.

E.g. if your callback URL is http://myapp.com/oauth/callback, then the provider will redirect the user to your callback URL with the proper values in the query string.

redirect: http://myapp.com/oauth/callback?oauth_token=xxxx&oauth_verifier=yyyy

Then your application should take the verifier string and add it as a parameter to the request for the ACCESS TOKEN (as you have done previously with the other parameters like nonce, timestamp, oauth_token, etc.).

As a response to this last request (with the oauth_verifier string included) you should get the ACCESS TOKEN.

Here is a good explanation about the oauth_verifier string and why it was introduced in the protocol: http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/

luben answered Sep 28 '22 06:09
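The step the answer describes, as an added example that is not part of the original question or answer: it uses Net::OAuth (the module Net::OAuth::Simple is built on) to sign an OAuth 1.0a access token request that carries the verifier, both for the code typed in by hand and for the callback redirect. The helper names and all token values are constructed placeholders, the callback check assumes the request token was stored when the flow started, and nothing is sent over the network.

```perl
use strict;
use warnings;
use Net::OAuth;
use URI;

# Apply OAuth 1.0a rules: the access token request must carry a verifier.
$Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A;

# Constructed placeholders for the request token obtained in the first step.
my %pending = (token => 'REQUEST_TOKEN_PLACEHOLDER', secret => 'REQUEST_SECRET_PLACEHOLDER');

# Hypothetical helper: take oauth_verifier from the callback redirect, but only
# if oauth_token is the request token this session started with.
sub verifier_from_callback {
    my ($callback_url, $expected_token) = @_;
    my %q = URI->new($callback_url)->query_form;
    die "callback is missing oauth_token or oauth_verifier\n"
        unless defined $q{oauth_token} && defined $q{oauth_verifier};
    die "callback oauth_token does not match our request token\n"
        unless $q{oauth_token} eq $expected_token;
    return $q{oauth_verifier};
}

# Hypothetical helper: build and sign the request that exchanges the
# request token plus verifier for an access token.
sub build_access_token_request {
    my ($verifier) = @_;
    my $req = Net::OAuth->request('access token')->new(
        consumer_key     => 'CONSUMER_KEY_PLACEHOLDER',
        consumer_secret  => 'CONSUMER_SECRET_PLACEHOLDER',
        token            => $pending{token},
        token_secret     => $pending{secret},
        verifier         => $verifier,
        request_url      => 'https://www.yammer.com/oauth/access_token',
        request_method   => 'POST',
        signature_method => 'HMAC-SHA1',
        timestamp        => time,
        nonce            => join('', map { sprintf '%02x', int rand 256 } 1 .. 16),
    );
    $req->sign;
    return $req;
}

# Case 1: no callback, the user types in the code shown by the provider.
print build_access_token_request('869A')->to_authorization_header, "\n";

# Case 2: the provider redirected to the callback URL (constructed sample).
my $cb = 'http://myapp.com/oauth/callback?oauth_token=REQUEST_TOKEN_PLACEHOLDER&oauth_verifier=yyyy';
print build_access_token_request(verifier_from_callback($cb, $pending{token}))->to_authorization_header, "\n";
```

Both printed Authorization headers contain an oauth_verifier parameter; with Net::OAuth::Simple the same value is supplied through its verifier setting before request_access_token is called.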