(Migrated) OAuth 1.0 HTTP channels

(This message has been automatically imported from the retired mailing list)

Hi there,

I’ve recently pushed a feature to GitHub master that will let one secure
HTTP channels using OAuth 1.0 credentials.

This doesn’t implement the full OAuth 1.0 protocol - just the bits that
are needed to invoke a channel using a consumer key and secret pair that
was previously agreed upon.

It can be thought of as an alternative to HTTP Basic Auth that additionally
signs the requests using HMAC-SHA1.

What Zato does:

  • Validates credentials
  • Validates the signature is correct
  • Checks that the nonce wasn’t reused (can be configured to store last N
    nonces)
  • Checks that the consumer with that given key is allowed to invoke a
    particular service

Its complementary part, OAuth outgoing HTTP connections, will be added
before releasing 1.2.

It won’t implement full OAuth 1.0 either, just to the extent described
above but in the other direction - for outgoing HTTP connections
Zato-based services establish.
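
The four checks listed in the message, sketched as an added example. This is not Zato's code and not part of the original post. The signature follows RFC 5849 with an empty token secret, and the consumer table, service name, check names and `MAX_NONCES` are assumptions made for illustration.

```python
import base64, hashlib, hmac
from collections import deque
from urllib.parse import quote

# Constructed sample data: consumer key -> (secret, services it may invoke)
CONSUMERS = {"demo-key": ("demo-secret", {"billing.get-invoice"})}
MAX_NONCES = 3      # keep only the last N nonces per consumer (assumed setting)
seen_nonces = {}    # consumer key -> deque of recently accepted nonces

def enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret):
    """HMAC-SHA1 over the signature base string; url must carry no query string."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&".encode()   # no token secret in this flow
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def check_request(method, url, params, service):
    """Return 'ok' or the name of the first check that failed."""
    key = params.get("oauth_consumer_key")
    if key not in CONSUMERS:
        return "bad-credentials"
    secret, allowed = CONSUMERS[key]
    expected = sign(method, url, params, secret)
    supplied = str(params.get("oauth_signature", ""))
    # Constant-time comparison, so timing does not reveal a partial match
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad-signature"
    # The nonce is recorded only after the signature verified, so unsigned
    # requests cannot push legitimate nonces out of the bounded cache
    nonces = seen_nonces.setdefault(key, deque(maxlen=MAX_NONCES))
    nonce = params.get("oauth_nonce")
    if not nonce or nonce in nonces:
        return "bad-nonce"
    nonces.append(nonce)
    if service not in allowed:
        return "not-allowed"
    return "ok"
```

Because only the last N nonces are kept, a nonce that has been evicted is accepted again in this sketch, so N has to be sized for the request rate or paired with a check on `oauth_timestamp`.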