OAuth process in a Jaggery Application

Introduction

JaggeryJS can be introduced as a “a framework to write webapps and HTTP-focused web services for all aspects of the application: front-end, communication, Server-side logic and persistence in pure Javascript” [1]. Many web applications will not be a standalone ones, instead they tend to exchange data with available online services. The first step of accessing an external services is authorizing. Many external service providers do recommend to use libraries written to access their services. But for JaggeryJS you won’t find such things. Therefore in this article I’m going to show you how to complete authorizing part of connecting to external service.

For this example I’m using Twitter as the external service. Additionally I assume that you have basic knowledge in creating a Jaggery Application. At the end of this process you will receive an Access Token and an Access Secret, which authorize you to call Twitter API methods.

OAuth process

For this example, I’ve selected Twitter OAuth 1.0a process. The data-flow diagram of the overall process can be seen as follows.

twitter-oauth-flow

As depicts in the diagram flow can be mainly categorized in to 3 sections:
1. Obtain Request Token
2. User authorizes Request Token
3. Exchange Request Token for Access Token
The same process can take variety of ways and different Service Providers may require different parameters in requests. OAuth 2.0 also closely follow this flow but can be differ depending on the Service Provider.

Registering App

As the first step, you need to register the app you wish to create. At their you need to mention what things you are going to do and app related details.
1. Login to Twitter account
2. Go to the Twitter applications page at https://dev.twitter.com/apps and click Create a new application.
3. Fill the application related details and make a note of “Consumer Key (API Key)” and “Consumer Secret (API Secret)” under “Keys and Access Tokens” tab.

twitter_app

4. Add twitter certificate to client-truststore.jks. For this you need to go to ‘ https://api.twitter.com/oauth2/token ‘ and save the certificate. Then execute the following keytool command :

 keytool -importcert -file <certificate file> -keystore <JaggeryLocation>/repository/resources/security/client-truststore.jks -alias "TwitterTrustCertImport"

(This is only require once to avoid from error: SSLHandshakeException – unable to find valid certification path to requested target )

Now you are done with the first step!

Creating the Jaggery Application

According to the assumption I made, basic steps of creating a Jaggery app is omitted here. Also for this I’m using “oauth.jag” file which can be accessed via ‘ http://127.0.0.1/myapp/oauth ‘ (Hint: should be done via jaggery.conf file). Code resides in oauth.jag file can be divided into sections as follows.


// To use oauth module in Jaggery
var oauth = require('oauth');

// To log content
var log = new Log();

// Config object for OAuthProvider
var configs = {
	'oauth_version'     : '1',
	'authorization_url' : 'https://api.twitter.com/oauth/authorize',
	'access_token_url'  : 'https://api.twitter.com/oauth/access_token',
	'request_token_url' : 'https://api.twitter.com/oauth/request_token',
	'api_key'           : 'YOUR_API_KEY',
	'api_secret'        : 'YOUR_API_SECRET',
	'callback_url'	    : 'http://127.0.0.1/myapp/oauth'
};

// The request coming to the page check for parameter 'oauth_verifier' (this name can be vary depending on Service Provider)
// If not, consider it as to get a new Access Token - inside if block
// If it presents, consider it as the request coming after getting user authorizing - inside else block
if(!request.getParameter('oauth_verifier')) {

        // Create a new OAuthProvider using the config
	var oauthService = new oauth.OAuthProvider(configs);

        // Get Authorizing url (Obtaining Request Token is automatically handled by inside)
	var authUrl = oauthService.getAuthorizationUrl();

        // Put 'oauthService' object in to session as a preparation for redirection
	session.put('oauth_service', oauthService);

        // Redirect to authorize url, so that user now gets a button to Authorize the app
	response.sendRedirect(authUrl);

}
else{

        // Take-out the 'oauthService' object saved in the session
	var oauthService = session.get('oauth_service');

        // Take the 'oauth_verifier' parameter from the request received
	var verifier = request.getParameter('oauth_verifier');

        // Exchange the user authorized Request Token for Access Token, also need to send verifier too
	var auth_token = oauthService.getAccessToken(verifier);

	// Log token received
 	log.info('Token  : ' + auth_token.token);
 	log.info('Secret : ' + auth_token.secret);

        // Additionally, calling verify_credentials using the received Access Token and Access Secret
	var twitterresponse = oauthService.sendOAuthRequest(auth_token, 'GET', 'https://api.twitter.com/1/account/verify_credentials.json');

}

Special Note

The above example is not the same mentioned in the JaggeryJS documentation [2]. As you can see, there’s an additional property ‘callback_url’ is added to config object. This helps you to avoid Out-Of-Band (oob), which is the default way of authorizing. However for this is not supported by the current released version of JaggeryJS and, you need to patch oauth plugin with the PR : https://github.com/wso2/jaggery-extensions/pull/9 .
By removing ‘callback_url’, you can switch to oob mode. But you need to find some method to send Access Token request along with the pin number you get.
Also you should be aware that when calling-back to oauth.jag, you should not violate ip address. Otherwise you will not be able to get ‘oauthService’ object which get stored in the session.

Special thanks goes to WSO2 ES team for helping to overcome issues faced.

References

[1] Jaggery documentation – http://jaggeryjs.org/documentation.jag
[2] OAuth in Jaggery – http://jaggeryjs.org/documentation.jag?api=oauth
[3] Twitter Developer Documentation – https://dev.twitter.com/overview/documentation

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s