1Net::OAuth(3) User Contributed Perl Documentation Net::OAuth(3)
2
6 Net::OAuth - OAuth 1.0 for Perl
7
9 # Web Server Example (Dancer)
10 # This example is simplified for illustrative purposes, see the complete code in /demo
12 # Note that client_id is the Consumer Key and client_secret is the Consumer Secret
14 use Dancer;
16 use Net::OAuth::Client;
17 sub client {
19 Net::OAuth::Client->new(
20 config->{client_id},
21 config->{client_secret},
22 site => 'https://www.google.com/',
23 request_token_path => '/accounts/OAuthGetRequestToken?scope=https%3A%2F%2Fwww.google.com%2Fm8%2Ffeeds%2F',
24 authorize_path => '/accounts/OAuthAuthorizeToken',
25 access_token_path => '/accounts/OAuthGetAccessToken',
26 callback => uri_for("/auth/google/callback"),
27 session => \&session,
28 );
29 }
30 # Send user to authorize with service provider
32 get '/auth/google' => sub {
33 redirect client->authorize_url;
34 };
35 # User has returned with token and verifier appended to the URL.
37 get '/auth/google/callback' => sub {
38 # Use the auth code to fetch the access token
40 my $access_token = client->get_access_token(params->{oauth_token}, params->{oauth_verifier});
41 # Use the access token to fetch a protected resource
43 my $response = $access_token->get('/m8/feeds/contacts/default/full');
44 # Do something with said resource...
46 if ($response->is_success) {
48 return "Yay, it worked: " . $response->decoded_content;
49 }
50 else {
51 return "Error: " . $response->status_line;
52 }
53 };
54 dance;
56
58 Net::OAuth provides a low-level API for reading and writing OAuth
59 messages.
60 You probably should start with Net::OAuth::Client.
62
64 OAuth is
65 "An open protocol to allow secure API authentication in a simple and
67 standard method from desktop and web applications."
68 In practical terms, OAuth is a mechanism for a Consumer to request
70 protected resources from a Service Provider on behalf of a user.
71 Please refer to the OAuth spec: <http://oauth.net/documentation/spec>
73 Net::OAuth provides:
75 · classes that encapsulate OAuth messages (requests and responses).
77 · message signing
79 · message serialization and parsing.
81 · 2-legged requests (aka. tokenless requests, aka. consumer
83 requests), see "CONSUMER REQUESTS"
84 Net::OAuth does not provide:
86 · Consumer or Service Provider encapsulation
88 · token/nonce/key storage/management
90
92 OAUTH MESSAGES
93 An OAuth message is a set of key-value pairs. The following message
94 types are supported:
95 Requests
97 · Request Token (Net::OAuth::RequestTokenRequest)
99 · Access Token (Net::OAuth::AccessTokenRequest)
101 · User Authentication (Net::OAuth::UserAuthRequest)
103 · Protected Resource (Net::OAuth::ProtectedResourceRequest)
105 · Consumer Request (Net::OAuth::ConsumerRequest) (2-legged / token-
107 less request)
108 Responses
110 · Request Token (Net::OAuth::RequestTokenResponse)
112 · Access Token (Net::OAuth:AccessTokenResponse)
114 · User Authentication (Net::OAuth::UserAuthResponse)
116 Each OAuth message type has one or more required parameters, zero or
118 more optional parameters, and most allow arbitrary parameters.
119 All OAuth requests must be signed by the Consumer. Responses from the
121 Service Provider, however, are not signed.
122 To create a message, the easiest way is to use the factory methods
124 (Net::OAuth->request, Net::OAuth->response, Net::OAuth->message). The
125 following method invocations are all equivalent:
126 $request = Net::OAuth->request('user authentication')->new(%params);
128 $request = Net::OAuth->request('user_auth')->new(%params);
129 $request = Net::OAuth->request('UserAuth')->new(%params);
130 $request = Net::OAuth->message('UserAuthRequest')->new(%params);
131 The more verbose way is to use the class directly:
133 use Net::OAuth::UserAuthRequest;
135 $request = Net::OAuth::UserAuthRequest->new(%params);
136 You can also create a message by deserializing it from a Authorization
138 header, URL, query hash, or POST body
139 $request = Net::OAuth->request('protected resource')->from_authorization_header($ENV{HTTP_AUTHORIZATION}, %api_params);
141 $request = Net::OAuth->request('protected resource')->from_url($url, %api_params);
142 $request = Net::OAuth->request('protected resource')->from_hash({$q->Vars}, %api_params); # CGI
143 $request = Net::OAuth->request('protected resource')->from_hash($c->request->params, %api_params); # Catalyst
144 $response = Net::OAuth->response('request token')->from_post_body($response_content, %api_params);
145 Note that the deserialization methods (as opposed to new()) expect
147 OAuth protocol parameters to be prefixed with 'oauth_', as you would
148 expect in a valid OAuth message.
149 Before sending a request, the Consumer must first sign it:
151 $request->sign;
153 When receiving a request, the Service Provider should first verify the
155 signature:
156 die "Signature verification failed" unless $request->verify;
158 When sending a message the last step is to serialize it and send it to
160 wherever it needs to go. The following serialization methods are
161 available:
162 $response->to_post_body # a application/x-www-form-urlencoded POST body
164 $request->to_url # the query string of a URL
166 $request->to_authorization_header # the value of an HTTP Authorization header
168 $request->to_hash # a hash that could be used for some other serialization
170 API PARAMETERS vs MESSAGE PARAMETERS
172 Net::OAuth defines 'message parameters' as parameters that are part of
173 the transmitted OAuth message. These include any protocol parameter
174 (prefixed with 'oauth_' in the message), and any additional message
175 parameters (the extra_params hash).
176 'API parameters' are parameters required to build a message object that
178 are not transmitted with the message, e.g. consumer_secret,
179 token_secret, request_url, request_method.
180 There are various methods to inspect a message class to see what
182 parameters are defined:
183 $request->required_message_params;
185 $request->optional_message_params;
186 $request->all_message_params;
187 $request->required_api_params;
188 $request->optional_api_params;
189 $request->all_api_params;
190 $request->all_params;
191 E.g.
193 use Net::OAuth;
195 use Data::Dumper;
196 print Dumper(Net::OAuth->request("protected resource")->required_message_params);
197 $VAR1 = [
199 'consumer_key',
200 'signature_method',
201 'timestamp',
202 'nonce',
203 'token'
204 ];
205 ACCESSING PARAMETERS
207 All parameters can be get/set using accessor methods. E.g.
208 my $consumer_key = $request->consumer_key;
210 $request->request_method('POST');
211 THE REQUEST_URL PARAMETER
213 Any query parameters in the request_url are removed and added to the
214 extra_params hash when generating the signature.
215 E.g. the following requests are pretty much equivalent:
217 my $request = Net::OAuth->request('Request Token')->new(
219 %params,
220 request_url => 'https://photos.example.net/request_token',
221 extra_params => {
222 foo => 'bar'
223 },
224 );
225 my $request = Net::OAuth->request('Request Token')->new(
227 %params,
228 request_url => 'https://photos.example.net/request_token?foo=bar',
229 );
230 Calling $request->request_url will still return whatever you set it to
232 originally. If you want to get the request_url with the query
233 parameters removed, you can do:
234 my $url = $request->normalized_request_url;
236 SIGNATURE METHODS
238 The following signature methods are supported:
239 · PLAINTEXT
241 · HMAC-SHA1
243 · HMAC-SHA256
245 · RSA-SHA1
247 The signature method is determined by the value of the signature_method
249 parameter that is passed to the message constructor.
250 If an unknown signature method is specified, the signing/verification
252 will throw an exception.
253 PLAINTEXT SIGNATURES
255 This method is a trivial signature which adds no security. Not
257 recommended.
258 HMAC-SHA1 SIGNATURES
260 This method is available if you have Digest::HMAC_SHA1 installed. This
262 is by far the most commonly used method.
263 HMAC-SHA256 SIGNATURES
265 This method is available if you have Digest::SHA installed.
267 RSA-SHA1 SIGNATURES
269 To use RSA-SHA1 signatures, pass in a Crypt::OpenSSL::RSA object (or
271 any object that can do $o->sign($str) and/or $o->verify($str, $sig))
272 E.g.
274 Consumer:
276 use Crypt::OpenSSL::RSA;
278 use File::Slurp;
279 $keystring = read_file('private_key.pem');
280 $private_key = Crypt::OpenSSL::RSA->new_private_key($keystring);
281 $request = Net::OAuth->request('request token')->new(%params);
282 $request->sign($private_key);
283 Service Provider:
285 use Crypt::OpenSSL::RSA;
287 use File::Slurp;
288 $keystring = read_file('public_key.pem');
289 $public_key = Crypt::OpenSSL::RSA->new_public_key($keystring);
290 $request = Net::OAuth->request('request token')->new(%params);
291 if (!$request->verify($public_key)) {
292 die "Signature verification failed";
293 }
294 Note that you can pass the key in as a parameter called 'signature_key'
296 to the message constructor, rather than passing it to the sign/verify
297 method, if you like.
298 CONSUMER REQUESTS
300 To send a request without including a token, use a Consumer Request:
301 my $request = Net::OAuth->request('consumer')->new(
303 consumer_key => 'dpf43f3p2l4k3l03',
304 consumer_secret => 'kd94hf93k423kf44',
305 request_url => 'http://provider.example.net/profile',
306 request_method => 'GET',
307 signature_method => 'HMAC-SHA1',
308 timestamp => '1191242096',
309 nonce => 'kllo9940pd9333jh',
310 );
311 $request->sign;
313 See Net::OAuth::ConsumerRequest
315 I18N
317 Per the OAuth spec, when making the signature Net::OAuth first encodes
318 parameters to UTF-8. This means that any parameters you pass to
319 Net::OAuth, if they might be outside of ASCII character set, should be
320 run through Encode::decode() (or an equivalent PerlIO layer) first to
321 decode them to Perl's internal character sructure.
322 OAUTH 1.0A
324 Background:
325 <http://mojodna.net/2009/05/20/an-idiots-guide-to-oauth-10a.html>
327 <http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_0a.html>
329 Net::OAuth defaults to OAuth 1.0 spec compliance, and supports OAuth
331 1.0 Rev A with an optional switch:
332 use Net::OAuth
334 $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A;
335 It is recommended that any new projects use this switch if possible,
337 and existing projects move to supporting this switch as soon as
338 possible. Probably the easiest way for existing projects to do this is
339 to turn on the switch and run your test suite. The Net::OAuth
340 constructor will throw an exception where the new protocol parameters
341 (callback, callback_confirmed, verifier) are missing.
342 Internally, the Net::OAuth::Message constructor checks
344 $Net::OAuth::PROTOCOL_VERSION and attempts to load the equivalent
345 subclass in the Net::OAuth::V1_0A:: namespace. So if you instantiate a
346 Net::OAuth::RequestTokenRequest object, you will end up with a
347 Net::OAuth::V1_0A::RequestTokenRequest (a subclass of
348 Net::OAuth::RequestTokenRequest) if the protocol version is set to
349 PROTOCOL_VERSION_1_0A. You can also select a 1.0a subclass on a per-
350 message basis by passing
351 protocol_version => Net::OAuth::PROTOCOL_VERSION_1_0A
353 in the API parameters hash.
355 If you are not sure whether the entity you are communicating with is
357 1.0A compliant, you can try instantiating a 1.0A message first and then
358 fall back to 1.0 if that fails:
359 use Net::OAuth
361 $Net::OAuth::PROTOCOL_VERSION = Net::OAuth::PROTOCOL_VERSION_1_0A;
362 my $is_oauth_1_0 = 0;
363 my $response = eval{Net::OAuth->response('request token')->from_post_body($res->content)};
364 if ($@) {
365 if ($@ =~ /Missing required parameter 'callback_confirmed'/) {
366 # fall back to OAuth 1.0
367 $response = Net::OAuth->response('request token')->from_post_body(
368 $res->content,
369 protocol_version => Net::OAuth::PROTOCOL_VERSION_1_0
370 );
371 $is_oauth_1_0 = 1; # from now on treat the server as OAuth 1.0 compliant
372 }
373 else {
374 die $@;
375 }
376 }
377 At some point in the future, Net::OAuth will default to
379 Net::OAuth::PROTOCOL_VERSION_1_0A.
380
382 There is a demo Consumer CGI in this package, also available online at
383 <http://oauth.kg23.com/>
384
386 <http://oauth.net>
387 Check out Net::OAuth::Simple - it has a simpler API that may be more to
389 your liking
390 Check out Net::Twitter::OAuth for a Twitter-specific OAuth API
392 Check out WWW::Netflix::API for a Netflix-specific OAuth API
394
396 · Support for repeating/multivalued parameters
397 · Add convenience methods for SPs
399 Something like:
401 # direct from CGI.pm object
403 $request = Net::OAuth->request('Request Token')->from_cgi_query($cgi, %api_params);
404 # direct from Catalyst::Request object
406 $request = Net::OAuth->request('Request Token')->from_catalyst_request($c->req, %api_params);
407 # from Auth header and GET and POST params in one
409 local $/;
410 my $post_body = <STDIN>;
411 $request = Net::OAuth->request('Request Token')->from_auth_get_and_post(
412 $ENV{HTTP_AUTHORIZATION},
413 $ENV{QUERY_STRING},
414 $post_body,
415 %api_params
416 );
417
419 Keith Grennan, "<kgrennan at cpan.org>"
420
422 Copyright 2009 Keith Grennan, all rights reserved.
423 This program is free software; you can redistribute it and/or modify it
425 under the same terms as Perl itself.
426perl v5.30.0 2019-07-26 Net::OAuth(3)