OAuth


Sean Carey

May 13, 2008, 6:13:16 PM
to boston-r...@googlegroups.com
Anyone here implemented OAuth? If so, please tell. Any positive/negative things? Also, did you use the gem?


Seth Fitzsimmons

May 13, 2008, 11:35:08 PM
to boston-r...@googlegroups.com
Yup (with the gem).  Are you building the client or server side?  If a client, what for?

The server side is pretty straightforward, even if you're replacing an OAuth-style authorization system.  I haven't done anything with the Rails plugin, and I'm not sure how much you gain by using it (unless you're starting out with a completely fresh app, in which case it might be useful).  This is a potentially helpful tutorial if you're using the plugin: http://stakeventures.com/articles/2007/11/26/how-to-turn-your-rails-site-into-an-oauth-provider

Alternately, you can refer to a partially working (mostly exists as a demonstration, not a scaffolding) sample that I wrote here:

`svn log` it to find revision numbers to diff so you can see just the changes w/o Rails boilerplate.

The client side is also pretty straightforward, although the helper classes and docs suggest that you do weird things with Client and Token objects--serialize and store in the session--that you should really avoid. Don't worry about re-instantiating Clients and store the consumer key/secret and request token/secret (or access token/secret) in a database somewhere as strings. Make sure you differentiate between request and access tokens, because APIs will behave differently depending on what you throw at them (and because request tokens *will* expire on you). Also, keep an eye out when you request request tokens, as what usually happens is that people either request them too often (you should only get one when you're about to ask a user to authorize your app) or you request one once and it expires.

Fire Eagle's Ruby client is a good example of something that uses the client libs (http://github.com/jnewland/fireeagle/tree/master), although it doesn't include a demo of how to use it as part of a web app (though this might help: http://github.com/jnewland/ride_the_fireeagle/tree/master).

The OAuth gem does not yet support Yahoo!'s session extension (used for all other Y! OAuth-enabled web services besides Fire Eagle), if that's what you intend to consume.  It also does not yet support PKI-SHA1 as a signature method (which is what Google is using).  The PHP client supports this now (so check there to create a patch).  This may also be useful, even though it's not directly OAuth-related: http://github.com/mattb/identity-matcher/tree/master/lib/identity_matcher.rb#L92-L93

Whoa.  Hope this is useful and not just overkill.

seth
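
Added example (not part of the post above, and not OAuth gem code): one way to keep request and access tokens as plain strings, told apart by kind, with a new request token fetched only when none is stored or the stored one has expired. `TokenStore`, `TokenRow`, the in-memory hash standing in for a database table, and the 600-second lifetime are all assumptions for illustration.

```ruby
# Hypothetical token bookkeeping: strings only, no serialized Client/Token objects.
TokenRow = Struct.new(:user_id, :kind, :token, :secret, :issued_at)

class TokenStore
  REQUEST_TTL = 600 # seconds; assumed value, the real lifetime is set by the provider

  def initialize(clock: -> { Time.now.to_i })
    @rows = {}      # stands in for a database table keyed by [user_id, kind]
    @clock = clock
  end

  # Return a usable request token. The block (which would call the provider)
  # runs only when no unexpired request token is stored for this user.
  def request_token_for(user_id)
    row = @rows[[user_id, :request]]
    return row if row && !expired?(row)
    token, secret = yield
    @rows[[user_id, :request]] =
      TokenRow.new(user_id, :request, token, secret, @clock.call)
  end

  # After the user authorizes, swap the request token for the access token.
  # The request row is deleted so it can never be reused or mistaken for one.
  def promote(user_id, access_token, access_secret)
    row = @rows.delete([user_id, :request])
    raise ArgumentError, "no pending request token" unless row
    raise ArgumentError, "request token expired" if expired?(row)
    @rows[[user_id, :access]] =
      TokenRow.new(user_id, :access, access_token, access_secret, @clock.call)
  end

  # Only an access token may be handed to code that signs API calls.
  def access_token_for(user_id)
    @rows[[user_id, :access]]
  end

  private

  def expired?(row)
    @clock.call - row.issued_at > REQUEST_TTL
  end
end
```

In a real app the rows live in a database with the secret columns protected like passwords, and a Client is rebuilt from these strings on each request.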