Good point, maybe this should be a separate related standard altogether.
I'm thinking about something like the various mobile notification
implementations or even the PuSH bot.
The flow is as follows:
1) Feed request with 200 or 401 response. Response includes
WWW-Authenticate and OAuth2-Discovery headers (OAuth2-Discovery
includes supported grant types and OAuth2 endpoints. See below).
2) OAuth2 assertion initiated with magicsig identity assertion.
Success results in a valid access token response. (See below for
details)
3) Access token is included in feed request as qs param and made
again. Response now includes the hub link.
3) PSHB subscription is initiated as per the spec with the topic URL
as included in step 3. (e.g.
http://ooava.com/dbounds?format=json&oauth_token=12345)
4) During subscription verification the oauth_token included in the
topic is verified and used to validate the response.
Working PoC here:
http://ooava.com/dbounds (profile page)
http://ooava.com/dbounds?format=json (protected JSON AS feed)
http://ooava.com/.well-known/host-meta?format=json (host-meta JRD)
http://ooava.com/etc/webfinger?format=json&q=acct:dbo...@ooava.com
(webfinger JRD)
One interesting aspect what we've introduced here is the
OAuth2-Discovery header in the protected feed response. The value is a
JSON resource specifying the supported grant types and associated
OAuth2 resource endpoints.
Example:
GET /dbounds?format=json HTTP/1.1
Host: ooava.com
HTTP/1.1 200 OK
Date: Tue, 01 Feb 2011 20:21:10 GMT
WWW-Authenticate: OAuth2
OAuth2-Discovery:
{"grant_types":["urn:magic-sig:identity:assertion"],"token_endpoint":"http://ooava.com/api/v1/oauth/server/access_token"}
Content-Type: application/stream+json
Content-Length: 0
MagicSig Assertion:
We use the OAuth2 Assertion flow to post an assertion with a
grant-type of: urn:magic-sig:identity:assertion
The assertion is a Magic Envelope in the Compact Serialization form
with a payload of the JSON structure below. With a data-type of
"application/magic-identity-assertion+json"
{
identity_uri:"acct:cha...@reticulateme.appspot.com",
create_date:"Jan 17, 2011 11:48:36 PM",
destination_url:"http://ooava.com/api/v1/oauth/server/access_token"
}
So basically we are signing the uri, the date, and the URL we are
posting to (follow the same URL normalization rules as Oauth signing).
The receiver can validate by following the process in the magic-sig
spec. http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-01.html
--
Thank you,
Darren Bounds
The hub is blissfully unaware of any of this. The validation I was
referring to was handled by the subscriber verifying the token is
received in step 2. Something we've chosen to do.
> I have noticed that the endpoint is not protected.....but OAuth2
> requires TLS protected ones.
TLS wasn't implemented for the PoC but wouldn't affect the flow.
> According to which conditions, are you issuing access tokens?? I
> suppose, that, in your case, it is sufficient to validate the
> salmon(assertion).
The token is being issued in response to a follow request. The token
would also provide access to other protected resources owned by the
same user (e.g. poco).
> In principle, you could automatically ACL'ed the identity_uri.
> I wonder, what kind of flow, you would use, to personally check the
> request and approve it asynchronously. How would you send the access
> token??
This wasn't something we put a lot of thought into for our
implementation as it wasn't a requirement. Our goal was to provide a
simple way to know who's subscribing/following before providing access
to the feed/pshb subscription.
It may be reasonable to provide an access token on the assertion even
if the approval is async and then possibly respond with an HTTP 412
(Precondition Failed) at the feed and allowing the hub to retry at
some period of time (fixed or exponential backoff).