• Stars
    star
    211
  • Rank 180,842 (Top 4 %)
  • Language
    Java
  • License
    Apache License 2.0
  • Created over 13 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Java library for authenticating HTTP Requests using OAuth

JOAuth Build Status Coverage Status

A Java library for authenticating HTTP Requests using OAuth

Features

  • Supports OAuth 1.0a and 2.0 (draft 25)
  • Unpacks Requests, extracts and verifies OAuth parameters from headers, GET, and POST
  • Incidentally parses Non-OAuth GET and POST parameters and makes them accessible via a callback
  • Custom callbacks to obtain scheme and path from the request in a non-standard way
  • Configurable timestamp checking
  • Correctly works around various weird URLEncoder bugs in the JVM
  • Written in Java, with minimal dependencies

The Github source repository is here. Patches and contributions are welcome.

Non-Features

  • It's not a full OAuth solution; There's nothing here about creating request tokens, access token/secret pairs, or consumer key/secret pairs. This library is primarily for verifying (and potentially signing) requests.
  • There's no framework for looking up access token/secret pairs and consumer key/secret pairs from a backing store. You're on your own there.
  • There's no Nonce-validation, though there's support for adding your own.

Building

Dependencies: commons-codec (specs & mockito-all to run the tests). These dependencies are managed by the build system.

v3.0.1 and higher - Use maven to build:

% mvn clean install

v.1.1.2 is the last version that can be built using scala 2.7.7, and now resides in the scala27 branch. v1.2 and above require scala > 2.8.1. v3.0.1 and above uses maven instead of sbt, and require scala 2.9.2

v.6.0.0 require JDK 1.6. Test require scala 2.9.2

Below v3.0.1 - Use sbt (simple-build-tool) to build:

% sbt clean update compile

The finished jar will be in dist/.

Understanding the Implementation

JOAuth consists of five traits, each of which is invoked with an apply method.

  • The OAuthRequest trait models the data needed to validate a request. There are three subclasses, OAuth1Request, OAuth1TwoLeggedRequest and OAuth2Request.
  • The Unpacker trait unpacks the HttpServletRequest into an OAuthRequest, which models the data needed to validate the request
  • The Normalizer trait produces a normalized String representation of the request, used for signature calculation
  • The Signer trait signs a String, using the OAuth token secret and consumer secret.
  • The Verifier trait verifies that a OAuth1Request is valid, checking the timestamp, nonce, and signature

There are "Standard" and "Const" implementations of the Unpacker, Normalizer, Signer, and the Verifier traits, for easy dependency injection. Each trait has a companion object with apply methods for the default instantiation of the corresponding Standard implementations.

Usage

Basic Usage

Create an unpacker, and use it to unpack the Request. The Unpacker will either return an OAuth1Request or OAuth2Request object or throw an UnpackerException.

import com.twitter.joauth.Unpacker

val unpack = Unpacker()
try {
  unpack(request) match {
    case req: OAuth1Request => handleOAuth1(req)
case req: OAuth1TwoLeggedRequest => handleOAuth1TwoLegged(req)
    case req: OAuth2Request => handleOAuth2(req)
    case _ => // ignore or throw
  }
} catch {
  case e:UnpackerException => // handle or rethrow
  case _ => // handle or rethrow
}

Once the request is unpacked, the credentials need to be validated. For an OAuth2Request, the OAuth Access Token must be retrieved and validated by your authentication service. For an OAuth1Request the Access Token, the Consumer Key, and their respective secrets must be retrieved, and then passed to the Verifier for validation. For an OAuth1TwoLeggedRequest, the Consumer Key must be retrieved and passed to the Verifier for validation.

import com.twitter.joauth.{Verifier, VerifierResult}

val verify = Verifier()
verify(oAuth1Request, tokenSecret, consumerSecret) match {
  case VerifierResult.BAD_NONCE => // handle bad nonce
  case VerifierResult.BAD_SIGNATURE => // handle bad signature
  case VerifierResult.BAD_TIMESTAMP => // handle bad timestamp
  case VerifierResult.OK => //success!
}

That's it!

Advanced Usage

Getting Parameter Key/Values

There are two apply methods in the Unpacker trait. The one-argument version takes a Request, and the two-argument version takes a Request and a Seq[KeyValueHandler]. A KeyValueHandler is a simple trait that the Unpacker uses as a callback for every Key/Value pair encountered in either the query string or POST data (if the Content-Type is application/x-www-form-urlencoded). If there are duplicate keys, the KeyValueHandler will get invoked for each.

The JOAuth library provides a few basic KeyValueHandlers, and it's easy to add your own. For example, suppose you want to get a list of key/values, including duplicates, from the request you're unpacking. You can do this by passing a DuplicateKeyValueHandler to the unpacker.

val unpack = Unpacker()
val handler = new DuplicateKeyValueHandler
val unpackedRequest = unpack(request, Seq(handler))
doSomethingWith(handler.toList)

The DuplicateKeyValueHandler is invoked for each key/value pair encountered, and a List[(String, String)] can be extracted afterwards.

You can also construct your own KeyValueHandlers, and there are a few useful KeyValueHandlers already defined. There's a TransformingKeyValueHandler, which wraps an underlying KeyValueHandler such that either the key or value or both are transformed before the underlying handler is invoked.

For example, suppose you want to get all values of a single parameter, and you want it UrlDecoded first.

class ValuesOnlyKeyValueHandler(key: String) extends KeyValueHandler {
  val buffer = new ArrayBuffer[String]
  def apply(k: String, v: String) {
    if (k == key)
      buffer += v
  }
  def toList = buffer.toList
}

object UrlDecodingTransformer extends Transformer {
  def apply(str: String) = URLDecoder.decode(str)
}

class UrlDecodedKeyValueHandler(underlying: KeyValueHandler)
  extends TransformingKeyValueHandler(underlying, UrlDecodingTransformer, UrlDecodingTransformer)

val unpack = Unpacker()
val handler = new ValuesOnlyKeyValueHandler("SpecialKey")
val wrappedHandler = UrlDecodedMyValueOnlyKeyValueHandler(handler)
val unpackedRequest = unpack(request, Seq(wrappedHandler))
doSomethingWith(handler.toList)

Obviously it would be a little easier to just call request.getParameterValues("SpecialKey") in this example, but we hope it's not hard to see that passing custom KeyValueHandlers into the unpacker can be a powerful tool. In particular, they're an easy way to get access to POST data after the Unpacker has ruined your HttpServletRequest by calling getInputStream.

KeyValueHandlers are used in the JOAuth source code to collect OAuth and non-OAuth parameters from the GET, POST and Authorization header.

Other Unpacker Tricks

You can pass in a custom Normalizer or custom parameter and header KeyValueParsers to the Unpacker apply method if you really want to, but you're on your own.

Using Normalizer and Signer

You can use the Normalizer and Signer to sign OAuth 1.0a requests.

val normalize = Normalizer()
val sign = Signer()

val normalizedRequest = normalize(scheme, host, port, verb, path, params, oAuthParams)
val signedRequest = sign(normalizedRequest, tokenSecret, consumerSecret)

The parameters are passed as a List[(String, String)], and the OAuth params are passed in an OAuthParams instance.

Running Tests

The tests are completely self contained, and can be run using Maven:

% mvn test

Reporting problems

The Github issue tracker is here.

Contributors

  • Jeremy Cloud
  • Tina Huang
  • Steve Jenson
  • Nick Kallen
  • John Kalucki
  • Raffi Krikorian
  • Mark McBride
  • Marcel Molina
  • Glen Sanford
  • Fiaz Hossain
  • Steven Liu
  • Manoj Cheenath

License

Copyright 2010-2013 Twitter, Inc.

Licensed under the Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0

More Repositories

1

the-algorithm

Source code for Twitter's Recommendation Algorithm
Scala
60,968
star
2

twemoji

Emoji for everyone. https://twemoji.twitter.com/
HTML
16,575
star
3

typeahead.js

typeahead.js is a fast and fully-featured autocomplete library
JavaScript
16,526
star
4

twemproxy

A fast, light-weight proxy for memcached and redis
C
12,000
star
5

the-algorithm-ml

Source code for Twitter's Recommendation Algorithm
Python
9,844
star
6

finagle

A fault tolerant, protocol-agnostic RPC system
Scala
8,742
star
7

hogan.js

A compiler for the Mustache templating language
JavaScript
5,143
star
8

labella.js

Placing labels on a timeline without overlap.
JavaScript
3,869
star
9

scala_school

Lessons in the Fundamentals of Scala
HTML
3,700
star
10

AnomalyDetection

Anomaly Detection with R
R
3,529
star
11

scalding

A Scala API for Cascading
Scala
3,469
star
12

twitter-text

Twitter Text Libraries. This code is used at Twitter to tokenize and parse text to meet the expectations for what can be used on the platform.
HTML
3,051
star
13

TwitterTextEditor

A standalone, flexible API that provides a full-featured rich text editor for iOS applications.
Swift
2,950
star
14

opensource-website

Twitter's open source website, identifying projects we've released, organizations we support, and the work we do to support open source.
SCSS
2,918
star
15

util

Wonderful reusable code from Twitter
Scala
2,679
star
16

algebird

Abstract Algebra for Scala
Scala
2,284
star
17

finatra

Fast, testable, Scala services built on TwitterServer and Finagle
Scala
2,271
star
18

effectivescala

Twitter's Effective Scala Guide
HTML
2,241
star
19

summingbird

Streaming MapReduce with Scalding and Storm
Scala
2,136
star
20

pelikan

Pelikan is Twitter's unified cache backend
C
1,921
star
21

ios-twitter-image-pipeline

Twitter Image Pipeline is a robust and performant image loading and caching framework for iOS clients
C
1,851
star
22

twurl

OAuth-enabled curl for the Twitter API
Ruby
1,790
star
23

rezolus

Systems performance telemetry
Rust
1,546
star
24

twitter-server

Twitter-Server defines a template from which services at Twitter are built
Scala
1,542
star
25

activerecord-reputation-system

An Active Record Reputation System for Rails
Ruby
1,334
star
26

communitynotes

Documentation and source code powering Twitter's Community Notes
Python
1,319
star
27

compose-rules

Static checks to aid with a healthy adoption of Compose
Kotlin
1,311
star
28

fatcache

Memcache on SSD
C
1,301
star
29

rsc

Experimental Scala compiler focused on compilation speed
Scala
1,243
star
30

elephant-bird

Twitter's collection of LZO and Protocol Buffer-related Hadoop, Pig, Hive, and HBase code.
Java
1,137
star
31

cassovary

Cassovary is a simple big graph processing library for the JVM
Scala
1,039
star
32

Serial

Light-weight, fast framework for object serialization in Java, with Android support.
Java
988
star
33

hbc

A Java HTTP client for consuming Twitter's realtime Streaming API
Java
963
star
34

twemcache

Twemcache is the Twitter Memcached
C
925
star
35

innovators-patent-agreement

Innovators Patent Agreement (IPA)
919
star
36

vireo

Vireo is a lightweight and versatile video processing library written in C++11
C++
919
star
37

twitter-korean-text

Korean tokenizer
Scala
834
star
38

scrooge

A Thrift parser/generator
Scala
785
star
39

BreakoutDetection

Breakout Detection via Robust E-Statistics
C++
753
star
40

GraphJet

GraphJet is a real-time graph processing library.
Java
696
star
41

twitter-cldr-rb

Ruby implementation of the ICU (International Components for Unicode) that uses the Common Locale Data Repository to format dates, plurals, and more.
Ruby
667
star
42

bijection

Reversible conversions between types
Scala
657
star
43

chill

Scala extensions for the Kryo serialization library
Scala
608
star
44

ios-twitter-network-layer

Twitter Network Layer is a scalable and feature rich network layer built on top of NSURLSession for Apple platforms
Objective-C
574
star
45

hadoop-lzo

Refactored version of code.google.com/hadoop-gpl-compression for hadoop 0.20
Shell
544
star
46

storehaus

Storehaus is a library that makes it easy to work with asynchronous key value stores
Scala
464
star
47

rpc-perf

A tool for benchmarking RPC services
Rust
458
star
48

d3kit

D3Kit is a set tools to speed D3 related project development
JavaScript
429
star
49

scoot

Scoot is a distributed task runner, supporting both a proprietary API and Bazel's Remote Execution.
Go
347
star
50

twitter-cldr-js

JavaScript implementation of the ICU (International Components for Unicode) that uses the Common Locale Data Repository to format dates, plurals, and more. Based on twitter-cldr-rb.
JavaScript
345
star
51

scala_school2

Scala School 2
Scala
340
star
52

rustcommon

Common Twitter Rust lib
Rust
339
star
53

wordpress

The official Twitter plugin for WordPress. Embed Twitter content and grow your audience on Twitter.
PHP
310
star
54

ios-twitter-logging-service

Twitter Logging Service is a robust and performant logging framework for iOS clients
Objective-C
300
star
55

nodes

A library to implement asynchronous dependency graphs for services in Java
Java
246
star
56

SentenTree

A novel text visualization technique
JavaScript
226
star
57

interactive

Twitter interactive visualization
HTML
213
star
58

thrift_client

A Thrift client wrapper that encapsulates some common failover behavior
Ruby
196
star
59

hpack

Header Compression for HTTP/2
Java
192
star
60

zktraffic

ZooKeeper protocol analyzer and stats gathering daemon
Python
165
star
61

twemoji-parser

A simple library for identifying emoji entities within a string in order to render them as Twemoji.
Scala
162
star
62

cache-trace

A collection of Twitter's anonymized production cache traces.
Shell
162
star
63

sbf

Java
159
star
64

tormenta

Scala extensions for Storm
Scala
132
star
65

whiskey

HTTP library for Android (beta)
Java
131
star
66

hraven

hRaven collects run time data and statistics from MapReduce jobs in an easily queryable format
Java
127
star
67

netty-http2

HTTP/2 for Netty
Java
120
star
68

sqrl

A Safe, Stateful Rules Language for Event Streams
TypeScript
100
star
69

ccommon

Cache Commons
C
99
star
70

focus

Focus aligns Git worktree content based on outlines of a repository's Bazel build graph. Focused repos are sparse, shallow, and thin and unlock markedly better performance in large repos.
Rust
91
star
71

dict_minimize

Access scipy optimizers from your favorite deep learning framework.
Python
77
star
72

metrics

76
star
73

twitter.github.io

HTML
71
star
74

go-bindata

Go
68
star
75

birdwatch

67
star
76

diffusion-rl

Python
66
star
77

cloudhopper-commons

Cloudhopper Commons
Java
57
star
78

twitter-cldr-npm

TwitterCldr npm package
JavaScript
49
star
79

.github

Twitter GitHub Organization-wide files
48
star
80

bazel-multiversion

Bazel rules to resolve, fetch and manage 3rdparty JVM dependencies with support for multiple parallel versions of the same dependency. Powered by Coursier.
Scala
47
star
81

libwatchman

A C interface to watchman
C
44
star
82

sslconfig

Twitter's OpenSSL Configuration
42
star
83

ios-twitter-apache-thrift

A thrift encoding and decoding library for Swift
Swift
41
star
84

gatekeeper-service

GateKeeper is a service built to automate the manual steps involved in onboarding, offboarding, and lost asset scenarios.
Python
36
star
85

dodo

The Twitter OSS Project Builder
Shell
35
star
86

repo-scaffolding

Tools for creating repos based on open source standards and best practices
33
star
87

iago2

A load generator, built for engineers
Scala
24
star
88

caladrius

Performance modelling system for Distributed Stream Processing Systems (DSPS) such as Apache Heron and Apache Storm
Python
22
star
89

ossdecks

Repository for Twitter Open Source Decks
10
star
90

curation-style-guide

Document Repository for Twitter's Curation Style Guide
10
star
91

analytics-infra-governance

Description of the process for how to commit, review, and release code to the Scalding OSS family (Scalding, Summingbird, Algebird, Bijection, Storehaus, etc)
9
star
92

gpl-commitment

Twitter's GPL Cooperation Commitment
5
star
93

second-control-probability-distributions

4
star
94

google-tag-manager-event-tag

Smarty
3
star
95

google-tag-manager-base-tag

Smarty
2
star