Skip to content

Commit 20bd991

Browse files
committed
📝 Correct OAuth README usage guidance
1 parent da97783 commit 20bd991

2 files changed

Lines changed: 40 additions & 9 deletions

File tree

CHANGELOG.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,8 @@ Please file a bug if you notice a violation of semantic versioning.
2424

2525
- Retemplated project workflows, appraisals, and development tooling with the
2626
current `kettle-jem` template.
27+
- Documented current `OAuth::Consumer` configuration options, including token
28+
request redirect safety settings, and corrected the OAuth 1.0a usage example.
2729
- Raised the runtime dependency floor for `auth-sanitizer` to `>= 0.2.1`.
2830
- Raised the runtime dependency floor for `snaky_hash` to `>= 2.0.5`.
2931

README.md

Lines changed: 38 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -153,6 +153,20 @@ This is a ruby library which is intended to be used in creating Ruby Consumer
153153
and Service Provider applications. It is NOT a Rails plugin, but could easily
154154
be used for the foundation for such a Rails plugin.
155155

156+
The main client entry point is `OAuth::Consumer.new(consumer_key, consumer_secret, options)`.
157+
Common options include:
158+
159+
- `:site` - Provider origin, for example `https://provider.example`.
160+
- `:request_token_path`, `:authorize_path`, `:authenticate_path`, `:access_token_path` - Provider endpoint paths. Defaults are `/oauth/request_token`, `/oauth/authorize`, `/oauth/authenticate`, and `/oauth/access_token`.
161+
- `:request_token_url`, `:authorize_url`, `:access_token_url` - Full endpoint URLs. Use these when endpoints are not all under the same `:site` origin.
162+
- `:scheme` - Where OAuth parameters are sent: `:header` by default, or `:body` / `:query_string`.
163+
- `:http_method` - HTTP method for token endpoint requests, `:post` by default.
164+
- `:signature_method` - Signature method, `HMAC-SHA1` by default.
165+
- `:body_hash_enabled` - Whether request body hashes are signed where applicable. Defaults to `true`.
166+
- `:ca_file`, `:proxy`, `:debug_output` - Net::HTTP transport options.
167+
- `:token_request_max_redirects` - Maximum redirects followed while requesting OAuth tokens. Defaults to `10`.
168+
- `:token_request_cross_origin_redirects` - Whether token requests may follow redirects to a different scheme, host, or effective port. Defaults to `false`; only enable this when the provider's token endpoints intentionally redirect across origins.
169+
156170
This gem was originally extracted from @pelle's [oauth-plugin](https://github.com/pelle/oauth-plugin)
157171
gem. After extraction that gem was made to depend on this gem.
158172

@@ -168,8 +182,10 @@ into a separate gem with the 1.x minor updates of this gem.
168182

169183
### Examples
170184

171-
We need to specify the `oauth_callback` url explicitly, otherwise it defaults to
172-
"oob" (Out of Band)
185+
For browser-based three-legged OAuth 1.0a flows, pass an explicit
186+
`oauth_callback` URL when requesting the request token. If you do not pass
187+
`oauth_callback`, this gem defaults it to `"oob"` (out of band), which is
188+
intended for command-line and non-HTTP clients.
173189

174190
```ruby
175191
callback_url = "http://127.0.0.1:3000/oauth/callback"
@@ -178,40 +194,53 @@ callback_url = "http://127.0.0.1:3000/oauth/callback"
178194
Create a new `OAuth::Consumer` instance by passing it a configuration hash:
179195

180196
```ruby
181-
oauth_consumer = OAuth::Consumer.new("key", "secret", site: "https://agree2")
197+
oauth_consumer = OAuth::Consumer.new(
198+
"consumer_key",
199+
"consumer_secret",
200+
site: "https://provider.example"
201+
)
182202
```
183203

184-
Start the process by requesting a token
204+
Start the process by requesting a token:
185205

186206
```ruby
187207
request_token = oauth_consumer.get_request_token(oauth_callback: callback_url)
188208

189209
session[:token] = request_token.token
190210
session[:token_secret] = request_token.secret
191-
redirect_to request_token.authorize_url(oauth_callback: callback_url)
211+
redirect_to request_token.authorize_url
192212
```
193213

194-
When user returns create an access_token
214+
When the user returns to your callback URL, rebuild the request token from the
215+
values you stored and exchange it for an access token. OAuth 1.0a providers
216+
return `oauth_verifier` in the callback, and it must be included in this
217+
exchange.
195218

196219
```ruby
197220
hash = {oauth_token: session[:token], oauth_token_secret: session[:token_secret]}
198221
request_token = OAuth::RequestToken.from_hash(oauth_consumer, hash)
199-
access_token = request_token.get_access_token
200-
# For 3-legged authorization, flow oauth_verifier is passed as param in callback
201-
# access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier])
222+
access_token = request_token.get_access_token(oauth_verifier: params[:oauth_verifier])
202223
@photos = access_token.get("/photos.xml")
203224
```
204225

226+
For OAuth 1.0 providers that do not use `oauth_verifier`, call
227+
`request_token.get_access_token` without the verifier.
228+
205229
Now that you have an access token, you can use Typhoeus to interact with the
206230
OAuth provider if you choose.
207231

208232
```ruby
209233
require "typhoeus"
210234
require "oauth/request_proxy/typhoeus_request"
235+
236+
uri = "https://provider.example/photos.xml"
237+
options = {method: :get, headers: {}}
211238
oauth_params = {consumer: oauth_consumer, token: access_token}
239+
212240
hydra = Typhoeus::Hydra.new
213241
req = Typhoeus::Request.new(uri, options) # :method needs to be specified in options
214242
oauth_helper = OAuth::Client::Helper.new(req, oauth_params.merge(request_uri: uri))
243+
req.options[:headers] ||= {}
215244
req.options[:headers]["Authorization"] = oauth_helper.header # Signs the request
216245
hydra.queue(req)
217246
hydra.run

0 commit comments

Comments
 (0)