users@jersey.java.net

[Jersey] Re: Jersey+OAuth1.0

From: Miroslav Fuksa <miroslav.fuksa_at_oracle.com>
Date: Thu, 29 May 2014 18:56:21 +0200

Hi,

currently we don’t have any sample for 2-legged OAuth. By 2-legged OAuth I mean OAuth 1 used in the 2-legged way without the user authorization step. For example, 2-legged OAuth can be used when the consumer is authenticating itself and not when the Consumer is authenticating on behalf of its users. 2-legged OAuth is supported by the OAuth1 client and the server. I can list here some hints for development.


The following examples are based on Jersey 2.9. Note that implementation with Jersey 1.x is also possible with some small changes. Links to the Jersey OAuth documentation can be found here: https://jersey.java.net/documentation/latest/security.html#d0e10885 (it also contains examples)

2-legged OAuth in client with Jersey 2.x
===============================
Basically, you need to skip the user authorization step. The following example is from the documentation (link above):
Firstly, you need to build an Authorization flow util:

// Jersey 2.x OAuth1 client classes (jersey-client + jersey-security)
import org.glassfish.jersey.client.oauth1.AccessToken;
import org.glassfish.jersey.client.oauth1.ConsumerCredentials;
import org.glassfish.jersey.client.oauth1.OAuth1AuthorizationFlow;
import org.glassfish.jersey.client.oauth1.OAuth1ClientSupport;

// consumer key and consumer secret issued by the service provider
ConsumerCredentials consumerCredentials = new ConsumerCredentials(
                "a846d84e68421b321a32d", "f13aed84190bc");
// request token, access token and (unused in the 2-legged case) user authorization URIs
OAuth1AuthorizationFlow authFlow = OAuth1ClientSupport.builder(consumerCredentials)
    .authorizationFlow(
        "http://api.twitter.com/oauth/request_token",
        "http://api.twitter.com/oauth/access_token",
        "http://api.twitter.com/oauth/authorize")
    .build();


Then start the flow but skip the user redirection phase:

String authorizationUri = authFlow.start();
// in normal 3-legged OAuth you would redirect the user to the authorizationUri. But with 2-legged OAuth
// the request token is already pre-authorized (or in other words does not need to be authorized). Note that request token
// is hidden and not public in API. So, just call the following method and pass null as verifier.
AccessToken accessToken = authFlow.finish(null);

Your accessToken is now not the token for a specific user but for your consumer application.

2-legged OAuth in server with Jersey 2.x
===============================
Using a 2-legged OAuth server is similar to using the standard OAuth implementation. In this case we are authenticating the Consumer and not the user. So, we cannot expect any redirection of the user to our authorization URI where the user consent page is available. The client will only invoke the second request to our access token URI.

details:
 - OAuth1Provider.getConsumer() must return an OAuth1Consumer whose getPrincipal() and isUserInRole() methods return security information for the Consumer.
 - OAuth1Provider.getAccessToken() must not pair the verifier with any verifier issued before for user authorization (there was basically no user authorization) and must return an access token for the consumer.

Please note that I have personally never verified the 2-legged OAuth scenario with the server and Jersey 2.x, so there might be some other implementation details needed which I have forgotten.

I hope this helps.
Mira
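The following is an added, complete version of the client side described above; it is not code from the original message or from the Jersey project. It takes the start()/finish(null) sequence from the message and adds the documented step of registering the OAuth1 client feature with the resulting token so that ordinary requests are signed. The provider URLs (provider.example) and the resource path are assumed placeholders, and the consumer key/secret are the same placeholder values used in the message.

```java
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Feature;
import javax.ws.rs.core.Response;

import org.glassfish.jersey.client.oauth1.AccessToken;
import org.glassfish.jersey.client.oauth1.ConsumerCredentials;
import org.glassfish.jersey.client.oauth1.OAuth1AuthorizationFlow;
import org.glassfish.jersey.client.oauth1.OAuth1ClientSupport;

/**
 * 2-legged OAuth 1.0 client on Jersey 2.x (jersey-client + jersey-security).
 * Provider endpoints, resource path and credentials are hypothetical placeholders.
 */
public class TwoLeggedOAuth1Client {

    // Assumed provider endpoints; replace with the real ones.
    private static final String REQUEST_TOKEN_URI  = "https://provider.example/oauth/request_token";
    private static final String ACCESS_TOKEN_URI   = "https://provider.example/oauth/access_token";
    private static final String AUTHORIZE_URI      = "https://provider.example/oauth/authorize";
    private static final String PROTECTED_RESOURCE = "https://provider.example/api/v1/status";

    /** Runs the 2-legged exchange: request token -> access token, with no user step in between. */
    static AccessToken obtainConsumerAccessToken(ConsumerCredentials consumerCredentials) {
        OAuth1AuthorizationFlow authFlow = OAuth1ClientSupport.builder(consumerCredentials)
                .authorizationFlow(REQUEST_TOKEN_URI, ACCESS_TOKEN_URI, AUTHORIZE_URI)
                .build();

        // start() fetches a request token from REQUEST_TOKEN_URI and returns the URI a user
        // would be sent to for consent. In the 2-legged case nobody is redirected, so the
        // returned value is ignored.
        authFlow.start();

        // finish() exchanges the (pre-authorized) request token at ACCESS_TOKEN_URI.
        // There was no user consent, hence no oauth_verifier: pass null.
        return authFlow.finish(null);
    }

    /** Builds a Client whose requests are signed with the consumer key plus the given token. */
    static Client signedClient(ConsumerCredentials consumerCredentials, AccessToken accessToken) {
        Feature oauthFeature = OAuth1ClientSupport.builder(consumerCredentials)
                .feature()
                .accessToken(accessToken)
                .build();
        return ClientBuilder.newBuilder().register(oauthFeature).build();
    }

    public static void main(String[] args) {
        // Placeholder consumer key/secret (same values as in the message above).
        ConsumerCredentials consumerCredentials = new ConsumerCredentials(
                "a846d84e68421b321a32d", "f13aed84190bc");

        AccessToken accessToken = obtainConsumerAccessToken(consumerCredentials);
        // The token identifies the consumer application, not a user, so it can be stored
        // and rebuilt later with new AccessToken(token, secret) instead of repeating
        // the request-token/access-token exchange before every call.

        Client client = signedClient(consumerCredentials, accessToken);
        Response response = client.target(PROTECTED_RESOURCE).request().get();
        try {
            if (response.getStatus() == 401) {
                // The provider rejected the signature: a wrong consumer or token secret,
                // clock skew on oauth_timestamp, or a reused nonce are the usual causes.
                System.err.println("Provider rejected the signed request: "
                        + response.getHeaderString("WWW-Authenticate"));
            } else {
                System.out.println(response.getStatus() + " " + response.readEntity(String.class));
            }
        } finally {
            response.close();
            client.close();
        }
    }
}
```

Because the signing key is the consumer secret (plus the token secret) and the request carries oauth_consumer_key, oauth_timestamp and oauth_nonce, the endpoints should be reached over HTTPS; the http://api.twitter.com URLs in the message are only illustrative.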



On May 28, 2014, at 5:27 PM, Mohamed Midulaj <midulaj_at_gmail.com> wrote:

> I am a developer for a REST web service. I was trying to include 2-legged OAuth in my REST service. So can you please provide some documents and sample client and server programs?
>
> Waiting for your reply
>
> --
> with regards
>
> Mohamed Midulaj
> CRIS,chennai
> +91 9962375726