repoze.who.plugins.vepauth

Software Details:
Version: 0.3.0
Upload Date: 15 Apr 15
Distribution Type: Freeware

repoze.who.plugins.vepauth is a repoze.who plugin for automated authentication via BrowserID:

 https://browserid.org/
 https://wiki.mozilla.org/Identity/BrowserIDSync

The plugin implements an experimental protocol for authenticating to ReSTful web services with the Verified Email Protocol, a.k.a. Mozilla's BrowserID project. It is designed for use in automated tools like the Firefox Sync Client. If you're looking for something to use for human visitors on your site, please try:

 http://github.com/mozilla-services/repoze.who.plugins.browserid

When accessing a protected resource, the server will generate a 401 challenge response with the scheme "OAuth+VEP" as follows:

> GET /protected_resource HTTP/1.1
> Host: example.com

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: OAuth+VEP url="/request_token"


The client should extract the URL from this challenge and POST a VEP assertion to that location. This will create a new authentication session and return a set of OAuth client credentials:

> POST /request_token HTTP/1.1
> Host: example.com
> Content-Type: application/x-www-form-urlencoded
>
> assertion=VEP_ASSERTION_DATA

< HTTP/1.1 200 OK
< Content-Type: application/json
<
< {
< "oauth_consumer_key": SESSION_TOKEN,
< "oauth_consumer_secret": SESSION_SECRET
< }

Subsequent requests should be signed using these credentials in Two-Legged OAuth mode:

> GET /protected_resource HTTP/1.1
> Host: example.com
> Authorization: OAuth oauth_consumer_key=SESSION_TOKEN,
>                      oauth_signature_method="HMAC-SHA1",
>                      oauth_version="1.0",
>                      oauth_timestamp=TIMESTAMP,
>                      oauth_nonce=NONCE,
>                      oauth_signature=SIGNATURE

< HTTP/1.1 200 OK
< Content-Type: text/plain
<
< For your eyes only: secret data!

Session tokens are timestamped and will eventually expire. If this happens you will receive a 401 response as before, and should POST a new assertion to obtain fresh credentials.
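
The challenge parsing and two-legged OAuth signing described above, sketched as an added example; this is not code from the plugin or its authors. The function names are hypothetical, the same-origin check on the token URL is an added assumption, and the signed URL is assumed to be already normalized and to carry no query string.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urljoin, urlsplit

def token_url_from_challenge(request_url, www_authenticate):
    """Return the absolute token URL from an OAuth+VEP challenge, else None."""
    scheme, _, params = www_authenticate.partition(" ")
    match = re.search(r'\burl="([^"]*)"', params)
    if scheme != "OAuth+VEP" or not match:
        return None
    target = urljoin(request_url, match.group(1))
    # Added check (an assumption, not stated on the page): only POST the
    # assertion to the same scheme and host that issued the challenge.
    src, dst = urlsplit(request_url), urlsplit(target)
    if (src.scheme, src.netloc) != (dst.scheme, dst.netloc):
        return None
    return target

def _enc(value):
    return quote(str(value), safe="-._~")  # percent-encode all but unreserved

def _signature(method, url, params, secret):
    # Signature base string: METHOD & encoded URL & encoded sorted parameters.
    pairs = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), _enc(url), _enc(pairs)])
    key = (_enc(secret) + "&").encode()  # two-legged: token secret is empty
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, url, session_token, session_secret, timestamp, nonce):
    """Client side: build the Authorization header for a signed request."""
    params = {
        "oauth_consumer_key": session_token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
    }
    params["oauth_signature"] = _signature(method, url, params, session_secret)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in params.items())

def verify_request(method, url, header, session_secret):
    """Server side: recompute the signature and compare in constant time."""
    params = {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header)}
    claimed = params.pop("oauth_signature", "")
    expected = _signature(method, url, params, session_secret)
    return hmac.compare_digest(claimed.encode(), expected.encode())
```

A production verifier would additionally reject stale oauth_timestamp values and reused oauth_nonce values, which this sketch leaves out.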

What is new in this release:

  • Replaced Two-Legged OAuth with MAC Access Auth, implemented according to the latest draft standard: https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-01

What is new in version 0.2.0:

  • Added basic pattern-matching for the token_url, e.g. "/{app}/token".
  • Made TokenManager.make_token and TokenManager.parse_token accept the incoming request as first argument, mostly so they can get at the results of pattern-matching.
  • Let TokenManager.make_token return a dict of extra info to be included in the response.

Requirements:

  • Python
  • repoze.who
