OAuth is a technology that allows a user to connect a client to a service, but without that user needing to enter their password.

The usual way this works is that a user clicks on a button and is taken to a page asking whether they wish to allow the connection. Under the bonnet a handshake is going on between the client and server, resulting in an exchange of tokens.

If you’ve ever used the “Facebook connect” or “Sign in with Twitter” buttons, you are likely familiar with this.

Known has a comprehensive API, and while it is possible to authenticate yourself to it using signed HTTP headers, I thought it’d be handy to be able to authenticate with OAuth as well (it was an excuse for me to write the code powering the server side of an OAuth exchange, a good way to understand it!).

The plugin I wrote lets a user manage “applications” – collections of keys – which can be used by an OAuth2 client to power an exchange.

Example Usage

Here is an example of client authentication in its most basic form…

To get a code:

https://mysite.com/oauth2/authorise/?response_type=code&client_id=<your API Key>&redirect_uri=<path to your endpoint>

You will be directed to a login page, followed by a confirmation page as necessary, after which you will get a response code back. This response will either be a JSON-encoded blob or, if you specified a redirect_uri, the values will be forwarded as GET variables.

Exchanging the code for a token

https://mysite.com/oauth2/access_token/?grant_type=authorization_code&client_id=<your API Key>&redirect_uri=<path to your endpoint>

You should get back a JSON-encoded blob with an access token, expiry and refresh token.

Once you’ve performed an OAuth exchange, you will be provided with an access token. You can pass this token along with any web service API call to authenticate your request.
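The two steps above from the client's side, as an added Python example (not code from the plugin). It builds both request URLs and accepts either response form, JSON blob or GET variables on the redirect. Assumptions: the `code` and `error` field names, the `code` request parameter and the `access_token` / `refresh_token` / `expires_in` keys follow RFC 6749 and are not confirmed by this post; the function names are hypothetical.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

BASE = "https://mysite.com/oauth2"  # site used in the post's example URLs

def authorise_url(client_id, redirect_uri=None):
    """Step 1: the URL the user visits to obtain a code."""
    params = {"response_type": "code", "client_id": client_id}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return f"{BASE}/authorise/?{urlencode(params)}"

def extract_code(response, redirect_uri=None):
    """Read the code from a JSON blob, or from GET variables on the redirect.

    ASSUMPTION: the value is called "code" and failures carry "error".
    """
    if redirect_uri:
        got, want = urlsplit(response), urlsplit(redirect_uri)
        # Only accept a callback that arrived at the endpoint we asked for.
        if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
            raise ValueError("callback does not match redirect_uri")
        fields = {k: v[0] for k, v in parse_qs(got.query).items()}
    else:
        fields = json.loads(response)
    if "error" in fields or not fields.get("code"):
        raise ValueError(f"authorisation failed: {fields.get('error', 'no code')}")
    return fields["code"]

def token_url(client_id, code, redirect_uri=None):
    """Step 2: exchange URL. ASSUMPTION: the code is sent as a "code" parameter."""
    params = {"grant_type": "authorization_code", "client_id": client_id, "code": code}
    if redirect_uri:
        params["redirect_uri"] = redirect_uri
    return f"{BASE}/access_token/?{urlencode(params)}"

def parse_token(blob, now=None):
    """Return (access_token, refresh_token, absolute expiry time in seconds).

    ASSUMPTION: keys are access_token / refresh_token / expires_in (seconds).
    """
    data = json.loads(blob)
    now = time.time() if now is None else now
    return data["access_token"], data.get("refresh_token"), now + int(data["expires_in"])
```

Storing the expiry as an absolute time lets the client decide when to use the refresh token without re-reading the original response.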

» Visit the project on Github...

Using the Paris attacks as an excuse, governments around the world are clamping down on free speech, and the tools that make that speech possible in the digital age.

Cameron, who clearly read somewhere that it doesn’t matter what you say, so long as you sound decisive, has declared war on cryptography.

I talk a bit about this in a rant I recorded earlier:

A secure internet secures us all, and despite having never so much as got a parking ticket, I feel deeply uncomfortable in the UK – which is officially the most spied on country in the “free” world. Where every car journey is tracked, where people are recorded (both audio and video) in virtually every public space, where every text message, email, phone conversation and website is recorded and analysed.

Where, if Cameron has his way, it will soon be a crime to use tools to resist this ever watchful eye.

Not knowing if you’re being watched, and not knowing what conclusion some faceless spook or bureaucrat will make from the activity of your day to day life is stressful and socially damaging. People will always say “if you’ve nothing to hide, you’ve nothing to fear”, but really it’s all about context.

Granted, there are crazies out there, but the gunmen in the Paris attack were known, and they communicated openly with each other. Why weren’t they picked up? Well, the French already stated that it is simply not possible to investigate every possible lead – so throwing the net wider and making the haystack bigger, while sounding good in an election campaign, can only make it less likely that you’ll spot the next attack.

Destroying freedom in order to protect it is not winning, Mr Cameron. We lived for decades under the threat of Christian terrorists, and the threat of US/USSR nuclear annihilation, without shredding the constitution.

Putting the whole country under surveillance in a modern reboot of East Germany is not going to protect us. Destroying the UK’s IT sector is not going to protect us either.

Christian Payne and Cory Doctorow say this much, much better than I did.

Perhaps trying to get to the reasons why so many poor people are angry and turning to religious fanaticism and violence might be a better idea?

But of course you won’t. You need to appear Tough. You need to Lead. To support your backers.

The Cheltenham eye of Sauron is being turned inwards, not to protect UK citizens from terrorists, but to protect the interests of your super rich friends from the dispossessed and increasingly angry poor, as you strip away their freedoms, education, healthcare, houses and livelihoods.

My blood is boiling again, so I think it’s time to sign off and go drink some herbal tea.

I’ll leave you with a video by Russell Brand. No matter what your personal views are on this guy, his video on the Charlie Hebdo massacre hits the nail absolutely on the head.

Peace.

There are now many plugins for Known, a lot of which I’ve written, available on Github.

Many people, myself included, like to install these plugins via a git submodule checkout – this simplifies deployment and makes updating installed plugins easier, however it can be problematic.

The problem is that either the repository contains the actual plugin in a subdirectory (e.g. my Github plugin is in the repo ‘KnownGithub‘, and the plugin is in a subdirectory ‘Github’), or, if it doesn’t, the actual clone of the repository will default to an incompatible name (e.g. Known’s Facebook plugin is in a repo ‘facebook’, but the code wants it in a directory ‘Facebook’).

Both have their own issues, but both mean you can’t directly use them in a submodule git checkout (unless you use my symlink trick). It would be nice if you could use these repos directly, so I put together a patch (which has been accepted) that allows you to build your plugin repos in such a way that they can be used directly from a git clone.

Introducing the autoloader

The patch I submitted introduces the ability to provide a loader for your plugin in the root directory of your plugin repository. So, if your plugin is Foo in a directory inside your repository KnownFoo, you could create a special autoloader.php file in the root that will allow Known to load your plugin in the normal way, direct from a git clone into your IdnoPlugins directory.

To do this, create a file autoloader.php with the following code:

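<?php
/**
 * Support loading of direct checkout.
 */
spl_autoload_register(function($class) {
    // Turn the namespaced class name into a relative path, e.g. IdnoPlugins/Foo/Main
    $class = str_replace('\\', DIRECTORY_SEPARATOR, $class);

    // The second namespace segment is the plugin's "real name" (e.g. Foo)
    $segments = explode(DIRECTORY_SEPARATOR, $class);
    if (!isset($segments[1])) {
        return; // Not a namespaced class, nothing for this loader to do
    }
    $PLUGIN_NAME = $segments[1];

    // Known's root directory, i.e. the parent of IdnoPlugins
    $basedir = dirname(dirname(dirname(__FILE__))) . '/';
    // Insert the checkout directory (e.g. KnownFoo) in front of the plugin name
    $file = str_replace($PLUGIN_NAME, basename(dirname(__FILE__)) . "/$PLUGIN_NAME", $class);

    // Re-key the plugin registry from the real name to the checkout directory name,
    // but only while the real-name entry still exists (avoids overwriting with null)
    if (isset(\Idno\Core\site()->plugins()->plugins[$PLUGIN_NAME])) {
        \Idno\Core\site()->plugins()->plugins[basename(dirname(__FILE__))] = \Idno\Core\site()->plugins()->plugins[$PLUGIN_NAME];
        unset(\Idno\Core\site()->plugins()->plugins[$PLUGIN_NAME]);
    }

    if (file_exists($basedir . $file . '.php')) {
        include_once($basedir . $file . '.php');
    }
});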

This code will automatically load your plugin classes from their “real name” subdirectory, and make them available to your plugin loader.

Have a look at my Github plugin for an example. Have fun!