Understanding oAuth with Perl

I have a problem with a simple API request for Yammer ( https://www.yammer.com/api_doc.html ). I need to get https://www.yammer.com/api/v1/groups.xml (Groups: list of groups).

I am trying to use Net::OAuth::Simple. Here is my Yammer.pm:

    package Yammer;

    use strict;
    use warnings;
    use base qw(Net::OAuth::Simple);

    sub new {
        my $class  = shift;
        my %tokens = @_;
        return $class->SUPER::new(
            tokens => \%tokens,
            urls   => {
                authorization_url => "https://www.yammer.com/oauth/authorize",
                request_token_url => "https://www.yammer.com/oauth/request_token",
                access_token_url  => "https://www.yammer.com/oauth/access_token",
            },
            protocol_version => '1.0a',
        );
    }

    # GET a protected resource with a signed request
    sub view_restricted_resource {
        my $self = shift;
        my $url  = shift;
        return $self->make_restricted_request($url, 'GET');
    }

    # POST to a protected resource with a signed request
    sub update_restricted_resource {
        my $self         = shift;
        my $url          = shift;
        my %extra_params = @_;
        return $self->make_restricted_request($url, 'POST', %extra_params);
    }

    1;

And here is my main program:

    use strict;
    use warnings;
    use Yammer;

    # Get the tokens from the command line, a config file or wherever
    my %tokens = (
        consumer_key    => 'Baj7MciMhmnDTwj6kaOV5g',
        consumer_secret => 'ejFlGBPtXwGJrxrEnwGvdRyokov1ncN1XxjmIm34M',
        callback        => 'https://www.yammer.com/oauth/authorize',
    );

    my $app = Yammer->new(%tokens);

    # Check to see we have a consumer key and secret
    unless ($app->consumer_key && $app->consumer_secret) {
        die "You must go get a consumer key and secret from App\n";
    }

    # If the app is authorized (i.e. has an access token and secret)
    # then look at a restricted resource
    if ($app->authorized) {
        my $response = $app->view_restricted_resource('https://www.yammer.com/api/v1/groups.xml');
        print $response->content . "\n";
        exit;
    }

    # Otherwise the user needs to go get an access token and secret
    print "Go to "
        . $app->get_authorization_url(
            callback => 'https://www.yammer.com/oauth/authorize?rand=' . rand()
        ) . "\n";
    print "Then enter the verifier code and hit return\n";
    my $verifier = <STDIN>;
    chomp $verifier;

    # OAuth 1.0a: the verifier must be sent with the request token
    my ($access_token, $access_token_secret) =
        $app->request_access_token(verifier => $verifier);

I get messages like

Go to https://www.yammer.com/oauth/authorize?oauth_token=2sxBkKW1F1iebF2TT5Y7g&callback=https%3A%2F%2Fwww.yammer.com%2Foauth%2Fauthorize%3Frand%3D0.00451601

I open this URL and authorize the application. After that, I see a message like:

You have successfully resolved the following application: 2GIS_yammer

To complete the authorization, go back to the 2GIS_yammer application and enter the following code:

869A

But what's next? Where should I enter this number? How to fulfill the query that I need?

Thanks. Roman

perl oauth yammer
1 answer

Most likely, the number that you get after the authorization step is the oauth_verifier string, which must be sent along with the REQUEST token to get the ACCESS token.

This is a mandatory part of the oAuth 1.0a implementation (which, in my opinion, is the most common version used now, because 2.0 is still a draft, and there are not many libraries that implement it).

I assume that you are not sending the callback URL to the provider, and it does not know where to redirect the user after authorization. When the provider does not know the callback URL, it cannot redirect the user back to your (consumer) application. In this case, the specification says that it should print the verifier string on the screen so that you (the user) can take it manually and transfer it to your (consumer) application, and thus create a request for ACCESS TOKEN.

If you provide a callback URL (in your first request for a REQUEST token), then most likely you will not get a screen with this number, but instead you (the user) will be redirected to the callback URL with it automatically.

e.g. if your callback url is: http://myapp.com/oauth/callback , the provider will redirect the user to your callback url with the correct values in the query string.

redirect: http://myapp.com/oauth/callback?oauth_token=xxxx&oauth_verifier=yyyy

Then your application should take the verifier string and add it as a parameter to the request for ACCESS TOKEN (as you did earlier with other parameters like nonce, timestamp, oauth_token, etc.)

In response to this last request (with oauth_verifier included) you should get ACCESS TOKEN.

Here is a good explanation of the oauth_verifier line and why it was entered into the protocol: http://hueniverse.com/2009/04/explaining-the-oauth-session-fixation-attack/

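The callback variant of the flow that the answer describes, as an added example (it is not code from the question, the answer or Net::OAuth::Simple). It reuses the Yammer.pm subclass from the question, assumes a Plack/PSGI server listening on localhost port 5000, and uses placeholder consumer credentials. Before exchanging the verifier it checks that the oauth_token returned in the redirect is the request token this process issued, which is the consumer-side check that the linked article on the session fixation attack motivates.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Yammer;            # the Net::OAuth::Simple subclass from the question
use Plack::Request;
use Plack::Runner;

# Placeholder credentials: replace with the ones issued for your app
my %tokens = (
    consumer_key    => 'CONSUMER_KEY_PLACEHOLDER',
    consumer_secret => 'CONSUMER_SECRET_PLACEHOLDER',
);

# Assumed local callback; Plack::Runner listens on port 5000 by default
my $callback = 'http://localhost:5000/oauth/callback';
my $groups   = 'https://www.yammer.com/api/v1/groups.xml';

my $app = Yammer->new(%tokens);

# Step 1: obtain a request token. In 1.0a the callback is bound to the
# request token here, so the provider can redirect back with the verifier.
my $auth_url = $app->get_authorization_url(callback => $callback);

# Net::OAuth::Simple stores the request token on the object; remember it so
# the redirect can be tied back to the token we actually issued.
my $pending_request_token = $app->request_token;
print "Open this URL in a browser: $auth_url\n";

# Step 2: the PSGI callback handler the provider redirects the user to
my $handler = sub {
    my $req = Plack::Request->new(shift);
    return [404, ['Content-Type' => 'text/plain'], ["not found\n"]]
        unless $req->path_info eq '/oauth/callback';

    my $returned_token = $req->param('oauth_token')    // '';
    my $verifier       = $req->param('oauth_verifier') // '';

    # Reject a redirect that carries a token we did not issue or no
    # verifier at all: only our own pending request token may be upgraded.
    unless ($returned_token eq $pending_request_token && length $verifier) {
        return [400, ['Content-Type' => 'text/plain'],
                ["oauth_token mismatch or missing oauth_verifier\n"]];
    }

    # Step 3: exchange request token + verifier for the access token
    my ($access_token, $access_token_secret) =
        $app->request_access_token(verifier => $verifier);

    # Step 4: signed requests to protected resources now succeed
    my $res = $app->view_restricted_resource($groups);
    return [$res->code, ['Content-Type' => 'text/plain'], [$res->content]];
};

# Serve the handler; visit the printed URL and complete the authorization
Plack::Runner->new->run($handler);
```

The access token and secret returned in step 3 are what the program should persist (outside the source file) so that later runs can construct the object with them and take the `authorized` branch directly instead of repeating the authorization.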