OAuth Help

I’m attempting to get a LoveFilm plugin developed and stumbling around with OAuth. I’m attempting to use the public API provided by LoveFilm and have been given an API key for the application. However, LoveFilm uses OAuth in order to authenticate the user so that the user does not need to provide the application with their user name and password. As far as I can work out, the process is as follows:

1. Make a POST request to http://openapi.lovefilm.com/oauth/request_token. I can either set oauth_callback to a URL that the browser will redirect to once authorised (not appropriate), or “oob”, which means the user needs to manually enter the authorisation token once authorised.
2. The server will respond specifying an oauth_token and a login_url. The user is required to enter the oauth_token into the login_url.
3. Once the user’s done this, they are given a 6 digit verification code which they are prompted to enter into the application.
4. Make a POST request to http://openapi.lovefilm.com/oauth/access_token. The oauth_verifier should be set to the 6 digit verification code given to the user.
5. The server then responds with a new oauth_token and oauth_token_secret which should be stored by the application.
6. Any future calls to the server are required to specify the oauth_token and oauth_token_secret.

The initial oauth_token and verification code only last for a few minutes. I’m trying to work out the best way to do this within Plex. It seems a bit of a pain for the user to have to go through this process, jumping from the application to a browser and then back again; and they have to do all this in a couple of minutes.



Has anyone come across anything like this before? Any suggestions or example plugins which need to do something similar? Any help would be greatly appreciated.

pretty sure the netflix plugin uses OAuth

Yeah, I’ve had a look at the Netflix plugin. Unfortunately, I’m not able to give it a go, since I’m in the UK, hence LoveFilm :) It appears that the plugin attempts to programmatically drive the user’s authentication and activation of the OAuth application. This is of course possible but kind of sidestepping the issue. I was hoping for something more sustainable since this will break whenever the website changes (or may be different between UK, German, etc). However, I guess for now I’ll go down this line. Once it’s done, I’ll also make all the code (with commenting :)) available on GitHub so that others can fix it if it becomes broken and I’m not around to resolve it.

I’m interested in this topic also. It came up for me a couple of times recently and I solved the problem by ignoring it and limiting functionality. I’ll see if I can catch one of the core developers over the weekend and ask if they have any thoughts or plans for better support. Knowing nothing about OAuth certainly hinders me in thinking about what’s possible.



Jonny

Yeah, it does sound like, if it’s going to be frequently run into, it would be nice to get some framework support; or even some “best practices” guidelines.

just for educational purposes here is a link to the youtube API page with a good doc on OAuth:



http://code.google.com/apis/youtube/2.0/developers_guide_protocol_oauth.html#OAuth_Authentication



good luck

Here is an OAuth implementation I wrote in Ruby. While that won’t be entirely helpful the algorithm works just fine for OAuth. This was meant as an executable from the commandline and returns a valid URL for me to query. Anyway…the only other thing to worry about besides calculating the correct keys is to alphabetize the parameters before encoding them.



Good luck.


```ruby
%w{openssl base64 erb securerandom}.each { |x| require x }

def make_url(url, terms)
  shared_secret = 'SHAREDSECRET&' # don't forget the ampersand

  options = {
    :oauth_consumer_key => 'WHATEVERYOURKEYIS',
    :oauth_nonce => SecureRandom.hex(16), # must be unique per request
    :oauth_signature_method => 'HMAC-SHA1',
    :oauth_timestamp => Time.now.to_i,
    :oauth_version => '1.0'
  }

  # Parameters have to be in alphabetical order before they are signed
  # (Symbol is already Comparable in Ruby 1.9+, so no monkey patch is needed)
  full_options = options.sort.collect { |key, val| "#{key}=#{val}" } * "&"

  # OAuth needs RFC 3986 percent-encoding (space => %20, not '+');
  # URI.escape no longer exists in Ruby 3
  terms = ERB::Util.url_encode(terms)

  base_sig = 'GET&' + ERB::Util.url_encode(url) + "&" + ERB::Util.url_encode(full_options + '&term=' + terms)

  # The standard library's OpenSSL::HMAC replaces the old ruby-hmac gem
  signed = Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', shared_secret, base_sig))

  puts url + '?' + full_options + '&term=' + terms + '&oauth_signature=' + ERB::Util.url_encode(signed)
end

make_url(ARGV[0], ARGV[1])
```
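Added example, not written by any poster in this thread and not LoveFilm or Plex code: signing the two token calls of the out-of-band flow listed in the first post, in Ruby to match the script above. The helper names and all key, secret and token values are hypothetical, and it assumes, as standard OAuth 1.0a does, that the request_token response also returns an oauth_token_secret (the thread does not say whether LoveFilm does).

```ruby
require 'openssl'
require 'base64'
require 'erb'
require 'securerandom'

# RFC 3986 percent-encoding, as OAuth 1.0 requires (space => %20, not '+').
def pct(value)
  ERB::Util.url_encode(value.to_s)
end

# Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
def signature_base(method, url, params)
  pairs = params.map { |k, v| [pct(k), pct(v)] }.sort
  normalized = pairs.map { |k, v| "#{k}=#{v}" }.join('&')
  [method.upcase, pct(url), pct(normalized)].join('&')
end

# The HMAC-SHA1 key is "consumer_secret&token_secret"; token_secret stays
# empty until the server has issued one (the request_token call).
def sign(method, url, params, consumer_secret, token_secret = '')
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, signature_base(method, url, params)))
end

# Parameters common to every signed call (nonce and timestamp can be fixed for tests).
def base_params(consumer_key, nonce = SecureRandom.hex(16), timestamp = Time.now.to_i)
  { 'oauth_consumer_key' => consumer_key, 'oauth_nonce' => nonce,
    'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp,
    'oauth_version' => '1.0' }
end

# Step 1: request_token with the out-of-band callback; no token secret exists yet.
def request_token_call(base, consumer_secret)
  url = 'http://openapi.lovefilm.com/oauth/request_token'
  params = base.merge('oauth_callback' => 'oob')
  params.merge('oauth_signature' => sign('POST', url, params, consumer_secret))
end

# Step 4: access_token with the temporary token and the user's verification code.
# Assumption: token_secret came back with the temporary token (pass '' if not).
def access_token_call(base, consumer_secret, token, token_secret, verifier)
  url = 'http://openapi.lovefilm.com/oauth/access_token'
  params = base.merge('oauth_token' => token, 'oauth_verifier' => verifier)
  params.merge('oauth_signature' => sign('POST', url, params, consumer_secret, token_secret))
end
```

Each call returns the full parameter set to send as the POST body or in an `Authorization: OAuth` header; use a fresh `base_params` for every request so the nonce and timestamp are never reused.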


there are plenty of existing mature oauth libraries out there. reimplementing the wheel not required.



http://oauth.net/code/

http://code.google.com/p/oauth/

https://github.com/simplegeo/python-oauth2
