repoze.who.plugins.vepauth

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for rfk from gravatar.com rfk

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: UNKNOWN

Author: Mozilla Services

Tags authentication, repoze, browserid, oauth

Classifiers

Project description

This is a repoze.who plugin for automated authentication via BrowserID:

https://browserid.org/ https://wiki.mozilla.org/Identity/BrowserIDSync

The plugin implements an experimental protocol for authenticating to ReSTful web services with the Verified Email Protocol, a.k.a Mozilla’s BrowserID project. It is designed for use in automated tools like the Firefox Sync Client. If you’re looking for something to use for human visitors on your site, please try:

http://github.com/mozilla-services/repoze.who.plugins.browserid

When accessing a protected resource, the server will generate a 401 challenge response with the scheme “OAuth+VEP” as follows:

> GET /protected_resource HTTP/1.1
> Host: example.com

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: OAuth+VEP url="/request_token"

The client should extract the url from this challenge and POST a VEP assertion to that location. This will create a new authentication session and return a set of OAuth client credentials:

> POST /request_token HTTP/1.1
> Host: example.com
> Content-Type: application/x-www-form-urlencoded
>
> assertion=VEP_ASSERTION_DATA

< HTTP/1.1 200 OK
< Content-Type: application/json
<
< {
<   "oauth_consumer_key": SESSION_TOKEN,
<   "oauth_consumer_secret": SESSION_SECRET
< }

Subsequent requests should be signed using these credentials in Two-Legged OAuth mode:

> GET /protected_resource HTTP/1.1
> Host: example.com
> Authorization: OAuth oauth_consumer_key=SESSION_TOKEN,
>                      oauth_signature_method="HMAC-SHA1",
>                      oauth_version="1.0",
>                      oauth_timestamp=TIMESTAMP,
>                      oauth_nonce=NONCE
>                      oauth_signature=SIGNATURE

< HTTP/1.1 200 OK
< Content-Type: text/plain
<
< For your eyes only:  secret data!

Session tokens are timestamped and will eventually expire. If this happens you will receive a 401 response as before, and should POST a new assertion to obtain fresh credentials.

0.1.0 - 2012-02-07

  • Initial release.

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for rfk from gravatar.com rfk

Unverified details

These details have not been verified by PyPI
Project links
GitHub Statistics

View statistics for this project via Libraries.io, or by using our public dataset on Google BigQuery

Meta

License: UNKNOWN

Author: Mozilla Services

Tags authentication, repoze, browserid, oauth

Classifiers

Release history Release notifications | RSS feed

0.3.0

0.2.0

This version

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

repoze.who.plugins.vepauth-0.1.0.tar.gz (17.7 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page