OAuth-ify this: 2 Legged OAuth service for YQL

Introducing OAuth-ify/OAuthProxy, a service that performs two-legged OAuth calls to backend web services. As of today it only supports YQL.

Motivation:

With two-legged OAuth, there are only two parties involved: the consumer of the API and the service provider. It doesn’t deal with the user credentials or other private data that come into the picture with three-legged OAuth. YQL is one of the services that uses OAuth exclusively for all web service access (apart from the console).

Two-legged OAuth requires a user to sign each request in a spec-mandated way, which meant that a service such as Yahoo! Pipes, which cannot do that signing itself, could not be used to fetch non-private data from YQL.
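The signing step that two-legged OAuth mandates, as an added example (not OAuthify's own code): OAuth 1.0 HMAC-SHA1 over the request, with no token and an empty token secret. The parameter names `ckey`, `csecret`, `q` and `format` follow the endpoint described further down; the backend URL is a placeholder and the credentials are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlencode

def pct(value):
    """Percent-encode per OAuth 1.0: everything except RFC 3986 unreserved."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; two-legged calls leave token_secret empty."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def signed_yql_url(endpoint, ckey, csecret, q="show tables", fmt="xml",
                   nonce=None, timestamp=None):
    """Build the signed GET URL a proxy would send to the backend."""
    params = {
        "q": q,
        "format": fmt,
        "oauth_consumer_key": ckey,
        "oauth_nonce": nonce if nonce is not None else secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_version": "1.0",
    }
    # The signature covers every other parameter, including q and format.
    params["oauth_signature"] = sign("GET", endpoint, params, csecret)
    return endpoint + "?" + urlencode(params, safe="-._~", quote_via=quote)

if __name__ == "__main__":
    # Placeholder endpoint and constructed credentials, not real values.
    print(signed_yql_url("https://yql.example.invalid/v1/yql", "demo-key", "demo-secret"))
```

The consumer secret never appears in the outgoing URL; it is only used as the HMAC key, which is why whoever performs the signing has to hold it.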

Requirements:

  1. The service should ask for everything it needs and respond with the result of the backend service. Simply put, the service must act as a proxy: take in the Consumer Key, Consumer Secret and the YQL query, do the necessary signing and return the response.
  2. What if I do not want to expose my consumer key/secret for fear of it being compromised? This brings up the requirement that there should be a way to mask the Key and Secret. This is accomplished today by explicit registration: the user is asked to register their Consumer Key and Secret with the service, and in return they get an appId which is URI friendly.
  3. The AppId should be disposable. If an AppId is compromised, it should be possible to generate a new one which in turn uses the same underlying key/secret pair. (Note that I still want the underlying Consumer Key and Secret to stay the same, for many track-ability reasons and for the relationship with the service provider.)

Implementation:

I deployed on Google App Engine (for lack of a platform that runs Java on the cloud!) and picked up a bit of Python along the way. I must say that GAE has been pretty easy to pick up and use. The service exposes two main endpoints:

  • Executes a query given the following parameters (http://oauthify.appspot.com/yqlQuery)
    • Scenario 1: http://oauthify.appspot.com/yqlQuery?ckey=aghvYXV0aGlmeXIOCxIIVXNlcklhZm8YBgw&csecret=PQ&q=show%20tables
      • ckey – Consumer Key (required)
      • csecret – Consumer Secret (required)
      • q – YQL Query (defaults to show tables)
      • format – xml or json (passed to the backend) (defaults to XML)
    • Scenario 2: http://oauthify.appspot.com/yqlQuery?appId=aghvYXV0aGlmeXIOCxIIVXNlcklhZm8YBgw&q=show%20tables
      • appId – App Id provided by the service. (Also see the next endpoint)
      • q – YQL Query
      • format – (same as above)
      • Note that this scenario presupposes that the user has already obtained the appId by registration.
  • Register the Consumer Key and Secret to get an appId (http://oauthify.appspot.com/register)
    • Requires the user to log in (using a Google account). This is to protect the user’s Key and Secret.
    • Provides a way to store the Consumer Key (CK) and Consumer Secret (CS)
    • Provides a way to see all previously stored Keys and to regenerate AppIds as needed.
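The appId indirection from requirements 2 and 3 and the register endpoint, as an added sketch (not OAuthify's own code): an appId is a random handle that resolves to the stored key/secret, and regenerating it revokes the old handle while leaving the pair untouched. The class and method names, the in-memory storage and the `owner` string standing in for the logged-in account are assumptions.

```python
import secrets

class AppIdRegistry:
    """Maps disposable appIds to a stored consumer key/secret pair."""

    def __init__(self):
        self._creds = {}    # record id -> (owner, ckey, csecret)
        self._app_ids = {}  # live appId -> record id

    def _issue(self, record):
        # Random and URI friendly; reveals nothing about the key or secret.
        app_id = secrets.token_urlsafe(16)
        self._app_ids[app_id] = record
        return app_id

    def register(self, owner, ckey, csecret):
        record = secrets.token_hex(8)
        self._creds[record] = (owner, ckey, csecret)
        return self._issue(record)

    def regenerate(self, owner, old_app_id):
        """Revoke old_app_id and hand back a fresh one for the same pair."""
        record = self._app_ids.get(old_app_id)
        if record is None or self._creds[record][0] != owner:
            raise PermissionError("unknown appId or not the owner")
        del self._app_ids[old_app_id]
        return self._issue(record)

    def resolve(self, app_id):
        """Called by the query endpoint before signing; fails once revoked."""
        record = self._app_ids.get(app_id)
        if record is None:
            raise KeyError("appId revoked or never issued")
        _, ckey, csecret = self._creds[record]
        return ckey, csecret
```

Until it is regenerated, an appId works as a bearer handle: anyone who has it can run queries under the registered key, but cannot recover the key or secret from it.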

Finally:

Was the goal of running two-legged YQL in Pipes accomplished? Yes! Check out http://pipes.yahoo.com/nageshs/yqlquery, which uses PrivateString fields to hold the CS and CK from Scenario 1 above, and, last but not least, http://pipes.yahoo.com/nageshs/yqlquerymodule, which uses an AppId from the web service. Here is a screenshot of the Pipe. I’m not in the least worried about sharing my AppId, since OAuthify will let me regenerate it any time I like ;-)

Enjoy & Curl your YQL queries today!

Update 1: Thanks to Sam, OAuthify is now accessible via the rightly named domain http://OAuthProxy.com


  • Bethany K Ford

    nice article! nice site. you're in my rss feed now ;-)
    keep it up

  • http://www.konolive.com Miki

    Great post!

    I have a question: where can I find a use of 3 Legged OAuth with Java?

  • http://nagiworld.net Nagesh Susarla

    Hi Miki,

    You can use the oauth code up at http://oauth.googlecode.com/svn/code/java/ to perform the 3 legged OAuth.
    For Yahoo services we do intend to publish a Java SDK which is customized to perform 3 legged OAuth and mirror the features in our PHP SFK. Stay tuned for that. Let me know if that answers your question.

  • Miki

    10x .
    Your reply answers my question.

  • http://www.tourtravelchina.com/ China Tour

    Different point of view from that post. Interesting to say the least.

  • http://freedomaintricks.blogspot.com mihir1

    THANKS NAGESH I WAS SEARCHING THE SAME :)

  • http://www.instrumentals.bizz.cc richardz315

    Wow, I really found this to be interesting. Thanks for sharing.

  • http://www.hai91.com free games

    Thanks man, I was searching for the exact same thing. Really appreciate your posts, Nagesh.

  • http://www.balesworldwide.com/nile-cruise.html Nile Cruises

    Thanks for the useful posts. Hope this solves my problem.

  • http://sweethomeimprove.com Sweet_Home_Improvement

    Great post, really helped me a lot. Thanks.

    Cheers,
    sweethomeimprove.com

  • http://www.freefootballgames.org play football games

    Hi Nagesh, I have a question for you. How do these pipes really work? I want to use Yahoo Pipes for reading RSS. Is there any way I can read summarized RSS as full, with pics, from Yahoo Pipes?

  • http://www.virtualsocialmedia.com/ Social Media Services

    I too found it very interesting.

  • http://www.uk-cheapest.co.uk/domain.php Buy Domain Names

    Two-Legged OAuth requires a user to sign the request in a spec mandated way and this implies that using a service such as Yahoo! Pipes to fetch non private data from YQL wasn't possible.

    Thanks and Regards

  • http://www.uk-cheapest.co.uk/hosting.php Cheap Web Hosting

    This AppId should be disposable. If an AppId is compromised, it should be possible to regenerate a new one which in turn uses the same underlying key/secret pair. (Note that I still want the underlying Consumer Key and Secret to be the same for many track-ability reasons and relationship with the service provider)

    CHEERS!

  • http://credit-card-processing.123vendors.com/ecommerce-merchant-account.asp ecommerce merchant account

    I do not want to expose my consumer key/secret for the fear of it being compromised? This brings up a requirement that there should be a way to mask the Key and Secret. This is accomplished today by explicit registration. The user is asked to register their Consumer Key and Secret with the service and in return they get an appId which is URI friendly.

    Thanks and Regards

  • http://www.hipscopes.com/ Horoscopes

    I think the most useful thing about this is, AppId is disposable. AppId may be compromised; so to regenerate a new one which uses the same underlying key is really essential. And, I think the aim of
    2 Legged YQL in Pipes was achieved. Thanks Nagesh, for sharing this useful information.

  • http://www.cosmeticdentistryguide.co.uk/dentists/surrey-cosmetic-dentist.html cosmetic dentists surrey

    Thanks for a nice share. What a phenomenal article you have shared with us. I really appreciate you for this wonderful work and for making this happen.

  • http://credit-card-processing.123vendors.com/merchant-service-benefits.asp benefits of merchant services

    Thanks for sharing this post with us.

  • http://www.hobbybreeders.com/Breeders/ Dog Breeders

    For Yahoo services we do intend to publish a Java SDK which is customized to perform 3 legged OAuth and mirror the features in our PHP SFK. Stay tuned for that. Let me know if that answers your question.

  • http://www.lernerlemongello.com/ Cosmetic dentists Palm beach

    I am interested to know about pipes as well; I want to use them in my autoblogs. Do you think that an autoblog is worth it, or is it just a waste of time? Please advise, thanks.

  • dentist

    Hope I will learn Java soon.

    Dentist in Brighton
    Dentists in Brighton

  • http://tripletsmommy.com/free-baby-samples-ebook Free diapers

    With two-legged OAuth, there are only two parties involved i.e. the consumer of the api and the service provider. It doesn’t deal with user credentials or other private data that come into the picture with three-Legged OAuth. YQL is one of the services which uses OAuth exclusively for all webservice access. (apart from the console)

  • http://www.yourpr.de/box/medusa-united-media-gmbh Tom Medusa

    Hi nagesh,

    I am new to pipes. I have tried making pipes but they are not working on my auto-blog; have you got any idea how to do it? By using pipes I want to reduce the load on my server.

  • http://www.bloomingdirect.com gifts for gardeners

    I am still very confused about using Yahoo Pipes. I would like to turn summarized RSS feeds into full RSS.

  • http://www.getpaidtodosurveysnow.com/ Get Paid To Do Surveys

    Hey, I've been reading your blog for quite some time now and I just wanted to say keep up the good work.

  • http://www.taxihirebangalore.com corporate car hire bangalore

    Backend web services are very useful in dealing with any application programs. It is a very useful post; I will try to implement it.

  • http://www.moviesforfree.tv Watch Movies Online

    I am new to pipes. I have tried making pipes but they are not working on my auto-blog; have you got any idea how to do it? By using pipes I want to reduce the load on my server.

  • http://www.reser.se/europa/grekland/kreta/ kreta

    Hi Nagesh, thanks for the brilliant article. I want your suggestion: is it possible to turn summarized RSS feeds into full ones without altering their content? I want to use some summarized feeds for my site.

    Thanks in advance

  • http://www.xn--72c0baa2eyce3a4p.com/ Career

    Some good points raised in that post. Will be back to check for more.

  • itjobs1

    Thanks for the useful posts

  • http://www.printingforu.com/ Full color printing

    AppId may be compromised; so to regenerate a new one which uses the same underlying key is really essential. And, I think the aim of
    2 Legged YQL in Pipes was achieved. Thanks Nagesh, for sharing this useful information.

  • http://www.questia.com/questialibraryplus iphone Library App

    Two-Legged OAuth requires a user to sign the request in a spec mandated way and this implies that using a service such as Yahoo! Pipes to fetch non private data from YQL wasn't possible.

  • http://yournetbizreviewmentor.com/ YourNetBiz

    Two-Legged OAuth requires a user to sign the request in a spec mandated way and this implies that using a service such as Yahoo! Pipes to fetch non private data from YQL wasn't possible.

  • http://professional-suggestion.com/ Uninstall Program

    Thanks for your article! It's very helpful for me!

  • jalmars

    Excellent service!

    Do you consider the option of adding support for the callback parameter in addition to format=json? I tried appending it to the URL but it does not seem to be passed to the backend.

  • http://www.orientalrugcare.com/ Oriental Rug Cleaning Miami

    Hi Nagesh, Thanks for the brilliant article.

  • http://www.moldremoval.org Mold Removal Orlando

    THANKS NAGESH I WAS SEARCHING THE SAME! Great post! Wow, I really found this to be interesting.

  • http://security-wire.com/10/how-to-remove-smart-engine-rogue-anti-spyware.html remove smart engine virus

    Thanks for the information provided!

  • http://www.delicious.com/ritabowersox Lorraine Walker

    Extremely informative publish right here. Thank you for sharing your knowledge with me. I’ll definitely be back again.

  • http://url.org/bookmarks/oscarousley Pearl Stouffer

    Great information shared. I am very happy to look at this site. Appreciate you giving us nice info. Fantastic walk-through. I appreciate this website.

  • Amitsingh Chauhan

    I am wondering if this stores queries into some database ?

  • http://www.orientalrugcare.com/33011.rug-cleaning-miami.html Rug Cleaning Miami

    Great post, I concur completely and appreciate the time you took to write it. Cheers!

  • http://www.aaaviza.com/index.php credit card payment terminal

    thanks for the great share

  • http://www.orientalrugcleaningbyhand.net/ Rug Restoration Palm Beach

    I’m impressed. I do not suppose i’ve met anyone who knows just as much concerning this subject as you do.

  • http://dorothysimmons.multiply.com/links/item/19/Oriental_Rug_Cleaning Kathryn Elliott

    This post has been extremely insightful and necessary to increase my knowledge in the area of knowledge and its many facets.

  • http://www.orientalrugcleaningbyhand.com/ Rug Cleaning Palm Beach

    It was interesting. You seem very knowledgeable in your field.

  • http://dorothysimmons.7live7.org/Bookmarks/default.aspx Lori Baker

    Thanks For This Post, was included in my blog.

  • http://www.orientalrugcleaningbyhand.com/ rug cleaning palm beach

    This is a great start. I am going to surely be looking towards any updates or upgrades. This can be truly revolutionizing! 

  • http://www.orientalrugcleaningbyhand.com/ Rug Cleaning Delray Beach

    Wonderful blog.. Want to some time to think about the website

  • http://www.orientalrugcare.com/ Rug Cleaning Miami

    Wow! Appreciate it! I always wanted to write within my website something like that. Look forward to reading your next site.
     

  • http://www.orientalrugcleaningbyhand.com/ Rug Cleaning byhand Palm Beach

    Great info! Thanks for publishing. We’ll be returning shortly from now.

  • http://www.orientalrugcare.com/ Rug Cleaning Ft Lauderdale

    This was an excellent read – well considered and insightful. 

  • http://www.orientalrugcleaningbyhand.net/ rug cleaning west palm beach

    This can be my very first time I’ve visited this website. I discovered a great deal of interesting stuff within your blog.

  • http://www.orientalrugcare.com/ Carpet Cleaning Palm Beach

    Thanks very much for your interesting article. I have been looking for such post for a really long time.

  • http://www.orientalrugcleaningbyhand.net/ rug cleaning boca raton

    I’ve been looking for a website the same as this for some time now.

  • http://www.orientalrugcleaningbyhand.net/ Oriental Rug Jupiter Island

    Appreciate you taking the time to put this together.

  • http://twitter.com/HouyhnhnmTwit hou nym
  • Utred

    Different techniques use for the web servos. The best service is they’ll it’s for the sale site. This leads for the complete back up system for the proper feedback. This system is properly done by the yahoo.
