I'm looking for a Java library that helps me build an OAuth provider. I must be able to receive OAuth signed requests and determine whether they are valid or not (checking the signature, timestamp and nonce values).

Do you know if there's something out there that makes this task easier?

akjoshi
Pablo Fernandez

  • In other words, what you are looking for is a Java library that realizes an OAuth *provider*, not *consumer*. You may want to edit your question to correct that. – mxk Mar 21 '10 at 10:59
  • Pablo, please change your question title and your question to reflect the intention. You want an OAuth Provider... – Hendy Irawan Dec 22 '10 at 18:50
  • I was *JUST* about to link you to Scribe (https://github.com/fernandezpablo85/scribe-java) when I noticed that you're its author! Did you actually end up writing the library yourself? ;-) – Hendy Irawan Dec 23 '10 at 08:26
  • @Hendy I had to write a **client** library (scribe) because all others sucked. I didn't need to write the server side stuff (provider). Maybe if there is enough need sometime I'll do some "scribe-server" thing. Thanks – Pablo Fernandez Dec 23 '10 at 14:38
  • scribe? hmmm... I'm confused. Is there any Twitter status updating example over there? I found none... :( – gumuruh Nov 11 '11 at 09:16

6 Answers

Scribe is an OAuth library for Java, written by the asker himself. ;-)

Note: I post this here as an answer so that other googlers have a choice of alternatives. For another library-based alternative, see my other answer "Jersey OAuth signature library".

Some code to illustrate usage:

import org.scribe.builder.ServiceBuilder;
import org.scribe.builder.api.TwitterApi;
import org.scribe.model.*;
import org.scribe.oauth.OAuthService;

// Build a service for the Twitter API with the consumer credentials
OAuthService service = new ServiceBuilder()
                           .provider(TwitterApi.class)
                           .apiKey("your_api_key")
                           .apiSecret("your_api_secret")
                           .build();
...
// Step 1: obtain a request token (the user is then sent to the authorization URL)
Token requestToken = service.getRequestToken();
String your_token = requestToken.getToken();
...
// Step 2: exchange the request token plus the verifier for an access token
Verifier verifier = new Verifier("your_previously_retrieved_verifier");
Token accessToken = service.getAccessToken(requestToken, verifier);

Creating the request:

// Sign the request with the access token and send it
OAuthRequest request = new OAuthRequest(Verb.GET, "http://api.twitter.com/1/direct_messages.json");
service.signRequest(accessToken, request);
Response response = request.send();
Hendy Irawan
  • Thank you for the information. But note that this code snippet doesn't work for Android 4 and more. It seems like Android 4 needs asynchronous tasks. – trante Jul 25 '13 at 18:11

One library mentioned on http://oauth.net/code looks interesting (I'm excluding the OAuth for Spring Security and OAuth Signpost which are not what you're looking for):

A Java library and examples were contributed by John Kristian, Praveen Alavilli and Dirk Balfanz.

OAuth for Spring Security is also available, contributed by Ryan Heaton. This project is not hosted in the OAuth repository.

OAuth Signpost offers simple OAuth message signing for Java and Apache HttpComponents (Google Android ready!). Contributed by Matthias Kaeppler.

I've checked the Java library a bit further and I think that it's providing everything required for client-side and server-side code. The following blog post actually has a full example and I'm pasting the server code below (a JSP):

<%@ page import="net.oauth.server.*" %>
<%@ page import="net.oauth.*" %>

<%
// Presumably this should actually be looked up for a given key.
String consumerSecret = "uynAeXiWTisflWX99KU1D2q5";

// Presumably the key is sent by the client. This is part of the URL, after all.
String consumerKey = "orkut.com:623061448914";

// Construct the message object. Use null for the URL and let the code construct it.
OAuthMessage message = OAuthServlet.getMessage(request, null);

// Construct an accessor and a consumer
OAuthConsumer consumer = new OAuthConsumer(null, consumerKey, consumerSecret, null);
OAuthAccessor accessor = new OAuthAccessor(consumer);

// Now validate. Weirdly, validator has a void return type. It throws exceptions
// if there are problems.
SimpleOAuthValidator validator = new SimpleOAuthValidator();
validator.validateMessage(message, accessor);

// Now what? Generate some JSON here for example.
System.out.println("It must have worked");
%>

This looks close to what you want.

Pascal Thivent
  • Just to clarify: Pascal crossed these libraries out because they are being used for client-side OAuth only. What the author is looking for, however, is a server-side OAuth library. – mxk Mar 21 '10 at 11:00
  • Any update to your answer for 2013?! :) – Ali Shakiba Feb 18 '13 at 23:10
  • Looking at the blog post, it seems to be omitting the token secret (so signature verification shouldn't work). Also, SimpleOAuthValidator never actually checks nonce values, meaning that this implementation is vulnerable to replay attacks out of the gate. It could still be useful as a starting point, but you will need to build from it to make it functional and secure. – MW. Jul 01 '13 at 07:18
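The three provider-side checks the question asks for (signature, timestamp window, nonce reuse), carried out end to end, as an added example that is not code from any of the libraries discussed here. It is written in Python so the OAuth 1.0 algorithm itself is visible rather than a library call; the credentials are the OAuth Core 1.0 Appendix A sample values, and `CONSUMER_SECRETS`, `TOKEN_SECRETS` and `Validator` are names chosen for this example.

```python
import base64
import hmac
from urllib.parse import quote

# Constructed sample credentials (the OAuth Core 1.0 Appendix A values); a real provider
# looks these up in its own store by consumer key and by token.
CONSUMER_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TOKEN_SECRETS = {"nnch734d00sl2jdk": "pfkkdhi9sl3r4s00"}

def pct(s):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare.
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # METHOD & encoded base URL & encoded, sorted "k=v" list (oauth_signature excluded).
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string, keyed with "consumer_secret&token_secret".
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), "sha1").digest()
    return base64.b64encode(mac).decode()

class Validator:
    """Provider-side checks: known credentials, signature, timestamp window, nonce reuse."""
    def __init__(self, window=300):
        self.window = window
        self.seen = set()  # (consumer key, token, timestamp, nonce); persist with expiry in production

    def validate(self, method, url, params, now):
        consumer_secret = CONSUMER_SECRETS.get(params.get("oauth_consumer_key"))
        token = params.get("oauth_token", "")
        if consumer_secret is None or (token and token not in TOKEN_SECRETS) \
                or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False  # unknown consumer/token, or a signature method we do not accept
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False  # stale or future-dated request
        ident = (params["oauth_consumer_key"], token, ts, params.get("oauth_nonce"))
        if ident in self.seen:
            return False  # replay: this nonce/timestamp pair was already accepted
        expected = sign(method, url, params, consumer_secret, TOKEN_SECRETS.get(token, ""))
        if not hmac.compare_digest(expected.encode(), params.get("oauth_signature", "").encode()):
            return False
        self.seen.add(ident)  # record the nonce only after the signature verified
        return True
```

The nonce set is only written after a successful signature check, so an unauthenticated sender cannot burn nonces that a legitimate client is about to use.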
You can use the Jersey OAuth Signature Library.

Simple OAuth authentication for a servlet or filter may be set up using a Container Filter, which filters the request before the request is matched and dispatched to a root resource class. The Container Filter is registered using initialization parameters which point to a user defined class, such as the following:

import javax.ws.rs.WebApplicationException;

import com.sun.jersey.oauth.server.OAuthServerRequest;
import com.sun.jersey.oauth.signature.OAuthParameters;
import com.sun.jersey.oauth.signature.OAuthSecrets;
import com.sun.jersey.oauth.signature.OAuthSignature;
import com.sun.jersey.oauth.signature.OAuthSignatureException;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;

public class OAuthAuthenticationFilter implements ContainerRequestFilter {
    // Accept timestamps within this many seconds of server time (window chosen for this example)
    private static final long MAX_CLOCK_SKEW_SECONDS = 300;

    @Override
    public ContainerRequest filter(ContainerRequest containerRequest) {
        // Read the OAuth parameters from the request
        OAuthServerRequest request = new OAuthServerRequest(containerRequest);
        OAuthParameters params = new OAuthParameters();
        params.readRequest(request);

        // Set the secret(s), against which we will verify the request:
        // look up the consumer secret (and the token secret, if a token is present) for
        // params.getConsumerKey() / params.getToken() in your own store and set them
        // with secrets.consumerSecret(...) / secrets.tokenSecret(...)
        OAuthSecrets secrets = new OAuthSecrets();
        // ... secret setting code ...

        // Check that the timestamp has not expired (reject missing, malformed or stale values)
        String timestampStr = params.getTimestamp();
        try {
            long timestamp = Long.parseLong(timestampStr);
            long now = System.currentTimeMillis() / 1000L;
            if (Math.abs(now - timestamp) > MAX_CLOCK_SKEW_SECONDS) {
                throw new WebApplicationException(401);
            }
        } catch (NumberFormatException e) {
            throw new WebApplicationException(e, 401);
        }
        // A nonce check against recently seen (consumer key, token, timestamp, nonce) tuples
        // is also needed to stop replays inside the timestamp window; it is not shown here.

        // Verify the signature
        try {
            if (!OAuthSignature.verify(request, params, secrets)) {
                throw new WebApplicationException(401);
            }
        } catch (OAuthSignatureException e) {
            throw new WebApplicationException(e, 401);
        }

        // Return the request
        return containerRequest;
    }
}
deldev
Hendy Irawan

There is an OAuth plugin for Spring Security

Kevin

Looks like there's a Subversion repo for a library at http://oauth.googlecode.com/svn/code/java/. Looks like you'll have to check it out and run Maven to get executables though.

If you go into example/webapp/src/main/java they have some examples of consuming from Twitter, Yahoo, & others.

Jason Gritman

Jersey (the reference implementation of JAX-RS) supports OAuth through a Jersey extension called OpenSSO Auth Filter. However this requires an additional OpenSSO server instance. See this document for more information.

Note that OpenSSO has been discontinued by Oracle and is now under ForgeRock as OpenAM.

Hendy Irawan
  • hey... hendy have you ever tried the Scribe library? I'm a bit confused how to deal with that library... since it has no javadoc files over there. :( – gumuruh Nov 11 '11 at 09:20