Monthly Archives: February 2009

Back out of black

The controversial (to say the least) piece of rubbish legislation that is Section 92A has been delayed by parliament, due somewhat to the pressure we put on government through protests etc.

It’s not over but this is the first sign that anyone’s actually listening.

[More here](http://creativefreedom.org.nz/story.html?id=170)


Added a sample OAuth consumer in Cocoa

Well, this is my first foray into the world of Objective-C programming, but I’ve added a sample consumer for Mac OS X to the ms-mvc OAuth project. I know it’s not MVC specific (I’m going to write an MVC consumer next), but as I program on my Mac it was useful for me to have a test client that I could just run as an application. It still has work to do (most of my day was learning how to actually get the program up and running; it’s not doing a huge amount yet), but it’s a work in progress.

As with all my projects, I like to release early and release often.

Also, this is my first project using git as a source repository. It’s really interesting to remember that I can check in at any time; it’s just the push to the core repository where I have to worry whether everything is building OK. Git is really nice and I will be thinking about using it more in future. I might have to put up an explanatory post to help others that don’t “get” distributed version control yet.

In other news I attended the blackout protest at parliament on Thursday which was interesting, so many geeks in one place without a white board or post it notes was a strange experience.
Hopefully we can get S92a repealed but I’m still sceptical of politicians. Will be pushing the blog to be off-line and blacked out completely on Monday so don’t worry if you can’t get to it, it’ll be back on Tuesday.


OAuth on ASP.net MVC Projects

Let me introduce you to a little friend called OAuth. OAuth is an open authentication framework designed for use by web service providers allowing you to give access to applications without giving them access to user credentials.

I’ve been working on an OAuth library to turn an ASP.net MVC site into an OAuth Provider (a service that can accept incoming requests from OAuth Consumer applications).

So far it consists of the following:

OAuthController has endpoints for RequestToken and AccessToken HTTP requests.

OAuthSecuredAttribute is an action filter to stop access to an action if the requester isn’t authenticated via OAuth.

OAuthService has intermediary services for the attribute and controller for:

  • Building an OAuth request (Access, Access Token and Request Token Requests)
  • Generating Request Tokens
  • Generating Access Tokens
  • Getting a saved Request Token
  • Authorising a Request Token

OAuthRequest is a state wrapper to quickly examine whether the current OAuth Request is valid.

You are left to your own devices to implement the following:

IAccessToken and IRequestToken are token objects that need to be saved; they have a token string and a secret string, and also some other elements.

IConsumer contracts for consumers of your service; it should be able to return a secret key and a TimeStamp of the last request the consumer made (an integer, see the OAuth Specs), return a list of valid request/access tokens, save a nonce for the current TimeStamp value, and determine whether a nonce is valid (hasn’t been used with the current TimeStamp).

ITokenGenerator generates new request and access tokens, setting the secret and token strings.
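The timestamp and nonce bookkeeping described for IConsumer is what stops a captured request from being replayed. The following is an added example, not code from the oauth-mvc.net project: `InMemoryConsumer`, `TryAcceptRequest` and the other member names are hypothetical, and a real implementation would persist this state rather than hold it in memory.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical in-memory consumer record. Member names are assumptions,
// not the library's IConsumer interface.
public class InMemoryConsumer
{
    private readonly object _gate = new object();
    private readonly HashSet<string> _nonces = new HashSet<string>();

    public string SecretKey { get; private set; }
    public long LastTimeStamp { get; private set; }

    public InMemoryConsumer(string secretKey)
    {
        SecretKey = secretKey;
    }

    // Records the (timestamp, nonce) pair and returns true when it is fresh;
    // returns false for a stale timestamp or a nonce already seen with it.
    public bool TryAcceptRequest(long timeStamp, string nonce)
    {
        if (timeStamp <= 0 || string.IsNullOrEmpty(nonce)) return false;

        lock (_gate) // check and save atomically so concurrent replays cannot both pass
        {
            if (timeStamp < LastTimeStamp) return false;

            if (timeStamp > LastTimeStamp)
            {
                // Newer timestamp: nonces stored for the old one are no longer needed.
                _nonces.Clear();
                LastTimeStamp = timeStamp;
            }
            return _nonces.Add(nonce); // false when the nonce was already present
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var consumer = new InMemoryConsumer("constructed-secret"); // constructed sample values
        Console.WriteLine(consumer.TryAcceptRequest(1234567890, "n1")); // first request
        Console.WriteLine(consumer.TryAcceptRequest(1234567890, "n1")); // replay of the same pair
        Console.WriteLine(consumer.TryAcceptRequest(1234567890, "n2")); // new nonce, same timestamp
        Console.WriteLine(consumer.TryAcceptRequest(1234567800, "n3")); // timestamp older than the last
    }
}
```

Call a check like this only after the request signature has verified, so that an unauthenticated request cannot advance the stored timestamp for a consumer.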

I’ve used the OAuthBase class available in the OAuth sample code.

There’s a sample project so people can see how it should be used.

So head over to the project and check it out: oauth-mvc.net

PS. I’m not saying that MVC is the best way to build services, just that it’s the framework I needed to use. Alex Henderson has done some work on using OAuth with WCF projects.


Xero API and OAuth Part 1, Introduction to OAuth

Work is currently underway to get an open API into Xero. For customers this development will mean the introduction of many more ways to make accounting easier. From payroll solutions such as [iPayroll](http://ipayroll.co.nz) to alternative invoicing solutions such as [Freshbooks](http://www.freshbooks.com), we wanted to open up the Xero API to foster as much innovation in this field as possible.

Version 1 of our API was made available only to selected partners of Xero, and the next step is to open this up to the public. However, there are a few requirements we have to meet first:

1. **We don’t want to open your books:**
We care a great deal about the security of your data, we don’t have access to it, only you and the people you invite do. We WILL NOT let the API become a work around for this, any access to your data via the API will be strictly authorised by you.

2. **We don’t want people to have to jump through hoops just to connect to Xero:**
We want to foster innovation, and as such we need to make it as easy as possible to connect to Xero without compromising point 1.

After careful consideration we’ve decided that the best solution is to go with OAuth, an open specification for authorisation specifically designed for needs such as ours.

We’re hard at work making an Open API compatible with OAuth but we want to start communicating what it will mean for our users and API solution providers.

First let’s go through the experience as a user of Xero.
Presume you want to link up your accounts to a payroll engine such as iPayroll.

First you would log into your account at iPayroll, and under interfaces there would be a link “Set-up Xero with iPayroll”.
![iPayroll Screen MockUp](/wp-content/uploads/2009/02/ipayrolloauthmockup1.png)

Clicking on the link/button, you would see Xero’s sign-in screen. Check the URL of the screen, as it is highly important that you only use your Xero username/password on a Xero.com web page and nowhere else. (Also see [this](http://blog.xero.com/2009/02/protecting-passwords-your-best-security/) advice on passwords.)
![Xero | Login Oauth Mockup](/wp-content/uploads/2009/02/xero-login-oauth-mockup1.jpg)

Once you log in you’ll be asked by Xero to allow iPayroll to access your accounts and you can select which organisations you want iPayroll to have access to:
![Xero | my Xero api Mockup](/wp-content/uploads/2009/02/xero-my-xero-api-mockup1.png)

If you allow access to your account, you’ll only allow access to features that you have access to; if you can’t do something in Xero, the connected application will be unable to do that action.

Once you click on Allow you’ll be redirected back to iPayroll to continue setting up the connection.

There are still a few things to work out from our end (one being the pages you’ll see when going through the process; the above samples are just mock-ups that I hastily created).

For developers there are going to be some major changes to the way connections to Xero are handled, and right now I suggest going over to oauth.net and reading the spec or getting started guide so you can get an idea of what will be required in future.

We’ll also try and ensure that we get a guide up here as we develop the API. For now treat this as a heads up and a demonstration of what the future will be for the Xero API.


Blacked Out in Protest

You may have noticed my site has lost its usual texture and colour.
The reasoning is simple:

- New Zealand, despite being a country of wonder and great people, has been subjected to a miscarriage of politicking.
- New Zealand, despite being a country that claims to encourage and embrace a technologically savvy work force, is threatening the very infrastructure that allows many of us to earn a living.
- New Zealand, despite being a country based on a rule of law that states innocent until proven guilty, is slipping into draconian, heavy-handed law making.

New Zealand is stepping down the wrong path
=============

we need to pull it back

we need the politicians to listen.

if you haven’t already: sign the petition and write to your MP.

[Repeal Guilt upon Accusation laws](http://creativefreedom.org.nz/blackout.html)


Lunch With Geeks 10th February 2009

Lunch with geeks was a great success this week I feel, a great many new faces to get to know.

The main write up will be here so that everyone can edit it.

Also please help out Matt Eats, who is new to the area and wants to learn programming.

We’ve suggested a couple of things


  • Learn two languages (in context)
  • Learn a memory managed context
  • Get to know people (be part of an open sourced project, or come along to super happy dev house)
  • Get a project that you want to build and understand
  • Just Code It

Any I’ve missed?

Next lunch with geeks will either be in two weeks or a month, got to work out what the better schedule is.

Thanks again to all those that showed up


Lunch With Geeks Back On

Lunch With Geeks will be back on as of Tuesday 10th February.

Details are:

It’s been quite some time since we had a get together. January has
been and gone (gees where did it go?) and as such I thought we could
organise another get together in the name of Geekdom.

As such I propose a lunch at 12pm, on Tuesday Feb. 10th here at Xero
(because it’s easier to organise for me, but I’m still open to
suggestions of elsewhere)

As per usual, it’s BYO lunch (one day I might put out a call to have
some sponsors supply lunch and we can do a whole Lunch 2.0 thing).

Send me your topics.

I’m proposing:
How do you learn? It’s a new year and as such I need to learn a new
development language, I’m interested in hearing how people approach
the challenge of continuous learning and what techniques people use.

You can also track the Lunch With Geeks events in two places:
http://wellington.geek.nz/group/wellington-geeks-lunch
and
http://groups.google.com/group/wellington-geeks


Read me on geekzone’s Visual Studio 2008 blog

I’ve just had a post published on the Geekzone Visual Studio 2008 blog, to kick off a new month of posts. Check it out here.
