Tuesday, 03 Mar 2009

OAuth MVC.net Revisited

My Foray into OAuth with MVC.net is getting more thorough. I quickly came upon a problem in the project as it stood with regard to the signing methods I'd used.

I'd grabbed the OAuth base class from the samples available over on [oauth.net](http://www.oauth.net) but quickly found out (well actually not that quickly, I still had to throw away a lot of code) that the signing method is deeply flawed. I personally believe that this file should be either fixed or dumped; it shouldn't be held up as an example of OAuth.net.

I looked at the other libraries available for OAuth and here are my thoughts:

* [dotnetopenid/dotnetopenauth](http://github.com/AArnott/dotnetopenid/tree/master): while I think this is a great library for OpenID, I think it's obfuscated a few things too many about the signing process. I found it really hard to get a handle on what was happening where in the library. I suggest you take a look at this, as no doubt it's a very feature-rich library, but it didn't suit my TDD development process and didn't give me the understanding I wanted of the process going on.

* [OAuth Library for .net](http://code.google.com/p/oauth-dot-net/): this seemed promising at first, but I found that the library was too rooted in the old ASP.net page lifecycle and it would have taken a fair amount of work to rip out all the references to HttpContext; again, it just didn't suit my development processes.

* [DevDefined.OAuth library](http://code.google.com/p/devdefined-tools/): While documentation is lacking for this library compared to the others, it's not hard to get a handle on the code. It's lightweight and mimics my mental model of the OAuth Provider workflow. I found this the easiest to understand and tweak to my liking.

So I settled on the DevDefined.OAuth library and made a number of changes to allow it to integrate with my TDD cycle, and had to make a couple of changes to get it to work adequately as a provider.

I've not fully tested the solution yet but I'm pretty happy that the simple cases are covered.

So the code's been fully refactored/rewritten (urgh! A rewrite after only a week!) and I've uploaded it to [github](http://github.com/buildmaster/oauth-mvc.net/) with the modified DevDefined.OAuth library. I've also submitted a patch to [Alex Henderson](http://blog.bittercoder.com) so that the changes I've made won't be lost; however, they rely on the ASP.net MVC framework (for HttpContextBase and HttpResponseBase), so I'm not sure how that should be handled. I might have to suggest a branch.

So grab the code and check the sample (which will allow you to authenticate with a consumer key "key" and consumer secret "secret").

You'll need to implement your own ITokenStore, IConsumerStore and INonceStore for your own application.

I'll be adding some more changes as we go along but at the moment it supports:

* Automagically adding two URLs to your site (/oauth/RequestToken, /oauth/AccessToken) which will handle requests for RequestTokens and AccessTokens.

* An Authorization filter called OAuthSecured; just add this to any controllers/actions you want to be secured resources.

* A binder to allow you just to take in an IOAuthContext (or IToken or IConsumer, as IOAuthContext implements these) as a parameter to your MVC actions.

Take a look at the sample and feedback is always welcome.

Reader Comments (6)

Re: HttpContextBase / ResponseBase. These are .Net 3.5 SP1, not ASP.Net specific

March 10, 2009 | Unregistered Commenter joshka

Thanks for the correction Josh. The HttpContextBase and ResponseBase classes are in 3.5sp1; originally they were in the work done for ASP.net MVC, which led to my erroneous comment in the post.

I'll correct the post and we'll see if the patch is in Alex Henderson's repository.

March 10, 2009 | Unregistered Commenter buildmaster

First off, thanks for rolling this code. I'm using OAuth in an MVC app (or trying to, anyway). I prefer to have access to the source, so I downloaded the source DevDefined.OAuth repo and am trying to meld your code with it. So, I'm curious what changes you made to that library to support MVC specifically. I'm running into an issue with the library even running correctly, so just thought I'd ask. =) Specifically, the request headers are read-only, so when a request comes in that doesn't have any auth information, some of the code that binds properties to a header value fails to write a temp value. Or something along those lines. :)

August 7, 2009 | Unregistered Commenter David Barrett

First of all I join the other commenters in thanking you for your effort creating this implementation of OAuth for MVC. It's just what I was looking for. However, I tried the sample MVC project but it does not have the SignIn controller. Is this just not checked in to github?

Thanks

September 3, 2009 | Unregistered Commenter franksalinas

Great theme, and thanks for the post.

October 13, 2009 | Unregistered Commenter MacPress

Thanks for your effort to create this OAuth implementation for MVC. I also tried to run the sample, but the SignInController is not present in the sources, so NInject fails to create it. Is there anything I can do about it?

January 31, 2010 | Unregistered Commenter elisoj
