[Product-Developers] OAuth provider support in Plone via PAS add-on

Tommy Yu tommy.yu at auckland.ac.nz
Tue Aug 30 23:49:54 UTC 2011


Greetings,

Noting the lack of OAuth provider support within and around Plone (with the only reference to this being something found on the Plone core developers list back in early 2008), I decided to get my hands dirty and wrote a PAS plug-in that provides authentication via OAuth.  I don't know if the Plone core developers might be interested in this, so I thought the add-ons community might be a better place to throw this around.  Anyway, I have put what I have so far available on github at:

https://github.com/metatoaster/pmr2.oauth

This is mostly created to demonstrate that OAuth can be added to Plone and be plugged into PAS.  It is still very new, thus lacks some vital features and is probably dangerous due to the lack of scope limitation.  Why?  Once a valid access token is generated with the user's credentials and used to access resources in Plone, the full set of permissions that the user possesses will be granted, which can result in bad things (TM).  For the meantime please do not use it on your production sites, even if its danger may be mitigated by the lack of a usable UI to add any consumers (as if that's any consolation).

I hope to make this safer to use by adding in scope such that the content owner will be notified of which set of URIs/services the consumer is permitted to access (and more test cases to back this up), and by making this extensible/configurable so that people who might want to build/provide web-service-type access to (customized) resources on Plone can do so with ease.  Of course, I also need to actually complete important features such that consumers can be added and users can revoke unwanted authenticated tokens with a couple of simple clicks.
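As an added illustration (not code from pmr2.oauth or Plone), here is a minimal model of the scope limitation and token revocation described above, contrasting the current "any live token grants everything" behaviour with a scoped check; the token record, the dict standing in for token storage and the sample data are hypothetical.

```python
import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class AccessToken:
    key: str
    user: str          # Plone member the token acts on behalf of
    consumer: str      # registered consumer holding the token
    scope: frozenset = field(default_factory=frozenset)  # permitted URI paths
    revoked: bool = False

def _normalise(path):
    # Collapse '.'/'..' and trailing slashes so the prefix test cannot be
    # sidestepped with traversal sequences such as /plone/ws/../Members.
    return posixpath.normpath(path or "/")

def path_in_scope(path, scope):
    path = _normalise(path)
    for allowed in map(_normalise, scope):
        if allowed == "/" or path == allowed or path.startswith(allowed + "/"):
            return True
    return False

def authenticate_unscoped(tokens, key):
    # Behaviour the post warns about: a live token grants the member's full permissions everywhere.
    token = tokens.get(key)
    return None if token is None or token.revoked else token.user

def authenticate_scoped(tokens, key, request_uri):
    # Scoped variant: the token authenticates only on its permitted paths.
    token = tokens.get(key)
    if token is None or token.revoked:
        return None
    if not path_in_scope(urlparse(request_uri).path, token.scope):
        return None
    return token.user

def revoke_token(tokens, key, acting_user):
    # A member may revoke only tokens issued on their own behalf.
    token = tokens.get(key)
    if token is None or token.user != acting_user:
        return False
    token.revoked = True
    return True

def demo_tokens():
    # Constructed sample data keyed by token string; not real tokens or members.
    token = AccessToken("tok-1234", "alice", "modelviewer", frozenset({"/plone/ws"}))
    return {token.key: token}
```

Outside the permitted paths the scoped check returns no user, so the request proceeds with only anonymous rights instead of the member's full permission set.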

Further information on what this can do right now (and what I intend to do) can be found in the readme file within the subdirectories and the test cases.  If you have any comments/questions/critiques about this attempt to allow Plone to authenticate via OAuth, please don't hesitate to reply.

Regards,
Tommy.
