OAuth for Elgg 1.8

Last updated 778 days ago

This plugin makes available a fully functional OAuth consumer library and service provider library for Elgg. OAuth is a distributed API authentication protocol that allows users to delegate API access to their data without divulging their credentials to the API-consuming party. This plugin supports both version 1.0 and revision 1.0a of the OAuth protocol.

OAuth is a security protocol that allows delegated API access. What this means is that you can use it to allow one site to access your data on another site without having to save your username and password all over the place. This library sets up Elgg as both an OAuth server and client.

The client aspect allows Elgg to act as an OAuth client on your behalf to access protected resources on other sites. The Twitter API, for example, uses OAuth for authentication. We are currently working on WordPress and MediaWiki plugins to allow for authenticated access between Elgg and these pieces of software. That's not to say that this plugin is a client for Twitter, WordPress, or MediaWiki in and of itself: that's left to other plugins. What this plugin does is let those plugins use OAuth as an authentication mechanism to access the APIs of those pieces of software.

The server aspect allows you to write another piece of software, say on another website or a desktop client, that could access the Elgg API. This will be more useful once we see the API revisions in the next release.

The advantages to using OAuth are many. No username and password get sent across the wire between sites, ever. No need to store more than an opaque token on the client. It's an active standard with an established community. It's got great industry adoption, too.

This library could act as the basis for connecting Elgg sites together in a secure manner, allowing for mobile profiles and smart access to protected Elgg resources between sites, but it does not do that directly itself.

Some preliminary documentation is available on the wiki: http://docs.elgg.org/wiki/OAuth

This plugin depends on the url_getter plugin: http://community.elgg.org/pg/plugins/jricher/read/521642/url-getter

Release Notes:

- fixed return parameter in authorization page (RFC compliance)

- fixed deprecated function calls in several places


  • dterango 795 days ago


    I appreciate your help, but it's still not working: oauth_callback_confirmed isn't included in the Request Token provider's response as needed. Looking into the code, I found this:

                // Build the new url
                $newUrl = substr_replace($url, $separator . 'oauth_verifier=' . $tokEnt->verifier . '&oauth_token=' . $tokEnt->requestToken . '&oauth_callback_confirmed=true', $insertPosition, 0);

    But it's in actions/authorize.php. Where can I add a similar sentence for the attribute to be included in request negotiation?

    Thanks in advance!

  • Justin Richer 794 days ago

    Yes, you're right, I added it to the wrong part of the protocol negotiation. I'll update things and get back a new revision shortly. Thanks for your patience!

  • dterango 779 days ago


    echo $token . '&oauth_callback_confirmed=true';

    in pages/requesttoken.php

  • Justin Richer 778 days ago

    Yes -- I apparently forgot to upload the plugin. New version (0.10.5) should be up for 1.8 now, please try it out and see if it fixes your issue.
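
As an added example (not the plugin's code), here is a consumer-side check for the point settled in the thread above: in OAuth 1.0a (RFC 5849) `oauth_callback_confirmed=true` belongs in the request-token response, while the later redirect to the callback carries only `oauth_token` and `oauth_verifier`. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added example, not plugin code; function names are hypothetical. PHP 7+.

// Request-token response body (RFC 5849 section 2.1).
function check_request_token_response(string $body): array
{
    parse_str(trim($body), $params);
    foreach (['oauth_token', 'oauth_token_secret'] as $name) {
        if (!isset($params[$name]) || !is_string($params[$name]) || $params[$name] === '') {
            throw new InvalidArgumentException("request-token response lacks $name");
        }
    }
    // A 1.0a provider confirms the callback here, in the token response body,
    // not in the later redirect back to the consumer.
    $confirmed = ($params['oauth_callback_confirmed'] ?? null) === 'true';
    return [
        'token'    => $params['oauth_token'],
        'secret'   => $params['oauth_token_secret'],
        'revision' => $confirmed ? '1.0a' : '1.0',
    ];
}

// Query string of the redirect to the consumer's callback (section 2.2).
function check_callback_query(string $query, string $pendingToken): string
{
    parse_str($query, $params);
    $token    = $params['oauth_token'] ?? '';
    $verifier = $params['oauth_verifier'] ?? '';
    if (!is_string($token) || !hash_equals($pendingToken, $token)) {
        throw new RuntimeException('callback token does not match the pending request token');
    }
    if (!is_string($verifier) || $verifier === '') {
        throw new RuntimeException('no oauth_verifier: the provider did not follow 1.0a');
    }
    return $verifier;
}

// Constructed sample values.
$fixed  = check_request_token_response("oauth_token=rt123&oauth_token_secret=s3cr3t&oauth_callback_confirmed=true");
$legacy = check_request_token_response("oauth_token=rt123&oauth_token_secret=s3cr3t");
echo $fixed['revision'], ' / ', $legacy['revision'], PHP_EOL;
echo check_callback_query('oauth_verifier=v456&oauth_token=rt123', $fixed['token']), PHP_EOL;
```

A consumer that requires 1.0a can refuse to continue when `revision` comes back as `1.0`.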