Log in

OAuth for Elgg 1.7

Last updated 770 days ago

This plugin makes available a fully functional OAuth consumer library and service provider library for Elgg. OAuth is a distributed API authentication protocol that allows users to delegate API access to their data without divulging their credentials to the API-consuming party. This plugin supports both version 1.0 and revision 1.0a of the OAuth protocol.

OAuth is a security protocol that allows delegated API access. What this means is that you can use it to allow one site to access your data on another site without having to save your username and password all over the place. This library sets up Elgg as both an OAuth server and client.

The client aspect here allows Elgg to act as an OAuth client on behalf of you to access protected resources on other sites. The Twitter API, for example, uses OAuth for authentication. We are currently working on Wordpress and MediaWiki plugins to allow for authenticated access between Elgg and these pieces of software. That's not to say that this plugin is a client for Twitter, Wordpress, or MediaWiki in and of itself: that's left to other plugins. What this plugin allows is for those plugins to use OAuth as an authentication mechanism to access the APIs of those pieces of software.

The server aspect allows you to write another piece of software, say on another website or a desktop client, that could access the Elgg API. This will be more useful once we see the API revisions in the next release.

The advantages to using OAuth are many. No username and password get sent across the wire between sites, ever. No need to store more than an opaque token on the client. It's an active standard with an established community. It's got great industry adoption, too.

This library could act as the basis for connecting Elgg sites together in a secure manner, allowing for mobile profiles and smart access to protected Elgg resources between sites, but it does not do that directly itself.

Some preliminary documentation is available on the wiki: http://docs.elgg.org/wiki/OAuth

This plugin depends on the url_getter plugin: http://community.elgg.org/pg/plugins/jricher/read/521642/url-getter

Release Notes:

Fixed a minor memory leak with callback URLs, fixed labeling problem on register page.


  • poppler 1136 days ago



    using this. a user of my website, could make a "elgg connect":) for your own site?


  • Codebrane 1090 days ago

    I read the wiki where it says:

    "To register your consumer on the Elgg site, select Applications from the Tools menu, then "Registered Consumer Applications". From here you can register a new consumer which you can then use to access the Elgg site"

    but there's only a button on the left that says "Authorized Application Tokens" which doesn't do anything. There's no way to register a consumer. "Registered Consumer Applications" doesn't exist.

    Can you advise please?

  • Codebrane 1090 days ago

    OK so I found it eventually under Administration -> Register Consumer Applications.

    Does this mean you have to be an admin to use the plugin? How would a normal user allow a registered inbound consumer to access their account? When I go to Tools -> Applications nothing is there to allow the user to grant the newly registered inbound consumer access to their account.

  • Justin Richer 1090 days ago

    @Codebrane: Oh, looks like the wiki is out of date. I'll go fix that, thanks.

    Yes, an administrator needs to add the consumer to the site. This restriction was requested by several people for security reasons. However, any end user can authorize a registered consumer to access their account. To do that, you actually start at the *client* side, and during the process the user will be prompted to authorize whatever application is asking for access.

  • Antoni Bertran 1084 days ago

    Hello I'm new developing for Elgg and probably I am asking a stupid thing but I don't know how to do.

    I want to do a Consumer, to do that I read in wiki http://docs.elgg.org/wiki/OAuth#Using_your_Consumer I have to do a new plugin (new folder in mod) and create a start.php in file with this content

    register_elgg_event_handler('init', 'system', 'blti_consumer_init');

    function blti_consumer_init(){

    register_plugin_hook('plugin:setting', 'all', 'blti_consumer_plugin_setting');}

    function blti_consumer_plugin_setting($hook, $entity_type, $returnvalue, $params) {

    global $CONFIG;



    But never goes to blti_consumer_plugin_setting, I don't know when is call "register_plugin_hook('plugin:setting', 'all', 'blti_consumer_plugin_setting');". I think I need a trigger

    isn't it??



  • Justin Richer 1083 days ago

    @Antoni: That code is only triggered if you're saving your plugin deatils through the plugin settings admin interface:


    I usually put up a simple form that lets people register the key and secret from that page. The callback hook lets you save the plugin settings into an OAuth entity, which is easier to integrate with the rest of the OAuth system.

  • jcrestin 1079 days ago

    Big problem.

    It seems many host delete Authorization headers on mutualised server... WTF!

    So we can't use it. The solution would be to change the Authorization name to X-Authorization1 for example.

  • Justin Richer 1079 days ago

    @jcrestin: You don't have to use the auth headers, you can use query or form parameters instead. OAuth supports all three methods equally, and the latter two should survive a multi-homed host just fine.

  • jcrestin 1079 days ago

    hmmm I forgot it ^^ my client library is based on the header, I'll change it :D thanks 

  • $łŁ 1028 days ago


    I enabled the plugin, but Seesmic desktop says: "Incorrect URL or problem using OAuth"

    can someone help me?

    Its a Server problem?

  • Justin Richer 1027 days ago

    @szili: I haven't ever used the Seesmic desktop program to connect to Elgg, but I would imagine this is a configuration problem. Are you sure you're using the right URLs and other parameters?

  • $łŁ 1025 days ago

    @Justin Richer: Thanks for your reply,

    The URL is good
    Seesmic Application parameters mean?
    Are automatically be set by Seesmic plugin...

    So why write then OAuth error?


  • Hugh Barnard 1003 days ago

    Hi Justin

    Got the plugin installed (after dealing with twitterservice goetcha) and thank you for it. I'm planning to use it outbound to consume a remote service. I've found the Registered Consumer Applications and think I understand how to register an outboud service (is the URL a token request URL, for example?) and the rest looks OK.

    However (this sounds stupid I know) what do I do, to let another plugin use Oauth to get some stuff from a remote service? I've got a crude Elgg plugin that connects with this: http://sourceforge.net/projects/cclite/ that just depends on hashed shared secret and I want to 'upgrade' to Oauth, if possible without recoding a lot of 'infrastructure'.

    Thanks in advance for any help, best regards Hugh Barnard


  • Hugh Barnard 1003 days ago

    Sorry, answered my own question, I think: http://docs.elgg.org/wiki/OAuth#Using_your_Consumer

  • Hugh Barnard 1000 days ago

    Hi Justin

    Making some progress, got some of the code from the wiki into my plugin and set some dummy parameters into the oauth plugin itself...now I've got my plugin, oauth etc. enabled and I've logged in as a 'user'. I go to http://<mydomain>/pg/oauth/authorize and get: Your account has not been set up to access any external applications under Outbound.

    I need [I guess] some extra forms and/or logic  in my plugin to get the two tokens for the user [using the 'base' parameters in the oauth plugin?] but I'm still not sure how this slots in...

    Thanks, in advance Hugh


  • eugene 978 days ago

    Hi Justin,

    I'm developer who is trying to access my API on Elgg 1.8 using OAuth. I unexpectadly found that there is no Register New Consummer link. But actually there is an OAuth Plugin anabled on the plugin page.

    Does OAuth plugin works fine on 1.8, and if so where can I register new Consummer.

    Thank you,


  • Justin Richer 978 days ago

    @Eugene: I haven't adapted the OAuth plugin for 1.8 yet (we're still running 1.7 here), but it shouldn't completely break. In 1.7, the consumer management page is in administration section of the site (/pg/admin/) and the link should show up in the menu as "Registered Consumer Applications". From there you can add new inbound consumer applications.

  • eugene 978 days ago


    Was able to find "Registered Consumer Applications" on 1.7 (triyed that version) but there is no such link on 1.8

    I'm going to investigate, if I can workaround that, but are there any plans about adopting oAuth to 1.8 ?

    thanks for response, it was helpfull.