hoauth-0.2.1: A Haskell implementation of OAuth 1.0a protocol.




A Haskell library that implements oauth authentication protocol as defined in http://tools.ietf.org/html/draft-hammer-oauth-10.

According to the RFC [1]: OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end- user). It also provides a process for end-users to authorize third- party access to their server resources without sharing their credentials (typically, a username and password pair), using user- agent redirections.

The following code should perform a request using 3 legged oauth, provided the parameters are defined correctly:

  reqUrl   = fromJust . parseURL $ "https://service.provider/request_token"
  accUrl   = fromJust . parseURL $ "https://service.provider/access_token"
  srvUrl   = fromJust . parseURL $ "http://service/path/to/resource/"
  authUrl  = ("http://service.provider/authorize?oauth_token="++) . findWithDefault ("oauth_token","") . oauthParams
  app      = Application "consumerKey" "consumerSec" OOB
  response = runOAuth $ do ignite app
                           oauthRequest PLAINTEXT Nothing reqUrl
                           cliAskAuthorization authUrl
                           oauthRequest PLAINTEXT Nothing accUrl
                           serviceRequest HMACSHA1 (Just "realm") srvUrl



data Token Source

The OAuth Token.


data Application Source

Identifies the application.

data OAuthCallback Source

Callback used in oauth authorization


URL String 

data SigMethod Source

Available signature methods.



The PLAINTEXT consumer_key token_secret method does not provide any security protection and SHOULD only be used over a secure channel such as HTTPS. It does not use the Signature Base String.


The HMAC_SHA1 consumer_key token_secret signature method uses the HMAC-SHA1 signature algorithm as defined in http://tools.ietf.org/html/rfc2104 where the Signature Base String is the text and the key is the concatenated values (each first encoded per Parameter Encoding) of the Consumer Secret and Token Secret, separated by an & character (ASCII code 38) even if empty.


type Realm = StringSource

The optional authentication realm. Refer to http://oauth.net/core/1.0/#auth_header_authorization for more information.

type Nonce = StringSource

Random string that is unique amongst requests. Refer to http://oauth.net/core/1.0/#nonce for more information.

type Timestamp = StringSource

Unix timestamp (seconds since epoch). Refer to http://oauth.net/core/1.0/#nonce for more information.

type OAuthMonad m a = StateT Token m aSource

The OAuth monad.

OAuthMonad related functions

runOAuth :: (MonadIO m, HttpClient m) => OAuthMonad m a -> m aSource

Execute the oauth monad and returns the value it produced.

oauthRequest :: (MonadIO m, HttpClient m) => SigMethod -> Maybe Realm -> Request -> OAuthMonad m (Either String Token)Source

Executes an oauth request which is intended to upgrade/refresh the current token. Use this combinator to get either a request token or an access token.

serviceRequest :: (MonadIO m, HttpClient m) => SigMethod -> Maybe Realm -> Request -> OAuthMonad m ResponseSource

Performs a signed request with the available token.

cliAskAuthorization :: MonadIO m => (Token -> String) -> OAuthMonad m ()Source

Probably this is just useful for testing. It asks the user (stdout/stdin) to authorize the application and provide the oauth_verifier.

ignite :: MonadIO m => Application -> OAuthMonad m ()Source

Transforms an application into a token.

getToken :: Monad m => OAuthMonad m TokenSource

Extracts the token from the OAuthMonad.

putToken :: Monad m => Token -> OAuthMonad m ()Source

Alias to the put function.

Token related functions

twoLegged :: Token -> BoolSource

Returns true if the token is able to perform 2-legged oauth requests.

threeLegged :: Token -> BoolSource

Tests whether or not the current token is able to perform 3-legged requests.

signature :: SigMethod -> Token -> Request -> StringSource

Signs a request using a given signature method. This expects the request to be a valid request already (for instance, none and timestamp are not set).

injectOAuthVerifier :: String -> Token -> TokenSource

Injects the oauth_verifier into the token. Usually this means the user has authorized the app to access his data.

fromApplication :: Application -> TokenSource

Transforms an application into a token

fromResponse :: Response -> Token -> Either String TokenSource

Receives a response possibly from a service provider and updates the token. As a matter effect, assumes the content-type is application/x-www-form-urlencoded (because some service providers send it as text/plain) and if the status is [200..300) updates the token accordingly.

authorization :: SigMethod -> Maybe Realm -> Nonce -> Timestamp -> Token -> Request -> StringSource

Computes the authorization header and updates the request.