oauthenticated-0.0.5: Simple OAuth client code built atop http-conduit

Safe Haskell: None



OAuth Parameters

OAuth 1.0 operates by creating a set of "oauth parameters", here called Oa, which augment a request with OAuth-specific metadata. They may be attached to the request by one of several ParameterMethods.



data ParameterMethod

The OAuth spec suggests that the OAuth parameters be passed via the Authorization header, but allows for other methods of transmission (see section 3.5, Parameter Transmission), so we select the Server's preferred method with this type.



Place the Oa parameters in the Authorization HTTP header.


Augment the www-form-urlencoded request body with Oa parameters.


Augment the www-form-urlencoded query string with Oa parameters.

data SignatureMethod

OAuth culminates in the creation of the oauth_signature which signs and authenticates the request using the secret components of a particular OAuth Cred.

Several methods exist for generating these signatures, the most popular being HmacSha1.



data Version

OAuth has progressed through several versions since its inception. In particular, there are two community editions "OAuth Core 1.0" (2007) and "OAuth Core 1.0a" (2009) along with the IETF Official version RFC 5849 (2010) which is confusingly named OAuth 1.0.

Servers which only implement the obsoleted community edition "OAuth Core 1.0" are susceptible to a session fixation attack.

If at all possible, choose the RFC 5849 version (the OAuth1 value) as it is the modern standard. Some servers may only be compliant with an earlier OAuth version; this should be tested against each server, in particular for the protocols defined in Network.OAuth.ThreeLegged.



OAuth Core 1.0 Community Edition


OAuth Core 1.0 Community Edition, Revision A


RFC 5849


Eq Version 
Data Version 
Ord Version 
Show Version 
Typeable Version 
QueryValueLike Version

All three OAuth 1.0 versions confusingly report the same version number.

data Callback

When performing the second leg of the three-leg token request workflow, the user must pass the oauth_verifier code back to the client. In order to ensure that this protocol is secure, OAuth demands that the client associate this "callback method" with the temporary credentials generated for the workflow. This Callback method may be a URL to which the parameters are returned, or the string "oob", which indicates that the user is responsible for returning the oauth_verifier to the client OutOfBand.


Callback Request 


Show Callback 
Typeable Callback 
QueryValueLike Callback

Prints out in Epoch time format, a printed integer

newtype Timestamp

An Epoch time format timestamp.


Timestamp UTCTime 


Eq Timestamp 
Data Timestamp 
Ord Timestamp 
Show Timestamp 
Typeable Timestamp 
QueryValueLike Timestamp

Prints out in Epoch time format, a printed integer

timestampFromSeconds :: Integer -> Timestamp

Create a Timestamp deterministically from a POSIX Epoch Time.

data Server

The Server information contains details which parameterize how a particular server wants to interpret OAuth requests.

defaultServer :: Server

The default Server parameterization uses OAuth recommended parameters.

type Verifier = ByteString

A Verifier is produced when a user authorizes a set of Temporary Creds. Using the Verifier allows the client to request Permanent Creds.

data Workflow

Some special OAuth requests use extra oauth_* parameters. For example, when requesting a temporary credential, it's necessary that an oauth_callback parameter be specified. WorkflowParams allows these extra parameters to be specified.



No special OAuth parameters needed

TemporaryTokenRequest Callback 
PermanentTokenRequest ByteString

Includes the oauth_verifier

data OaPin

The OaPin is a set of impure OAuth parameters which are generated for each request in order to ensure uniqueness and temporality.



emptyPin :: OaPin

An "empty" pin useful for testing. This OaPin is referentially transparent and thus has none of the necessary security features; it should never be used in an actual transaction!

freshPin :: CPRG gen => gen -> IO (OaPin, gen)

Creates a new, unique, unpredictable OaPin. Use it promptly: depending on the OAuth server's settings, it may expire.
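
The signing step described under SignatureMethod and the role of the OaPin, as an added example that is not part of oauthenticated: it builds the RFC 5849 signature base string and an HMAC-SHA1 signature with the cryptonite and memory packages rather than through this library's API. It assumes the pin corresponds to oauth_nonce and oauth_timestamp and that the URL is already in normalized base-URI form; all keys, secrets, names and the helper functions are constructed for illustration.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not oauthenticated code). Needs: bytestring, cryptonite, memory.
import           Crypto.Hash             (SHA1)
import           Crypto.MAC.HMAC         (HMAC, hmac)
import           Data.ByteArray.Encoding (Base (Base64), convertToBase)
import qualified Data.ByteString         as B
import qualified Data.ByteString.Char8   as C
import           Data.Char               (toUpper)
import           Data.List               (sort)
import           Numeric                 (showHex)

type Param = (B.ByteString, B.ByteString)

-- RFC 5849 section 3.6: every byte outside the unreserved set becomes %XX.
pct :: B.ByteString -> B.ByteString
pct = B.concatMap enc
  where
    enc w | w `B.elem` unreserved = B.singleton w
          | otherwise             = C.pack ('%' : map toUpper (pad (showHex w "")))
    pad s      = replicate (2 - length s) '0' ++ s
    unreserved = C.pack (['A'..'Z'] ++ ['a'..'z'] ++ ['0'..'9'] ++ "-._~")

-- Section 3.4.1: METHOD & encoded URL & encoded, byte-sorted parameter list.
baseString :: B.ByteString -> B.ByteString -> [Param] -> B.ByteString
baseString method url ps = B.intercalate "&" [method, pct url, pct normalized]
  where
    normalized = B.intercalate "&"
      [k <> "=" <> v | (k, v) <- sort [(pct k', pct v') | (k', v') <- ps]]

-- Section 3.4.2: HMAC-SHA1 keyed with "client secret & token secret".
hmacSha1 :: B.ByteString -> B.ByteString -> B.ByteString -> B.ByteString
hmacSha1 clientSecret tokenSecret base =
  convertToBase Base64 (hmac key base :: HMAC SHA1)
  where key = pct clientSecret <> "&" <> pct tokenSecret

-- Constructed sample request; the argument plays the pin (nonce, timestamp).
signWith :: Param -> B.ByteString
signWith (nonce, ts) = hmacSha1 "sample-client-secret" "sample-token-secret" $
  baseString "GET" "https://api.example.test/photos"
    [ ("file", "vacation photo.jpg")
    , ("oauth_consumer_key", "sample-client-key"), ("oauth_token", "sample-token")
    , ("oauth_signature_method", "HMAC-SHA1")
    , ("oauth_version", "1.0")
    , ("oauth_nonce", nonce), ("oauth_timestamp", ts) ]

main :: IO ()
main = do
  -- Compare signatures for the same constant pin used twice (hypothetical values).
  print (signWith ("", "0") == signWith ("", "0"))
  -- Compare signatures when only the nonce differs.
  print (signWith ("n-1", "1700000000") == signWith ("n-2", "1700000000"))
```

With a constant pin every signed copy of a request is byte-identical, so the server has nothing with which to tell a replay from the original; this is why emptyPin is suitable for tests only.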

emptyOa :: Cred ty -> Oa ty

Uses emptyPin to create an empty set of params Oa.

freshOa :: CPRG gen => Cred ty -> gen -> IO (Oa ty, gen)

Uses freshPin to create a fresh, default set of params Oa.

data Oa ty

The Oa parameters include all the OAuth information specific to a single request. They are not sufficient information by themselves to generate the entire OAuth request but instead must be augmented with Server information.




credentials :: Cred ty
workflow :: Workflow
pin :: OaPin