(c) Joseph Abrahamson 2013, MIT, me@jspha.com, experimental, non-portable

Credentials pair a and either a or token corresponding to a particular set of user resources on the server.

s are public, private key pairs and come in many varieties, , , and .

s are private keys which the uses for cryptographic purposes.

s are public keys which allow a server to uniquely identify a particular .

s and Credentials are the primary means of accessing server resources. They must be maintained by the client for each user who authorizes that client to access resources on their behalf.

s and Credentials are created during authorization protocols and are rarely meant to be kept for more than a few minutes. Typically they are authorized to access only a very select set of server resources. During "three-legged authorization" in OAuth 1.0 they are used to generate the authorization request URI the client sends and, after that, in the request.

Credentials and s are assigned to a particular client by the server and are used for all requests sent by that client. They form the core component of resource specific credentials.

Parses a www-form-urlencoded stream to produce a if possible. The first result value is whether or not the token data is OAuth 1.0a compatible.

    fromUrlEncoded "oauth_token=key&oauth_token_secret=secret"
    Just (False, Token "key" "secret")

    fromUrlEncoded "oauth_token=key&oauth_token_secret=secret&oauth_callback_confirmed=true"
    Just (True, Token "key" "secret")

Lens on the key component of a .

Lens on the key secret component of a .

A lens on the client in any .

A lens focused on the resource when available. The only instances of are and .
This can be used to upgrade s to s.

OAuth assumes that, by default, any credential has a resource that is by default completely blank. In this way we can talk about the resource of even s.

    getResourceTokenDef (clientCred $ Token "key" "secret")
    Token "" ""

Produce a from a set of credentials. This is a URL encoded string built from the client secret and the token secret.

If no token secret exists then the blank string is used.

    \secret -> signingKey (clientCred $ Token "key" secret) == (pctEncode secret <> "&" <> "")

Produces a JSON object using keys named oauth_token and oauth_token_secret.

Parses a JSON object with keys oauth_token and oauth_token_secret, the standard format for OAuth 1.0.

The parameters include all the OAuth information specific to a single request. They are not sufficient information by themselves to generate the entire OAuth request but instead must be augmented with information.

The is a set of impure OAuth parameters which are generated for each request in order to ensure uniqueness and temporality.

Some special OAuth requests use extra oauth_* parameters. For example, when requesting a temporary credential, it's necessary that an oauth_callback parameter be specified. WorkflowParams allows these extra parameters to be specified.

No special OAuth parameters needed.

Includes the oauth_verifier.

A is produced when a user authorizes a set of s. Using the allows the client to request s.

The information contains details which parameterize how a particular server wants to interpret OAuth requests.

An Epoch time format timestamp.

When performing the second leg of the three-leg token request workflow, the user must pass the oauth_verifier code back to the client. In order to ensure that this protocol is secure, OAuth demands that the client associates this "callback method" with the temporary credentials generated for the workflow.
This method may be a URL where the parameters are returned to or the string "oob" which indicates that the user is responsible for returning the oauth_verifier to the client .

OAuth has progressed through several versions since its inception. In particular, there are two community editions "OAuth Core 1.0" (2007) http://oauth.net/core/1.0 and "OAuth Core 1.0a" (2009) http://oauth.net/core/1.0a along with the IETF Official version RFC 5849 (2010) http://tools.ietf.org/html/rfc5849 which is confusingly named "OAuth 1.0".

Servers which only implement the obsoleted community edition "OAuth Core 1.0" are susceptible to a session fixation attack.

If at all possible, choose the RFC 5849 version (the value) as it is the modern standard. Some servers may only be compliant with an earlier OAuth version---this should be tested against each server, in particular the protocols defined in Network.OAuth.ThreeLegged.

OAuth Core 1.0 Community Edition http://oauth.net/core/1.0

OAuth Core 1.0 Community Edition, Revision A http://oauth.net/core/1.0a

RFC 5849 http://tools.ietf.org/html/rfc5849

OAuth culminates in the creation of the oauth_signature which signs and authenticates the request using the secret components of a particular OAuth .

Several methods exist for generating these signatures, the most popular being .

The OAuth spec suggests that the OAuth parameter be passed via the Authorization header, but allows for other methods of transmission (see section "3.5. Parameter Transmission") so we select the Server's preferred method with this type.

Place the parameters in the Authorization HTTP header.

Augment the www-form-urlencoded request body with parameters.

Augment the www-form-urlencoded query string with parameters.

Create a deterministically from a POSIX Epoch Time.

The default parameterization uses OAuth recommended parameters.

An "empty" pin useful for testing.
This is referentially transparent and thus has none of the necessary security features---it should never be used in an actual transaction!

Creates a new, unique, unpredictable . This should be used quickly as, depending on the OAuth server settings, it may expire.

Uses to create an empty set of params .

Uses to create a fresh, default set of params .

All three OAuth 1.0 versions confusingly report the same version number.

Prints out in Epoch time format, a printed integer.

Sign a request with a fresh set of parameters.

Sign a request given generated parameters.

Augments whatever component of the is specified by with one built from the appropriate OAuth parameters (passed as a ).

Currently this actually replaces the Authorization header if one exists. This may be a bad idea if the realm parameter is pre-set, perhaps. TODO: Parse Authorization header and augment it.

Currently this actually replaces the entity body if one exists. This is definitely just me being lazy. TODO: Try to parse entity body and augment it.

Queries a body and tries to interpret it as a set of OAuth valid parameters. It makes the assumption that if the body type is a streaming variety or impure then it is not a set of OAuth parameters---dropping this assumption would prevent this from being pure.

Sign a request with a fresh set of parameters. Uses MonadRandom IO, getting new entropy for each signing and thus is potentially dangerous if used too frequently. In almost all cases, should be used instead with a suitably seeded PRNG.
Data parameterizing the "Three-legged OAuth" redirection-based authorization protocol. These parameters cover the protocol as described in the community editions OAuth Core 1.0 and OAuth Core 1.0a as well as RFC 5849.

Base Request for the "endpoint used by the client to obtain a set of Temporary Credentials" in the form of a Temporary Token. This request is automatically instantiated and performed during the first leg of the authorization protocol.

Base Request for the "endpoint to which the resource owner is redirected to grant authorization". This request must be performed by the user granting token authorization to the client. Transmitting the parameters of this request to the user is out of scope of oauthenticated, but functions are provided to make it easier.

Base Request for the "endpoint used by the client to request a set of token credentials using the set of Temporary Credentials". This request is also instantiated and performed by oauthenticated in order to produce a Permanent Token.

The Callback parameter configures how the user is intended to communicate the Verifier back to the client.

Convenience method for creating a configuration from a trio of URLs and a Callback. Returns if one of the callback URLs could not be parsed correctly.

Request a Temporary Token based on the parameters of a protocol. This returns the raw response which should be encoded as www-form-urlencoded. Throws s.

Returns the raw result if the could not be parsed as a valid . Importantly, in RFC 5849 compliant modes this requires that the token response includes callback_confirmed=true. See also . Throws s.

Produce a which the user should be directed to in order to authorize a set of Temporary Creds.

Request a Permanent Token based on the parameters of a protocol.
This returns the raw response which should be encoded as www-form-urlencoded. Throws s.

Returns if the response could not be decoded as a Token. See also . Throws s.

Like but allows for specification of the .

Performs an interactive token request provided credentials, configuration, and a way to convert a user authorization into a out of band. Does not use any kind of TLS protection---it will throw a exception if TLS is required. Throws s.

wrapped over .

Perform authenticated requests using a shared and a particular set of s.

Runs an using a fresh .

The simplest way to execute a set of authenticated requests. Produces invalid ThreeLegged requests---use to provide and configuration information.

Given a of some kind, run an inner session with the same configuration but new credentials.

Sign a request using fresh credentials.

Run a full Three-legged authorization protocol using the simple interface of this module.
This is similar to the in Network.OAuth.ThreeLegged, but offers better error handling due in part to the easier management of configuration state.