Closed Bug 765350 Opened 12 years ago Closed 12 years ago

Use JWT in solitude for talking to marketplace and solitude-proxy

Categories

(Marketplace Graveyard :: Payments/Refunds, defect, P2)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED FIXED
2012-11-01

People

(Reporter: andy+bugzilla, Assigned: andy+bugzilla)

(Whiteboard: [ye-olde-paypal])

This is a bit of a pain, so feel free to bump this if it takes too long or is too painful. It is painful, but I've done it before so can do it again.

Basically we want to do the 1.1 OAuth, which is a two-legged OAuth that signs the requests prior to processing them.

Because I've done this, you can probably just copy this over and hopefully it will just work.

So:

- make a CONSUMER_KEY and CONSUMER_SECRET in settings/base.py and local. Leave base.py values empty. IT will be setting these on -dev and prod etc.

- next parse all the incoming requests for the OAuth token. How? Take a look at:

https://github.com/mozilla/zamboni/blob/master/mkt/api/authentication.py#L48
https://github.com/mozilla/zamboni/blob/master/mkt/api/resources.py#L40

If you can find a better way, go for it.

- finally you'll need to alter all the tests that make requests:

https://github.com/mozilla/zamboni/blob/master/mkt/api/tests/test_oauth.py#L51

This is using python-oauth2, which is painful and not maintained.
Assignee: nobody → xwraithanx
Target Milestone: --- → 2012-06-21
Blocks: 765352
Priority: -- → P2
We are going to have to use jwt to sign bluevia tokens. Could we just use jwt for this? Only real downside is that I'll have to write a nice tool to replace curlish to use jwt so that we can interact easily on the command line. But that shouldn't be hard to fork.
I am Wraithan and I approve of this message. (to change to using jwt)
Target Milestone: 2012-06-21 → 2012-08-09
Summary: Use OAuth in solitude → Use JWT in solitude for talking to marketplace and solitude-proxy
Target Milestone: 2012-08-09 → 2012-08-16
Whiteboard: [ye-olde-paypal]
Target Milestone: 2012-08-16 → ---
What does this have to do with PayPal? It's about a secure communication channel between Marketplace and Solitude.
Assignee: xwraithanx → amckay
Target Milestone: --- → 2012-11-01
The JWT implementation has landed.

https://github.com/mozilla/solitude/commit/f0f29d

Next I've got to turn it on in a few places.
I'll file specific bugs for when we turn this on.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
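
Added example, not part of the bug thread and not the code from the solitude commit: a standard-library sketch of the idea discussed above, where the caller wraps each request in a JWT signed with a shared secret and the receiver verifies it before processing. The HS256 choice, the `iss`/`iat` claim usage, the 60-second freshness window, the function names and the sample key and secret are all assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed credentials standing in for CONSUMER_KEY / CONSUMER_SECRET (assumed values).
KEYS = {"marketplace": b"constructed-secret-not-real"}

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_request(key: str, secret: bytes, payload: dict, now=None) -> str:
    """Caller side: wrap the request payload in an HS256 JWT issued by `key`."""
    claims = dict(payload, iss=key, iat=int(time.time() if now is None else now))
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = head + "." + b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)

def verify_request(token: str, keys=KEYS, max_age=60, now=None) -> dict:
    """Receiver side: return the claims if authentic and fresh, else raise ValueError."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("not JSON objects")
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm on the receiver; the token header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # `iss` is untrusted here; it only selects which secret to check against.
    iss = claims.get("iss")
    secret = keys.get(iss) if isinstance(iss, str) else None
    if secret is None:
        raise ValueError("unknown issuer")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    iat = claims.get("iat")
    now = time.time() if now is None else now
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        raise ValueError("stale token")
    return claims
```
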