Library for OAuth Provider (Java)

I'm looking for a Java library that helps me building an OAuth Provider. I must be able to receive OAuth signed requests and determine whether they are valid or not (checking the signature, timestamp and nonce values).

Do you know if there's something out there that makes this task easier?

Scribe is an OAuth library for Java, written by the asker himself. ;-)

Note: I post this here as an answer so that other googlers have a choice of alternatives. For another library-based alternative, see my other answer "Jersey OAuth signature library".

Some code to illustrate usage:

OAuthService service = new ServiceBuilder()
                                  .provider(TwitterApi.class)
                                  .apiKey("your_api_key")
                                  .apiSecret("your_api_secret")
                                  .build();
...
Token requestToken = service.getRequestToken();
String your_token = requestToken.getToken();
...
Verifier verifier = new Verifier("your_previously_retrieved_verifier");
 Token accessToken = service.getAccessToken(requestToken, verifier);

Creating the request:

OAuthRequest request = OAuthRequest(Verb.GET, "http://api.twitter.com/1/direct_messages.json");
service.signRequest(accessToken, request);
Response response = request.send();

One library mentioned on <http://oauth.net/code> looks interesting (I'm excluding the OAuth for Spring Security and OAuth Signpost which are not what you're looking for):

> A Java library and examples were > contributed by John Kristian, Praveen > Alavilli and Dirk Balfanz. > > OAuth for Spring Security is also > available, contributed by Ryan Heaton. > This project is not hosted in the > OAuth repository. > > OAuth Signpost offers simple OAuth > message signing for Java and Apache > HttpComponents (Google Android > ready!). Contributed by Matthias > Kaeppler.

I've checked the Java library a bit further and I think that its providing everything required for client-side and server-side code. The following blog post has actually a full example and I'm pasting the server code below (a JSP):

<%@ page import="net.oauth.server.*"%>
<%@ page import="net.oauth.*"%>

<%
//Presumably this should actually be looked up for a given key.
String consumerSecret="uynAeXiWTisflWX99KU1D2q5";

//Presumably the key is sent by the client. This is part of the URL, after all.
String consumerKey="orkut.com:623061448914";

//Construct the message object. Use null for the URL and let the code construct it.
OAuthMessage message=OAuthServlet.getMessage(request,null);

//Construct an accessor and a consumer
OAuthConsumer consumer=new OAuthConsumer(null, consumerKey, consumerSecret, null);
OAuthAccessor accessor=new OAuthAccessor(consumer);

//Now validate. Weirdly, validator has a void return type. It throws exceptions
//if there are problems.
SimpleOAuthValidator validator=new SimpleOAuthValidator();
validator.validateMessage(message,accessor);

//Now what? Generate some JSON here for example.
System.out.println("It must have worked"); %> 

This looks close to what you want.

You can use the Jersey OAuth Signature Library.

Simple OAuth authentication for a servlet or filter may be set up using a Container Filter, which filters the request before the request is matched and dispatched to a root resource class. The Container Filter is registered using initialization parameters which point to a user defined class, such as the following:

public class OAuthAuthenticationFilter implements ContainerRequestFilter {
    @Override
    public ContainerRequest filter(ContainerRequest containerRequest) {
        // Read the OAuth parameters from the request
        OAuthServerRequest request = new OAuthServerRequest(containerRequest);
        OAuthParameters params = new OAuthParameters();
        params.readRequest(request);
       
        // Set the secret(s), against which we will verify the request
        OAuthSecrets secrets = new OAuthSecrets();
        // ... secret setting code ...
       
        // Check that the timestamp has not expired
        String timestampStr = params.getTimestamp();
        // ... timestamp checking code ...
       
        // Verify the signature
        try {
            if(!OAuthSignature.verify(request, params, secrets)) {
                throw new WebApplicationException(401);
            }
        } catch (OAuthSignatureException e) {
            throw new WebApplicationException(e, 401);
        }
       
        // Return the request
        return containerRequest;
    }
}

There is an OAuth plugin for Spring Security

Looks like there's a Subversion repo for a library at http://oauth.googlecode.com/svn/code/java/. Looks like you'll have to checkout and run maven to get executables though.

If you go into example/webapp/src/main/java they have some examples of consuming from Twitter, Yahoo, & others.

Jersey (the reference implementation of JAX-RS) supports OAuth through a Jersey extension called OpenSSO Auth Filter. However this requires an additional OpenSSO server instance. See this document for more information.

Note that OpenSSO has been discontinued by Oracle and is now under ForgeRock as OpenAM.