Review of Restlet 2.2: OAuth 2.0

OAuth has been proliferating across web services recently as the mechanism by which third-party services obtain access to user data. The Restlet 2.2 API implements OAuth 2.0 draft version 31. My evaluation code for the server is available on GitHub.

Restlet 2.2: OAuth Server Example Refers to Missing Classes?
In the current Restlet 2.2 M3 distribution, the OAuth example refers to classes that are only available in the f4cb976e1ac3301682a215c20d931d4c89d1b1f8 revision of the trunk. In order for the OAuth server example to work, the OAuth extension jar needs to be built from source at that revision rather than taken from the M3 distribution.

Restlet 2.2: Example Server is Flawed
On line 113 of the AuthorizationServerResource class, the code checks whether an authenticated session exists. The problem is that the session it looks for is created on line 137, before the user has actually been authenticated, so the mere presence of a session proves nothing about whether the user ever logged in, and the check on line 113 can be satisfied without authentication.
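To make the ordering bug concrete, here is an added example in plain Java; it is not Restlet's code and uses no Restlet classes. The Session and AuthorizationEndpoint types, the user list and the cookie format are all hypothetical stand-ins. The flawed handler creates and stores a session before checking any credential and then treats "a session exists" as "the user is authenticated"; the fixed handler only stores a session after the credential check succeeds and requires the session to be marked authenticated before issuing an authorization code.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

/** Hypothetical per-client session; stand-in for the framework's session object. */
final class Session {
    final String id = UUID.randomUUID().toString();
    String user;                                   // null until a login succeeds
    boolean isAuthenticated() { return user != null; }
}

/** Hypothetical authorization endpoint reproducing the ordering bug and its fix. */
final class AuthorizationEndpoint {
    private final Map<String, Session> sessions = new HashMap<>();
    // Constructed sample credential store (plaintext only to keep the example short).
    private final Map<String, String> passwords = Map.of("alice", "correct horse");

    private Session lookup(String cookie) {
        return cookie == null ? null : sessions.get(cookie);
    }

    private boolean credentialsValid(String user, String password) {
        return user != null && password != null && password.equals(passwords.get(user));
    }

    private String issueCode(Session s) {
        return "code=" + UUID.randomUUID() + " user=" + s.user;
    }

    /** FLAWED: the session check runs first, but the session is created below
     *  before any credential is verified, so a second request carrying the
     *  cookie passes the check with user == null. */
    String flawedAuthorize(String cookie, String user, String password) {
        Session s = lookup(cookie);
        if (s != null) {                           // bug: existence != authenticated
            return issueCode(s);
        }
        s = new Session();
        sessions.put(s.id, s);                     // created before authentication
        if (credentialsValid(user, password)) {
            s.user = user;
        }
        return "Set-Cookie: sid=" + s.id;          // client retries with this cookie
    }

    /** FIXED: require an authenticated session, and only store a session once
     *  the credential check has succeeded. */
    String fixedAuthorize(String cookie, String user, String password) {
        Session s = lookup(cookie);
        if (s != null && s.isAuthenticated()) {
            return issueCode(s);
        }
        if (credentialsValid(user, password)) {
            s = new Session();
            s.user = user;
            sessions.put(s.id, s);                 // stored only after login succeeded
            return issueCode(s);
        }
        return "302 Location: /login";             // nothing persisted for anonymous callers
    }
}

public class SessionOrderingDemo {
    public static void main(String[] args) {
        AuthorizationEndpoint ep = new AuthorizationEndpoint();

        // Flawed flow: an anonymous request gets a session cookie...
        String first = ep.flawedAuthorize(null, null, null);
        String sid = first.substring("Set-Cookie: sid=".length());
        // ...and presenting that cookie yields an authorization code for user=null.
        System.out.println("flawed: " + ep.flawedAuthorize(sid, null, null));

        // Fixed flow: anonymous callers are redirected and no session is stored.
        System.out.println("fixed, anonymous: " + ep.fixedAuthorize(null, null, null));
        // Valid credentials produce an authenticated session and a code.
        System.out.println("fixed, alice: " + ep.fixedAuthorize(null, "alice", "correct horse"));
    }
}
```

The check to apply when reviewing any authorization endpoint is the same as in the fixed handler: find every place a session is created or stored and confirm it is reached only after the credential check, and make the authorization decision on an explicit authenticated flag rather than on the session's existence.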

Lessons Learned
If we can assume that the security flaw has been fixed, then the example code can be a good start for implementing other ways of authenticating external services. Looking at the API, I believe that most of the underlying OAuth code should be implemented at the Restlet API level. It seems like this is the case, judging by the code setup, but let's wait until the Restlet OAuth API has been finished. Until that time, I think I will evaluate the SpringSource OAuth provider implementation, as it seems to have better support.
