Hi guys, Cassie and David asked me to summarize where we're at with OAuth support in the RESTful server. I volunteered to help out, but have to admit that I don't have the full picture yet.

Here is what I know how to do: I can write a ServletFilter that can verify incoming signedFetch requests against a list of known public keys (known to the RESTful server, that is), and then assert the originator of that request (the string passed in oauth_consumer_key) to the filters and servlets downstream.

For anything else (like "real" incoming OAuth requests) the RESTful server would have to have some sort of notion of user accounts, which AFAIK is not the case. I'm saying that because normally, when an OAuth request comes in, you verify the request, and then you map the supplied OAuth token to an account on your server.

So I'm not quite sure what it means to "support OAuth" for the RESTful server (minus the signedFetch part, as explained above), but I'm willing to help implement it if someone can explain it to me. :-)

Any takers?

Dirk.
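
The signedFetch check described in the message above, as an added example that is not part of the original message or the project's code, written in Python rather than as a servlet filter so it runs on the standard library alone. It assumes the RSA-SHA1 signature method, parameters already decoded into a dict and an already normalized URL; the key, consumer name and request are constructed, and replay checks on oauth_timestamp and oauth_nonce are left out.

```python
import base64, hashlib, hmac
from urllib.parse import quote
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo header for SHA-1

def enc(s):
    return quote(str(s), safe="-._~")  # OAuth 1.0 percent-encoding

def base_string(method, url, params):
    # METHOD & url & sorted parameters, oauth_signature itself left out
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    query = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(query)])

def emsa(message, k):
    # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo(SHA-1(message)), k bytes long
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(method, url, params, known_keys):  # consumer key to assert downstream, or None
    consumer = params.get("oauth_consumer_key")
    if consumer not in known_keys or params.get("oauth_signature_method") != "RSA-SHA1":
        return None
    n, e = known_keys[consumer]
    k = (n.bit_length() + 7) // 8
    try:
        raw = base64.b64decode(params.get("oauth_signature", ""), validate=True)
    except ValueError:
        return None
    sig = int.from_bytes(raw, "big")
    if len(raw) != k or sig >= n:
        return None
    # Compare the whole encoded block rather than parsing the padding out of it
    expected = emsa(base_string(method, url, params).encode(), k)
    return consumer if hmac.compare_digest(pow(sig, e, n).to_bytes(k, "big"), expected) else None

# Constructed demo key built from two Mersenne primes: insecure, only makes the example runnable
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KNOWN_KEYS = {"container.example": (N, E)}  # hypothetical consumer name -> public key

def sign(method, url, params):  # stands in for the sending container
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa(base_string(method, url, params).encode(), k), "big")
    return base64.b64encode(pow(m, D, N).to_bytes(k, "big")).decode()

def demo(url="http://restful.example/people/me"):  # constructed request
    p = {"oauth_consumer_key": "container.example", "oauth_signature_method": "RSA-SHA1",
         "oauth_timestamp": "1210000000", "oauth_nonce": "abc123", "opensocial_viewer_id": "42"}
    p["oauth_signature"] = sign("GET", url, p)
    return verify("GET", url, p, KNOWN_KEYS), verify("GET", url, {**p, "opensocial_viewer_id": "43"}, KNOWN_KEYS)
```

`demo()` returns the consumer key for the untouched request and `None` once a signed parameter is changed; a filter would pass only the former downstream as the asserted originator.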

