feat: Implement OAuth1 authorization method #2989
Draft
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This pull request aims to add OAuth1.0a as supported authorization mode to Bruno.
resolves: #1004
The OAuth1 flow as defined in https://oauth.net/core/1.0a consists of two distinct stages (and more substages):
Step 2, while not exactly trivial, can be accomplished by scripting, but what I think is really important for API client like Bruno, is the ability to assist user in Step 1- actually obtaining the token.
The approach currently used for OAuth2 Authorization Code flow is a great example of how the solution could look like.
Implementation details
When OAuth1 authorization is used for request, the Authorization header is evaluated using oauth-1.0a library and included in the request during execution, based on the following parameters:
In case user does not yet have Access Token, they must provide the following information about API they want to access:
And then also:
Then, during request execution Bruno will make additional requests, and will open the browser window to allow user sign-in with the external provider and ask for permission.
Demo
Screencast.from.2024-09-02.21-41-41.mp4
Todos
This flow should support several variations, including
HMAC_SHA*
- works with real servicesRSA_SHA*
- using external private key - should workPLAINTEXT
- should workAuthorization Header
Form-Encoded Body
Request Query Parameters
Contribution Checklist: