walkah: oauth

Lately I have found myself doing a lot of development against external APIs, several of which require those services to be able to access my dev site directly. Traditionally, I've set up my dev sites on a public server (usually my personal VPS), mirrored the site locally, and used rsync to push incremental changes from my local machine to the server.

This is a pain for two reasons:

1. It means I have an extra step (to rsync) after each change. Yes, it's the same command over and over, but it gets repetitive. Also, if I forget, I spend a few minutes trying to figure out why the change I just made doesn't appear.
2. I'm also left with old dev sites (that I generally forget about) out on the public web - generally not getting proper attention for security updates, etc. This leaves my VPS open to attack.

I also spend a lot of time tweaking my local environment to be just-how-I-like-it(tm).

Recently, I had an idea that, in hindsight, seems obvious. However, in talking with a few people, it seemed just novel enough to warrant the high bar of intellect that is a blog post. So here is the magic:

What you need:

• A wildcard DNS entry (i.e. *.home.example.com). I'm lucky that my home ISP allows me to have a static IP address, but a DynDNS or similar account would also work.
• A linux/mac computer attached to your home/office network that is not currently running a web server (i.e. port 80 is unused) - preferably connected via ethernet. I happen to have an old mac mini that serves as my "media server" at home that I'm using.
• Ports 22 and 80 forwarded from your router to the aforementioned computer. (This is left as an exercise to the reader).

The "magic":

Given the above, the rest is really quite simple (and perhaps obvious to some). A simple ssh port forward does the trick. Here's the command I use:

ssh root@home.example.com -R 80:localhost:80

For the unfamiliar, that says ssh into home.example.com as root and send all the traffic coming to port 80 at home to port 80 on my localhost.

Voila! Now all requests to home.example.com will come to my local server and I can setup vhosts, etc accordingly. Also, if I just end my ssh connection, I no longer have to worry about the big, scary Internet accessing my dev sites.

TODO

I'm not 100% happy about allowing root ssh into my home network, so I may spend a rainy Sunday afternoon and setup an HTTP proxy at home that forwards to something like 8080 on localhost (and perhaps gives a nice "we're not home" message if I'm not ssh'ed in). That way, I wouldn't need to ssh in as root (which is necessary to bind the "low number" port).

If you do much tinkering with remote services (particularly OAuth-based services or webhooks, etc.), I hope this makes life just a little bit easier for you.

This past weekend, I had the privilege of being one of the chosen attendees for Social Web FooCamp. Needless to say, I was flattered and had an amazing time (thanks again, @daveman692 and @davemorin ) . One thing, however, became very apparent: the conversation, currently, is being dominated by the 'big players' (Google, Yahoo, Facebook and Myspace predominantly). In several discussions I found myself increasingly dropping the phrase:

... on the rest of the web

the big guys

First off, this is not a critique of the Google's and Facebook's of the internet. They are incredibly valuable to the growth of the openweb. The fact that Google, Yahoo and Myspace all three have various OpenID and OAuth initiatives in the wild and are actively pursuing additional ways to open their data is awesome (and Facebook wants to get there). It helps raise awareness and bring (slash confirm) "legitimacy".

The big guys also have resources. They can attend the conferences (and camps!) and have dedicated resources to write the standards, participate in the discussions and help shape the future.

However, they are only part of the discussion.

perspective

The issues the major providers face are different from the rest. They have a few sites with large numbers of users (hundreds of millions). Out here on the rest of the web, we have millions of websites, each with a "small" number of users (hundreds or thousands). We all understand the necessity for open data, identity, standards and protocols, but our reasoning tends to be slightly different.

The big guys recognize the benefit of exposing their data and most are providing OpenID and various levels of OAuth. How many are consuming it?

Sure, the big players want to be the primary authority for your identity and your information. In some cases, it is their business. But, rather than ranting against 'the man', I ask: have we - the rest of the web - given them a compelling reason to yet?

open source platforms for the open web

It's one thing for a major site (with hundreds of millions of users) to act like a silo, but on the rest of the web it amounts to isolation.

Those of us working on open source web platforms have an enormous potential for influence here. Implementing the various open standards "from scratch", while possible, is not realistic or even necessary. Increasingly, individuals have Wordpress blogs or perhaps their company, organization or club has a Drupal site. Web developers are increasingly turning to these platforms, or development frameworks such as Rails and Django. These platforms all have a real opportunity to bake in implementations of these open standards. The DiSo project offers a central place for co-ordination around these efforts.

We have data - gobs of it. We also, collectively, have the users and, in most cases, have more authoritative information about them (we know ourselves, our employees and our members).

We - the rest of the web - need to join the conversation: attend the events, participate in the mailing lists, and build the code to power the open, social web.

I had an interesting e-mail exchange yesterday with Chris Messina and a handful of folks from the DiSo project about "DiSo for Drupal". For those of you who haven't heard of it DiSo is:

DiSo (dee • zoh) is an umbrella project for a group of open source implementations of these distributed social networking concepts. or as Chris puts it: “to build a social network with its skin inside out”.

See, Chris recently started a new job working on DiSo full-time at Vidoop. With the announcements of Facebook connect and Google's Friend Connect, there is a battle raging for control of your identity and your relationships. DiSo, in many respects, is the free open answer for the rest of the internet. It combines several free, open standards that already exist in the wild like OpenID, OAuth, and Microformats for exchanging identity and "friend" information.

So, Chris reached out a handful of us Drupal folks about getting on board. The good news is: we, the Drupal community, are already well on our way:

• OpenID (in Drupal 6.x core)
• OpenID Provider : http://drupal.org/project/openid_provider
• OpenID Attribute Exchange : http://drupal.org/project/openid_ax (in progress via Google SoC)
• OAuth : http://drupal.org/project/oauth
• Atom : syndication only - http://drupal.org/project/atom - might be nice to have a basic envelop generator/parser implementation
• XMPP : http://drupal.org/project/jabber , http://drupal.org/project/xmpp and http://drupal.org/project/xmpp_server (the latest of which is maybe the most promising)
• vCard / hCard : http://drupal.org/project/vcard

The big holes at the moment (from a DiSo perspective) are XRDS-Simple support and better support for microformats - specifically XFN.

From the list of Drupal modules above, you may notice that this is an area of interest of mine :-P I look forward to working with the rest of the DiSo project and the Drupal community on this stuff!