StatusNet 0.9.6 release candidate: OAuth API changes

Mirrored from my entry on the StatusNet company blog.

StatusNet 0.9.6 release candidate 1 is ready to download: http://statusnetdev.net/rc/statusnet-0.9.6rc1.tar.gz

We’ll be pushing this up to status.net hosted sites and identi.ca, and releasing the general 0.9.6 download, later this week.

OAuth authentication for the Twitter-compatible API has been updated significantly, which may require some client apps to change their behavior for new users to sign in:

  1. updated to 1.0a – we require you to use the verifier, and 1.0 won’t work
  2. new “oob” pin-based workflow for apps with limited web capability
  3. token exchange and authorization happen over SSL by default
  4. new mode=desktop parameter for apps displaying a stripped-down, “lite” version of the authorization page in a webview
  5. an anonymous consumer for apps that don’t want to register for a custom consumer key and secret (good for apps that need to work with multiple StatusNet instances)

When a user declines to authorize a request token, we notify the client by calling the verified callback with the oauth_problem=user_refused parameter.
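As an added example (not StatusNet code and not part of the original post), here is one way a client could handle the callback under these rules: report a refusal, bind the callback to the request token it issued, and insist on the 1.0a verifier. The function and exception names and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs


class AuthorizationRefused(Exception):
    """The user declined to authorize the request token."""


class CallbackError(Exception):
    """The callback is malformed or does not match the pending request."""


def parse_callback(callback_url, pending_request_token):
    """Return the oauth_verifier carried by a callback URL, or raise.

    pending_request_token is the request token this client obtained
    before sending the user to the authorization page.
    """
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def single(name):
        values = params.get(name, [])
        if len(values) > 1:
            raise CallbackError("duplicate parameter: " + name)
        return values[0] if values else None

    # A refusal arrives on the callback as oauth_problem=user_refused.
    problem = single("oauth_problem")
    if problem == "user_refused":
        raise AuthorizationRefused("user declined authorization")
    if problem is not None:
        raise CallbackError("provider reported: " + problem)

    # Bind the callback to the request token this client issued, so a
    # callback belonging to a different authorization is not accepted.
    if single("oauth_token") != pending_request_token:
        raise CallbackError("callback token does not match pending request")

    # OAuth 1.0a: without a verifier there is nothing to exchange.
    verifier = single("oauth_verifier")
    if not verifier:
        raise CallbackError("missing oauth_verifier (1.0-style callback)")
    return verifier
```

In the “oob” workflow there is no callback URL to parse; the user types the PIN into the app, and the app uses it as the verifier when exchanging the request token.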

Please test your client apps to confirm they still function; even if existing access tokens work, be sure to try signing up a new user too! If you have trouble, ping Zach Copley, who’s become our resident OAuth wizard, either directly via StatusNet or in our IRC channel on FreeNode.

Other notable changes this version:

  • Site moderators can now delete groups.
  • New themes: clean, shiny, mnml, victorian
  • New YammerImport plugin allows site admins to import non-private profiles and messages from an authenticated Yammer site.
  • New experimental plugins: AnonFavorites, SlicedFavorites, GroupFavorited, ForceGroup, ShareNotice
  • OAuth upgraded to 1.0a
  • Localization updates now include plugins, thanks to translatewiki.net!
  • SSL link generation should be more consistent; alternate SSL URLs can be set in the admin UI for more parts of the system.
  • Experimental backupuser.php, restoreuser.php command-line scripts to dump/restore a user’s complete activity stream. Can be used to transfer accounts manually between sites, or to save a backup before deleting.
  • Unicode fixes for OStatus notices
  • Header metadata on notice pages to aid in manual reposting on Facebook
  • Lots of little fixes…

A complete list of changes since 0.9.5 is included in the ‘Changelog’ file in the RC download.

— brion