[annotator-dev] Annotator store flask

Randall Leeds tilgovi at hypothes.is
Wed Apr 18 23:52:59 UTC 2012

On Wed, Apr 18, 2012 at 2:58 PM, johnny jiang
<johnny.nan.jiang at gmail.com> wrote:
> I'm trying to integrate the annotator (including annotator store and
> annotator client) with my own app, and make the annotator work with the
> authentication and authorization of my app. Before I just registered an user
> with annotateit.org, then got a token and used it's store. But this time I'd
> like to set up my own store, but I have no clue how to make the auth
> happen. I checked the annotator store python code and the Wordpress plugin,
> but haven't got the whole picture in terms of how auth works. Could you
> please advise in some detail? Cheers.

Since I've just gone through this, maybe I can help you.

The important things are (1) the Authenticator (from annotator-store's
annotator.auth module) and (2) the token view.

(1) The only argument to annotator.auth.Authenticator is the
consumer_fetcher. The format is documented in the annotator.auth
You need to ensure that the store is configured with an Authenticator
whose consumer_fetcher function can retrieve credentials that
represent your site.
These can be anything. You can make them up. You can look at
okfn/annotateit for the structure of its Consumer object. This need
not hit a database if your store
is only expected to serve your own site, and not allow application
developers to consumer your site like you were consuming annotateit.

The file 'run.py' from annotator-store shows how the app is
configured: https://github.com/okfn/annotator-store/blob/master/run.py
The easiest thing to do is hard code a consumer key and secret and
pass a function like:
def consumer_fetcher(key):
    if key != 'my_site_consumer_key':
        consumer = {
            key: 'my_site_consumer_key',
            secret: 'my_site_consumer_secret'
            ttl: auth.DEFAULT_TTL
        return consumer
    return None

If you want to serve as a store for other applications other than your
own, you would provide a way to sign up and create consumer keys, like
AnnotateIt does for
each user, and you would make this function check the DB to get the
secret rather than rejecting anything that isn't your own site as I've
done here.

(2) The other side of the equation is the token granting. For an
example in Python, consult

The auth_token() view uses routines provided by annotator-store to
spit out a token based on the consumer key and secrets for the site.
These should match the credentials
you used for the store. In this case, the hard-coded name "annotateit"
is used to look up the credentials used to generate tokens for
annotateit. You can also use
annotator-store's annotator.auth.encode_token directly if your site is
written in Python, but it should be easy to generate from any

If you were not hosting your own store you could use your annotateit
consumer credentials here (I think).


More information about the annotator-dev mailing list