[annotator-dev] Annotator store flask

johnny jiang johnny.nan.jiang at gmail.com
Sat Apr 28 05:39:17 UTC 2012

Hi Nick & Randall,

I've been playing with Annotator authentication and the store. I've set up the
Annotator auth plugin, and also turned on authentication on my local store.
I got the following error when posting annotations to the store. I was
wondering whether this is something that needs to be modified or updated on
either the auth plugin side or the store side?

Auth Plugin

Annotator Store

XMLHttpRequest cannot load http://www.cxware.net:5000/annotations. Request
header field x-annotator-auth-token-issue-time is not allowed by

Thanks and regards,

On Thu, Apr 19, 2012 at 9:52 AM, Randall Leeds <tilgovi at hypothes.is> wrote:

> On Wed, Apr 18, 2012 at 2:58 PM, johnny jiang
> <johnny.nan.jiang at gmail.com> wrote:
> >
> > I'm trying to integrate the annotator (including annotator store and
> > annotator client) with my own app, and make the annotator work with the
> > authentication and authorization of my app. Before I just registered a
> > user with annotateit.org, then got a token and used its store. But this
> > time I'd like to set up my own store, but I have no clue how to make the
> > auth happen. I checked the annotator store python code and the Wordpress
> > plugin, but haven't got the whole picture in terms of how auth works.
> > Could you please advise in some detail? Cheers.
> Since I've just gone through this, maybe I can help you.
> The important things are (1) the Authenticator (from annotator-store's
> annotator.auth module) and (2) the token view.
> (1) The only argument to annotator.auth.Authenticator is the
> consumer_fetcher. The format is documented in the annotator.auth
> module.
> You need to ensure that the store is configured with an Authenticator
> whose consumer_fetcher function can retrieve credentials that
> represent your site.
> These can be anything. You can make them up. You can look at
> okfn/annotateit for the structure of its Consumer object. This need
> not hit a database if your store
> is only expected to serve your own site, and not allow application
> developers to consume your site like you were consuming annotateit.
> The file 'run.py' from annotator-store shows how the app is
> configured: https://github.com/okfn/annotator-store/blob/master/run.py
> The easiest thing to do is hard code a consumer key and secret and
> pass a function like:
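> from annotator import auth
>
> def consumer_fetcher(key):
>    # Only this site's hard-coded consumer key is accepted.
>    if key == 'my_site_consumer_key':
>        consumer = {
>            'key': 'my_site_consumer_key',
>            'secret': 'my_site_consumer_secret',
>            'ttl': auth.DEFAULT_TTL
>        }
>        return consumer
>    # Any other key is rejected.
>    return None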
> If you want to serve as a store for other applications other than your
> own, you would provide a way to sign up and create consumer keys, like
> AnnotateIt does for
> each user, and you would make this function check the DB to get the
> secret rather than rejecting anything that isn't your own site as I've
> done here.
> (2) The other side of the equation is the token granting. For an
> example in Python, consult
> https://github.com/okfn/annotateit/blob/master/annotateit/main.py.
> The auth_token() view uses routines provided by annotator-store to
> spit out a token based on the consumer key and secrets for the site.
> These should match the credentials
> you used for the store. In this case, the hard-coded name "annotateit"
> is used to look up the credentials used to generate tokens for
> annotateit. You can also use
> annotator-store's annotator.auth.encode_token directly if your site is
> written in Python, but it should be easy to generate from any
> language.
> If you were not hosting your own store you could use your annotateit
> consumer credentials here (I think).
> -Randall
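
An added example, not part of the original thread and not annotator-store's code: it shows the two sides Randall describes, a token view and a store, sharing one hard-coded consumer key and secret through a `consumer_fetcher`. The token layout, field names and HMAC-SHA256 signing are assumptions made for illustration, not annotator-store's actual token format.

```python
import hashlib
import hmac
import time

DEFAULT_TTL = 86400  # constructed value, in seconds
# Constructed credentials shared by the token view and the store.
CONSUMERS = {"my_site_consumer_key": "my_site_consumer_secret"}

def consumer_fetcher(key):
    """Return the consumer record for a known key, or None."""
    secret = CONSUMERS.get(key)
    if secret is None:
        return None
    return {"key": key, "secret": secret, "ttl": DEFAULT_TTL}

def _sign(secret, key, user_id, issue_time, ttl):
    # Length-prefix each field so field boundaries cannot be shifted.
    fields = [key, user_id, str(issue_time), str(ttl)]
    msg = "".join(f"{len(f)}:{f}" for f in fields).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()

def issue_token(key, user_id, now=None):
    """Token view side: sign the claims with the consumer secret."""
    consumer = consumer_fetcher(key)
    if consumer is None:
        raise KeyError("unknown consumer key")
    issue_time = int(time.time() if now is None else now)
    ttl = consumer["ttl"]
    sig = _sign(consumer["secret"], key, user_id, issue_time, ttl)
    return {"consumerKey": key, "userId": user_id,
            "issueTime": issue_time, "ttl": ttl, "sig": sig}

def verify_token(token, now=None):
    """Store side: fetch the secret by consumer key, check signature and expiry."""
    try:
        consumer = consumer_fetcher(token["consumerKey"])
        if consumer is None:
            return False
        expected = _sign(consumer["secret"], token["consumerKey"],
                         token["userId"], token["issueTime"], token["ttl"])
        if not hmac.compare_digest(expected, str(token["sig"])):
            return False
        now = time.time() if now is None else now
        lifetime = min(token["ttl"], consumer["ttl"])
        return token["issueTime"] <= now < token["issueTime"] + lifetime
    except (KeyError, TypeError):
        return False
```
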