OAuth plugin


In its current state. This plugin has received no security audit. Development has been entirely focused on Making It Work(TM). Use this plugin with caution.

Additionally, this and the API may break... consider it pre-alpha. There’s also a known issue that the OAuth client doesn’t do refresh tokens so this might result in issues for users.

The OAuth plugin enables third party web applications to authenticate as one or more GNU MediaGoblin users in a safe way in order retrieve, create and update content stored on the GNU MediaGoblin instance.

The OAuth plugin is based on the oauth v2.25 draft and is pointing by using the oauthlib.oauth2.draft25.WebApplicationClient from oauthlib to a mediagoblin instance and building the OAuth 2 provider logic around the client.

There are surely some aspects of the OAuth v2.25 draft that haven’t made it into this plugin due to the technique used to develop it.

Set up the OAuth plugin

  1. Add the following to your MediaGoblin .ini file in the [plugins] section:

  2. Run:

    gmg dbupdate

    in order to create and apply migrations to any database tables that the plugin requires.


This only enables the OAuth plugin. To be able to let clients fetch data from the MediaGoblin instance you should also enable the API plugin or some other plugin that supports authenticating with OAuth credentials.

Authenticate against GNU MediaGoblin


As mentioned in capabilities GNU MediaGoblin currently only supports the Authorization Code Grant procedure for obtaining an OAuth access token.

Authorization Code Grant


As mentioned in incapabilities GNU MediaGoblin currently does not support client registration

The authorization code grant works in the following way:


Authorization server
The GNU MediaGoblin instance
Resource server
Also the GNU MediaGoblin instance ;)
The web application intended to use the data
Redirect uri
An URI pointing to a page controlled by the client
Resource owner
The GNU MediaGoblin user who’s resources the client requests access to
User agent
Commonly the GNU MediaGoblin user’s web browser
Authorization code
An intermediate token that is exchanged for an access token
Access token
A secret token that the client uses to authenticate itself agains the resource server as a specific resource owner.

Brief description of the procedure

  1. The client requests an authorization code from the authorization server by redirecting the user agent to the Authorization Endpoint. Which parameters should be included in the redirect are covered later in this document.
  2. The authorization server authenticates the resource owner and redirects the user agent back to the redirect uri (covered later in this document).
  3. The client receives the request from the user agent, attached is the authorization code.
  4. The client requests an access token from the authorization server
  5. ?????
  6. Profit!

Detailed description of the procedure

TBD, in the meantime here is a proof-of-concept GNU MediaGoblin client:


and here are some detailed descriptions from other OAuth 2 providers:

and if you’re unsure about anything, there’s the OAuth v2.25 draft, the OAuth plugin source code and the #mediagoblin IRC channel.