With a little sneakiness, we can make calls to services in Editorial that use OAuth. I'll use Pocket as an example of how OAuth works:

  1. An application obtains a static key to make calls to the Pocket API (so that Pocket can easily invalidate the key and thus prohibit API requests if the application violates their TOS)
  2. The application makes a call to Pocket for a 'request token'. Pocket returns a token. The token is single-use only; once an authentication request has been make with the token, it cannot be used again and another token must be obtained.
  3. The application obtains an authentication url by making an authentication request with the request token. In this request the application also includes a re-direct url.
  4. The application loads the authentication url.
  5. The user grants the application access to their Pocket account.
  6. Pocket re-directs the user to the url specified by the application. The request token is now associated with successful authentication.
  7. The application gets an access token by making a request with the request token.
  8. The access token can now be used to make calls to the user's Pocket account.

The slightly tricky thing about implementing OAuth in a workflow is that it requires persistent state, but that state (the request and access tokens) are dynamically generated. We don't want to have to copy and paste keys all over the place.

The solution: Editorial is a text editor. What if we stored and loaded the keys in a text file? Bingo!

I've made 3 workflows; two for the authentication (Pocket Auth 1 & 2), and one that fetches a random article from the user's unread queue and opens it in the Editorial browser. The Pocket authentication only needs to run once. Here's how the whole thing works:

  1. To authenticate with Pocket, the user runs the Pocket Auth 1 workflow. Pocket Auth 1 gets a request token and an authentication url. It writes the request token to a file. It sets the callback url to the Pocket Auth 2 workflow and loads the auth url in the browser.
  2. Once the user has logged in and authenticated, Pocket Auth 2 is called.
  3. Pocket Auth 2 loads the request token and makes a request for an access token. It writes the access token to a file.
  4. Whenever the 'Random Pocket Article' workflow is executed, it loads the access token and makes the request. A random article from Pocket is loaded in the browser (In Instapaper's mobilizer)

This general OAuth in Editorial algorithm can be used for other services, as well. You can easily modify the 'Random Article from Pocket' workflow to do something else with Pocket.

Get a developer key for Pocket here

Pocket Auth 1

Pocket Auth 2

Random Article from Pocket