[oauth] 2-legged OAuth spec
Where's the latest specification of two-legged OAuth? The last one I saw was http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html But I wonder if there's a newer one. At IETF, perhaps?

--
You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oa...@googlegroups.com. To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/oauth?hl=en.
[oauth] Re: 400/401 Questions
You might find it helpful to add some diagnostic information to the response; for example http://oauth.pbworks.com/ProblemReporting
[oauth] Re: Signature Invalid and Token Rejected Errors-Yahoo Oauth Social API using Javascript, Getting contacts from Yahoo using Social API by OAUTH
Hi Vinod,

Much appreciated if you pls provide us with the sample Java code to get the Yahoo Contacts using Yahoo Contacts API.

Thanks
Anil

On Feb 13, 10:51 pm, Vinod facebook <vinod.faceb...@gmail.com> wrote:

Hi, I dunno how oauth in javascript works. I implemented oauth in Java and I faced the same signature invalid issue. I broke my head for about 2 weeks before I found a solution. Anyways this was the problem. I was running my app on a box which was sitting behind an apache webserver machine. So when I send out requests for any end point, the opensocial container used to sign the requests with my public IP address and while verifying the response from my end, the IP with which I would be signing was my local server's which was sitting behind my apache. Hence there was a mismatch and it used to fire the signature invalid exception every time. After finding this out, I fixed the issue by replacing the IP in my oauth message with that of my public IP before I do a validation. Now it works like a charm. Hope this helps :)

On Fri, Feb 12, 2010 at 1:32 PM, Test <test@gmail.com> wrote:

After referring so many threads from Google and Yahoo, I was not able to get an accurate/correct/exact answer/solution/fix for the signature_invalid problem which I am also facing. In those threads most of the samples for OAuth application were in JAVA, C# and Perl languages. But I wanted it working in Javascript. Though I found the sample code from http://oauth.googlecode.com/svn/code/javascript/ - still it was not that much clear to get the contacts of a user from Yahoo Social API. I followed the exact steps of OAuth too. After struggling for one week I am posting this thread out of frustration. I just needed a full fledged working sample or example of Getting contacts from Yahoo using OAuth in JS. Wherever I searched the Signature and Token Issues for Yahoo OAUTH, I was not able to get a complete answer. Even I tried the simple CURL command to GET/POST a request for Yahoo Social API. There too I was getting the same error. When I tried with https://social.yahooapis.com/v1/user/+guid+/contacts; I am getting Connection timed Out or Connection to the host lost. I am not sure why Yahoo Social API is not returning the exact error response as I got signature_invalid and token_rejected errors for mere API calls. Is there any solutions or suggestions at least for getting it to work?? Any help would be greatly appreciated.

Thanks
Test SCF
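The mismatch Vinod describes in the quoted message above, as an added example (not code from any poster in this thread): an OAuth 1.0 HMAC-SHA1 signature covers the request URL, so a backend behind a reverse proxy that rebuilds the base string from its internal address gets a different signature. The hostnames, secrets, parameter values and the `public_base` argument are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed sample values; none of them come from the thread.
CONSUMER_SECRET = "example-consumer-secret"
PUBLIC_URL = "http://app.example.com/social/contacts"   # URL the signer used
INTERNAL_URL = "http://10.0.0.5:8080/social/contacts"   # URL the backend sees
PARAMS = {
    "oauth_consumer_key": "example-consumer",
    "oauth_nonce": "7d8f3e4a",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1266000000",
    "oauth_version": "1.0",
    "format": "json",  # query parameters are signed together with oauth_* ones
}


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only unreserved chars stay literal."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Lowercase scheme and host, drop the default port, drop the query string."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = parts.hostname.lower()
    if parts.port not in (None, default_port):
        netloc = f"{netloc}:{parts.port}"
    return f"{scheme}://{netloc}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted parameters (oauth_signature excluded)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, seen_url, params, consumer_secret, token_secret="",
           public_base=None):
    """Recompute the signature for the URL the server believes was requested.

    public_base (hypothetical setting) is the externally visible scheme://host,
    taken from server configuration rather than from a client-supplied header.
    """
    url = seen_url
    if public_base is not None:
        url = public_base.rstrip("/") + (urlsplit(seen_url).path or "/")
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def demo():
    signed = dict(PARAMS)
    signed["oauth_signature"] = sign("GET", PUBLIC_URL, PARAMS, CONSUMER_SECRET)
    # Backend verifies against its own internal address: signature mismatch.
    behind_proxy = verify("GET", INTERNAL_URL, signed, CONSUMER_SECRET)
    # Backend rebuilds the public URL first: the same request now verifies.
    corrected = verify("GET", INTERNAL_URL, signed, CONSUMER_SECRET,
                       public_base="http://app.example.com")
    return behind_proxy, corrected


if __name__ == "__main__":
    print(demo())
```

Logging the signature base string on a failed verification makes this kind of mismatch visible, since the two sides' strings differ only in the encoded URL.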
[oauth] Re: Updating my Twitter status programmatically.
I've finally mastered OAuth! I think that someone not integrally tied to the OAuth project should write a tutorial about it - someone unencumbered by the history of the project that can focus on just what you need to know. The biggest problem for me was reading the spec which just didn't present the information in the way that my brain learns. Right now, I think that implementing OAuth rather than basic authentication is a daunting choice. With one, your efforts are trivial while the other can mean days of struggles. Get something wrong, and nothing works with hardly anything to go on. It takes lots of patience to find the problems. While I started with some libraries I found out there, I ended up doing my own consumer-side (client-side) implementation simply because I needed a framework for understanding what was happening going back and forth. If I have time, I might release my implementation. It is mostly written in JavaScript and handles the complete dance, starting with the consumer key, through to the request token, verifier code, and finally winds up with the access token given out by twitter.
[oauth] Google oAuth Access Token Longevity
I'm building an oAuth app that integrates with Contacts, and Gmail and everything is working correctly, except that the oAuth access tokens that I'm generating seem to only last 1 day. I was under the impression that oAuth access tokens should last indefinitely as long as they are not revoked by the user or my application. Can someone shed some light on this?

Thanks!
Gary
webnexsys.com
[oauth] Using OAuth as SSO
We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks.
Re: [oauth] Google oAuth Access Token Longevity
Token duration is a policy decision. Each site decides on what they will grant. For example at LinkedIn we give the user the option of one day, one week, one year, or until revoked. To help partners we are planning on adding some of the OAuth Session (http://oauth.googlecode.com/svn/spec/ext/session/1.0/drafts/1/spec.html) parameters to our responses, specifically oauth_expires_in.

Obviously apps need to be able to handle expired tokens, since the user can revoke them at any time.

On Thu, Mar 25, 2010 at 5:20 PM, Gary Young <gary.b.yo...@gmail.com> wrote:

I'm building an oAuth app that integrates with Contacts, and Gmail and everything is working correctly, except that the oAuth access tokens that I'm generating seem to only last 1 day. I was under the impression that oAuth access tokens should last indefinitely as long as they are not revoked by the user or my application. Can someone shed some light on this?

Thanks!
Gary
webnexsys.com
Re: [oauth] Using OAuth as SSO
OAuth can be used as a bastardized mechanism to do SSO, but it's not really recommended. OAuth only provides you with tokens, which could later be revoked, effectively destroying the identity that you're relying on. OpenID is the preferred way to achieve SSO because it provides you with a stable, reusable identifier. Twitter uses OAuth for SSO, but it's really kind of a mis-use of the technology, although in practice it kind of solves the problem. Essentially OpenID provides you with identity; OAuth provides you authorization to do things on behalf of a user. Since you're doing something on behalf of a user, you get a kind of temporary identity to do stuff but it's much more fragile than OpenID. Why don't you want to do OpenID?

Chris

On Fri, Mar 26, 2010 at 10:21 AM, Adam <apcau...@gmail.com> wrote:

We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks.

--
Chris Messina
Open Web Advocate, Google
Personal: http://factoryjoe.com
Follow me on Buzz: http://buzz.google.com/chrismessina
...or Twitter: http://twitter.com/chrismessina
This email is: [ ] shareable [X] ask first [ ] private
Re: [oauth] Using OAuth as SSO
If a site has an api that returns a stable user identifier then OAuth can work fine as an SSO. I wouldn't go so far as to call it bastardized.. The big difference between OpenID and OAuth is the idiom used. OpenID is designed to not require prior registration for use -- multiple relying parties and providers can interoperate using URLs and attribute exchange. With OAuth you need a consumer key/secret for your site, and the APIs for attribute exchange change from provider to provider.

On Fri, Mar 26, 2010 at 1:39 PM, Chris Messina <chris.mess...@gmail.com> wrote:

OAuth can be used as a bastardized mechanism to do SSO, but it's not really recommended. OAuth only provides you with tokens, which could later be revoked, effectively destroying the identity that you're relying on. OpenID is the preferred way to achieve SSO because it provides you with a stable, reusable identifier. Twitter uses OAuth for SSO, but it's really kind of a mis-use of the technology, although in practice it kind of solves the problem. Essentially OpenID provides you with identity; OAuth provides you authorization to do things on behalf of a user. Since you're doing something on behalf of a user, you get a kind of temporary identity to do stuff but it's much more fragile than OpenID. Why don't you want to do OpenID?

Chris

On Fri, Mar 26, 2010 at 10:21 AM, Adam <apcau...@gmail.com> wrote:

We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks.
Re: [oauth] Using OAuth as SSO
This is worth exploring further at the next OpenID Summit (assuming there is interest). RPs that we talk to have overlapping use cases and it's not fair to their developers to have completely independent SDKs (different signing mechanism, on boarding process etc).

-Ashish

---
Ashish Jain
Sr. Product Manager, PayPal Identity Services
email: ashish.j...@paypal.com
cell: 303-548-4325
skype: itickr
---

On Fri, Mar 26, 2010 at 7:16 PM, Robert Winch <rwi...@gmail.com> wrote:

If you haven't seen this post, it may be of interest http://hueniverse.com/2009/04/introducing-sign-in-with-twitter-oauth-style-connect/

On Fri, Mar 26, 2010 at 5:20 PM, Paul Lindner <lind...@inuus.com> wrote:

If a site has an api that returns a stable user identifier then OAuth can work fine as an SSO. I wouldn't go so far as to call it bastardized.. The big difference between OpenID and OAuth is the idiom used. OpenID is designed to not require prior registration for use -- multiple relying parties and providers can interoperate using URLs and attribute exchange. With OAuth you need a consumer key/secret for your site, and the APIs for attribute exchange change from provider to provider.

On Fri, Mar 26, 2010 at 1:39 PM, Chris Messina <chris.mess...@gmail.com> wrote:

OAuth can be used as a bastardized mechanism to do SSO, but it's not really recommended. OAuth only provides you with tokens, which could later be revoked, effectively destroying the identity that you're relying on. OpenID is the preferred way to achieve SSO because it provides you with a stable, reusable identifier. Twitter uses OAuth for SSO, but it's really kind of a mis-use of the technology, although in practice it kind of solves the problem. Essentially OpenID provides you with identity; OAuth provides you authorization to do things on behalf of a user. Since you're doing something on behalf of a user, you get a kind of temporary identity to do stuff but it's much more fragile than OpenID. Why don't you want to do OpenID?

Chris

On Fri, Mar 26, 2010 at 10:21 AM, Adam <apcau...@gmail.com> wrote:

We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks.
Re: [oauth] Using OAuth as SSO
Agreed. There's a bunch of interesting things that could be done to bring OpenID and OAuth closer together.

On Fri, Mar 26, 2010 at 7:15 PM, Ashish Jain <iti...@gmail.com> wrote:

This is worth exploring further at the next OpenID Summit (assuming there is interest). RPs that we talk to have overlapping use cases and it's not fair to their developers to have completely independent SDKs (different signing mechanism, on boarding process etc).

-Ashish

On Fri, Mar 26, 2010 at 7:16 PM, Robert Winch <rwi...@gmail.com> wrote:

If you haven't seen this post, it may be of interest http://hueniverse.com/2009/04/introducing-sign-in-with-twitter-oauth-style-connect/

On Fri, Mar 26, 2010 at 5:20 PM, Paul Lindner <lind...@inuus.com> wrote:

If a site has an api that returns a stable user identifier then OAuth can work fine as an SSO. I wouldn't go so far as to call it bastardized.. The big difference between OpenID and OAuth is the idiom used. OpenID is designed to not require prior registration for use -- multiple relying parties and providers can interoperate using URLs and attribute exchange. With OAuth you need a consumer key/secret for your site, and the APIs for attribute exchange change from provider to provider.

On Fri, Mar 26, 2010 at 1:39 PM, Chris Messina <chris.mess...@gmail.com> wrote:

OAuth can be used as a bastardized mechanism to do SSO, but it's not really recommended. OAuth only provides you with tokens, which could later be revoked, effectively destroying the identity that you're relying on. OpenID is the preferred way to achieve SSO because it provides you with a stable, reusable identifier. Twitter uses OAuth for SSO, but it's really kind of a mis-use of the technology, although in practice it kind of solves the problem. Essentially OpenID provides you with identity; OAuth provides you authorization to do things on behalf of a user. Since you're doing something on behalf of a user, you get a kind of temporary identity to do stuff but it's much more fragile than OpenID. Why don't you want to do OpenID?

Chris

On Fri, Mar 26, 2010 at 10:21 AM, Adam <apcau...@gmail.com> wrote:

We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks.
Re: [oauth] Using OAuth as SSO
I do agree with that. But it is important to recognize where each came from, and what problems each respectively sought to address. Narrowing the divide between the two and making it easier to use both together is something I'm absolutely in favor of.

Sent from my iPhone 2G

On Mar 26, 2010, at 9:19 PM, David Recordon <record...@gmail.com> wrote:

Agreed. There's a bunch of interesting things that could be done to bring OpenID and OAuth closer together.

On Fri, Mar 26, 2010 at 7:15 PM, Ashish Jain <iti...@gmail.com> wrote:

This is worth exploring further at the next OpenID Summit (assuming there is interest). RPs that we talk to have overlapping use cases and it's not fair to their developers to have completely independent SDKs (different signing mechanism, on boarding process etc).

-Ashish

On Fri, Mar 26, 2010 at 7:16 PM, Robert Winch <rwi...@gmail.com> wrote:

If you haven't seen this post, it may be of interest http://hueniverse.com/2009/04/introducing-sign-in-with-twitter-oauth-style-connect/

On Fri, Mar 26, 2010 at 5:20 PM, Paul Lindner <lind...@inuus.com> wrote:

If a site has an api that returns a stable user identifier then OAuth can work fine as an SSO. I wouldn't go so far as to call it bastardized.. The big difference between OpenID and OAuth is the idiom used. OpenID is designed to not require prior registration for use -- multiple relying parties and providers can interoperate using URLs and attribute exchange. With OAuth you need a consumer key/secret for your site, and the APIs for attribute exchange change from provider to provider.

On Fri, Mar 26, 2010 at 1:39 PM, Chris Messina <chris.mess...@gmail.com> wrote:

OAuth can be used as a bastardized mechanism to do SSO, but it's not really recommended. OAuth only provides you with tokens, which could later be revoked, effectively destroying the identity that you're relying on. OpenID is the preferred way to achieve SSO because it provides you with a stable, reusable identifier. Twitter uses OAuth for SSO, but it's really kind of a mis-use of the technology, although in practice it kind of solves the problem. Essentially OpenID provides you with identity; OAuth provides you authorization to do things on behalf of a user. Since you're doing something on behalf of a user, you get a kind of temporary identity to do stuff but it's much more fragile than OpenID. Why don't you want to do OpenID?

Chris

On Fri, Mar 26, 2010 at 10:21 AM, Adam <apcau...@gmail.com> wrote:

We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks.