I imagine a service provider might want to revoke a consumer secret.
You might specify how the service provider can signal that it has done
so, to enable the consumer to automatically get a fresh consumer
secret. You might extend http://oauth.pbwiki.com/ProblemReporting for
the purpose.
No, OAuth Core doesn't permit the consumer's secret to be used as the
signature, when the signature method is HMAC-SHA1.
A similar example that works is
http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html
. It uses other scripts from
Sorry to hear it doesn't work. What happened when you tried it?
I've seen it work in Internet Explorer 7 on Windows. But it won't
work if you simply load
http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html
, because the browser won't permit sending requests to other servers
(for
I propose to extend the Java oauth-core library to better support
accessing protected resources, as follows. Please let me know if this
is a bad idea, or there's a better way.
In brief, I propose to add a method to OAuthClient:
/** Send a request and return the response. */
public
What service provider are you trying to use? The Google Data APIs?
Check the URL. Google's access token URL is
https://www.google.com/accounts/OAuthGetAccessToken
, according to http://code.google.com/apis/gdata/auth.html#OAuth
In the access token request, the oauth_signature must be
No; each request is signed separately, with a different token secret
and parameters. The same signature method may be used, but the
signatures will be different because they're computed from different
inputs. At least, the nonce and/or timestamp must be different.
On Jan 31, 2:03 am, Razak
See http://oauth.net/core/1.0/#anchor14 :
The Signature Base String is a consistent reproducible concatenation
of the request elements into a single string. The string is used as an
input in hashing or signing algorithms.
Software that implements OAuth usually has algorithms that compute
To minimize dependencies, I recommend removing Java packages that you
don't need. You can eliminate several dependencies this way, such as
the Java Servlet API and both Apache HTTP client libraries.
I'm thinking of moving parts of oauth-core into new modules; for
example a module for consumers
If you want to use standard OAuth libraries, use a full set of
credentials: consumer key and consumer secret, token and token
secret. It's more than you need, but some libraries require it all.
If you need help using a specific library, this is a pretty good place
to ask.
On Apr 14, 10:32 pm,
meaningful to the user.
On Apr 12, 10:57 pm, John Kristian jmkrist...@gmail.com wrote:
The service provider would enable a user to revoke her access tokens,
e.g. in case they're stolen.
--~--~-~--~~~---~--~~
You received this message because you are subscribed
As a rule, a server shouldn't look for OAuth parameters in the body of
a request whose content-type isn't application/x-www-form-urlencoded
(as specified by http://oauth.net/core/1.0/#consumer_req_param). In
the OpenSocial example, the client could send an XML content-type,
such as text/xml or
I agree, the consumer should be informed whether the service provider
is 1.0 or 1.0a, before it redirects the user for authorization. In
addition to the reasons noted above, it enables a consumer to protect
the user from the security hole in 1.0, by refusing to work with a 1.0
service provider.
That sounds like a fine idea, to me. I'd prefer that the server send
the information without being asked.
We might as well follow established practice, if it works well. What
does the Python library do, exactly? Are there popular service
providers that do something similar? What do they do,
I'll do that. Thanks for pointing it out.
On Jun 11, 7:52 am, bowa bruno.w...@gmail.com wrote:
Can someone with svn commit rights to the google code project change
this and put a new build on the maven repo please?
thanks,
bruno
I corrected this, in version 20090531. I'm sorry I caused you
difficulty.
Done, in -r1052 of the Java library
http://oauth.googlecode.com/svn/code/java/core/httpclient4/
Thanks for the suggestion.
On Jun 8, 12:01 pm, Paul Austin paul.d.aus...@gmail.com wrote:
Could a new constructor be added which just accepted a consumerKey and
consumerSecret and automatically
Source code: http://code.google.com/p/oauth/source/browse/#svn/code/java/core
Maven repository: http://oauth.googlecode.com/svn/code/maven
For example, oauth.jar:
http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth/20090531/oauth-20090531.jar
On Jun 12, 10:11 pm, Mandakini kumari
There are automated tests, mostly in a separate module
net.oauth.core:oauth-test.
I hope to add improvements, but nothing major soon.
I'm not familiar with the Objective-C or PHP implementations.
On Jun 18, 5:28 am, Monis monisiq...@gmail.com wrote:
Hi John,
It's good to see the new
Yes, your request for an access token should be signed with the
request token secret; that is the oauth_token_secret that you received
with your request token. Also, requests for access to APIs should be
signed with the access token secret, that is the oauth_token_secret
that you received with
I recently committed a change to support the 1.0a spec, but it hasn't
been released. I'll release it, if you like:
-r1057 | 2009-06-17 22:31:12 -0700 (Wed, 17 Jun 2009)
Added support for OAuth Core version 1.0a, specifically
new parameter names and a method OAuthClient.getRequestTokenResponse.
I released version 20090617 with support for 1.0a.
On Jul 2, 9:57 am, Manish Pandit pandit.man...@gmail.com wrote:
On Jun 23, 10:14 pm, John Kristian jmkrist...@gmail.com wrote:
I recently committed a change to support the 1.0a spec, but it hasn't
been released. I'll release it, if you
The source code is in
http://oauth.googlecode.com/svn/code/maven/net/oauth/oauth-core/20090315/oauth-core-20090315-sources.jar
or you can get it from svn thus:
svn checkout -r917 http://oauth.googlecode.com/svn/code/java/core
On Jul 8, 3:47 am, Avi syndicatebk...@gmail.com wrote:
2) Is there
After you've authorized, DesktopClient.access expects Mediamatic to
redirect your browser to its embedded server; that is the Jetty server
to which the local variable access.server refers. The URL is
something like http://localhost:5298/oauth/callback. It sounds like
Mediamatic isn't doing
I would pass a verifier, perhaps oauth_verifier=placeholder. I
imagine a careless consumer might behave badly if the verifier is
absent.
On Jul 13, 4:48 pm, Richard Wallace rwall...@thewallacepack.net
wrote:
The OAuth spec section 6.2.3 states that If the User denies access,
the Consumer MAY
Try calling client.access, instead of client.invoke. The invoke
method is intended for requesting OAuth tokens, not accessing
protected resources.
On Jul 9, 3:43 pm, Siahm siahm@gmail.com wrote:
Hello, I am trying to upload a file with OAuth and I can't. I get error
500 or 200, but I am
OAuth would enable slave servers to send HTTP requests directly to
master servers, with assurance that a user authorized each request.
If you need this, OAuth is a reasonable choice; if you don't, it
probably isn't.
On Jul 18, 8:14 am, Douglas dugca...@gmail.com wrote:
Please be gentle ;-) ...
You can generate javadoc like this:
svn checkout http://oauth.googlecode.com/svn/code/java/core
cd core
mvn javadoc:javadoc
You'll find the javadoc in target/site/apidocs/index.html.
There's a beginner's guide http://oauth.net/documentation/getting-started
Yes, tokens may be expired or
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
The consumer key, consumer secret and nonce should be unguessable. A
popular choice is bits from a cryptographically strong random number
generator, encoded as letters and numerals. The nonce should not be a
predictable function of other data.
Don't add salt to the signature algorithm. That
:17 pm, John Kristian jmkrist...@gmail.com wrote:
Yes, tokens may be expired or revoked. But OAuth Core doesn't
standardize the process.
I've read that an iPhone app can't retrieve Key Chain items that were
stored by other apps.
http://www.softwareops.com/blogs/iPhone/iPhoneDevBlog_files/b4452aa19b4b4d6fb2a7c149dbacaa75-33.html
If true, the Key Chain would be a good place to store token secrets.
On Jul 26, 11:25 am, Monis
http://wiki.oauth.net/ProblemReporting is applicable.
No. :-)
On Aug 6, 10:55 am, javacat henrik.mar...@rovicorp.com wrote:
Hi folks. I joined the OAuth group and mailing list yesterday. It
seems like this group is a general OAuth discussion forum, but I'm
mainly interested in the Java library implementation. Is there a
specific group or
There's an example service provider at
http://code.google.com/p/oauth/source/browse/#svn/code/java/example/oauth-provider
But it doesn't do what Shunde wants.
I don't find any code at http://code.google.com/p/oauth-java/
On Aug 15, 2:15 am, michael_h mic...@gmail.com wrote:
The Java implementation
http://code.google.com/p/oauth/source/browse/#svn/code/java/core/commons/src/main/java/net/oauth
validates timestamp and nonce before signature. I've just committed
changes to defend against a timing attack. It accepts plaintext
signatures by default, but one can make it
The signature base string should begin:
POST&http%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds%2Fdefault%2Fprivate%2Ffull&gsessionid
Technically it's incorrect for the authorization header to contain a
gsessionid parameter; the standard place to put it would be in the URL
query string. But Google
A user should be responsible for his access token secret. If he
reveals it to an attacker, he should expect the attacker can
impersonate him, just as if he gave his authorized mobile device to
the attacker. An application can help prevent such a mistake, by
making it difficult for the user to
need a way to identify unauthorized applications.
On Aug 20, 6:23 pm, Sunir Shah su...@freshbooks.com wrote:
On 20-Aug-09, at 9:03 PM, John Kristian wrote:
If an application turns out to be malicious, I don't know how you can
unauthorize it without unauthorizing other applications on the same
Rather than assign a different consumer secret to each device, I
suggest each device get a unique access token secret using OAuth; that
is by asking the user to authenticate to each service provider and
authorize the device. (The token secret and consumer secret are
separate elements in OAuth.)
Do OAuth service providers redirect consumers? I mean send HTTP
status code 301, 302, 303 or 307 in response to a request for a token
or access to a protected resource. If the first request wasn't a GET,
should the consumer fail, send a GET or repeat the original method
(e.g. POST)? If a
http://code.google.com/apis/calendar/faq.html#redirect_handling
requires a consumer to repeat the original request (e.g. POST). The
consumer must send either an S cookie or a gsessionid parameter from
the redirect response, in this and subsequent requests in a session.
I'm not sure what a
Here's a simpler way, which works for me.
import net.oauth.OAuth;
import net.oauth.OAuthAccessor;
import net.oauth.OAuthConsumer;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthServiceProvider;
import net.oauth.client.OAuthClient;
import net.oauth.client.httpclient4.HttpClient4;
Perhaps the timestamp is out of range because the server's clock is
wrong.
Check the signature base string, compared to
http://oauth.googlecode.com/svn/code/javascript/example/signature.html
If the base strings are the same but the signatures are different,
b64_hmac_sha1 is wrong.
The oauth_verifier should be sent to the service provider when
requesting an access token, like this:
client.getAccessToken(oAuthAccessor, null,
    OAuth.newList("oauth_verifier", params.getString("oauth_verifier")));
On Sep 7, 1:52 am, stager0909 stager0...@gmail.com wrote:
I want to get yahoo
Thank you, David! A great idea, and a working implementation too. I
committed a similar change to
http://oauth.googlecode.com/svn/code/javascript/oauth.js
It uses the query string parameter name oauth_timestamp, instead of
servertime. For example, in PHP:
script
You can ask Signpost users via http://groups.google.com/group/signpost-users
On Sep 7, 7:41 am, Smelly Eddie ollit...@gmail.com wrote:
Hello, I am using the signpost twitter example but with Netflix's API.
No, the signature base string doesn't contain parameters from the body
of a PUT request.
There is an extension to protect request bodies.
http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html
On Sep 15, 8:29 am, Hannes Tydén han...@soundcloud.com wrote:
When I do a POST
You can implement body hashing on top of the Java library, but the
library doesn't implement it.
On Sep 16, 1:06 pm, Monis monisiq...@gmail.com wrote:
Do we have the support for this extension in the oauth java library?
OAuthAccessor.accessToken should be initialized to null, not (to
indicate that the consumer has not yet obtained a valid access token).
The example oauth-provider validates requests like this:
SampleOAuthProvider.VALIDATOR.validateMessage(requestMessage, accessor);
It calls
The latest core .jar is in
http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth/20090825/
HttpRequestMessage and OAuthServlet are in
http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth-provider/20090531/
SampleOAuthProvider is in the .war file in
1. Yes, a consumer may send some parameters in a header and others in
the body.
2. Yes, oauth_verifier is signed; that is, it's included in the
Signature Base String.
It sounds like the Ruby/Rails software needs work.
On Oct 21, 1:31 am, Florent florentvauce...@gmail.com wrote:
1. Can the
SimpleOAuthValidator checks nonces, but not very well. See the
javadoc for details. For a scalable service provider, you need a
database to store nonces that have been used recently.
On Oct 21, 11:51 pm, Anuradha Thota anuradha.th...@gmail.com wrote:
I need to check the nonce value to see if
There's a sample service provider source code in
http://oauth.googlecode.com/svn/code/java/example/oauth-provider/
It has javadoc, but no other documentation. It's a Servlet
application. It uses .jars whose source code is in
http://oauth.googlecode.com/svn/code/java/core/provider/ and
Authorization may depend on the user, as well as the consumer. For
example, suppose the service provider has data for each user, and each
user may access his own data but not other users' data. So, a consumer
acting on behalf of User X may access the data for X but not Y; a
consumer acting on
Would the addition of a new value help the consumer to resolve
problems better? I think any new value should, as a rule. That is,
let's not add values that don't help the consumer resolve problems.
In this case, an alternative is to send
oauth_problem=parameter_rejected and
Could consumer software recognize oauth_problem=parameter_duplicated,
and react by sending another request without duplicate parameters,
without bothering the user? That would be good for the user, and thus
a good reason to add parameter_duplicated to the repertoire. But I
wonder why the
SSL can provide data privacy (with encryption) and assure the user or
consumer of the service provider's identity (with certificate-based
server authentication). OAuth doesn't do any of this.
A mix of HTTP and HTTPS can be used. For example, one could use HTTPS
for sending token secrets and
In theory, a service provider could handle a change of consumer
credentials, and continue to accept access tokens that it issued to
that consumer previously. But that seems dangerous. If the consumer
credentials were revealed to an attacker, it seems likely that access
tokens and secrets were also
Don't add an oauth_token parameter to params. OAuthClient.invoke will
do that for you.
It's not necessary to set accessor.tokenSecret, if you set the
accessToken and tokenSecret. In this case, accessor.tokenSecret
should be the secret that the service provider sent with the access
token.
The oauth_timestamp has no time zone; it's implicitly Universal Time
(also known as GMT). But OAuth service providers usually require
consumers' clocks to be fairly accurate.
You could try implementing your client to adapt to the server's clock.
It could look at the Date in the HTTP response
Some service providers put information into the access token, such as
the user identity, privileges granted etc. This can help performance
and scalability.
On Mar 3, 11:42 pm, PK pengk...@gmail.com wrote:
Can't the server just upgrade the temporary credentials to token
credentials and retain
This might give you some helpful information:
OAuthResponseMessage response = ...
responseCode = response.getHttpResponse().getStatusCode();
if (responseCode != 200) {
Map<String, Object> dump = response.getDump();
System.out.println(dump.get(HttpMessage.REQUEST));
Where's the latest specification of two-legged OAuth? The last one I
saw was
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
But I wonder if there's a newer one. At IETF, perhaps?
You might find it helpful to add some diagnostic information to the
response; for example http://oauth.pbworks.com/ProblemReporting
The net.oauth library works with LinkedIn. For example:
http://bitbucket.org/jmkristian/testoauth/src/tip/src/main/java/net/oauth/example/consumer/LinkedIn.java
On Apr 6, 3:32 pm, Pablo Fernandez fernandezpabl...@gmail.com wrote:
I've developed a new OAuth library for java that is ... the only
The net.oauth library is the oldest. It's been used in Shindig, by
LinkedIn and some other companies I'm aware of. It works with several
HTTP clients: the Java standard HttpURLConnection, and Apache versions
3.x and 4.x.
You can set the oauth_callback parameter dynamically, like this:
OAuthServiceProvider provider = ... // not including oauth_callback
String callbackURL = ...
String authorizationURL =
OAuth.addParameters(provider.userAuthorizationURL,
OAuth.OAUTH_CALLBACK, callbackURL);
// Next, direct the
Thank you for the patch. I'll review it this weekend.
It's nice to hear you're getting some value from this software.
On May 5, 7:32 pm, Matt matt.la...@gmail.com wrote:
I opened issue 156 a couple of weeks ago, including a patch to fix the
problem. There hasn't been activity on the bug, so
The OAuth spec doesn't require tokens to be URL-safe. It's nice if
they are, but it's not required.
Tokens (and other parameters) from the service provider are percent
encoded. See http://tools.ietf.org/html/rfc5849#section-2.1 and
http://tools.ietf.org/html/rfc5849#section-2.3
Request
Several implementations of OAuth in Python already exist. It would
probably help to use one, or at least look at its source code. For
examples see http://oauth.net/code/
I'm not familiar with Python, but it looks like the code above fails
to percent encode values in several places, and fails to
I assume you used Maven to build a .war from
http://oauth.googlecode.com/svn/code/java/example/oauth-provider
Perhaps you didn't deploy the .war to /OAuthProviderEKM. To check,
direct your browser to http://localhost:8080/OAuthProviderEKM/
If the .war was deployed correctly, you'll see a page
Please don't make any changes that are incompatible with existing
applications of the net.oauth library.
Since OAuth 1 and OAuth 2 use conflicting terminology, I recommend
creating a new package net.oauth.v2. For example, you can create the
class net.oauth.v2.OAuthClient, with minimal confusion
It's vendor specific.
The only one I know is http://oauth.googlecode.com/svn/code/maven