Deepak Shetty wrote:
That can't be right. You mean Internet Explorer / Firefox will sign this?
As far as I understand this is between two websites, where one relies on
the other to perform the actual authentication and they pass signed tokens
to securely get this information across.
I looked at a demo http://twitteroauth.appspot.com/, which seems to
indicate the above. (In a Java app world this is very similar to SAML,
something I have done in JMeter without needing any additional libraries.)
As far as I know, there is no support in Firefox or IE for OAuth, unless
you have custom extensions. There is certainly no support required.
OAuth is a mechanism for machine to machine authentication in the name
of a user. It is designed for those cases where it would be really
useful to give an external site/application your password, but you
obviously don't want to give out your password.
OAuth allows the end user to use OAuth tokens instead of login details,
which means that you can allow a third party site to access all or part
of your Twitter profile, to continue the example. The third party site
will store an OAuth token, and it can use this token to log in to
Twitter as you.
As it happens, I have implemented the bulk of the OAuth protocol in
Python. It's a simple protocol, and easy to do, but because all of the
data you send is signed and checked, the smallest thing like extra
line-feeds can break it completely - it's best to use an existing tested
implementation.
And it is technically possible to use OAuth without SHA1; I think that
the only other option is plaintext, which offers no security, and
removes the major performance hits on the server.
Cheers,
Ronan
regards
deepak
On Thu, Oct 22, 2009 at 12:19 AM, Ronan Klyne <[email protected]> wrote:
Deepak Shetty wrote:
Hi,
Maybe I'm missing something, but how exactly does OAuth differ from any
other HTTP web based app (the signing etc. is still done at the server and
passed around in hidden fields etc.), is it not?
No. The client is required to be able to sign the request using the access
key secret. At the very least, this requires some implementation of SHA1,
and some careful coding.
It's probably possible to do this in a BSF/Java pre-processor, but it might
take a lot of fiddling and testing to get it right.
Ronan
regards
deepak
On Tue, Oct 20, 2009 at 1:48 PM, Milamber <[email protected]> wrote:
Hello,
On JMeter dev-list, one thread:
http://mail-archives.apache.org/mod_mbox/jakarta-jmeter-dev/200904.mbox/%3cc60d0f8e.f1bd0%[email protected]%3e
and 1 bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47040
Milamber
On 20/10/2009 11:49, nikolaos prodromidis wrote:
Hi all,
Is there any way of using JMeter to complete the OAuth authentication
process? Has this been done before or even talked about?
Thanks, Nikos.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]