Deepak Shetty wrote:
OAuth allows the end user to use OAuth tokens instead of login details,
which means that you can allow a third party site to access all or part of
your Twitter profile, to continue the example. The third party site will
store an OAuth token, and it can use this token to log in to Twitter as
you.
Exactly. So whatever libraries you need are needed for the webapp you are
developing (if you were actually implementing the protocol). If you wanted
to test this out, you don't need anything special; the demo does work in a
standard browser (which is what we are simulating in JMeter).
Yes, exactly right. The browser does not need any special libraries or
software to interact with that web site, as the browser does not do any
signing of OAuth requests.
I guess you are saying libraries are needed if you want JMeter to act as the
third party, right (which shouldn't normally be what you are testing out)?
Yes, libraries would be needed for that, but it's not as unusual as you
might think. OAuth is well suited to providing authentication to web
services and other APIs. It's not unreasonable to think that someone
might want to load test such an API...
Ronan
regards
deepak
On Fri, Oct 23, 2009 at 12:02 AM, Ronan Klyne <[email protected]> wrote:
Deepak Shetty wrote:
That can't be right. You mean Internet Explorer / Firefox will sign this?
As far as I understand, this is between two websites, where one relies on
the other to perform the actual authentication and they pass signed tokens
to securely get this information across.
I looked at a demo, http://twitteroauth.appspot.com/, which seems to
indicate the above. (In a Java app world this is very similar to SAML,
something I have done in JMeter without needing any additional libraries.)
As far as I know, there is no support in Firefox or IE for OAuth, unless
you have custom extensions. There is certainly no support required. OAuth is
a mechanism for machine to machine authentication in the name of a user. It
is designed for those cases where it would be really useful to give an
external site/application your password, but you obviously don't want to
give out your password.
OAuth allows the end user to use OAuth tokens instead of login details,
which means that you can allow a third party site to access all or part of
your Twitter profile, to continue the example. The third party site will
store an OAuth token, and it can use this token to log in to Twitter as you.
As it happens, I have implemented the bulk of the OAuth protocol in Python.
It's a simple protocol, and easy to do, but because all of the data you send
is signed and checked, the smallest thing like extra line-feeds can break it
completely - it's best to use an existing tested implementation.
And it is technically possible to use OAuth without SHA1, I think that the
only other option is plaintext, which offers no security, and removes the
major performance hits on the server.
Cheers,
Ronan
regards
deepak
On Thu, Oct 22, 2009 at 12:19 AM, Ronan Klyne <[email protected]> wrote:
Deepak Shetty wrote:
Hi,
maybe I'm missing something, but how exactly does OAuth differ from any other
HTTP web based app (the signing etc. is still done at the server and passed
around in hidden fields etc.), is it not?
No. The client is required to be able to sign the request using the access
key secret. At the very least, this requires some implementation of SHA1,
and some careful coding.
It's probably possible to do this in a BSF/Java pre-processor, but it might
take a lot of fiddling and testing to get it right.
Ronan
regards
deepak
On Tue, Oct 20, 2009 at 1:48 PM, Milamber <[email protected]> wrote:
Hello,
On JMeter dev-list, one thread:
http://mail-archives.apache.org/mod_mbox/jakarta-jmeter-dev/200904.mbox/%3cc60d0f8e.f1bd0%[email protected]%3e
and 1 bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47040
Milamber
On 20/10/2009 11:49, nikolaos prodromidis wrote:
Hi all,
Is there any way of using JMeter to complete the OAuth authentication
process? Has this been done before or even talked about?
Thanks, Nikos.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
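
Added example (not part of the original thread and not any poster's code): a minimal OAuth 1.0 HMAC-SHA1 signer and verifier in Python, showing what a load-test client acting as the third party has to compute, why a single stray line-feed invalidates the signature, and why PLAINTEXT binds nothing to the request. The URL, keys, secrets, nonce and timestamp are constructed sample values, and the URL is assumed to be already normalized with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & encoded URL & encoded sorted params."""
    # Encode every name and value first, then sort the encoded pairs.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with both shared secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_plaintext(consumer_secret, token_secret=""):
    """PLAINTEXT 'signature': the secrets themselves, independent of the request."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def verify(method, url, params, signature, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    expected = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample request and credentials (not real values).
URL = "http://api.example.test/statuses/update"
PARAMS = {
    "status": "load test 1",
    "oauth_consumer_key": "sample-consumer-key",
    "oauth_token": "sample-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1256200000",
    "oauth_nonce": "constructed-nonce-01",
    "oauth_version": "1.0",
}
SECRETS = ("sample-consumer-secret", "sample-token-secret")
SIG = sign_hmac_sha1("POST", URL, PARAMS, *SECRETS)
TAMPERED = dict(PARAMS, status="load test 1\n")  # one stray line-feed

if __name__ == "__main__":
    print(base_string("POST", URL, PARAMS))
    print("valid:", verify("POST", URL, PARAMS, SIG, *SECRETS))
    print("with extra LF:", verify("POST", URL, TAMPERED, SIG, *SECRETS))
```

A real client must also send a fresh nonce and timestamp with every request, which is why a recorded signed request cannot simply be replayed in a load test.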