Hi Chris,

Luca's list is good. Maybe you can add a section on how someone could start implementing OAuth in his software, and start the section with a small list like Luca's.
Maybe you can add a warning about the problems with URL encoding in different programming languages, and supply correct versions.

I'd like to add that whenever you implement a protocol you have to read the spec first, or at least a good summary of the spec. The moment you understand the protocol (and also the spec) you can start implementing it. Whilst implementing it you add test cases so that you can validate your implementation. That is before you start using the protocol to talk to an external party.

From Kent Brewster's comments I think he didn't read the spec before he started trying to implement OAuth. He also clearly didn't try out the published test cases. My impression is that he didn't have a full understanding of the OAuth protocol before implementing it.

Programming any protocol, especially security-related protocols, is careful work. You need to know what you are doing. You need to grow your software by testing. You need to understand the protocol thoroughly. That is why programmers use libraries for most protocols.

As protocols go, OAuth is not that hard to implement. Testing it in a live situation is hard though, mostly due to the omission of sensible error messages. What could help OAuth is a better standardization of the error messages returned. Errors like nonce reuse can then be easily caught and reported.

- Marc

On 28 apr 2009, at 09:20, Chris Messina wrote:

> Thanks Luca,
>
> Let me ask this: what else could we be doing to make the "walk up" experience of OAuth easier/better?
>
> I think that the website needs an overhaul (as do most of the Open/Social Stack sites!!). I'd like to know what we could do to make these sites better — meeting a wider community of practice's needs.
>
> Chris
>
> On Tue, Apr 28, 2009 at 12:13 AM, Luca Mearelli <[email protected]> wrote:
>
> > On Tue, Apr 28, 2009 at 7:42 AM, Chris Messina <[email protected]> wrote:
> >
> > > Is OAuth this hard for everyone else?
> > > http://kentbrewster.com/oauth-confessions/
> >
> > I think that we agree that OAuth *is* complex, and has a few hard points (especially about the signing process, e.g. the signature base string composition), but if we think about what it's trying to do (passing authorization around in a three-subject dance across untrusted channels) that's understandable.
> >
> > These are the things that have helped me (might be banal, might be not...):
> >
> > - read the spec, try to understand the steps,
> > - look at the examples and walkthroughs (especially those at hueniverse.com)
> > - look at the examples from the library of your choice (the ruby one in my case)
> > - try out with the test providers
> > - read the mailing list
> >
> > Luca
>
> --
> Chris Messina
> Open Web Advocate
>
> factoryjoe.com // diso-project.org // openid.net // vidoop.com
> This email is: [ ] bloggable [X] ask first [ ] private

You received this message because you are subscribed to the Google Groups "OAuth" group.
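The two implementation traps named in this thread, Marc's URL-encoding differences between languages and Luca's signature base string composition, worked through as an added example; this is not code from anyone on the thread. It uses Python's standard library only, and the request values are the ones published in OAuth Core 1.0 Appendix A (a constructed request, not one from this list).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, quote_plus, urlsplit

# Besides ALPHA and DIGIT, OAuth Core 1.0 section 5.1 leaves only these characters bare;
# everything else becomes %XX (UPPERCASE hex over UTF-8 bytes).
OAUTH_UNRESERVED = "-._~"

def oauth_encode(value: str) -> str:
    """Percent-encode exactly as the OAuth 1.0 signing rules require."""
    # quote() leaves "/" bare by default, which breaks signatures; override `safe`.
    return quote(value, safe=OAUTH_UNRESERVED)

def stock_encoders(value: str) -> dict:
    """The same input through the language's ready-made encoders, for contrast."""
    return {"quote": quote(value), "quote_plus": quote_plus(value), "oauth": oauth_encode(value)}

def normalize_url(url: str) -> str:
    """Section 9.1.2: lowercase scheme and host, drop default port, query and fragment."""
    p = urlsplit(url)
    host = p.hostname
    if p.port is not None and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path}"

def signature_base_string(method: str, url: str, oauth_params: list) -> str:
    """Section 9.1: METHOD & encoded(normalized URL) & encoded(normalized parameters)."""
    pairs = list(oauth_params) + parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = [(k, v) for k, v in pairs if k != "oauth_signature"]  # the signature is never signed
    # Encode first, then sort by name and then by value (section 9.1.1).
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])

def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 9.2: key = encoded(consumer secret) & encoded(token secret); base64 output."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

# Constructed request using the example values from OAuth Core 1.0 Appendix A.
SPEC_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SPEC_PARAMS = [("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
               ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1191242096"),
               ("oauth_nonce", "kllo9940pd9333jh"), ("oauth_version", "1.0")]

if __name__ == "__main__":
    print(stock_encoders("a b/c~"))
    base = signature_base_string("GET", SPEC_URL, SPEC_PARAMS)
    print(base, hmac_sha1_signature(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"), sep="\n")
```

Running it shows three different encodings of the same string from one language's own library, which is exactly why a signature computed with the default encoder fails to verify at the provider.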
