[oauth] Re: [OAUTH-WG] OAuth WRAP
On Tue, Nov 10, 2009 at 1:40 PM, Paul C. Bryan wrote:

> It seems to me that without simple guidelines on what's reasonable to be called "OAuth", anyone can propose a protocol that purports to be related in some way to OAuth, at the expense of community confusion and dilution of its meaning. Is there a way to mitigate this kind of occurrence other than by simply dismissing it as noise?

Hi Paul,

This is an important point and one that drove the move to rename WRAP to OAuth WRAP. Let me explain how this decision was made, with an eye to what it means for other projects calling themselves "OAuth".

Dick Hardt originally reached out to various members of the OAuth community in August and explained what he, Brian Eaton, and Allen Tom were working on (perhaps there were others, but they seem like the core group). At the time, they called the initiative "Simple OAuth" — "simple" because of its reliance on HTTPS for handling the crypto.

While moving the crypto to SSL simplified the protocol and removed the need for signing (the biggest problem for developers implementing OAuth) it created a new burden, which was obtaining a certificate. Now, the point was made to me that anyone serious about security will have to obtain an SSL cert anyway, so that wasn't such a big deal. However, from the perspective of the individual or independent developer, I felt like this was a fairly serious change in OAuth, and a challenge to the promise of the OAuth protocol (namely one protocol for authorization, regardless of the size of your organization). I want people who run their own WordPress installs on a shared host to be able to use OAuth just as large providers like Google and Yahoo do.

I didn't want this new effort to use the name OAuth for exactly the reasons that you specified. This seemed like a fork of the project and a dilution of the brand. It also seemed to conflict with Eran's work here at the IETF and I encouraged Dick to seek a more transparent process to developing the protocol.
Several weeks went by and progress was made — including the eventual renaming of the protocol to WRAP. This seemed like a fairly satisfactory development.

At IIW, Dick presented a joint session with Brian Eaton (Google) on WRAP. There was considerable interest and many suggestions and improvements were proposed.

Following the session, I reconsidered my position. My original concern with WRAP (when it was called "Simple OAuth") was that it would fragment the efforts of the community. If a new protocol came out calling itself "Simple OAuth", people would gravitate to it and potentially abandon work on improving the core spec. Now with WRAP clearly taking cycles from the people at Yahoo, Google, and Microsoft who would otherwise be working on OAuth Core, we had a decision to make: refuse them the ability to use the brand or find a middle ground that might pave the way for similar implementation-driven projects to find a foothold in the OAuth community.

On top of that, the OAuth community must confront the simplicity and elegance of Facebook Connect. Although not everyone is paying attention to Facebook, theirs is a significant enough distraction from standards-based work that we must keep in mind that OAuth does not exist in a vacuum. From a competitive perspective, we must constantly work to improve our technology, and make it easier to adopt the "open" and "universal" solution — to the point where Facebook could adopt it.

In that light, it's also important to remember where OAuth came from. The original contributors to OAuth were a small, tight knit group of folks solving a problem that each of them shared. They looked to the work that had come before them — for patterns and solutions that had been established by the Googles, Yahoos, Flickrs, Microsofts, and AOLs of the web. What they came up with was, unexpectedly, adopted by most of the companies that were the inspiration for the universal solution.
That said, looking back, OAuth itself was largely developed in semi-secrecy, with a closed mailing list and a private spec that didn't see the light of day until months into the process. I know this because I was the one that made the decision to keep our work private. Whether we like it or not, the best work doesn't always come from completely transparent processes and so I'd be a hypocrite if I didn't evaluate WRAP in the same light that led to the original success of OAuth.

Now, when it came to deciding what to call WRAP, well... that was more of a political calculation than a technical one. Dick had done the right thing in coming to us early and telling us what he was working on. I wish it had happened on the public list, but that was his decision to make and the fact of the matter is: they're damned near a 1.0 spec and are now ready for feedback. This is a perfectly valid way to develop specs and standards — especially since they're leading with an implementation.

OAuth Core 1.0 captured the best thinking around del-auth whe
[oauth] Re: which php libraries are people using?
I don't know if anyone has mentioned EpiOAuth.

http://github.com/jmathai/twitter-async

---
Nicholas Granado
twitter: heatxsink
web: http://nickgranado.com
email: ngran...@gmail.com

On Wed, Nov 11, 2009 at 11:40 AM, Melvin Carvalho wrote:

> On Wed, Nov 11, 2009 at 5:58 PM, camilo_u wrote:
> >
> > There is a Zend Framework proposal currently testing called
> > Zend_OAuth:
> >
> > http://framework.zend.com/wiki/pages/viewpage.action?pageId=37957
> >
> > You can take a look at the code here:
> >
> > http://framework.zend.com/svn/framework/standard/incubator/library/Zend/Oauth/
> >
> > One of the proposers, Pádraic Brady, has a sample implementation with
> > Twitter:
> >
> > http://blog.astrumfutura.com/archives/411-Writing-A-Simple-Twitter-Client-Using-the-PHP-Zend-Frameworks-OAuth-Library-Zend_Oauth.html
>
> Also recently came across this twitter impl. also on github
>
> http://github.com/abraham/twitteroauth
>
> > As far as I know it's ready with the OAuth Core 1.0 Revision A, and
> > hopefully it will be available on the Zend Framework 1.10, so this will
> > be a very common library soon.
> >
> > Regards,
> >
> > Camilo Usuga
> >
> > On 10 nov, 16:56, Jeff Hodsdon wrote:
> >> There is also a PEAR library, http://pear.php.net/package/HTTP_OAuth,
> >> which has classes for being a provider.
> >>
> >> -jeff
> >> On Nov 6, 2009, at 8:21 AM, Joseph Smarr wrote:
> >>
> >> > Thanks Morten. I'd really encourage you to finish up those patches
> >> > and submit them, since I think a lot of people do use that OAuth
> >> > library. I'm happy to do a code review or otherwise take a look at
> >> > it if that's useful to you.
> >>
> >> > Thanks, js
> >>
> >> > On Fri, Nov 6, 2009 at 12:34 AM, Morten Fangel <fan...@sevengoslings.net> wrote:
> >> > Hi,
> >>
> >> > I did some of the most recent patches on the http://oauth.googlecode.com/svn/code/php/
> >> > library.. And speaking of two-legged and rev. a. - I actually have
> >> > done work on those, I just haven't had time to finish up on the work
> >> > (but they are running on the OAuth Sandbox which can be found at http://oauth-sandbox.sevengoslings.net
> >> > - so it does work)
> >>
> >> > Just to let people know that the library isn't dead.. ;)
> >>
> >> > -Morten
> >>
> >> > On Nov 5, 2009, at 9:49 PM, Joseph Smarr wrote:
> >>
> >> >> It seems like there are several actively maintained PHP OAuth
> >> >> libraries, and it's not clear to me which are most up-to-date and/or
> >> >> widely used. The oauth.net/code page mainly features http://oauth.googlecode.com/svn/code/php/
> >> >> which hasn't been updated since May 18, 2009. There's also http://code.google.com/p/oauth-php/
> >> >> which looks more complicated but also more up-to-date. And there's
> >> >> also http://pecl.php.net/oauth which is a C extension for OAuth
> >> >> that it looks like Rasmus et al have been updating recently.
> >>
> >> >> Personally, I like (and use) http://oauth.googlecode.com/svn/code/php/
> >> >> because it's simple (just one file), and I believe shindig-php
> >> >> uses it too, but I don't think it has support for OAuth 1.0a or
> >> >> two-legged OAuth, both of which are very standard now. I also recall
> >> >> fixing a bunch of bugs in it that may or may not have ever landed
> >> >> in the tree.
> >>
> >> >> So, should I add 1.0a and 2-legged support to this lib? If so, will
> >> >> someone review and patch it and/or make me a committer? Has anyone
> >> >> else already made these updates and just not shared it back? Or is
> >> >> one of these other libraries now the "de facto standard PHP lib",
> >> >> in which case shouldn't it be listed on oauth.net/code under PHP?
> >>
> >> >> Thanks, js
[oauth] Re: which php libraries are people using?
On Wed, Nov 11, 2009 at 5:58 PM, camilo_u wrote:

> There is a Zend Framework proposal currently testing called
> Zend_OAuth:
>
> http://framework.zend.com/wiki/pages/viewpage.action?pageId=37957
>
> You can take a look at the code here:
>
> http://framework.zend.com/svn/framework/standard/incubator/library/Zend/Oauth/
>
> One of the proposers, Pádraic Brady, has a sample implementation with
> Twitter:
>
> http://blog.astrumfutura.com/archives/411-Writing-A-Simple-Twitter-Client-Using-the-PHP-Zend-Frameworks-OAuth-Library-Zend_Oauth.html

Also recently came across this twitter impl. also on github

http://github.com/abraham/twitteroauth

> As far as I know it's ready with the OAuth Core 1.0 Revision A, and
> hopefully it will be available on the Zend Framework 1.10, so this will
> be a very common library soon.
>
> Regards,
>
> Camilo Usuga
>
> On 10 nov, 16:56, Jeff Hodsdon wrote:
>> There is also a PEAR library, http://pear.php.net/package/HTTP_OAuth,
>> which has classes for being a provider.
>>
>> -jeff
>> On Nov 6, 2009, at 8:21 AM, Joseph Smarr wrote:
>>
>> > Thanks Morten. I'd really encourage you to finish up those patches
>> > and submit them, since I think a lot of people do use that OAuth
>> > library. I'm happy to do a code review or otherwise take a look at
>> > it if that's useful to you.
>>
>> > Thanks, js
>>
>> > On Fri, Nov 6, 2009 at 12:34 AM, Morten Fangel wrote:
>> > Hi,
>>
>> > I did some of the most recent patches on
>> > the http://oauth.googlecode.com/svn/code/php/
>> > library.. And speaking of two-legged and rev. a. - I actually have
>> > done work on those, I just haven't had time to finish up on the work
>> > (but they are running on the OAuth Sandbox which can be found
>> > at http://oauth-sandbox.sevengoslings.net
>> > - so it does work)
>>
>> > Just to let people know that the library isn't dead.. ;)
>>
>> > -Morten
>>
>> > On Nov 5, 2009, at 9:49 PM, Joseph Smarr wrote:
>>
>> >> It seems like there are several actively maintained PHP OAuth
>> >> libraries, and it's not clear to me which are most up-to-date and/or
>> >> widely used. The oauth.net/code page mainly
>> >> features http://oauth.googlecode.com/svn/code/php/
>> >> which hasn't been updated since May 18, 2009. There's
>> >> also http://code.google.com/p/oauth-php/
>> >> which looks more complicated but also more up-to-date. And there's
>> >> also http://pecl.php.net/oauth which is a C extension for OAuth
>> >> that it looks like Rasmus et al have been updating recently.
>>
>> >> Personally, I like (and use) http://oauth.googlecode.com/svn/code/php/
>> >> because it's simple (just one file), and I believe shindig-php
>> >> uses it too, but I don't think it has support for OAuth 1.0a or
>> >> two-legged OAuth, both of which are very standard now. I also recall
>> >> fixing a bunch of bugs in it that may or may not have ever landed
>> >> in the tree.
>>
>> >> So, should I add 1.0a and 2-legged support to this lib? If so, will
>> >> someone review and patch it and/or make me a committer? Has anyone
>> >> else already made these updates and just not shared it back? Or is
>> >> one of these other libraries now the "de facto standard PHP lib",
>> >> in which case shouldn't it be listed on oauth.net/code under PHP?
>>
>> >> Thanks, js
[oauth] Re: which php libraries are people using?
There is a Zend Framework proposal currently testing called Zend_OAuth:

http://framework.zend.com/wiki/pages/viewpage.action?pageId=37957

You can take a look at the code here:

http://framework.zend.com/svn/framework/standard/incubator/library/Zend/Oauth/

One of the proposers, Pádraic Brady, has a sample implementation with Twitter:

http://blog.astrumfutura.com/archives/411-Writing-A-Simple-Twitter-Client-Using-the-PHP-Zend-Frameworks-OAuth-Library-Zend_Oauth.html

As far as I know it's ready with the OAuth Core 1.0 Revision A, and hopefully it will be available on the Zend Framework 1.10, so this will be a very common library soon.

Regards,

Camilo Usuga

On 10 nov, 16:56, Jeff Hodsdon wrote:
> There is also a PEAR library, http://pear.php.net/package/HTTP_OAuth,
> which has classes for being a provider.
>
> -jeff
> On Nov 6, 2009, at 8:21 AM, Joseph Smarr wrote:
>
> > Thanks Morten. I'd really encourage you to finish up those patches
> > and submit them, since I think a lot of people do use that OAuth
> > library. I'm happy to do a code review or otherwise take a look at
> > it if that's useful to you.
>
> > Thanks, js
>
> > On Fri, Nov 6, 2009 at 12:34 AM, Morten Fangel wrote:
> > Hi,
>
> > I did some of the most recent patches on
> > the http://oauth.googlecode.com/svn/code/php/
> > library.. And speaking of two-legged and rev. a. - I actually have
> > done work on those, I just haven't had time to finish up on the work
> > (but they are running on the OAuth Sandbox which can be found
> > at http://oauth-sandbox.sevengoslings.net
> > - so it does work)
>
> > Just to let people know that the library isn't dead.. ;)
>
> > -Morten
>
> > On Nov 5, 2009, at 9:49 PM, Joseph Smarr wrote:
>
> >> It seems like there are several actively maintained PHP OAuth
> >> libraries, and it's not clear to me which are most up-to-date and/or
> >> widely used. The oauth.net/code page mainly
> >> features http://oauth.googlecode.com/svn/code/php/
> >> which hasn't been updated since May 18, 2009. There's
> >> also http://code.google.com/p/oauth-php/
> >> which looks more complicated but also more up-to-date. And there's
> >> also http://pecl.php.net/oauth which is a C extension for OAuth
> >> that it looks like Rasmus et al have been updating recently.
>
> >> Personally, I like (and use) http://oauth.googlecode.com/svn/code/php/
> >> because it's simple (just one file), and I believe shindig-php
> >> uses it too, but I don't think it has support for OAuth 1.0a or
> >> two-legged OAuth, both of which are very standard now. I also recall
> >> fixing a bunch of bugs in it that may or may not have ever landed
> >> in the tree.
>
> >> So, should I add 1.0a and 2-legged support to this lib? If so, will
> >> someone review and patch it and/or make me a committer? Has anyone
> >> else already made these updates and just not shared it back? Or is
> >> one of these other libraries now the "de facto standard PHP lib",
> >> in which case shouldn't it be listed on oauth.net/code under PHP?
>
> >> Thanks, js