Re: [oauth] Re: 3-legged OAuth without application registration

2010-02-23 Thread Allen Tom 
Service Providers that allow the "anonymous" consumer key don't really have
a way to identify the application to the user, other than the domain of the
callback url. Unfortunately, due to open redirectors and other web
vulnerabilities, a malious website could hide their true identity behind a
redirector. (for instance, anyone can use a bit.ly url)


It might make sense for your clients to specify an optional client name,
similar to a web browser's User Agent string. As with the browser user
agent, the value of this string is completely untrusted, however it might be
useful to use when identifying the client to the user.

Allen



On 2/22/10 3:27 AM, "zemi"  wrote:

>
> But at the same time I need to 'auto' register the consumers the way
> they are unique (URL?) so I can identify them on provider side - that
> an user can revoke access token later if needed.
> Do I actually need to create consumer key/secret for each request or
> the token only?
> What do you think?
> 
> Regards,
> Matus
> 
> On Feb 22, 2:50 am, Allen Tom  wrote:
>> Perhaps a Googler can jump in on this ­ Google allows Oauth apps to use
>> ³anonymous² as their consumer key, with ³anonymous² as their consumer
>> secret. These apps do not need to pre-register for a consumer key.
>> 
>> See bullet point #2 in Google¹s Oauth docs regarding the ³anonymous²
>> consumer 
>> key:http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
>> 
>> This also means that the oauth_callback URL is not bound to any particular
>> domain and can be anything.
>> 
>> I personally think that this is a great way to lower the barrier for
>> developers to start using Oauth protected APIs. However, Yahoo and many
>> other Service Provders are not able to allow for the anonymous consumer key
>> due to legal requirements (we require our developers to agree to a legal
>> terms of use), as well as business requirements (we want contact info for
>> our developers).
>> 
>> As far as the original poster¹s question asking how Service Providers can
>> implement this ­ I think the anonymous consumer key implementation is pretty
>> straightforward. I suppose the UI for the approval screen as well as the
>> token management/revocation screens could be strange (what does the SP call
>> the app on these screens?). It could also be tricky to implement a kill
>> switch if the SP wants to pull the plug on a rogue app using the anonymous
>> consumer key.
>> 
>> Allen
>> 
>> On 2/20/10 11:33 PM, "Vinod facebook"  wrote:
>> 
>> 
>> 
>>> Hi zemi,
>> 
>>>  This can be done using asymmetric key cryptography. For example if
>>> abc.com   is a service provider and if they wanna add a
>>> gadget
>>> to google.com  (consumer) to offer their services to
>>> their
>>> clients using google.com  . Google signs all requests to
>>> service provider using a private key and the service provider uses a public
>>> certificate provided by google to verify all the requests originating from
>>> google to be authentic and legitimate. This signing and validation of
>>> request
>>> messages happens at both the ends(consumer and service provider). With this,
>>> a
>>> prior registration is not required on the service provider side.
>> 
>>> A list of open social public certificates are provided in the following
>>> link:
>> 
>>> https://opensocialresources.appspot.com/certificates
>> 
>>> The following link provides you an insight into implementing signed fetch
>>> using asymmetric key cryptography. The same can be used with 3-legged oauth.
>> 
>>> http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
>> 
>>> Note: There is no such 'anonymous consumer key' as per my understanding. If
>>> you view the list of public certificates, along with the public certificate
>>> a
>>> corresponding oauth_consumer_key is provided and is a fixed value.
>> 
>>> With Regards,
>>> R.Vinod Kumar
>> 
>>> On Fri, Feb 19, 2010 at 5:49 AM, zemi  wrote:
 Hi everybody,
 I need a consumer to request (3-legged) 'request' tokens without
 previous registration on provider side.
 I've noticed Google and Plaxo support this with 'anonymous' consumer
 key? How exactly is this then handled on provider side? Do they create
 token only or consumer key also?
 Thanks for help folks!
>> 
 Regards,
 zemi
>> 
 --
 You received this message because you are subscribed to the Google Groups
 "OAuth" group.
 To post to this group, send email to oa...@googlegroups.com.
 To unsubscribe from this group, send email to
 oauth+unsubscr...@googlegroups.com
  .
 For more options, visit this group at
 http://groups.google.com/group/oauth?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to 
oauth+unsubscr...@

[oauth] Re: 3-legged OAuth without application registration

2010-02-22 Thread zemi 
Thanks for both answers!

Vinod: Can using certificates be replaced by SSL connection (isn't
OAuth WRAP about it?) or is it something different?

I would like to use this 'anonymous-consumer' approach in distributed
application so any of these app instances can use others services
without pre-registration.
But at the same time I need to 'auto' register the consumers the way
they are unique (URL?) so I can identify them on provider side - that
an user can revoke access token later if needed.
Do I actually need to create consumer key/secret for each request or
the token only?
What do you think?

Regards,
Matus

On Feb 22, 2:50 am, Allen Tom  wrote:
> Perhaps a Googler can jump in on this ­ Google allows Oauth apps to use
> ³anonymous² as their consumer key, with ³anonymous² as their consumer
> secret. These apps do not need to pre-register for a consumer key.
>
> See bullet point #2 in Google¹s Oauth docs regarding the ³anonymous²
> consumer 
> key:http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth
>
> This also means that the oauth_callback URL is not bound to any particular
> domain and can be anything.
>
> I personally think that this is a great way to lower the barrier for
> developers to start using Oauth protected APIs. However, Yahoo and many
> other Service Provders are not able to allow for the anonymous consumer key
> due to legal requirements (we require our developers to agree to a legal
> terms of use), as well as business requirements (we want contact info for
> our developers).
>
> As far as the original poster¹s question asking how Service Providers can
> implement this ­ I think the anonymous consumer key implementation is pretty
> straightforward. I suppose the UI for the approval screen as well as the
> token management/revocation screens could be strange (what does the SP call
> the app on these screens?). It could also be tricky to implement a kill
> switch if the SP wants to pull the plug on a rogue app using the anonymous
> consumer key.
>
> Allen
>
> On 2/20/10 11:33 PM, "Vinod facebook"  wrote:
>
>
>
> > Hi zemi,
>
> >  This can be done using asymmetric key cryptography. For example if
> > abc.com   is a service provider and if they wanna add a 
> > gadget
> > to google.com  (consumer) to offer their services to 
> > their
> > clients using google.com  . Google signs all requests to
> > service provider using a private key and the service provider uses a public
> > certificate provided by google to verify all the requests originating from
> > google to be authentic and legitimate. This signing and validation of 
> > request
> > messages happens at both the ends(consumer and service provider). With 
> > this, a
> > prior registration is not required on the service provider side.
>
> > A list of open social public certificates are provided in the following 
> > link:
>
> >https://opensocialresources.appspot.com/certificates
>
> > The following link provides you an insight into implementing signed fetch
> > using asymmetric key cryptography. The same can be used with 3-legged oauth.
>
> >http://wiki.opensocial.org/index.php?title=Validating_Signed_Requests
>
> > Note: There is no such 'anonymous consumer key' as per my understanding. If
> > you view the list of public certificates, along with the public certificate 
> > a
> > corresponding oauth_consumer_key is provided and is a fixed value.
>
> > With Regards,
> > R.Vinod Kumar
>
> > On Fri, Feb 19, 2010 at 5:49 AM, zemi  wrote:
> >> Hi everybody,
> >> I need a consumer to request (3-legged) 'request' tokens without
> >> previous registration on provider side.
> >> I've noticed Google and Plaxo support this with 'anonymous' consumer
> >> key? How exactly is this then handled on provider side? Do they create
> >> token only or consumer key also?
> >> Thanks for help folks!
>
> >> Regards,
> >> zemi
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "OAuth" group.
> >> To post to this group, send email to oa...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> oauth+unsubscr...@googlegroups.com
> >>  .
> >> For more options, visit this group at
> >>http://groups.google.com/group/oauth?hl=en.

-- 
You received this message because you are subscribed to the Google Groups 
"OAuth" group.
To post to this group, send email to oa...@googlegroups.com.
To unsubscribe from this group, send email to 
oauth+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/oauth?hl=en.