[oauth] Re: A method for obtaining a consumer secret for an URL-based consumer identity
I imagine a service provider might want to revoke a consumer secret. You might specify how the service provider can signal that it has done so, to enable the consumer to automatically get a fresh consumer secret. You might extend http://oauth.pbwiki.com/ProblemReporting for the purpose.

You might recommend that consumers limit the useful lifetime of a confirmation token. It seems like a good idea to invalidate a token after a single use and/or a fairly short time interval.

When validating a confirmation token, it seems like a good idea to use HTTPS and to require that the consumer (HTTPS server) present a certificate issued by a trusted authority and matching the HTTPS server's host name. (Browsers often require this.)

An entirely different protocol occurs to me. When requesting a consumer secret, the consumer could sign the request with its certificate. That is, the request contains a certificate, issued by a trusted authority, that matches the consumer key (that is the consumer's root URL). And the request is signed with the private key associated with that certificate. The service provider validates the certificate and uses the certificate's public key to validate the signature. If all is valid, it returns the desired consumer secret. The consumer would not send a confirmation token, and the service provider would not validate a confirmation token.

Perhaps this won't work for OpenMicroBlogging. Perhaps it's a bad idea in general. :-)

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---
[oauth] Re: OAuth - signature_invalid problem
No, OAuth Core doesn't permit the consumer's secret to be used as the signature, when the signature method is HMAC-SHA1.

A similar example that works is http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html . It uses other scripts from http://oauth.googlecode.com/svn/code/javascript/ .
[oauth] Re: OAuth - signature_invalid problem
Sorry to hear it doesn't work. What happened when you tried it?

I've seen it work in Internet Explorer 7 on Windows. But it won't work if you simply load http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html , because the browser won't permit sending requests to other servers (for security reasons). To make it work, copy the page into a file and browse to the file.

Does anyone know how to make it work in Firefox 3? There's a warning about security restrictions in http://oauth.googlecode.com/svn/code/javascript/README.txt

On Jan 28, 5:50 am, Razak pcm...@gmail.com wrote:
> It's not working in the IE browser. Do you have any code which works for both Mozilla Firefox and IE?
[oauth] Java OAuthClient.access
I propose to extend the Java oauth-core library to better support accessing protected resources, as follows. Please let me know if this is a bad idea, or there's a better way.

In brief, I propose to add a method to OAuthClient:

    /** Send a request and return the response. */
    public OAuthResponseMessage access(OAuthMessage request, ParameterStyle style) throws IOException;

Unlike the existing 'invoke' method, it won't try to decide whether the response indicates success; it will merely return the response. A typical caller would evaluate the response, something like this:

    OAuthClient client = ...;
    OAuthAccessor accessor = ...;
    OAuthMessage request = new ...;
    request.addRequiredParameters(accessor);
    OAuthResponseMessage response = client.access(request, ParameterStyle.AUTHORIZATION_HEADER);
    switch (response.getHttpResponse().getStatusCode()) {
        case 200: ...
        case 400: ...
    }

I'm a little worried about feature creep: this is a step toward a general purpose HTTP client library. But it's a tolerably small step, I hope. I don't want to try to reproduce all the features of the Apache HTTP client libraries.
[oauth] Re: Problem accessing OAuthAccessToken
What service provider are you trying to use? The Google Data APIs? Check the URL. Google's access token URL is https://www.google.com/accounts/OAuthGetAccessToken , according to http://code.google.com/apis/gdata/auth.html#OAuth

In the access token request, the oauth_signature must be computed using the request token secret; that is the oauth_token_secret the service provider sent with the request token.

On Jan 31, 2:44 am, Razak pcm...@gmail.com wrote:
> I am sending the request for AccessToken the same as the one for RequestToken except for two changes. The changes I made are:
> 1. oauth_token included in header parameters
> 2. scope parameter removed.
> But still I am not getting the response for AccessToken. Can you please help me in resolving the problem?
[oauth] Re: should the oauth_signature parameter be the same for both RequestToken and AccessToken
No; each request is signed separately, with a different token secret and parameters. The same signature method may be used, but the signatures will be different because they're computed from different inputs. At least, the nonce and/or timestamp must be different.

On Jan 31, 2:03 am, Razak pcm...@gmail.com wrote:
> Can you please let me know whether the oauth_signature should be the same for both RequestToken and AccessToken requests?
[oauth] Re: what is Signature base string in OAuth.?
See http://oauth.net/core/1.0/#anchor14 : "The Signature Base String is a consistent reproducible concatenation of the request elements into a single string. The string is used as an input in hashing or signing algorithms."

Software that implements OAuth usually has algorithms that compute oauth_signature, which construct the signature base string as a function of the request message.

On Feb 4, 6:37 am, Razak pcm...@gmail.com wrote:
> What is the Signature base string? Where can I use that along with the request? I do not understand the use of that string. Even in the documentation, the use of the base string is not mentioned. Where can I apply that? I am using the HMAC-SHA1 method in the Google API. I could only know that it would be used only in signing requests, not for generating tokens. Is that correct?
[oauth] Re: Java Library and java-twitter
To minimize dependencies, I recommend removing Java packages that you don't need. You can eliminate several dependencies this way, such as the Java Servlet API and both Apache HTTP client libraries.

I'm thinking of moving parts of oauth-core into new modules; for example a module for consumers (clients) and another for service providers (servers). Would that be helpful? Are there other parts that you'd like to be in separate modules?

On Apr 15, 7:45 am, Zhihong zhih...@gmail.com wrote:
> The OAuth lib itself builds fine but sometimes we embed the OAuth library in other JARs. The build error occurs in a JMeter plugin for OAuth. We build the plugin with OAuth code so only one JAR is delivered. For use cases like this, it's very important to keep the dependencies to a minimum.
[oauth] Re: authorized access by url alone?
If you want to use standard OAuth libraries, use a full set of credentials: consumer key and consumer secret, token and token secret. It's more than you need, but some libraries require it all. If you need help using a specific library, this is a pretty good place to ask.

On Apr 14, 10:32 pm, pkeane pjke...@gmail.com wrote:
> Assuming I (i.e., the web app) can get the access token, is it possible to construct a URL that can be placed in an i...@src in the rendered html to allow the browser to access a restricted image?
[oauth] Re: OAuth for installed apps
To support invalidating credentials (e.g. in case of theft), a service provider should enable a user to identify them. A user faced with a list of unintelligible keys can't decide which one to invalidate. They need to be labeled 'Picasa on my laptop' or 'Picasa at the office' or something meaningful to the user.

On Apr 12, 10:57 pm, John Kristian jmkrist...@gmail.com wrote:
> The service provider would enable a user to revoke her access tokens, e.g. in case they're stolen.
[oauth] Re: POST and PUT with OAuth
As a rule, a server shouldn't look for OAuth parameters in the body of a request whose content-type isn't application/x-www-form-urlencoded (as specified by http://oauth.net/core/1.0/#consumer_req_param). In the OpenSocial example, the client could send an XML content-type, such as text/xml or application/xml.

On Apr 24, 6:02 pm, Scott Seely sse...@myspace-inc.com wrote:
> The OAuth spec is silent on how to handle section 5.2 when an HTTP PUT | POST might be used to send in OAuth parameters AND resource content. For example, an OpenSocial endpoint uses OAuth for authentication and may post an XML encoded version of a Person. In this case, does a compatible OAuth endpoint have to accept OAuth parameters in the POST body or can it choose to only look for parameters in the HTTP Authorization header and on the query string?
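As an added example (not the Java library's code nor anything posted in this thread): a service-provider routine that collects OAuth parameters from the Authorization header, the query string and, only when the body is form-encoded, the body, so that an XML resource body is never searched for them, together with the rule that a protocol parameter may appear only once across those sources. It assumes Node.js; every request object below is constructed for the example, with lowercase header names as Node supplies them.

```javascript
// Added example, not code from the Java library or from this thread. Collects OAuth
// protocol parameters from the three sources OAuth Core 1.0 section 5.2 allows and
// rejects duplicates. Assumes Node.js; all requests here are constructed.

// Form decoding: '+' is a space, then percent-decode.
function formDecode(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// "k=v&k2=v2" -> [[k, v], ...]; a bare "k" means an empty value.
function parseFormEncoded(text) {
  if (!text) return [];
  return text.split('&').filter((p) => p.length > 0).map((pair) => {
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    return [formDecode(k), formDecode(v)];
  });
}

// Authorization: OAuth realm="...", oauth_consumer_key="...", ...
// Names and values are percent-encoded; realm is not a protocol parameter.
function parseAuthorizationHeader(header) {
  if (!header || !/^OAuth(\s|$)/i.test(header)) return [];
  const out = [];
  const re = /([^\s=,]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(header.slice(5))) !== null) {
    const name = decodeURIComponent(m[1]);
    if (name.toLowerCase() !== 'realm') out.push([name, decodeURIComponent(m[2])]);
  }
  return out;
}

// Only a form-encoded body carries OAuth parameters. An XML (or JSON) body is the
// resource itself and is not searched for them.
function isFormEncoded(contentType) {
  if (!contentType) return false;
  return contentType.split(';')[0].trim().toLowerCase() === 'application/x-www-form-urlencoded';
}

// Gather parameters from the three permitted sources into one list.
function collectOAuthParameters(req) {
  const q = req.url.indexOf('?');
  const query = q < 0 ? '' : req.url.slice(q + 1).split('#')[0];
  return [
    ...parseAuthorizationHeader(req.headers.authorization),
    ...parseFormEncoded(query),
    ...(isFormEncoded(req.headers['content-type']) ? parseFormEncoded(req.body) : []),
  ];
}

// Protocol parameters (oauth_*) must appear exactly once across all sources;
// returns the names that appear more than once, so the request can be rejected.
function duplicatedProtocolParameters(params) {
  const count = new Map();
  for (const [name] of params) {
    if (name.startsWith('oauth_')) count.set(name, (count.get(name) || 0) + 1);
  }
  return [...count].filter(([, n]) => n > 1).map(([name]) => name);
}

function valuesOf(params, name) {
  return params.filter(([k]) => k === name).map(([, v]) => v);
}

// Constructed header modelled on the RFC 5849 example; the signature is a placeholder.
const AUTH_HEADER = 'OAuth realm="Example", oauth_consumer_key="9djdj82h48djs9d2", ' +
  'oauth_token="kkk9d7dh3k39sjv7", oauth_signature_method="HMAC-SHA1", ' +
  'oauth_timestamp="137131201", oauth_nonce="7d8f3e4a", oauth_signature="PLACEHOLDER%3D"';

// Form POST (constructed): parameters come from header, query and body.
const FORM_REQUEST = {
  method: 'POST', url: 'http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b',
  headers: { authorization: AUTH_HEADER, 'content-type': 'application/x-www-form-urlencoded' },
  body: 'c2&a3=2+q+a',
};

// OpenSocial-style POST (constructed): the XML body is resource content, not parameters.
const XML_REQUEST = {
  method: 'POST', url: 'http://example.com/people/@me/@self',
  headers: { authorization: AUTH_HEADER, 'content-type': 'application/xml; charset=utf-8' },
  body: '<person><oauth_nonce>not-a-parameter</oauth_nonce></person>',
};

// Same nonce sent in the header and the query (constructed): must be rejected.
const DUPLICATE_REQUEST = {
  method: 'GET', url: 'http://example.com/request?oauth_nonce=7d8f3e4a',
  headers: { authorization: AUTH_HEADER }, body: '',
};
```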
[oauth] Re: OAuth Core 1.0 Rev A, Draft 2
I agree, the consumer should be informed whether the service provider is 1.0 or 1.0a, before it redirects the user for authorization. In addition to the reasons noted above, it enables a consumer to protect the user from the security hole in 1.0, by refusing to work with a 1.0 service provider.
[oauth] Re: Including the signature base string in signature_invalid errors
That sounds like a fine idea, to me. I'd prefer that the server send the information without being asked.

We might as well follow established practice, if it works well. What does the Python library do, exactly? Are there popular service providers that do something similar? What do they do, exactly?

By the way, what service providers have implemented the problem reporting extension? http://wiki.oauth.net/ProblemReporting

On May 27, 12:59 am, Manish Pandit pandit.man...@gmail.com wrote:
> Do you folks think it is a good idea to include the base string/normalized request parameters, etc. in the signature check failure error message?
[oauth] Re: Fix maven dependencies
I'll do that. Thanks for pointing it out.

On Jun 11, 7:52 am, bowa bruno.w...@gmail.com wrote:
> Can someone with svn commit rights to the google code project change this and put a new build on the maven repo please? thanks, bruno
[oauth] Re: problem with maven2
I corrected this, in version 20090531. I'm sorry I caused you difficulty.
[oauth] Re: Simplify OAuthCredentials
Done, in -r1052 of the Java library http://oauth.googlecode.com/svn/code/java/core/httpclient4/ Thanks for the suggestion.

On Jun 8, 12:01 pm, Paul Austin paul.d.aus...@gmail.com wrote:
> Could a new constructor be added which just accepted a consumerKey and consumerSecret and automatically created the accessor? This would be useful for the 2-legged case.
[oauth] Re: problem with maven2
Source code: http://code.google.com/p/oauth/source/browse/#svn/code/java/core
Maven repository: http://oauth.googlecode.com/svn/code/maven
For example, oauth.jar: http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth/20090531/oauth-20090531.jar

On Jun 12, 10:11 pm, Mandakini kumari pkumar...@gmail.com wrote:
> Where can I get version 20090531? Please give me the URL link for it.
[oauth] Re: Java library changes
There are automated tests, mostly in a separate module net.oauth.core:oauth-test.

I hope to add improvements, but nothing major soon.

I'm not familiar with the Objective-C or PHP implementations.

On Jun 18, 5:28 am, Monis monisiq...@gmail.com wrote:
> Hi John,
> It's good to see the new modularized implementation and consideration for different HTTP methods. I looked into this implementation about a year ago and comparing it with the current version, things have changed considerably, in a positive direction.
> However, the only concern is the changing implementation for the Java SP and consumer. Do you plan to make further changes to the current code? If yes, then how can I determine the major release, so as to update my project on major changes only? And can I be sure that the code conforms to the protocol, i.e. test case coverage percentage?
> Also, are the current consumer implementations for Objective-C, PHP workable with the updated Provider for Java?
> Thanks,
> Monis Iqbal
[oauth] Re: OAuth JS API results in signature_invalid at random
Yes, your request for an access token should be signed with the request token secret; that is the oauth_token_secret that you received with your request token. Also, requests for access to APIs should be signed with the access token secret, that is the oauth_token_secret that you received with your access token. I'm surprised that the service provider accepts requests that are signed without the token secrets.

Here's a simpler way to construct the URL for requesting an access token, or access to an API. It yields the same result, letting oauth.js handle more of the details.

    var accessor = { consumerKey: '...', consumerSecret: '...', token: '...', tokenSecret: '...' };
    var message = { method: 'GET', action: 'http://...',
                    parameters: [ ['oauth_signature_method', 'HMAC-SHA1'],
                                  ['xoauth_requestor_id', guid],
                                  ['format', 'json'] ] };
    OAuth.completeRequest(message, accessor);
    var signedURL = OAuth.addToURL(message.action, message.parameters);

On Jun 17, 10:49 pm, Matt Raible mrai...@gmail.com wrote:
> ... Looking at both Paul Donnelly's and yours, neither contains the tokenSecret in the accessor that's used to sign the access_token request, as well as any API requests. Am I correct in assuming that the tokenSecret (the auth_token_secret value returned after getting the initial token) is needed for these two calls?
> To be clear, I can reliably get a token and authorize it. After that, it seems like getting an access_token works 50% of the time and calling the api (with auth_token as a param in the URL) works 30% of the time.
[oauth] Re: OAuth.net Java library release info
I recently committed a change to support the 1.0a spec, but it hasn't been released. I'll release it, if you like:

-r1057 | 2009-06-17 22:31:12 -0700 (Wed, 17 Jun 2009)
Added support for OAuth Core version 1.0a, specifically new parameter names and a method OAuthClient.getRequestTokenResponse.

Sorry to say the library lacks good documentation. The closest thing to change history is the log in the Subversion repository, such as:

version 20090531:
- Divided core into several Maven modules, to help minimize dependencies. The oauth-core module is now a hollow shell that depends on the other core modules.

version 20090522:
- Added support for more popular RSA key formats (thanks to Zhihong Zhang).
- Added a copy of the Base64 class, to avoid depending on commons-codec.
- Added the OAuth repository (at http://googlecode) to oauth-parent's pom.xml.

version 20090408:
- treat any 2xx status code as successful
- added OAuthClient.httpParameters, to support changing the read timeout
- added OAuthSchemeFactory, OAuthCredentials and PreemptiveAuthorizer
- simplify constructing an OAuthMessage with a body

version 20090315:
- added constants for problem reporting
- Reject requests in which an OAuth protocol parameter appears more than once.

On Jun 23, 12:16 pm, rwallace rwallace1...@gmail.com wrote:
> I'm considering an upgrade of my OAuth.net java dependency. I'd like to know what has been done with it since the current version and if it supports the 1.0 Rev A spec, but I can't seem to find any release documentation saying what has changed from one version to another. I saw that some of the other languages have mailing lists just for them but don't see one for the Java implementation. Am I missing something somewhere?
[oauth] Re: OAuth.net Java library release info
I released version 20090617 with support for 1.0a.

On Jul 2, 9:57 am, Manish Pandit pandit.man...@gmail.com wrote:
> On Jun 23, 10:14 pm, John Kristian jmkrist...@gmail.com wrote:
>> I recently committed a change to support the 1.0a spec, but it hasn't been released. I'll release it, if you like:
> +1 for releasing it..
[oauth] Re: Two questions
The source code is in http://oauth.googlecode.com/svn/code/maven/net/oauth/oauth-core/20090315/oauth-core-20090315-sources.jar or you can get it from svn thus:

    svn checkout -r917 http://oauth.googlecode.com/svn/code/java/core

On Jul 8, 3:47 am, Avi syndicatebk...@gmail.com wrote:
> 2) Is there any documentation of the classes in oauth-core-20090315.jar? If not, where can I find the individual classes with their javadocs?
[oauth] Re: Java Desktop Sample
After you've authorized, DesktopClient.access expects Mediamatic to redirect your browser to its embedded server; that is the Jetty server to which the local variable access.server refers. The URL is something like http://localhost:5298/oauth/callback. It sounds like Mediamatic isn't doing that. Has Mediamatic upgraded to OAuth 1.0a recently?

On Jul 14, 8:48 pm, monkeyvu phamanhvu101...@gmail.com wrote:
> I have run the sample application Mediamatic.java but it hangs at the following statement:
>
>     accessor.wait();
>
> That statement is in the DesktopClient.java file. The snippet of the function is:
>
>     BareBonesBrowserLaunch.browse(authorizationURL);
>     accessor.wait();
>     if (accessor.accessToken == null) {
>         getOAuthClient().getAccessToken(accessor, null, null);
>     }
>
> Actually, it opened a new browser with the authorization URL, then I got the code from the site, entered that code into the running application, closed the browser but nothing happened. The application just kept running and looks like it's hung...
[oauth] Re: How should the consumer be notified if a request for authorization is denied?
I would pass a verifier, perhaps oauth_verifier=placeholder. I imagine a careless consumer might behave badly if the verifier is absent.

On Jul 13, 4:48 pm, Richard Wallace rwall...@thewallacepack.net wrote:
> The OAuth spec section 6.2.3 states that "If the User denies access, the Consumer MAY be notified that the Request Token has been revoked." At first I was thinking that I would just flag the request token as being denied on the service provider and then when the consumer tries to swap tokens specify that the oauth_problem is permission_denied. But when the service provider redirects the user to the consumer callback URI, should I still pass the verifier parameter or not bother?
[oauth] Re: File Upload
Try calling client.access, instead of client.invoke. The invoke method is intended for requesting OAuth tokens, not accessing protected resources.

On Jul 9, 3:43 pm, Siahm siahm@gmail.com wrote:
> Hello, I am trying to upload a file with OAuth and I can't. I get error 500 or 200, but I am looking for a 201 response. I am using this code:
>
>     ...
>     params.put("param01", "value01");
>     aouthRequest = access.newRequestMessage(method, baseUrl, params.entrySet(), new FileInputStream(file));
>     aouthRequest.getHeaders().add(new OAuth.Parameter("Content-Length", String.valueOf(file.length())));
>     // Validation is ok at this point
>     aouthRequest.validateMessage(access, new SimpleOAuthValidator());
>     OAuthMessage rs = client.invoke(aouthRequest, net.oauth.ParameterStyle.AUTHORIZATION_HEADER);
>
> I have checked the oauth_ parameters and they are right. I have also tried to put content type headers and it fails.
[oauth] Re: How to share (auth) our embedded SaaS content
OAuth would enable slave servers to send HTTP requests directly to master servers, with assurance that a user authorized each request. If you need this, OAuth is a reasonable choice; if you don't, it probably isn't.

On Jul 18, 8:14 am, Douglas dugca...@gmail.com wrote:
> Please be gentle ;-) ... I've read the OAuth introduction and scenarios but I think our need is a little different ... however, I wanted to bounce this off the OAuth community as perhaps I have yet to see the true abstractions available in the implementation.
> Our use case: We offer SaaS services built and branded to look like whatever site we have partnered with ... thus our site is a 'slave' to a 'master' site where authentication takes place. The user experience hides the fact that the user is accessing our site. When the user needs our services, we must depend on an authentication having taken place on the 'master' site. We would like to verify the request coming from the 'master' site without having to build unique, one-off 'is that really you and is this request good?' interactions with each master site that hosts our content.
[oauth] Re: Getting started with OAuth...
You can generate javadoc like this:

    svn checkout http://oauth.googlecode.com/svn/code/java/core
    cd core
    mvn javadoc:javadoc

You'll find the javadoc in target/site/apidocs/index.html.

There's a beginner's guide http://oauth.net/documentation/getting-started

Yes, tokens may be expired or revoked. But OAuth Core doesn't standardize the process.

On Jul 24, 10:53 pm, mw_java michaelwilso...@gmail.com wrote:
> I looked at the following URLs and noticed that there were no JavaDocs included with these libraries:
> http://oauth.googlecode.com/svn/code/java/core/
> http://spring-security-oauth.codehaus.org
> http://code.google.com/p/oauth-signpost/
> Question(s):
> (1) What is the best way to get up to speed with the OAuth libraries?
> (2) Can an OAuth token be expired or revoked?
> (3) What's the best tutorial / online resource for learning OAuth?
[oauth] Re: Want to make sure I have this right - oAuth 2 Legged
http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi
[oauth] Re: Want to make sure I have this right - oAuth 2 Legged
The consumer key, consumer secret and nonce should be unguessable. A popular choice is bits from a cryptographically strong random number generator, encoded as letters and numerals. The nonce should not be a predictable function of other data.

Don't add salt to the signature algorithm. That won't conform to OAuth. (You might consider the consumer secret to be salt.)

On Jul 19, 5:51 pm, logix812 aventure...@gmail.com wrote:
> Now, the $signature could be generated a different way, so long as it was hashed under the provided oauth_signature_method. eg (adding a shared salt that both the consumer and the service provider know about):
>
>     $signature = hash_hmac('sha1', $consumer_key.$shared_salt, $consumer_secret);
>
> Now, in both cases, when the Service Provider receives the request it can look at the signature, and perform its own hash, under the same rules that the consumer generated their hash. Assuming the service provider's hash is equal to the signature, the Service Provider knows the request is signed, and can continue. This is the reason the consumer does not want to let anyone know what its secret is. The $consumer_secret is effectively the password. Do I have the right idea for oauth_signature/$signature?
>
> oauth_nonce / $nonce, aside from marking requests, so they cannot be used again, this is another place where the request can effectively be signed, so long as both the service provider know how it was created, so that it can validate it. One possible way to create this value would then be:
>
>     $nonce = hash('md5', $time.$consumer_secret.$consumer_key);
>
> Assuming the service provider knows the Consumer is using $time as part of the hash (which it will be receiving in oauth_timestamp), it should always generate a unique value.
To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: Getting started with OAuth...
The OAuth Core spec mandates that service providers enable users to revoke access tokens. And it mentions that a service provider should send HTTP response code 401 when it receives an expired token. However, it says nothing about how a user would ask to revoke a token, why a service provider might revoke a token, when or why tokens might expire, how a consumer can determine that a token has expired or been revoked, or what a consumer should do in these situations.

On Jul 25, 3:36 pm, mw_java michaelwilso...@gmail.com wrote:
> Could you elaborate on what you meant by this?
>
> On Jul 25, 12:17 pm, John Kristian jmkrist...@gmail.com wrote:
> > Yes, tokens may be expired or revoked. But OAuth Core doesn't standardize the process.
[oauth] Re: OAuth: Authenticating JAX-RS (Jersey) with an iPhone Client App?
I've read that an iPhone app can't retrieve Key Chain items that were stored by other apps. http://www.softwareops.com/blogs/iPhone/iPhoneDevBlog_files/b4452aa19b4b4d6fb2a7c149dbacaa75-33.html If true, the Key Chain would be a good place to store token secrets.

On Jul 26, 11:25 am, Monis monisiq...@gmail.com wrote:
> John mentioned an interesting use case for a crooked iPhone app to steal the consumer secret of a legible app on the same phone. I also think that the key chain in iPhone can be read by other apps on it, but we can encrypt the secret to prevent such an attack.
[oauth] Re: PHP Response Codes
http://wiki.oauth.net/ProblemReporting is applicable.
[oauth] Re: Is there a specific group/mailing list for the OAuth Java library?
No. :-)

On Aug 6, 10:55 am, javacat henrik.mar...@rovicorp.com wrote:
> Hi folks. I joined the OAuth group and mailing list yesterday. It seems like this group is a general OAuth discussion forum, but I'm mainly interested in the Java library implementation. Is there a specific group or mailing list for just the Java library?
[oauth] Re: OAuth server
There's an example service provider at http://code.google.com/p/oauth/source/browse/#svn/code/java/example/oauth-provider But it doesn't do what Shunde wants. I don't find any code at http://code.google.com/p/oauth-java/

On Aug 15, 2:15 am, michael_h mic...@gmail.com wrote:
> http://code.google.com/p/oauth-php/ (PHP)
> http://code.google.com/p/oauth-java/ (Java)
>
> Michael
>
> On Aug 14, 1:42 pm, Shunde Zhang dickie.ch...@gmail.com wrote:
> > Hi Manish,
> >
> > Thanks for your information. Could you give me the link to the oauth server on google code? And is there a doc on how to install it with other identity providers?
> >
> > Thanks a lot,
> > Shunde.
> >
> > On Aug 14, 3:08 pm, Manish Pandit pandit.man...@gmail.com wrote:
> > > On Aug 11, 8:29 pm, Shunde Zhang dickie.ch...@gmail.com wrote:
> > > > Hi,
> > > >
> > > > I am interested in OAuth and want to set up my own oauth env. From the website, all I found are oauth client libs. I would like to know whether there are open source oauth servers, or apache modules. What I want to set up is just like how google oauth works: I have an LDAP server, and want to set up something on top of that to let users authenticate against it with the oauth protocol, then I set up another service provider so that users can attach the token when accessing it, and the service provider can validate the token with the oauth server. Is there anything like this yet?
> > > >
> > > > Cheers,
> > > > Shunde
> > >
> > > There are sample oauth servers on code.google.com in PHP and Java (not sure about others). However these may need to be customized per your needs, but they act as very good reference implementations. You can use any identity/auth server - OAuth does not rely on the authentication store, it delegates the authentication process to the identity provider. The end user will still login as if he were logging into the identity provider's site - OAuth is handed back the control after the auth is done at the identity provider. In other words, you'd need to have that login part on your site regardless of OAuth.
> > >
> > > -cheers, Manish
[oauth] Re: Timing Attacks against OAuth implementations
The Java implementation http://code.google.com/p/oauth/source/browse/#svn/code/java/core/commons/src/main/java/net/oauth validates timestamp and nonce before signature. I've just committed changes to defend against a timing attack. It accepts plaintext signatures by default, but one can make it reject plaintext signatures by calling OAuthSignatureMethod.unregisterMethod("PLAINTEXT").

On Aug 14, 1:38 pm, Pelle Braendgaard pel...@gmail.com wrote:
> From what I can see you would need only one variable for it to be feasible, that is the consumer secret on a request token request. However since the nonce and timestamp have to be changed I don't think it's feasible for any of the digest based attacks (nor the rsa one).
>
> I also just made a test request against agree2 attempting to set PLAINTEXT and it did not accept it, so I'm glad we handled that case back when we wrote the OAuth Ruby gem. You might want to check your oauth implementation for this if you're not using the standard ruby implementation. I have no idea how Python, Java, .net etc handle this.
[oauth] Re: Unknown authorization header Error 401
The signature base string should begin:

POST&http%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds%2Fdefault%2Fprivate%2Ffull&gsessionid

Technically it's incorrect for the authorization header to contain a gsessionid parameter; the standard place to put it would be in the URL query string. But Google tolerates this, I imagine.

Here's a little tool for checking signature computation: http://oauth.googlecode.com/svn/code/javascript/example/signature.html

On Aug 18, 7:31 pm, Randy rglissm...@gmail.com wrote:
> I've been successful with GET and now trying to use POST. I've used the following base string for the signature:
>
> POST%3A%2F%2Fgsessionid%3DxpjA3uUinQTbCxbUtD3Thw%26oauth_consumer_key%3Dwww.heartwoodtech.com%26oauth_nonce%3Dcac46ac76242d8974f2a1eb883a6cb47%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1250648662%26oauth_token%3D1%252FHRwOZSEYw5mwU0q89a7J7mATiaQZnWPB51nTvo8n9Sw%26oauth_version%3D1.0
>
> Any ideas on what I'm doing wrong?
>
> POST /calendar/feeds/default/private/full HTTP/1.1
> Host: www.google.com
> Accept: */*
> GData-Version: 2.0
> Content-Type: application/atom+xml
> Authorization: OAuth gsessionid=xpjA3uUinQTbCxbUtD3Thw, oauth_consumer_key=www.heartwoodtech.com, oauth_nonce=cac46ac76242d8974f2a1eb883a6cb47, oauth_signature=opYs15Odhkde9PX5kuSV2ABvidk=, oauth_signature_method=HMAC-SHA1, oauth_timestamp=1250648662, oauth_token=1/HRwOZSEYw5mwU0q89a7J7mATiaQZnWPB51nTvo8n9Sw, oauth_version=1.0
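The base string, nonce and signature checks discussed in this thread and in the "2 Legged" and "Timing Attacks" threads above, as an added example that is not code from the list or from the net.oauth library: it builds the OAuth 1.0 signature base string (with gsessionid in the query string), signs it with HMAC-SHA1 keyed by the secrets alone, draws the nonce from the OS CSPRNG, and verifies in constant time. The consumer key, secrets and token are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, quote, urlsplit

# Added example, not code from this list or from the net.oauth library:
# OAuth 1.0 signature base string, HMAC-SHA1 signing with a CSPRNG nonce,
# and a constant-time verifier. Consumer/token values are constructed.

# The request discussed in the thread, with gsessionid in the query string
CALENDAR_URL = ("http://www.google.com/calendar/feeds/default/private/full"
                "?gsessionid=xpjA3uUinQTbCxbUtD3Thw")


def pct(s) -> str:
    """OAuth percent-encoding: only RFC 3986 unreserved characters stay."""
    return quote(str(s), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """METHOD&URL&PARAMS. Query-string parameters are folded into PARAMS
    with the oauth_ parameters; oauth_signature itself is never included."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    # Encode each name and value first, then sort by name, then by value.
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def new_nonce() -> str:
    """128 bits from the OS CSPRNG, hex-encoded: unguessable and not a
    function of the timestamp, the key or the secret."""
    return secrets.token_hex(16)


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string. The key is consumer_secret&token_secret
    (token_secret empty when requesting a request token); no extra salt."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret=""):
    """Service-provider side: recompute, then compare in constant time so the
    comparison's duration does not reveal how many leading bytes matched."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def google_calendar_example():
    """Sign a constructed POST to CALENDAR_URL; returns (base string, params)."""
    params = {
        "oauth_consumer_key": "www.example.com",
        "oauth_nonce": new_nonce(),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1250648662",
        "oauth_token": "1/EXAMPLE_TOKEN",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", CALENDAR_URL, params,
                                     "consumer-secret", "token-secret")
    return base_string("POST", CALENDAR_URL, params), params


if __name__ == "__main__":
    bs, signed = google_calendar_example()
    print(bs)
    print("valid:", verify("POST", CALENDAR_URL, signed,
                           "consumer-secret", "token-secret"))
```

The printed base string starts with POST&http%3A%2F%2Fwww.google.com%2F...%2Ffull&gsessionid%3D..., the form John's reply describes, and the token value appears double-encoded (1%252F...) just as in Randy's string.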
[oauth] Re: OAuth on mobile devices - API key per device instead of per application
A user should be responsible for his access token secret. If he reveals it to an attacker, he should expect the attacker can impersonate him, just as if he gave his authorized mobile device to the attacker. An application can help prevent such a mistake, by making it difficult for the user to find his token secret.

A user must trust the software that can use his secret. OAuth doesn't help with this; you need some other system for establishing trust. If malicious software can use an access token secret for signing, the attacker who controls the software can impersonate the user. Or if malicious software can reveal the secret to an attacker, the attacker can run software elsewhere that impersonates the user's device.

On Aug 20, 9:00 am, Sunir su...@freshbooks.com wrote:
> It's insufficient to provide a key for each device, since the key can be cloned by an attacker and used on another device. e.g. if you gave Alice the consumer key AlicesPhone for her mobile, she could give her key to Bob and he can use it on his mobile and pretend to be Alice.
[oauth] Re: OAuth on mobile devices - API key per device instead of per application
We're in uncharted territory here. At least I don't know of any working systems like this. So take my ideas with healthy skepticism.

Yes, a service provider should be able to unauthorize a consumer easily. But if the consumer is composed of multiple applications (sharing a token and secret), OAuth doesn't provide a way to unauthorize the applications individually. (You might consider this a reason not to have multiple applications work as one consumer.)

I tossed out a half-baked idea that some entity within the mobile device might control access by applications individually. It would need a way to identify unauthorized applications.

On Aug 20, 6:23 pm, Sunir Shah su...@freshbooks.com wrote:
> On 20-Aug-09, at 9:03 PM, John Kristian wrote:
> > If an application turns out to be malicious, I don't know how you can unauthorize it without unauthorizing other applications on the same device. Does Android provide some way for one software module to identify another, before cooperating with it?
>
> OAuth makes it easy to disable every single access token owned by a compromised consumer at once. You have the consumer key when you authorize the access token. You should store the consumer association with the access token. Then it's only one query to blow away all the compromised consumer's access tokens.
>
> > Is there some notion of a module being signed by the organization responsible for it? If so, you might create a module that mediates usage of the token and secret, and can refuse usage by blacklisted applications.
>
> If I understand your question correctly, signing an application is irrelevant to the OAuth service provider, since you can fake any signature over the wire. It's only possible for the device's operating system to verify the signature because it has access to the application binary.
[oauth] Re: OAuth on mobile devices - API key per device instead of per application
Rather than assign a different consumer secret to each device, I suggest each device get a unique access token secret using OAuth; that is, by asking the user to authenticate to each service provider and authorize the device. (The token secret and consumer secret are separate elements in OAuth.)

Yes, a determined user can find his own token secret. That's OK. The problem is allowing someone else (an attacker) to use the secret. To prevent that, applications should discourage the user from finding his token secret, and hide the secret from other, possibly malicious applications running on the same mobile device. The latter needs some infrastructure, to prevent applications from seeing each other's data.

For a consumer copied to users' mobile devices (or desktops), a conventional consumer secret isn't very useful because it isn't really secret. Assume attackers will know it. You might as well publish it, as Google did. Look elsewhere for assurance that consumer software is trustworthy. I expect any healthy software market will have some way to help users trust the software they use.

Yes, OAuth doesn't help fight piracy. (I mean the use of unauthorized copies or imitations of licensed software.)

On Aug 20, 6:38 pm, Sunir Shah su...@freshbooks.com wrote:
> Sorry, the original proposal as I understood it was that every application gets a consumer secret for each mobile device. Presumably you could arrange this by cooking the binary every download with a different consumer secret. This is impossible in mobile environments with centralized distribution (iTunes, AppWorld). However, in those environments, this isn't really a problem.
>
> My first reaction was that there is no way to avoid piracy, since if Pirate Alice downloaded the app, she could post it on the Internet and anyone (i.e. Bob) could use it. However, I realize now that isn't the case, since you can monitor the use of the consumer secret, and if one secret seems overly used, you can destroy it, disabling all pirates. Hello Windows Genuine Advantage.
>
> However, I would add in response to your suggestion, you should not rely on the premise that it is hard for the user to find their token secret, since it is so easy to retrieve with common reverse engineering tools.
[oauth] Redirecting a Consumer
Do OAuth service providers redirect consumers? I mean send HTTP status code 301, 302, 303 or 307 in response to a request for a token or access to a protected resource.

If the first request wasn't a GET, should the consumer fail, send a GET or repeat the original method (e.g. POST)? If a consumer follows the redirect, should it generate a new timestamp, nonce and signature for the new request?

I'd like to develop a Java library to make it easy to handle redirection, but I'm not sure what it should do.
[oauth] Re: Redirecting a Consumer
http://code.google.com/apis/calendar/faq.html#redirect_handling requires a consumer to repeat the original request (e.g. POST). The consumer must send either an S cookie or a gsessionid parameter from the redirect response, in this and subsequent requests in a session. I'm not sure what a 'session' is, but I guess requests on behalf of different users require different sessions.

Each request must be correctly signed; so the second request must have a different oauth_signature if it has an added gsessionid parameter. It doesn't matter whether the second request has the same timestamp and nonce as the first.

Do other service providers redirect their consumers?

On Aug 24, 10:18 am, Tim Fletcher t...@tfletcher.com wrote:
> The Google Calendar API does.
[oauth] Re: invalid sinature problem
Here's a simpler way, which works for me.

import net.oauth.OAuth;
import net.oauth.OAuthAccessor;
import net.oauth.OAuthConsumer;
import net.oauth.OAuthProblemException;
import net.oauth.OAuthServiceProvider;
import net.oauth.client.OAuthClient;
import net.oauth.client.httpclient4.HttpClient4;
import net.oauth.http.HttpMessage;

public class YahooContacts {
    // Placeholders: substitute the key and secret Yahoo issued to your consumer.
    private static final String consumerKey = "YOUR_CONSUMER_KEY";
    private static final String consumerSecret = "YOUR_CONSUMER_SECRET";

    public static void main(String[] args) throws Exception {
        OAuthClient client = new OAuthClient(new HttpClient4());
        OAuthAccessor accessor = new OAuthAccessor(new OAuthConsumer(
                null, consumerKey, consumerSecret,
                new OAuthServiceProvider(
                        "https://api.login.yahoo.com/oauth/v2/get_request_token",
                        "https://api.login.yahoo.com/oauth/v2/request_auth",
                        "https://api.login.yahoo.com/oauth/v2/get_token")));
        final String callback = "oob";
        try {
            // Obtain a request token, then print the URL the user must visit to authorize it.
            client.getRequestToken(accessor, null,
                    OAuth.newList(OAuth.OAUTH_CALLBACK, callback));
            System.out.println(OAuth.addParameters(
                    accessor.consumer.serviceProvider.userAuthorizationURL,
                    OAuth.OAUTH_TOKEN, accessor.requestToken));
        } catch (OAuthProblemException problem) {
            // The service provider's response body (e.g. oauth_problem=signature_invalid)
            System.err.println(problem.getParameters().get(HttpMessage.RESPONSE));
        }
    }
}

The imports are available via Maven:

<dependency>
  <groupId>net.oauth.core</groupId>
  <artifactId>oauth</artifactId>
  <version>20090825</version>
</dependency>
<dependency>
  <groupId>net.oauth.core</groupId>
  <artifactId>oauth-httpclient4</artifactId>
  <version>20090617</version>
</dependency>

<repository>
  <id>oauth</id>
  <name>OAuth Repository</name>
  <url>http://oauth.googlecode.com/svn/code/maven</url>
</repository>

On Aug 25, 6:04 am, stager0909 stager0...@gmail.com wrote:
> I want to use yahoo contact api. So I try oauth using HMAC-SHA1 algorithm. But I fail to acquire request token.
>
> result message : Unable to respond to any of these challenges: {oauth=OAuth oauth_problem=signature_invalid}
[oauth] Re: having trouble trying to get oauth js working on server side
Perhaps the timestamp is out of range because the server's clock is wrong.

Check the signature base string, compared to http://oauth.googlecode.com/svn/code/javascript/example/signature.html If the base strings are the same but the signatures are different, b64_hmac_sha1 is wrong.
[oauth] Re: How to obtain access_token using OAuthClient.getAccessToken?
The oauth_verifier should be sent to the service provider when requesting an access token, like this:

client.getAccessToken(oAuthAccessor, null,
        OAuth.newList("oauth_verifier", params.getString("oauth_verifier")));

On Sep 7, 1:52 am, stager0909 stager0...@gmail.com wrote:
> I want to get yahoo contact. So I obtain request_token and user login. But I fail to get access token ...
>
> public void obtainAccessToken() throws IOException, net.oauth.OAuthException, URISyntaxException {
>     try {
>         oAuthAccessor.setProperty("oauth_verifier", params.getString("oauth_verifier"));
>         client.getAccessToken(oAuthAccessor, null, null);
[oauth] Re: Trouble with the javascript library and timestamps (possible fix)
Thank you, David! A great idea, and a working implementation too. I committed a similar change to http://oauth.googlecode.com/svn/code/javascript/oauth.js It uses the query string parameter name oauth_timestamp, instead of servertime. For example, in PHP:

<script src="js/oauth.js?oauth_timestamp=<?=time()?>"></script>

Can you say more about how you're using this? I'm pleasantly surprised to hear it's useful, since browsers don't allow cross-site scripting.

By the way, Netflix no longer maintains this code (as far as I know). I wrote it, and maintain it in my spare time, but I work at LinkedIn now.

On Sep 9, 10:50 am, David King da...@1daylater.com wrote:
> OK, I have created a simple fix that works in the manner I've explained.
>
> -- How to use --
>
> <script src="/js/oauth.js?servertime=1252518585"></script>
[oauth] Re: Token Request - Authorization Challenge Missing
You can ask Signpost users via http://groups.google.com/group/signpost-users

On Sep 7, 7:41 am, Smelly Eddie ollit...@gmail.com wrote:
> Hello, I am using the signpost twitter example but with Netflix's api.
[oauth] Re: Signing PUT request
No, the signature base string doesn't contain parameters from the body of a PUT request. There is an extension to protect request bodies. http://oauth.googlecode.com/svn/spec/ext/body_hash/1.0/oauth-bodyhash.html

On Sep 15, 8:29 am, Hannes Tydén han...@soundcloud.com wrote:
> When I do a POST with content type application/x-www-form-urlencoded the request body should be used to form part of the signature base string. Is this also the case for PUT requests? I can't find anything in the specification that says that PUT requests would be treated any differently, but I just want to make sure.
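The body-hash extension mentioned in the reply above, as an added example that is not code from the list or from any OAuth library: the consumer hashes the raw PUT body and sends the result as oauth_body_hash (which is then signed like any other oauth_ parameter), and the service provider recomputes it over the body it actually received. The JSON body and the check_body_hash policy for missing hashes are this example's own.

```python
import base64
import hashlib
import hmac

# Added example, not code from this list or from an OAuth library: the
# oauth_body_hash extension for request bodies that are not form-encoded.


def body_hash(body: bytes) -> str:
    """SHA-1 of the raw body (the hash that pairs with HMAC-SHA1), base64
    encoded. The consumer sends it as oauth_body_hash and includes that
    parameter in the signature base string like any other oauth_ parameter,
    so the body is bound to the signature without being in the base string."""
    return base64.b64encode(hashlib.sha1(body).digest()).decode()


def check_body_hash(headers: dict, body: bytes, oauth_params: dict) -> bool:
    """Service-provider side. A form-encoded body is already covered by the
    base string, so the extension does not apply to it; for any other body
    this example requires a hash (its own policy) and compares it in constant
    time against the hash of the bytes actually received."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    sent = oauth_params.get("oauth_body_hash")
    if ctype == "application/x-www-form-urlencoded":
        return sent is None
    if sent is None:
        return False
    return hmac.compare_digest(body_hash(body), sent)


# Constructed sample PUT body (a calendar entry as JSON)
SAMPLE_BODY = b'{"title": "Lunch", "when": "2009-09-15T12:00:00Z"}'
SAMPLE_HEADERS = {"Content-Type": "application/json; charset=utf-8"}


def demo():
    """Returns (hash accepted for the original body, hash accepted for a
    body altered in transit)."""
    params = {"oauth_body_hash": body_hash(SAMPLE_BODY)}
    original_ok = check_body_hash(SAMPLE_HEADERS, SAMPLE_BODY, params)
    altered = SAMPLE_BODY.replace(b"Lunch", b"Dinner")
    altered_ok = check_body_hash(SAMPLE_HEADERS, altered, params)
    return original_ok, altered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```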
[oauth] Re: Signing PUT request
You can implement body hashing on top of the Java library, but the library doesn't implement it.

On Sep 16, 1:06 pm, Monis monisiq...@gmail.com wrote:
> Do we have the support for this extension in the oauth java library?
[oauth] Re: new to oauth
OAuthAccessor.accessToken should be initialized to null, not "" (to indicate that the consumer has not yet obtained a valid access token).

The example oauth-provider validates requests like this:

SampleOAuthProvider.VALIDATOR.validateMessage(requestMessage, accessor);

It calls SimpleOAuthValidator.validateSignature, which calls OAuthSignatureMethod.validate, which should call HMAC_SHA1.isValid.

On Oct 12, 11:31 pm, Anuradha Thota anuradha.th...@gmail.com wrote:
> Yes I have seen this example. I do not see the signature verification process anywhere. According to http://oauth.net/core/1.0, the Service Provider verifies the request by generating a new request signature octet string, and comparing it to the signature provided by the Consumer. Could you please provide help on this?
[oauth] Re: new to oauth
The latest core .jar is in http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth/20090825/

HttpRequestMessage and OAuthServlet are in http://oauth.googlecode.com/svn/code/maven/net/oauth/core/oauth-provider/20090531/

SampleOAuthProvider is in the .war file in http://oauth.googlecode.com/svn/code/maven/net/oauth/example/oauth-example-provider/20090105/

These files are in a Maven repository; so you might find it convenient to use Maven to download them and build your software. Source code for each .jar or .war is in the same folder, in a *-sources.jar file.

On Oct 20, 10:16 pm, Anuradha Thota anuradha.th...@gmail.com wrote:
> The jar I am currently using is oauth-20090617.jar. I need the classes HttpRequestMessage.java, SampleOAuthProvider.java, OAuthServlet.java. The jar doesn't seem to include these classes. Which jar can I include to get the above classes also?
[oauth] Re: (request access token) Should oauth_verifier be in the same place than other oauth_ parameters?
1. Yes, a consumer may send some parameters in a header and others in the body.

2. Yes, oauth_verifier is signed; that is, it's included in the Signature Base String.

It sounds like the Ruby/Rails software needs work.

On Oct 21, 1:31 am, Florent florentvauce...@gmail.com wrote:
> 1. Can the consumer send oauth parameters from various places (I understand oauth parameter as being part of the signature)?
>
> 2. Is the oauth_verifier parameter, sent to the provider when requesting an access token, a parameter part of the signature, or just a request parameter?
>
> My understanding is that oauth_verifier is a regular oauth parameter, so it's part of the signature, and that all signature should be included in a single place. He tells me that the library he uses (a .net lib) works well with Twitter and Google amongst others. But it won't work with the one I use (Ruby OAuth + Rails OAuth plugin).
[oauth] Re: new to oauth
SimpleOAuthValidator checks nonces, but not very well. See the javadoc for details. For a scalable service provider, you need a database to store nonces that have been used recently.

On Oct 21, 11:51 pm, Anuradha Thota anuradha.th...@gmail.com wrote:
> I need to check the nonce value to see if the incoming request is a valid (unique) one or not.
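The nonce check described above, as an added example that is not SimpleOAuthValidator or any other code from the net.oauth library: a replay store keyed by consumer key, token and nonce, with a timestamp window that bounds how long a nonce must be remembered. The in-memory dict stands in for the database a scalable service provider would use; the window size and the injectable clock are this example's own choices.

```python
import time
from typing import Dict, Optional, Tuple

# Added example, not the net.oauth SimpleOAuthValidator: a replay check a
# service provider can back with a database instead of this in-memory dict.


class NonceStore:
    """Refuses requests whose timestamp lies outside the window, and requests
    that repeat a nonce already seen from the same consumer and token. Only
    nonces inside the window need to be remembered: an older timestamp would
    be refused anyway, so older nonces can be forgotten."""

    def __init__(self, window_seconds: int = 300, now=time.time):
        self.window = window_seconds
        self.now = now  # injectable clock, so the check is testable
        self._seen: Dict[Tuple[str, str, str], int] = {}

    def check(self, consumer_key: str, token: Optional[str],
              nonce: str, timestamp: str) -> Optional[str]:
        """Return None when the request is fresh, otherwise the oauth_problem
        value (from the Problem Reporting extension) to send back."""
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "timestamp_refused"
        now = int(self.now())
        if abs(now - ts) > self.window:
            return "timestamp_refused"
        self._prune(now)
        key = (consumer_key, token or "", nonce)
        if key in self._seen:
            return "nonce_used"
        self._seen[key] = ts
        return None

    def _prune(self, now: int) -> None:
        """Drop nonces whose timestamp could no longer pass the window check,
        so the store stays bounded by the request rate times the window."""
        cutoff = now - self.window
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]


if __name__ == "__main__":
    store = NonceStore()
    ts = str(int(time.time()))
    print(store.check("ck", "tok", "n1", ts))  # None: first use
    print(store.check("ck", "tok", "n1", ts))  # nonce_used: replay
```

Check timestamp and nonce before the signature, as the Java implementation does, so a replayed or stale request is rejected without spending an HMAC on it.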
[oauth] Re: OAuth Server Libraries
There's a sample service provider source code in http://oauth.googlecode.com/svn/code/java/example/oauth-provider/ It has javadoc, but no other documentation. It's a Servlet application. It uses .jars whose source code is in http://oauth.googlecode.com/svn/code/java/core/provider/ and http://oauth.googlecode.com/svn/code/java/core/commons/ These are Maven modules, available from the repository http://oauth.googlecode.com/svn/code/maven

This code isn't changing fast. I don't know whether anyone has used it to implement a real service provider.

On Oct 26, 7:17 am, Hans Granqvist h...@granqvist.com wrote:
> Check out http://oauth.net/code
[oauth] Re: Question about Access Token
Authorization may depend on the user, as well as the consumer. For example, suppose the service provider has data for each user, and each user may access his own data but not other users' data. So, a consumer acting on behalf of User X may access the data for X but not Y; a consumer acting on behalf of user Y may access the data for Y but not X. The service provider knows a request comes from X or Y because the consumer sends the corresponding access token, either a token associated with user X or a token associated with user Y.

On Nov 2, 6:31 am, Melvin Carvalho melvincarva...@gmail.com wrote:
> I guess my question is: if the Service Provider already knows the Consumer is authorized to access a resource, why does it also need an Access Token?
[oauth] Re: Problem Reporting Extension: Duplicate OAuth Parameters
Would the addition of a new value help the consumer to resolve problems better? I think any new value should, as a rule. That is, let's not add values that don't help the consumer resolve problems.

In this case, an alternative is to send oauth_problem=parameter_rejected and oauth_parameters_rejected. http://oauth.pbworks.com/ProblemReporting
[oauth] Re: Problem Reporting Extension: Duplicate OAuth Parameters
Could consumer software recognize oauth_problem=parameter_duplicated, and react by sending another request without duplicate parameters, without bothering the user? That would be good for the user, and thus a good reason to add parameter_duplicated to the repertoire. But I wonder why the consumer wouldn't send a correct request (without duplicates) to begin with.

Regarding encoding, an example response body would be

oauth_problem=parameter_absent
&oauth_parameters_absent=oauth_token%26oauth_nonce

... but without the line break. The '&' that separates the absent parameter names is percent-encoded to %26 (like any parameter value). A consumer can parse this easily.

On Nov 6, 10:03 am, Paul Walker pjwal...@gmail.com wrote:
> Um, the consumer would resolve the problem by not sending duplicate parameters.
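As an added example (not code from this thread, and not the net.oauth library's own code), here is the encoding discussed above, written out for both sides: the service provider detects duplicated oauth_ parameters and reports them with the parameter_rejected value suggested in the previous reply, and the consumer decodes the doubly-encoded name list. The REQUIRED tuple and the sample request below are constructed for illustration; the '&' handling follows the Problem Reporting extension as quoted above.

```python
from urllib.parse import parse_qsl, quote

# Assumption for this example: the parameters a provider insists on for a signed request.
REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature",
            "oauth_timestamp", "oauth_nonce")


def pct_encode(value):
    # RFC 5849 section 3.6: leave only ALPHA, DIGIT, '-', '.', '_', '~' unencoded.
    return quote(value, safe="-._~")


def find_problem(params):
    """Provider side. `params` is the request's (name, value) pairs, in order,
    with duplicates preserved (parsing into a dict would silently hide them).
    Returns (oauth_problem, {list parameter: [names]}) or None."""
    names = [name for name, _ in params]
    duplicated = sorted({n for n in names if n.startswith("oauth_") and names.count(n) > 1})
    if duplicated:
        # No new problem code needed: reject the offending parameters by name.
        return "parameter_rejected", {"oauth_parameters_rejected": duplicated}
    absent = [n for n in REQUIRED if n not in names]
    if absent:
        return "parameter_absent", {"oauth_parameters_absent": absent}
    return None


def problem_body(problem, lists):
    """Provider side. The name list is joined with '&' and then percent-encoded
    like any other value, so the inner '&' becomes %26 while the outer '&'
    between parameters stays literal."""
    pairs = [("oauth_problem", problem)]
    pairs += [(name, "&".join(names)) for name, names in lists.items()]
    return "&".join("%s=%s" % (pct_encode(n), pct_encode(v)) for n, v in pairs)


def parse_problem_body(body):
    """Consumer side. parse_qsl splits on the literal '&' first and decodes
    second, so the encoded inner '&' stays inside the value. Returns (problem, lists)."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    problem = fields.pop("oauth_problem", None)
    lists = {}
    for name, value in fields.items():
        if name in ("oauth_parameters_absent", "oauth_parameters_rejected"):
            lists[name] = value.split("&") if value else []
        else:
            lists[name] = [value]
    return problem, lists


def retry_without_duplicates(params, rejected):
    """Consumer side: keep only the first occurrence of each rejected name,
    so the request can be resent without involving the user."""
    seen = set()
    kept = []
    for name, value in params:
        if name in rejected:
            if name in seen:
                continue
            seen.add(name)
        kept.append((name, value))
    return kept
```

The provider-side check deliberately works on an ordered list of pairs rather than a dict: most query-string parsers collapse duplicates, which is exactly the condition the provider is trying to detect.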
[oauth] Re: HTTPS + Plaintext Versus HTTP + HMAC-SHA1
SSL can provide data privacy (with encryption) and assure the user or consumer of the service provider's identity (with certificate-based server authentication). OAuth doesn't do any of this.

A mix of HTTP and HTTPS can be used. For example, one could use HTTPS for sending token secrets and sending the user's password to the service provider, and use HTTP for access to protected resources. Of course, the consumer and service provider must agree to these choices. Some service providers support both, leaving the choice up to their consumers.

Bear in mind that Twitter doesn't need very strong security, since it doesn't handle money or private information.

On Jan 30, 6:26 am, David King da...@1daylater.com wrote:
> Currently I'm using HMAC-SHA1 over HTTP and have been considering adding in SSL to my app, but am slightly confused as to what is more appropriate. Obviously I'll be losing a *lot* of speed with SSL, and from reading the specification I'm unclear whether it's actually necessary.
[oauth] Re: 2-legged OAuth -- why it's great, what it's missing
In theory, a service provider could handle a change of consumer credentials, and continue to accept access tokens that it issued to that consumer previously. But that seems dangerous. If the consumer credentials were revealed to an attacker, it seems likely that access tokens and secrets were also revealed.

I assume we're talking about http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html or something similar.

On Jan 30, 3:32 pm, John Joseph Bachir johnjosephbac...@gmail.com wrote:
> Second, here is what 2-legged OAuth is missing from the spirit of OAuth: In three-legged OAuth, the user can revoke the third-party's access to their resources at any time, if they stop trusting the third-party. In two-legged OAuth, if the service fears that their credentials have been compromised, they can change them, but -- if I'm not mistaken -- this results in all of the user tokens being invalidated as well, even though the compromised service creds wouldn't necessarily have resulted in access to the user creds or resources. In other words: users revoking their OAuth keys for a service does not have annoying side-effects, but a service changing its credentials DOES.
[oauth] Re: Keep Getting an Unauthorized Exception
Don't add an oauth_token parameter to params. OAuthClient.invoke will do that for you.

It's not necessary to set accessor.tokenSecret, if you set the accessToken and tokenSecret. In this case, accessor.tokenSecret should be the secret that the service provider sent with the access token.
[oauth] Re: 400 Bad Request?
The oauth_timestamp has no time zone; it's implicitly Universal Time (also known as GMT). But OAuth service providers usually require consumers' clocks to be fairly accurate.

You could try implementing your client to adapt to the server's clock. It could look at the Date in the HTTP response headers, or the oauth_acceptable_timestamps in the response body.

On Feb 21, 7:38 am, Mark mar...@gmail.com wrote:
> Hi Vinod, I don't understand this though - the PC requesting the oauth service is just a regular user - I can't expect them to have their timezone set to be the same as the server? The server is using eastern standard time. There must be some way around this issue, otherwise all oauth services would require their client clocks to also be in EST? For example, I can make my timezone anything and it still works with twitter oauth services - so is the twitter service just ignoring this timestamp restriction?
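An added example of the client-side adaptation suggested above (this is not code from the thread or from any OAuth library): the consumer keeps an estimate of the service provider's clock offset, learned from the Date response header or from the oauth_acceptable_timestamps range that the Problem Reporting extension sends with timestamp_refused, and generates oauth_timestamp from that estimate. The headers dict, the "min-max" parsing and the sample values are constructed for the example.

```python
import time
from datetime import timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl


def http_date_to_epoch(date_header):
    """Turn an HTTP Date header (always expressed in GMT) into a Unix timestamp."""
    parsed = parsedate_to_datetime(date_header)
    if parsed.tzinfo is None:           # defensive: treat a zone-less date as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


class OAuthClock:
    """Keeps an estimate of (service provider clock - local clock) so that
    oauth_timestamp is generated in the provider's time. Time zones never enter
    into it: a Unix timestamp is seconds since the epoch in UTC on both sides."""

    def __init__(self):
        self.offset = 0  # seconds to add to the local clock

    def oauth_timestamp(self, now=None):
        now = time.time() if now is None else now
        return str(int(now + self.offset))

    def learn_from_response(self, headers, body, now=None):
        """Feed every response through here. Returns True when the estimate changed."""
        now = time.time() if now is None else now
        fields = dict(parse_qsl(body or "", keep_blank_values=True))
        before = self.offset
        window = fields.get("oauth_acceptable_timestamps")
        if fields.get("oauth_problem") == "timestamp_refused" and window:
            # Problem Reporting extension: "min-max", both in the provider's clock.
            # The middle of the window is the provider's best estimate of "now".
            lo, hi = (int(x) for x in window.split("-", 1))
            self.offset = (lo + hi) // 2 - int(now)
        elif "Date" in headers:
            # Any response at all carries the provider's clock in the Date header.
            self.offset = http_date_to_epoch(headers["Date"]) - int(now)
        return self.offset != before
```

Note that the offset only corrects for skew between two clocks that both count UTC seconds; it never needs to know the local or the server's time zone, which is the point of the reply above.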
[oauth] Re: Why must we change temporary credentials for token credentials?
Some service providers put information into the access token, such as the user identity, privileges granted etc. This can help performance and scalability.

On Mar 3, 11:42 pm, PK pengk...@gmail.com wrote:
> Can't the server just upgrade the temporary credentials to token credentials and retain the same key and secret? The client can then start doing authenticated calls right away after receiving the callback from the server stating that the temporary credentials have been upgraded.
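As an added illustration of the reply above (not code from the thread, and not how any particular provider or the net.oauth library does it), here is a self-contained access token whose value carries the user, the consumer it was issued to, the privileges and an expiry, protected by an HMAC so the provider can trust it without a database lookup. The token secret for HMAC-SHA1 signing is derived from the same key, so nothing about the token has to be stored at all. TOKEN_KEY, the payload fields and the scope names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumption: a MAC key held only by the service provider.
TOKEN_KEY = os.urandom(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(user_id, scopes, consumer_key, ttl=3600, key=TOKEN_KEY, now=None):
    """Mint an oauth_token whose value carries the grant itself: who authorized it,
    for which consumer, with which privileges, and until when."""
    now = time.time() if now is None else now
    payload = {"user": user_id, "consumer": consumer_key,
               "scopes": sorted(scopes), "exp": int(now + ttl)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    mac = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def derive_token_secret(token, key=TOKEN_KEY):
    """The token secret (the second half of the HMAC-SHA1 signing key) is derived
    from the token, so the provider stores neither the token nor its secret."""
    return _b64(hmac.new(key, b"secret:" + token.encode("ascii"), hashlib.sha256).digest())


def verify_access_token(token, key=TOKEN_KEY, now=None):
    """Return the payload if the MAC checks out and the token is unexpired, else None."""
    now = time.time() if now is None else now
    body, _, mac = token.partition(".")
    if not body or not mac:
        return None
    expected = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode("ascii"), mac.encode("utf-8")):
        return None  # tampered payload, or a MAC made with another key
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("exp", 0) < now:
        return None  # expired
    return payload


def authorize(token, consumer_key, scope, key=TOKEN_KEY, now=None):
    """Provider check for a protected-resource request: the token must be valid,
    issued to the consumer presenting it, and carry the requested privilege."""
    payload = verify_access_token(token, key=key, now=now)
    return bool(payload) and payload["consumer"] == consumer_key and scope in payload["scopes"]
```

The trade-off a practitioner should keep in mind: a stateless token like this cannot be revoked individually without reintroducing some server-side state (a deny list, or rotating TOKEN_KEY and invalidating every token at once), which is the same side-effect problem raised in the 2-legged OAuth thread above.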
[oauth] Re: Java OAuth Library and POST Requests Failing Validation
This might give you some helpful information:

    OAuthResponseMessage response = ...
    int responseCode = response.getHttpResponse().getStatusCode();
    if (responseCode != 200) {
        Map<String, Object> dump = response.getDump();
        System.out.println(dump.get(HttpMessage.REQUEST));
        System.out.println("---");
        System.out.println(dump.get(HttpMessage.RESPONSE));
        System.out.println("---");
    }

You can use http://oauth.googlecode.com/svn/code/javascript/example/signature.html to check the signature.

On Mar 5, 4:52 pm, thnguyen tsx...@gmail.com wrote:
> I'm using John Kristian's Java OAuth library and am running into a problem with POST requests. Signature validation is failing for POST requests containing querystring parameters. The requests contain Content-Type: application/xml with an XML payload. When I remove the querystring parameter from the request the signature validation succeeds. Does anyone have any insight on why signature validation fails when adding a querystring parameter? I've pasted my code to test the OAuth protected resource here: http://pastie.org/856701
[oauth] 2-legged OAuth spec
Where's the latest specification of two-legged OAuth? The last one I saw was http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html But I wonder if there's a newer one. At IETF, perhaps?
[oauth] Re: 400/401 Questions
You might find it helpful to add some diagnostic information to the response; for example http://oauth.pbworks.com/ProblemReporting
[oauth] Re: New OAuth java library
The net.oauth library works with LinkedIn. For example: http://bitbucket.org/jmkristian/testoauth/src/tip/src/main/java/net/oauth/example/consumer/LinkedIn.java

On Apr 6, 3:32 pm, Pablo Fernandez fernandezpabl...@gmail.com wrote:
> I've developed a new OAuth library for java that is ... the only one known to work out of the box with LinkedIn's implementation of OAuth.
[oauth] Re: Java API advice
The net.oauth library is the oldest. It's been used in Shindig, by LinkedIn and some other companies I'm aware of. It works with several HTTP clients: the Java standard HttpURLConnection, and Apache versions 3.x and 4.x.
[oauth] Re: oauth_callback parameter not sent to getsatisfaction
You can set the oauth_callback parameter dynamically, like this:

    OAuthServiceProvider provider = ... // not including oauth_callback
    String callbackURL = ...
    String authorizationURL = OAuth.addParameters(provider.userAuthorizationURL,
            OAuth.OAUTH_CALLBACK, callbackURL);
    // Next, direct the user's browser to the authorizationURL.

On Apr 24, 9:13 pm, vasya10 vasy...@gmail.com wrote:
> Unfortunately since my callback url is different at different entry points, I'm unable to set the oauth_callback url in the authorization url dynamically since OAuthService must be static. Is there an alternative to this issue?
[oauth] Re: Accepting patch for issue 156
Thank you for the patch. I'll review it this weekend. It's nice to hear you're getting some value from this software.

On May 5, 7:32 pm, Matt matt.la...@gmail.com wrote:
> I opened issue 156 a couple of weeks ago, including a patch to fix the problem. There hasn't been activity on the bug, so I'm not sure if anybody has looked at it. Is there a procedure I should follow to get my issue and patch reviewed, and hopefully accepted into the mainline OAuth Java library?
[oauth] Re: % character in OAuth request token
The OAuth spec doesn't require tokens to be URL-safe. It's nice if they are, but it's not required.

Tokens (and other parameters) from the service provider are percent encoded. See http://tools.ietf.org/html/rfc5849#section-2.1 and http://tools.ietf.org/html/rfc5849#section-2.3

Request parameters must also be percent encoded. See http://tools.ietf.org/html/rfc5849#section-3.5
[oauth] Re: SimpleGeo requests returning 401 Unauthorized
Several implementations of OAuth in Python already exist. It would probably help to use one, or at least look at its source code. For examples see http://oauth.net/code/

I'm not familiar with Python, but it looks like the code above fails to percent encode values in several places, and fails to include the oauth_ parameters in the signature base string (when computing the HMAC-SHA1 signature). I'm not sure whether the parameters are sorted correctly.

A GET request should not have a Content-Type header, I think. application/x-www-form-urlencode is misspelled; it should be urlencoded (with a 'd' at the end).
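The three mistakes listed in the reply above (values not percent-encoded, oauth_ parameters left out of the signature base string, parameters possibly unsorted) and the earlier Java thread about POST requests whose query-string parameters were not being signed all come down to RFC 5849 section 3.4: every query parameter, form-body parameter and oauth_ parameter except oauth_signature goes into one sorted, percent-encoded list. As an added example (not the poster's code, and not any existing library), here is that construction in Python, checked against the worked example in RFC 5849 section 3.4.1.1, plus the provider-side verification. The GET request and the secrets used in the verification round trip are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct_encode(value):
    # RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay as they are;
    # everything else becomes %XX with upper-case hex digits.
    return quote(value.encode("utf-8"), safe="-._~")


def base_string_uri(url):
    # Section 3.4.1.2: lower-case scheme and host, default port dropped, no query, no fragment.
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")


def collect_parameters(url, form_body, oauth_params):
    # Section 3.4.1.3: query parameters (also for POST), form-encoded body parameters,
    # and every oauth_ parameter except oauth_signature and realm.
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if form_body:
        params += parse_qsl(form_body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    return params


def normalize_parameters(params):
    # Encode first, then sort by encoded name and, for equal names, by encoded value.
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in params)
    return "&".join("%s=%s" % pair for pair in encoded)


def signature_base_string(method, url, form_body, oauth_params):
    params = collect_parameters(url, form_body, oauth_params)
    return "&".join((method.upper(), pct_encode(base_string_uri(url)),
                     pct_encode(normalize_parameters(params))))


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Section 3.4.2: the key is both secrets, each percent-encoded, joined by '&'.
    key = pct_encode(consumer_secret) + "&" + pct_encode(token_secret)
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, form_body, oauth_params, consumer_secret, token_secret=""):
    """Consumer side: returns the oauth_ parameters with oauth_signature added."""
    signed = dict(oauth_params)
    base = signature_base_string(method, url, form_body, oauth_params)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify_signature(method, url, form_body, received, consumer_secret, token_secret=""):
    """Provider side: recompute over the request as received; compare in constant time."""
    presented = received.get("oauth_signature", "")
    base = signature_base_string(method, url, form_body, received)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


# The request from RFC 5849 section 3.4.1.1 and the base string the RFC gives for it.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a", "realm": "Example"}
RFC_BASE_STRING = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
                   "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
                   "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
                   "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
                   "9d7dh3k39sjv7")
```

Two details worth noticing in the RFC example: the value "=%3D" arrives in the query already encoded once and is encoded again into the base string (b5%3D%253D%25253D), and the two a3 parameters are both kept and ordered by value. A body that is not application/x-www-form-urlencoded (the XML payload in the Java thread) is simply not part of the base string, but the query string of that same POST still is.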
[oauth] Re: Java Examples
I assume you used Maven to build a .war from http://oauth.googlecode.com/svn/code/java/example/oauth-provider

Perhaps you didn't deploy the .war to /OAuthProviderEKM. To check, direct your browser to http://localhost:8080/OAuthProviderEKM/ If the .war was deployed correctly, you'll see a page saying 'Check out readme file for more information.'

Perhaps you didn't include query string parameters in the request. AuthorizationServlet requires oauth_token and oauth_callback parameters; for example http://localhost:8080/OAuthProviderEKM/authorize?oauth_token=blahblahblah&oauth_callback=http... The oauth_token must have been returned from a recent request to http://localhost:8080/OAuthProviderEKM/request_token
[oauth] Re: Java library enhancement for OAuth 2.0 provider
Please don't make any changes that are incompatible with existing applications of the net.oauth library. Since OAuth 1 and OAuth 2 use conflicting terminology, I recommend creating a new package net.oauth.v2. For example, you can create the class net.oauth.v2.OAuthClient, with minimal confusion with the existing net.oauth.OAuthClient.

I haven't thought about it much, but I suspect it might be best to create an entirely new API for OAuth 2. I don't see much overlap with OAuth 1. What has been the experience of people who have implemented OAuth 2? Does a combined API make sense?
[oauth] Re: What's in an access token?
It's vendor specific.
[oauth] Re: Maven repo?
The only one I know is http://oauth.googlecode.com/svn/code/maven