Re: [twitter-dev] Transitioning from Basic Auth to OAuth Guide (need your help!)
Thanks for the tips, Andrew! Your suggestions to Apple on secret management seems like a great idea. We'll keep that on our radar. Taylor On Fri, Jun 25, 2010 at 2:57 PM, Andrew W. Donoho andrew.don...@gmail.comwrote: On Jun 25, 2010, at 15:42 , Taylor Singletary wrote: However, we'd love to collect together specific implementation stories of developers who've successfully made the transition and highlight them here. Taylor et. al., As someone with his own custom iPhone REST stack, I scaled the OAuth/xAuth wall. In my view, everyone made this transition seem much tougher than it really is. Here's my advice: 0) If you don't have a REST stack, git one! There are many out there. I started with one. (Very little of it remains in my apps but that is another matter. It got me started.) 1) Your http request tends to change in exactly one place -- setting your authorization header. Don't freak out about changing your code base. I added 3 methods to my stack: create a signature string, sign the signature string and create the OAuth header. I changed one method to sort and URL encode my parameters. In all, this is a pretty minimal change. I cribbed much of this from other open source implementations. 1a) Calculating a signature string is not as daunting as it looks. Some pseudo code would have helped. Twitter's recent documentation helped. 1b) Calculating HMAC-SHA1 signature is simple too. If you use the common crypto library (CDSA derived), it takes 6 lines. 1c) What wasn't too clear was how the xAuth process interacted with your tokens. (Yes, I knew they were missing. What wasn't apparent was that I had to leave the conjoining '' in the signature secret.) 2) The WWDC slides sum up most of the issues but leave out the supporting nitty gritty code. Finally, we all know that xAuth has a huge security hole -- the embedded consumer secret in the client app. I have a feature request into Apple to allow the passing of encrypted secrets to native applications through App Store binary code. I have also posted it to OpenRadar at this link: http://openradar.appspot.com/8109678. If members of this community agree that we need a solution to this problem, then please consider filing enhancement requests with Apple via bugreporter and reference my request. (If someone else has a similar request, I'll be happy to reference their request in my communications with Apple.) Anon, Andrew Andrew W. Donoho Donoho Design Group, L.L.C. a...@ddg.com, +1 (512) 750-7596 We did not come to fear the future. We came here to shape it. -- President Barack Obama, Sept. 2009
[twitter-dev] Transitioning from Basic Auth to OAuth Guide (need your help!)
Hi Everyone, We've started putting together a document that goes through many of the things developers need to know about transitioning from Basic Auth to OAuth (as opposed to coming to OAuth without having the history of basic auth behind them). You can find this guide here: http://bit.ly/anYWSC We're not done yet, and we'd love to hear your suggestions on additions that could be made to this document, especially if you've made the conversion yourself and learned some hard lessons along the way. The document does not go into any specific code implementations, as the conversion process is very dependent on the particularities of the programming languages, libraries, and coding styles that pre-exist for the developer. However, we'd love to collect together specific implementation stories of developers who've successfully made the transition and highlight them here. Do you have something you'd like to add? Respond to this thread! Thanks everyone, Taylor Singletary http://twitter.com/episod
Re: [twitter-dev] Transitioning from Basic Auth to OAuth Guide (need your help!)
On Jun 25, 2010, at 15:42 , Taylor Singletary wrote: However, we'd love to collect together specific implementation stories of developers who've successfully made the transition and highlight them here. Taylor et. al., As someone with his own custom iPhone REST stack, I scaled the OAuth/xAuth wall. In my view, everyone made this transition seem much tougher than it really is. Here's my advice: 0) If you don't have a REST stack, git one! There are many out there. I started with one. (Very little of it remains in my apps but that is another matter. It got me started.) 1) Your http request tends to change in exactly one place -- setting your authorization header. Don't freak out about changing your code base. I added 3 methods to my stack: create a signature string, sign the signature string and create the OAuth header. I changed one method to sort and URL encode my parameters. In all, this is a pretty minimal change. I cribbed much of this from other open source implementations. 1a) Calculating a signature string is not as daunting as it looks. Some pseudo code would have helped. Twitter's recent documentation helped. 1b) Calculating HMAC-SHA1 signature is simple too. If you use the common crypto library (CDSA derived), it takes 6 lines. 1c) What wasn't too clear was how the xAuth process interacted with your tokens. (Yes, I knew they were missing. What wasn't apparent was that I had to leave the conjoining '' in the signature secret.) 2) The WWDC slides sum up most of the issues but leave out the supporting nitty gritty code. Finally, we all know that xAuth has a huge security hole -- the embedded consumer secret in the client app. I have a feature request into Apple to allow the passing of encrypted secrets to native applications through App Store binary code. I have also posted it to OpenRadar at this link: http://openradar.appspot.com/8109678. If members of this community agree that we need a solution to this problem, then please consider filing enhancement requests with Apple via bugreporter and reference my request. (If someone else has a similar request, I'll be happy to reference their request in my communications with Apple.) Anon, Andrew Andrew W. Donoho Donoho Design Group, L.L.C. a...@ddg.com, +1 (512) 750-7596 We did not come to fear the future. We came here to shape it. -- President Barack Obama, Sept. 2009
