[oauth] Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
Deep in another OpenID thread I suggested part of this idea, but I've expanded on that idea in my head and think it deserves its own thread besides to *get some feedback from you*. First the problems: - Email verification is a step many web sites have to take the user through in order to

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
One more benefit of this system: The RP has no idea who you are (unless you tell it by other means). It can push messages to the user by POSTing to an SP's URL that is the same for all users, and the SP only knows which user is the recipient by the OAuth token. Thus, the RP cannot correlate

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread George Fletcher
Comments inline... Andrew Arnott wrote: Deep in another OpenID thread I suggested part of this idea, but I've expanded on that idea in my head and think it deserves its own thread besides to *get some feedback from you*. First the problems: * Email verification is a step many web

[oauth] How should a token_secret be used when signing with RSA-SHA1?

2009-04-06 Thread Andrew Arnott
I have a working OAuth consumer against Google's SP when using HMAC-SHA1, but when I switch to RSA-SHA1, all requests still work until I request access to a protected resource using the access token. It's probably how I'm signing the message with the private key in the x509 certificate. I don't

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
That depends, Paul. Yes, it certainly means that multiple RPs can't correlate a user's activities. But if I visit the site once, establish a relationship and then terminate it by revoking my OAuth token, and then visit that site again and re-establish its ability to contact me, a new OAuth token

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
Hi Allen, Thanks. Incidentally, the grief I have with Facebook is that I have to visit Facebook in order to pick up my mail which may just be a poke or prod. *grumble* But yes, I'd like to see us provide a general solution. And my personal queuing SP of choice would likely be one that sends

[oauth] Re: How should a token_secret be used when signing with RSA-SHA1?

2009-04-06 Thread Eran Hammer-Lahav
Yep, not used. http://oauth.googlecode.com/svn/spec/core/unofficial/1.0ec/drafts/1/spec.html#anchor10 EHL On 4/6/09 8:02 PM, Andrew Arnott andrewarn...@gmail.com wrote: I have a working OAuth consumer against Google's SP when using HMAC-SHA1, but when I switch to RSA-SHA1, all requests still

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
True. This is a model I thought of a while back, when some credit cards started generating one-time-use credit card numbers for use when shopping online. I think this has a much higher chance of working for people, although it doesn't at all solve the problem of RPs needing to send the user

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Allen Tom
Currently, Google OpenID users can be exempted from email verification when the Google OP returns an @gmail.com address, because the Google OP will only return the @gmail.com address that is tied to the Google Account. If we generalize this, if the RP trusts the user's email provider to always

[oauth] Re: How should a token_secret be used when signing with RSA-SHA1?

2009-04-06 Thread Andrew Arnott
Thanks, Eran. Then obviously my first three requests are being signed correctly since Google is accepting them (and tampering with the signature causes Google to reject them), but when I actually try to pull the Gmail address book, which works when using HMAC-SHA1, I'm getting a 401 with only