Hi John,
I have a quick question about the Problem Reporting Extension regarding
the parameter_absent problem. The spec says that missing parameters
should be listed in the oauth_parameter_absent parameter, using to
separate multiple parameters.
Would it make more sense to use commas to
So how does this 3rd party server authenticate your widget? What's to
stop someone from reverse engineering the protocol and requesting your
CK/Secret?
We believe that it is impossible to safeguard any secrets embedded in
downloadable client applications. Someone with a debugger and some
to say it. - Voltaire
On Mon, Apr 6, 2009 at 8:42 PM, Allen Tom a...@yahoo-inc.com wrote:
Andrew Arnott wrote:
Thanks. Incidentally, the grief I have with Facebook is that I have
to visit Facebook in order to pick up my mail which may just
OpenID already has a standardized way to get the user's profile data
(name, avatar image, email address) via SREG/AX without having to write
any vendor-specific code. There's no equivalent to do this in OAuth,
although PoCo will eventually take care of this, once discovery is
implemented.
I
The HTTP Referer check won't work if the Consumer's domain is a social
networking site, and the attacker posted the authorization link to the
victim's wall.
Allen
Manger, James H wrote:
A (temporary) fix might be for Service Providers to check the HTTP
Referer request header when Users
Actually, I was going to go too, but I didn't RSVP.
Allen
Gilles Devaux wrote:
Do you plan to postpone it?
I did not realize I had to respond and was going to show up.
--Gilles
On Mon, Apr 27, 2009 at 11:32 PM, Chris Messina chris.mess...@gmail.com
wrote:
:(
Seems like 5 people
We either need an explicit string for the null callback, or we need to
increment the version number, because the SP needs a way to determine
which OAuth dialect the consumer is speaking as early on in the dance as
possible.
I believe that it's more pain than it's worth to increment the version
Hi Stephen,
Thanks for pointing this out. It might not be sufficient to deploy only
Framebusting JS on the approval screens, as the attacker can disable JS
for the iframe in IE by setting the security attribute to restricted
http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx
SPs
is no 100% solution.
Stephen Sclafani
On May 4, 4:15 pm, Allen Tom a...@yahoo-inc.com wrote:
Hi Stephen,
Thanks for pointing this out. It might not be sufficient to
deploy only
Framebusting JS on the approval screens
, which is actually noted in the OAuth spec, is that by
conditioning users to enter their credentials each time they are
redirected from a Consumer site you run the risk of increasing the
potential of phishing attacks. Something to consider.
Stephen Sclafani
On May 6, 12:45 am, Allen Tom
Does the OpenID Hybrid Protocol need to be amended to mention that
Hybrid should not use auto-approval for OAuth tokens?
Allen
Brian Eaton wrote:
Automatic Repeat Approvals
Some service providers may wish to automatically approve OAuth access
requests from consumers who the user has
Hi James,
Yahoo has been researching ways to improve the redirect UX for both
OAuth and OpenID, and we've found that the popup UX is a pretty big
improvement, with a much higher success rate compared to the redirect UX.
Descriptions and screenshots are here:
James Wanga wrote:
What Yahoo has
done works well for the web but it does not address mobile and
browserless device use cases.
Using OAuth with browserless devices is challenging, and perhaps it's
more realistic to provide an API that allows the device to exchange the
username/password for
Hi Blaine,
The auth experience for the Flickr iPhone app is exactly the right way
to do things. No one would be happier than me if all mobile apps used an
Auth UX like the Flickr iPhone app.
Unfortunately, we have business partners which explicitly are writing
into their contracts that they
Sunir Shah wrote:
I have a stupid question.
This is a great question.
When I hit the authorization page, Flickr
claims it is a trusted Yahoo! application. How does Flickr know that?
Is it relying on the consumer key and secret? My impression is that
those could be compromised in a
Adam Venturella wrote:
My understanding is that you do not want to even prompt the user for
their username and password. Effectively you want to set up, as
mentioned before, valet credential system. It's not the real key,
just enough to make the car go.
Have you looked into
beckett wrote:
But if you just use PLAINTEXT you as Yahoo! Contacts have absolutely
no idea if it's REALLY PLAXO at the other end. It is trivial for any
site to get user to give up data. In which case you might as well not
use OAUTH and just make your data publicly available period. So I
Yes, I agree, the wording could be rephrased to indicate that the
Consumer's credentials (the consumer secret) as well as the user's
credentials (the Access Token and access token secret) are not protected
when using PLAINTEXT without HTTPS.
Allen
beckett wrote:
Also, I wonder if in the
Pelle Braendgaard wrote:
It just happens
that due to Yahoo probably being the oldest company involved in the
process, it is having the hardest time dealing with the concept of
open.
Hi Pelle,
Just to reiterate Eran's followup, Yahoo has been engaged in OAuth from
nearly the beginning.
Hi Robert,
The text in the Yahoo documentation is not factually correct - however
it doesn't really matter for client developers who are calling our OAuth
protected services.
We currently do not allow developers to change the scopes for their
consumer keys after we've issued them. The slang
On Thu, Oct 15, 2009 at 3:17 PM, Allen Tom a...@yahoo-inc.com wrote:
Robert Winch wrote:
I would like to leverage OAuth without having to hit a database to
validate each request. In addition, I would like to avoid using public
keys
since the performance is slower and distribution
This would make sense for the case where a rich client application
voluntarily exchanges the username/password for a persistent token
credential.
Allen
John Panzer wrote:
A feature I'd also like to have as a consumer is the reverse operation
- starting with a broad scope for initial setup,
Hi Robert,
This is actually a very good question. One possible approach would be
for the Consumer to obtain a 2 legged Access Token by submitting its
Consumer Key and Secret (or signature) to the SP's authentication
service. The auth service will return a 2 legged access token (and
access token
to remove the restriction on the access token?
Thanks in advance,
Rob
On Sun, Nov 1, 2009 at 11:34 PM, Allen Tom a...@yahoo-inc.com wrote:
Hi Robert,
This is actually a very good question. One possible approach would be for the
Consumer to obtain a 2 legged Access Token by submitting its Consumer
If you just want to authenticate Google users and get their name and email
address, then you should consider using OpenID
http://code.google.com/apis/accounts/docs/OpenID.html
Allen
On 12/3/09 3:24 PM, File4Share cahit.eyigu...@gmail.com wrote:
How could i get the logged user info on google
Hi there -
Unfortunately, none of the Yahoo Social APIs support HTTPS. Try again using
HTTP. Did you see HTTPS referenced anywhere in the docs? The Yahoo Contacts
API is documented here:
http://developer.yahoo.com/social/rest_api_guide/contact_api.html
With regards to accessing Yahoo OAuth
This is one of the reasons why we simplified signatures in WRAP. Yahoo and
other Service Providers have architectures where incoming requests are
proxied and forwarded; the public-facing hostname and even the path that's
exposed to the consumer can be very different than the origin server ends up
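Two points in this thread, beckett's and Allen's exchange about PLAINTEXT without HTTPS above, and the proxied-request problem just described, come down to what goes into the OAuth 1.0 signature. The Python below is an added example written for this page, not code from the thread or from Yahoo's or any other Service Provider's implementation. It builds the Signature Base String per OAuth 1.0, signs it with HMAC-SHA1 and with PLAINTEXT, and then checks two things: that a PLAINTEXT signature is literally the consumer secret and token secret concatenated (so without TLS both are readable on the wire), and that an origin server behind a proxy cannot verify an HMAC-SHA1 signature using the internal URL it received, only the public URL the Consumer actually signed. All hostnames, keys, secrets and parameter values are constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def percent_encode(value: str) -> str:
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved chars stay bare."""
    return quote(value, safe="-._~")


def base_url(url: str) -> str:
    """Normalise a request URL as OAuth 1.0 requires: lowercase scheme and
    host, drop query/fragment, drop the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded(base URL) & encoded(sorted params), oauth_signature excluded."""
    pairs = sorted(
        (percent_encode(k), percent_encode(v))
        for k, v in params.items()
        if k != "oauth_signature"
    )
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url(url)), percent_encode(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Key for both signature methods; token_secret is empty for a 2-legged request."""
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def sign_plaintext(consumer_secret: str, token_secret: str = "") -> str:
    # PLAINTEXT sends the signing key itself as the signature: the secrets travel verbatim.
    return signing_key(consumer_secret, token_secret)


def sign_hmac_sha1(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    key = signing_key(consumer_secret, token_secret).encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify_hmac_sha1(method: str, url_seen_by_sp: str, params: dict, consumer_secret: str, token_secret: str = "") -> bool:
    expected = sign_hmac_sha1(method, url_seen_by_sp, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


# Constructed sample values (hypothetical hosts and credentials, not real ones).
CONSUMER_SECRET = "consumer-secret-xyz"
TOKEN_SECRET = "token-secret-123"
PUBLIC_URL = "http://social.example-sp.com/v1/user/abc/contacts"      # URL the Consumer signed
INTERNAL_URL = "http://contacts-origin-07.internal:8080/v1/user/abc/contacts"  # URL the origin sees
PARAMS = {
    "oauth_consumer_key": "consumer-key-abc",
    "oauth_token": "token-abc",
    "oauth_nonce": "4f9d1c2e",
    "oauth_timestamp": "1266800000",
    "oauth_version": "1.0",
    "format": "json",
}


def plaintext_request_leaks_secrets() -> bool:
    """True: a PLAINTEXT signature contains both secrets in the clear."""
    sig = sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET)
    return CONSUMER_SECRET in sig and TOKEN_SECRET in sig


def hmac_request_hides_secrets() -> bool:
    """True: an HMAC-SHA1 signature reveals neither secret."""
    sig = sign_hmac_sha1("GET", PUBLIC_URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return CONSUMER_SECRET not in sig and TOKEN_SECRET not in sig


def proxied_verification(reconstruct_public_url: bool) -> bool:
    """Verify a request signed against PUBLIC_URL at an origin that received it on
    INTERNAL_URL. Unless the SP rebuilds the public URL (e.g. from the proxy's
    forwarded-host header, an assumption about the deployment), the base
    strings differ and verification fails."""
    params = dict(PARAMS, oauth_signature_method="HMAC-SHA1")
    params["oauth_signature"] = sign_hmac_sha1("GET", PUBLIC_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    url = PUBLIC_URL if reconstruct_public_url else INTERNAL_URL
    return verify_hmac_sha1("GET", url, params, CONSUMER_SECRET, TOKEN_SECRET)


if __name__ == "__main__":
    print("PLAINTEXT signature:", sign_plaintext(CONSUMER_SECRET, TOKEN_SECRET))
    print("HMAC-SHA1 verifies with public URL:", proxied_verification(True))
    print("HMAC-SHA1 verifies with internal URL:", proxied_verification(False))
```

The first printed line is the whole point of beckett's objection: with PLAINTEXT and no HTTPS, anyone on the path reads both secrets directly out of the Authorization header. The last two lines show why a proxied SP has to reconstruct the externally visible URL before checking an HMAC-SHA1 signature, which is the deployment headache Allen describes.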
Perhaps a Googler can jump in on this. Google allows OAuth apps to use
"anonymous" as their consumer key, with "anonymous" as their consumer
secret. These apps do not need to pre-register for a consumer key.
See bullet point #2 in Google's OAuth docs regarding the "anonymous"
consumer key:
need to create consumer key/secret for each request or
the token only?
What do you think?
Regards,
Matus
On Feb 22, 2:50 am, Allen Tom a...@yahoo-inc.com wrote:
Perhaps a Googler can jump in on this. Google allows OAuth apps to use
"anonymous" as their consumer key, with "anonymous