[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-16 Thread janole
Hi Raffi,

I've sent an e-mail to a...@twitter.com requesting permission to use
xAuth in my S60 Twitter Client Gravity. Just curious whether there's any
ETA for granting access to xAuth and/or providing documentation.

Many thanks in advance,
Ole

--
Jan Ole Suhr
s...@mobileways.de
On Twitter: http://twitter.com/janole


On 12 Feb., 16:16, Raffi Krikorian ra...@twitter.com wrote:
 what i would do (with that caveat that i'm speaking as myself and not
 necessarily as a twitter employee ;P):

 make a proxy that uses xauth - you could still ask for a username/password,
 use xauth to do the exchange with twitter, and then proxy the basic auth to
 oauth.   the caveat is that i stated that xauth will not be allowed for web
 applications, but i can think of a few creative ways around that.

 alternatively, assuming that your proxy can still see twitter.com (it is
 positioned somewhere where the DNS isn't poisoned), then there is nothing
 preventing that proxy from doing the oauth web workflow on behalf of the
 user.  definitely not kosher, and may not scale...

 On Fri, Feb 12, 2010 at 3:40 AM, yegle cnye...@gmail.com wrote:
  I read the WRAP draft. I have to say that it's much simpler than OAuth
  1.0a.
  It doesn't need too much modification to the twitter client to support an API
  proxy, if xAuth is widely available.

  Thank you all for your replies and concerns :-)

  On Feb 12, 7:04 pm, yegle cnye...@gmail.com wrote:
   Oh yes, I forgot that an HTTP proxy resolves the domain name on the server
   side :-)

   On Feb 12, 6:18 pm, Harshad RJ harshad...@gmail.com wrote:

    On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:
     Nope, it doesn't work :-(
     All DNS queries to twitter.com inside China are poisoned and all
     twitter's available IPs are blocked.

    Oh btw, I meant HTTPS proxies that sit outside the firewall.

    I assume that DNS queries for twitter.com would be run by the proxy server
    and not the client. (Tried to RTFM but still not very familiar with the
    protocol)

    --
    Harshad RJ
    http://hrj.wikidot.com

 --
 Raffi Krikorian
 Twitter Platform Team
 http://twitter.com/raffi


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-16 Thread Dewald Pretorius
 oauth.   the caveat is that i stated that xauth will not be allowed for web
 applications, but i can think of a few creative ways around that.

Raffi,

I assume that would be as a general rule for day-to-day operations of
web apps.

But, for web apps you are still going to allow the one-time bulk
conversion of existing users with xauth, correct?


Re: [twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-16 Thread Raffi Krikorian

 But, for web apps you are still going to allow the one-time bulk
 conversion of existing users with xauth, correct?


yes.

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-16 Thread Raffi Krikorian
understood, but, right now, not in the plan.  web apps will have to use the
standard oauth workflow.

On Tue, Feb 16, 2010 at 11:29 AM, Dewald Pretorius dpr...@gmail.com wrote:

 Actually, this whole Chinese user issue affects web apps as well.
 Because, with OAuth, any Chinese user (or any user whose company
 blocks Twitter.com) cannot use the web app or add the Twitter account
 to a web app that uses OAuth.

 So, web apps should have the option of offering their users the xauth
 path.

 On Feb 16, 3:24 pm, Dewald Pretorius dpr...@gmail.com wrote:
   oauth.   the caveat is that i stated that xauth will not be allowed for web
   applications, but i can think of a few creative ways around that.
 
  Raffi,
 
  I assume that would be as a general rule for day-to-day operations of
  web apps.
 
  But, for web apps you are still going to allow the one-time bulk
  conversion of existing users with xauth, correct?

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


Re: [twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-12 Thread Harshad RJ
On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:

 Nope, it doesn't work :-(
 All DNS queries to twitter.com inside China are poisoned and all
 twitter's available IPs are blocked.


Oh btw, I meant HTTPS proxies that sit outside the firewall.

I assume that DNS queries for twitter.com would be run by the proxy server
and not the client. (Tried to RTFM but still not very familiar with the
protocol)

-- 
Harshad RJ
http://hrj.wikidot.com


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-12 Thread yegle
There is no detailed information about xAuth right now, but the WRAP
specification does allow fetching an access token using a username/password,
which makes a proxy script possible. I think this is what xAuth is about: get an
access token using username/password and then do the rest using
OAuth.

I'm still waiting for the approval of my request to try xAuth; maybe I
can figure out how to do this when I can try xAuth myself :-)

On Feb 12, 5:40 pm, Jesse Stay jesses...@gmail.com wrote:
 On Fri, Feb 12, 2010 at 2:40 AM, Brian Smith br...@briansmith.org wrote:
  yegle wrote:

  Basically, an API proxy script works as a middleman between twitter and
  the twitter client, a little like a man-in-the-middle attack. It's possible to
  do this if the authentication is done with HTTP basic auth, but there is
  no way to do the same thing with OAuth. The base string of an OAuth
  request contains the domain of the HTTP request, so all client
  developers must modify their code if they want to suit the needs of an API
  proxy.

  This is really a disaster for all Chinese twitter users.

  Read Raffi's post from a few hours ago entitled What's up with OAuth?
  where he describes xAuth. Also, look at the OAuth WRAP draft specification,
  which defines something very similar to xAuth. In the (near) future,
  Twitter-approved applications will be able to get OAuth authorized with just
  the user's username and password, without forcing the user to visit the
  Twitter website. After they are authorized, they can proxy their requests
  like before. The proxies will undoubtedly need to be modified, but the
  modifications will not be too bad.

 Brian, I thought that was the case originally, but after reading his latest
 draft, I'm thinking the opposite may be the case.  I think xAuth requires
 all users to go through the Twitter website, but applications wanting to
 transfer authority to another application or website (via an API) will be
 able to make calls on behalf of those applications. In order for
 application-to-application transfer to occur though, I think users still
 have to go through the Twitter website to log in.  Then an application can
 take that user's token, pass it onto the other application, and the other
 application can get permission from Twitter to make calls on behalf of that
 user.  No usernames or passwords are passed in this method, if I understand
 it correctly.  Raffi, please correct me if I'm wrong.

 If that's not the case, there is still a major concern for phishing.  I'm
 not sure what the answer is here - it's China or phishing, tough decision.

 Jesse


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-12 Thread yegle
Oh yes, I forgot that an HTTP proxy resolves the domain name on the server
side :-)

On Feb 12, 6:18 pm, Harshad RJ harshad...@gmail.com wrote:
 On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:
  Nope, it doesn't work :-(
  All DNS queries to twitter.com inside China are poisoned and all
  twitter's available IPs are blocked.

 Oh btw, I meant HTTPS proxies that sit outside the firewall.

 I assume that DNS queries for twitter.com would be run by the proxy server
 and not the client. (Tried to RTFM but still not very familiar with the
 protocol)

 --
 Harshad RJ
 http://hrj.wikidot.com


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-12 Thread yegle
I read the WRAP draft. I have to say that it's much simpler than OAuth
1.0a.
It doesn't need too much modification to the twitter client to support an API
proxy, if xAuth is widely available.

Thank you all for your replies and concerns :-)


On Feb 12, 7:04 pm, yegle cnye...@gmail.com wrote:
 Oh yes, I forgot that an HTTP proxy resolves the domain name on the server
 side :-)

 On Feb 12, 6:18 pm, Harshad RJ harshad...@gmail.com wrote:
  On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:
   Nope, it doesn't work :-(
   All DNS queries to twitter.com inside China are poisoned and all
   twitter's available IPs are blocked.

  Oh btw, I meant HTTPS proxies that sit outside the firewall.

  I assume that DNS queries for twitter.com would be run by the proxy server
  and not the client. (Tried to RTFM but still not very familiar with the
  protocol)

  --
  Harshad RJ
  http://hrj.wikidot.com


Re: [twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-12 Thread Raffi Krikorian
what i would do (with that caveat that i'm speaking as myself and not
necessarily as a twitter employee ;P):

make a proxy that uses xauth - you could still ask for a username/password,
use xauth to do the exchange with twitter, and then proxy the basic auth to
oauth.   the caveat is that i stated that xauth will not be allowed for web
applications, but i can think of a few creative ways around that.

alternatively, assuming that your proxy can still see twitter.com (it is
positioned somewhere where the DNS isn't poisoned), then there is nothing
preventing that proxy from doing the oauth web workflow on behalf of the
user.  definitely not kosher, and may not scale...

On Fri, Feb 12, 2010 at 3:40 AM, yegle cnye...@gmail.com wrote:

 I read the WRAP draft. I have to say that it's much simpler than OAuth
 1.0a.
 It doesn't need too much modification to the twitter client to support an API
 proxy, if xAuth is widely available.

 Thank you all for your replies and concerns :-)


 On Feb 12, 7:04 pm, yegle cnye...@gmail.com wrote:
  Oh yes, I forgot that an HTTP proxy resolves the domain name on the server
  side :-)
 
  On Feb 12, 6:18 pm, Harshad RJ harshad...@gmail.com wrote:
   On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:
    Nope, it doesn't work :-(
    All DNS queries to twitter.com inside China are poisoned and all
    twitter's available IPs are blocked.

   Oh btw, I meant HTTPS proxies that sit outside the firewall.

   I assume that DNS queries for twitter.com would be run by the proxy server
   and not the client. (Tried to RTFM but still not very familiar with the
   protocol)

   --
   Harshad RJ
   http://hrj.wikidot.com

-- 
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-11 Thread yegle
Yes, but not all clients support HTTPS proxy, especially mobile
clients.

On Feb 12, 1:39 pm, Harshad RJ harshad...@gmail.com wrote:
 Wouldn't a regular HTTPS proxy be sufficient?

 On Fri, Feb 12, 2010 at 11:00 AM, yegle cnye...@gmail.com wrote:
  Hi all,
  This could be a long email.

  I read Raffi's post today; the original post is here:

 https://groups.google.com/group/twitter-development-talk/browse_threa...

  I think abandoning HTTP basic auth would be a disaster for all
  Chinese twitter users.

  The gov of China runs a big censorship system called GFW. Wikipedia
  gives more information about GFW here:
 http://en.wikipedia.org/wiki/Golden_Shield_Project

  GFW blocks many websites like facebook, twitter, youtube, plurk and
  so on. So how do Chinese users post tweets from a twitter client? We
  use a Twitter API proxy.

  A twitter API proxy is a simple script which redirects all POST and GET
  requests it receives to twitter.com. These scripts are written in PHP
  or Python, so they can be set up on a virtual host outside China or on
  GAE.

  Basically, an API proxy script works as a middleman between twitter and
  the twitter client, a little like a man-in-the-middle attack. It's possible to
  do this if the authentication is done with HTTP basic auth, but there is
  no way to do the same thing with OAuth. The base string of an OAuth
  request contains the domain of the HTTP request, so all client
  developers must modify their code if they want to suit the needs of an API
  proxy.

  This is really a disaster for all Chinese twitter users.

 --
 Harshad RJ
 http://hrj.wikidot.com
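The point yegle makes above (the OAuth signature base string binds the request to the host, so a host-rewriting API proxy breaks verification unless the client is changed to sign for the upstream host) can be shown concretely. The following is an added example, not code from the thread or from Twitter; it implements the OAuth 1.0a HMAC-SHA1 signing rules from RFC 5849 and a server-side verifier that recomputes the signature over the request as it actually arrived. The credentials, the proxy host `proxy.example.net`, and the `/1/statuses/update.json` path are constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """OAuth 1.0a percent-encoding: everything except unreserved characters is encoded."""
    return quote(str(value), safe="")


def normalized_url(url):
    """Scheme and host lowercased, default port dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    is_default = port is None or (scheme, port) in (("http", 80), ("https", 443))
    netloc = host if is_default else f"{host}:{port}"
    return f"{scheme}://{netloc}{parts.path}"


def signature_base_string(method, url, params):
    """METHOD & encoded(normalized URL) & encoded(sorted "k=v" parameter string)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalized_url(url)), pct(param_string)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def server_verify(method, received_url, params, consumer_secret, token_secret=""):
    """Server side: recompute the signature over the URL the request arrived at."""
    presented = params.get("oauth_signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign(method, received_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Constructed demo values; not real Twitter credentials or endpoints.
CONSUMER_SECRET = "demo-consumer-secret"
TOKEN_SECRET = "demo-token-secret"
UPSTREAM_HOST = "api.twitter.com"      # where the relay forwards to
PROXY_HOST = "proxy.example.net"       # hypothetical relay outside the firewall
PATH = "/1/statuses/update.json"


def client_request(signing_host, sending_host):
    """Sign for `signing_host`, send to `sending_host`. A stock client uses the same
    host for both; a proxy-aware client signs for upstream but sends to the proxy."""
    params = {
        "oauth_consumer_key": "demo-consumer-key",
        "oauth_token": "demo-access-token",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1265932800",
        "oauth_nonce": "demo-nonce",
        "oauth_version": "1.0",
        "status": "hello from behind the firewall",
    }
    signed_url = f"https://{signing_host}{PATH}"
    params["oauth_signature"] = sign("POST", signed_url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return f"https://{sending_host}{PATH}", params


def relay(url, params):
    """A plain API proxy: swaps the host and forwards the parameters untouched.
    It holds no secrets, so it cannot produce a fresh signature."""
    return f"https://{UPSTREAM_HOST}{urlsplit(url).path}", dict(params)


def demo():
    results = {}
    # 1. Direct: signed for and sent to the upstream host.
    url, params = client_request(UPSTREAM_HOST, UPSTREAM_HOST)
    results["direct"] = server_verify("POST", url, params, CONSUMER_SECRET, TOKEN_SECRET)
    # 2. Unmodified client pointed at the proxy: it signs for the proxy host,
    #    the relay rewrites the host, and the upstream server's base string differs.
    url, params = relay(*client_request(PROXY_HOST, PROXY_HOST))
    results["unmodified_client_via_proxy"] = server_verify("POST", url, params, CONSUMER_SECRET, TOKEN_SECRET)
    # 3. Proxy-aware client: signs for the upstream host while sending to the proxy.
    url, params = relay(*client_request(UPSTREAM_HOST, PROXY_HOST))
    results["proxy_aware_client_via_proxy"] = server_verify("POST", url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return results


if __name__ == "__main__":
    print(demo())
```

The verifier recomputes over the URL it received, which is the whole reason a transparent relay cannot work: the base string of case 2 says `proxy.example.net` on the client side and `api.twitter.com` on the server side. Case 3 is the client-side modification the thread describes, and it also shows why the relay gains nothing from seeing the traffic: without the consumer and token secrets it can forward signatures but not mint them.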


Re: [twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-11 Thread Harshad RJ
Made me realise that my app (tDash) should be using HTTPS for all API calls.
Just made a new release now.

Hoping that helps users behind a firewall.


On Fri, Feb 12, 2010 at 11:12 AM, yegle cnye...@gmail.com wrote:

 Yes, but not all clients support HTTPS proxy, especially mobile
 clients.

 On Feb 12, 1:39 pm, Harshad RJ harshad...@gmail.com wrote:
  Wouldn't a regular HTTPS proxy be sufficient?

-- 
Harshad RJ
http://hrj.wikidot.com


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-11 Thread yegle
Nope, it doesn't work :-(
All DNS queries to twitter.com inside China are poisoned and all
twitter's available IPs are blocked.

Anyway, HTTPS should be enabled or at least provide an option :-)

On Feb 12, 2:38 pm, Harshad RJ harshad...@gmail.com wrote:
 Made me realise that my app (tDash) should be using HTTPS for all API calls.
 Just made a new release now.

 Hoping that helps users behind a firewall.

 On Fri, Feb 12, 2010 at 11:12 AM, yegle cnye...@gmail.com wrote:
  Yes, but not all clients support HTTPS proxy, especially mobile
  clients.

  On Feb 12, 1:39 pm, Harshad RJ harshad...@gmail.com wrote:
   Wouldn't a regular HTTPS proxy be sufficient?

 --
 Harshad RJ
 http://hrj.wikidot.com


Re: [twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-11 Thread Harshad RJ
On Fri, Feb 12, 2010 at 12:17 PM, yegle cnye...@gmail.com wrote:

 Nope, it doesn't work :-(
 All DNS queries to twitter.com inside China are poisoned and all
 twitter's available IPs are blocked.

Ah, I hadn't implemented it for the OAuth authorization page. Just done.

(Sorry for the spam, list. Last mail on the topic)

-- 
Harshad RJ
http://hrj.wikidot.com


[twitter-dev] Re: OAuth:a disaster for Chinese twitter users

2010-02-11 Thread yegle
Hi Brian,
Thank you, I just noticed the new OAuth specification.
I'll read the specification first and see if there is any workaround
available :-)

On Feb 12, 5:40 pm, Brian Smith br...@briansmith.org wrote:
 yegle wrote:
  Basically, an API proxy script works as a middleman between twitter and
  the twitter client, a little like a man-in-the-middle attack. It's possible to
  do this if the authentication is done with HTTP basic auth, but there is
  no way to do the same thing with OAuth. The base string of an OAuth
  request contains the domain of the HTTP request, so all client
  developers must modify their code if they want to suit the needs of an API
  proxy.

  This is really a disaster for all Chinese twitter users.

 Read Raffi's post from a few hours ago entitled What's up with OAuth?
 where he describes xAuth. Also, look at the OAuth WRAP draft
 specification, which defines something very similar to xAuth. In the
 (near) future, Twitter-approved applications will be able to get OAuth
 authorized with just the user's username and password, without forcing
 the user to visit the Twitter website. After they are authorized, they
 can proxy their requests like before. The proxies will undoubtedly need
 to be modified, but the modifications will not be too bad.

 - Brian