Our OAuth-based sign-in and API-using service is up: https://tools.povo.com/Profile/Signin/

Noticed another thing - Twitter isn't sending screen_name on the redirect anymore.

On Apr 24, 1:33 pm, djMax <[email protected]> wrote:
> This is a nifty idea. I assume it's going to break when the user has to do something other than click "Allow", right? e.g. login...
>
> On Apr 24, 10:47 am, Shannon Whitley <[email protected]> wrote:
> > Thanks for all your hard work, Matt.
> >
> > In one of my solutions, I am getting around the absence of the oauth_callback by using the referrer. I know referrer is unreliable, but I'm going with it for now. When the call comes back from the authorize page, the referrer still contains the information that I sent in the oauth_callback.
> >
> > Additionally, if we need to set up dummy applications for testing, I'd like to request that localhost and ports be allowed on the registration page in the callback field.
> >
> > On Apr 23, 1:41 pm, Matt Sanford <[email protected]> wrote:
> > > Hi Everybody! (Dr. Nick voice)
> > >
> > > OAuth is once again live, and as described below the oauth_callback has been disabled. I've begun testing the replacement options for oauth_callback and will hopefully get something out soon to replace it. In the meantime successful authorization or authentication will send the user to your pre-registered callback URL.
> > >
> > > Thanks;
> > > – Matt Sanford / @mzsanford
> > > Twitter API Developer
> > >
> > > On Apr 23, 2009, at 07:59 AM, Matt Sanford wrote:
> > > > Hi all,
> > > >
> > > > We had to wait for the midnight deadline before giving too many details because we're taking a slightly more active approach. The code for these changes was scheduled to go out yesterday but there was a problem with some unrelated changes and the whole thing was rolled back. I'm hoping to get it out early today as an emergency deploy.
> > > >
> > > > If anyone has missed it, Eran posted a good explanation [1] for people not digging the security advisory wording.
> > > >
> > > > While I'm still working to get the changes out here is what you can expect:
> > > >
> > > > 1. The lifetime of a Request Token is now much, much shorter. This new time limit should be long enough for a person to complete the flow, but short enough that it cuts off attacks.
> > > > » Note this is for request tokens, not access tokens.
> > > >
> > > > 2. For the time being the oauth_callback parameter will be disabled for both authentication and authorization. The user will be sent to the application callback in both cases.
> > > > » I'm working with the other OAuth implementers on a way to bring it back, and Eran mentions it a bit at the end of his post [1]. We want to make sure it works correctly before launching it so you don't end up spending time to implement something we then have to turn off.
> > > >
> > > > As for questions about the severity of Twitter's initial response I think you'll find Yahoo! [2] has done the same. From the OAuth response mails I can assure you there were others as well but since they have no public mention of it I'll let them go unmolested. It wasn't just Twitter, that was just the only place you were looking :)
> > > >
> > > > Thanks;
> > > > — Matt Sanford, "of Alex and Doug fame"
> > > >
> > > > [1] http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-ses...
> > > > [2] http://developer.yahoo.net/blog/archives/2009/04/oauth_update.html
> > > >
> > > > On Apr 23, 2009, at 06:25 AM, mikehar wrote:
> > > > > Totally agree with Pierre. I think we all understand the security issue. Why was twitter's approach so much more severe than other services? Why not just a warning on login? Can Doug or Alex shed some light on this?
> > > > >
> > > > > wrt the ETA, can we get an update? One blog post said yesterday, the posting on this site says today.
> > > > >
> > > > > Also, I'm a little taken aback by the "it's beta" rationalization for the massive disruption in service. It's one thing to mark it as public beta, it's another thing entirely to define 'beta' belatedly as "not suitable for production use". Does that mean we get an SLA on the non-beta APIs?
> > > > >
> > > > > On Apr 23, 1:44 am, twitscoop <[email protected]> wrote:
> > > > > > Hi guys, is there an ETA for it to be restored? It seems OAuth's recommended approach is to simply add a warning notice on authorization until this is fixed (this is what Google did). Anyways, even with this security flaw, OAuth is safer than providing twitter credentials to third parties...
> > > > > >
> > > > > > Thanks!
> > > > > > Pierre
> > > > > >
> > > > > > On Apr 23, 7:30 am, Doug Williams <[email protected]> wrote:
> > > > > > > Bill,
> > > > > > > The majority of our developers find OAuth sufficient because they are writing Web applications. We are pleased that the deprecation of the source parameter lowered our support load and continues to drive adoption of our preferred authentication scheme.
> > > > > > >
> > > > > > > There are of course other cases where developers find the current implementation's beta status or browser requirement concerning. I have yet to reject a source parameter request that provides a valid argument explaining why OAuth does not meet the application's needs.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Doug Williams
> > > > > > > Twitter API Support
> > > > > > > http://twitter.com/dougw
> > > > > > >
> > > > > > > On Wed, Apr 22, 2009 at 6:50 PM, Bill Robertson <[email protected]> wrote:
> > > > > > > > I respectfully disagree. (I would colorfully disagree, but you seem pretty beat up right now and you don't deserve any guff.) I think developers of smaller apps see that little tag-line as a good source of advertising, and it seems inaccessible now if you're new (right? wrong?). You can only get it if you use OAuth, but OAuth is now disabled?
> > > > > > > >
> > > > > > > > Anyway, just my $0.02. Prioritize it like everything else you need to do (i.e. it's the 37th #1 thing on your list.)
> > > > > > > >
> > > > > > > > Good luck.
> > > > > > > >
> > > > > > > > On Apr 22, 7:58 pm, Alex Payne <[email protected]> wrote:
> > > > > > > > > We don't consider source registration a "key feature". It's an incentive we provide to our developers. We wanted to encourage new developers to look into OAuth. It won't be in beta forever, after all.
> > > > > > > > >
> > > > > > > > > We have to balance the reality of testing a new technology in our stack with encouraging that technology's adoption. OAuth will provide the Twitter developer community with a number of benefits, and that's the direction in which we want to move, even while there are kinks to work out.
> > > > > > > > >
> > > > > > > > > On Wed, Apr 22, 2009 at 15:37, bwannon <[email protected]> wrote:
> > > > > > > > > > If beta for you guys means "still in testing, not suitable for production use", then why deprecate key features from basic auth like source registration before you have a production-ready release?
> > > > > > > > > >
> > > > > > > > > > On Apr 22, 3:27 pm, Alex Payne <[email protected]> wrote:
> > > > > > > > > > > http://blog.twitter.com/2009/04/whats-deal-with-oauth.html
> > > > > > > > > > >
> > > > > > > > > > > In short: there's a security issue with OAuth, and the major OAuth providers are working together to patch the vulnerability before information about the issue is publicly released. That information will be available at http://oauth.net/ at midnight, PST.
> > > > > > > > > > >
> > > > > > > > > > > In cooperation with this consortium of other OAuth providers (including Yahoo!, Google, Netflix, etc.), we agreed not to disclose the nature of the vulnerability, nor even that a vulnerability existed, until all members of the group agreed to do so. I apologize for what must have seemed unnecessarily tight-lipped communication around this issue, but please understand that we and the other companies involved are trying to mitigate the impact of this vulnerability as much as possible.
> > > > > > > > > > >
> > > > > > > > > > > Please also note that our OAuth support is in beta, albeit public beta. We have not suggested to developers that they rely solely on OAuth until our support of the standard leaves beta. I know that some companies practice a policy of "perpetual beta", but at Twitter, we do not. For us, "beta" really means "still in testing, not suitable for production use".
> > > > > > > > > > >
> > > > > > > > > > > Thanks for your patience and understanding.
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Alex Payne - API Lead, Twitter, Inc.
> > > > > > > > > > > http://twitter.com/al3x
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Alex Payne - API Lead, Twitter, Inc.
> > > > > > > > > http://twitter.com/al3x
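The two provider-side changes Matt Sanford lists in the thread (a much shorter request-token lifetime, and sending the user to the pre-registered callback no matter what oauth_callback the browser carries) modeled in a small OAuth 1.0 provider. This is an added example written for this page; it is not Twitter's code and not from anyone on the thread. The consumer key, the callback URLs, the attacker URL and the 120-second lifetime are assumed values, and the scenario is constructed rather than captured traffic. The thread says these were interim measures and that a replacement for oauth_callback was still being worked out, so the example shows only what the two measures do: a request token presented after its lifetime is refused, an unauthorized token cannot be exchanged, and the post-authorization redirect never goes where an oauth_callback parameter points.

```python
"""Model of two interim OAuth 1.0 provider changes: short request-token lifetime
and a fixed, pre-registered callback. Added example; not Twitter's code.
Consumer key, URLs and the 120 s TTL are assumed values."""

import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed registry: consumer key -> callback URL registered with the provider.
REGISTERED_CALLBACKS: Dict[str, str] = {
    "acme-consumer": "https://acme.example/oauth/callback",
}

REQUEST_TOKEN_TTL = 120.0  # seconds; assumed figure for the "much, much shorter" lifetime


@dataclass
class RequestToken:
    token: str
    consumer_key: str
    issued_at: float
    authorized_by: Optional[str] = None  # user who clicked "Allow", if anyone


class Provider:
    """Request token -> user authorization -> access token, with expiry enforced."""

    def __init__(self, ttl: float = REQUEST_TOKEN_TTL,
                 clock: Callable[[], float] = time.time):
        self.ttl = ttl
        self.clock = clock  # injectable so the lifetime check can be exercised offline
        self._request_tokens: Dict[str, RequestToken] = {}
        self._access_tokens: Dict[str, str] = {}

    def issue_request_token(self, consumer_key: str) -> str:
        """Step 1: consumer obtains a request token (no oauth_callback accepted)."""
        if consumer_key not in REGISTERED_CALLBACKS:
            raise PermissionError("unknown consumer")
        token = secrets.token_urlsafe(16)
        self._request_tokens[token] = RequestToken(token, consumer_key, self.clock())
        return token

    def _live_token(self, token: str) -> Optional[RequestToken]:
        """Return the token if it exists and is inside its lifetime; purge it otherwise."""
        rt = self._request_tokens.get(token)
        if rt is None:
            return None
        if self.clock() - rt.issued_at > self.ttl:
            del self._request_tokens[token]
            return None
        return rt

    def authorize(self, token: str, user: str, oauth_callback: Optional[str] = None) -> str:
        """Step 2: user clicks "Allow". Returns the redirect target. Any oauth_callback
        the browser brought along is ignored; the user goes to the registered callback."""
        rt = self._live_token(token)
        if rt is None:
            raise PermissionError("request token expired or unknown")
        rt.authorized_by = user
        return f"{REGISTERED_CALLBACKS[rt.consumer_key]}?oauth_token={token}"

    def exchange(self, consumer_key: str, token: str) -> str:
        """Step 3: consumer swaps an authorized, still-live request token for an access token."""
        rt = self._live_token(token)
        if rt is None or rt.consumer_key != consumer_key or rt.authorized_by is None:
            raise PermissionError("request token not exchangeable")
        del self._request_tokens[token]  # single use
        access = secrets.token_urlsafe(16)
        self._access_tokens[access] = rt.authorized_by
        return access

    def owner_of(self, access_token: str) -> Optional[str]:
        return self._access_tokens.get(access_token)


def run_scenarios(ttl: float = REQUEST_TOKEN_TTL) -> Dict[str, object]:
    """Constructed walk-through with a fake clock (not captured traffic)."""
    now = [1_000_000.0]
    provider = Provider(ttl=ttl, clock=lambda: now[0])

    # Normal flow inside the lifetime; an attacker-supplied oauth_callback is ignored.
    t1 = provider.issue_request_token("acme-consumer")
    now[0] += 30
    redirect = provider.authorize(t1, "victim", oauth_callback="https://attacker.example/catch")
    access = provider.exchange("acme-consumer", t1)

    # A token obtained early and presented to the user after the TTL is refused.
    t2 = provider.issue_request_token("acme-consumer")
    now[0] += ttl + 1
    try:
        provider.authorize(t2, "victim")
        stale_refused = False
    except PermissionError:
        stale_refused = True

    # A live but unauthorized token cannot be exchanged.
    t3 = provider.issue_request_token("acme-consumer")
    try:
        provider.exchange("acme-consumer", t3)
        unauthorized_refused = False
    except PermissionError:
        unauthorized_refused = True

    return {
        "redirect_host": redirect.split("/")[2],
        "access_owner": provider.owner_of(access),
        "stale_refused": stale_refused,
        "unauthorized_refused": unauthorized_refused,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The clock is injected so the lifetime check can be driven deterministically; in a real provider the same check belongs in both the authorize and exchange steps, as here, since the thread's point is that the request token, not the access token, is what gets the short lifetime.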
