Chris,

I too thought that one should call verify credentials with OAuth. How
are you suggesting we verify that the token is still active, another
call to oauth_authenticate/authorize?

Thanks

-Bob

On Thu, Aug 6, 2009 at 7:51 AM, Chris Babcock <cbabc...@kolonelpanic.org> wrote:
>
>
>
> On Aug 5, 10:15 pm, Jesse Stay <jesses...@gmail.com> wrote:
>> On Wed, Aug 5, 2009 at 3:04 AM, Chris Babcock 
>> <cbabc...@kolonelpanic.com>wrote:
>>
>>
>>
>> > I would strongly recommend OAuth for verifying users, or at least
>> > making it an option, as there is a DoS attack possible against service
>> > providers who rely on this API for access to their app.
>>
>> > Chris Babcock
>>
>> I'm not sure how OAuth helps, as the problem still exists, even with OAuth
>> users.  Even with OAuth, it is still 15 requests per user per hour on
>> verify_credentials.  Of course, you probably don't have to run
>> verify_credentials as often with OAuth, but the problem still exists, and
>> there are cases where I can see this could become an issue.
>>
>> Jesse
>
> No, you *never* use verify_credentials with OAuth because you never
> handle user passwords.
>
> Take for example those users whose accounts are being slammed by
> SpamBots. They can still log into Twitter, just not those services
> that rely on verify_credentials service. Because they can still log in
> on the Twitter site, they could still authorize OAuth tokens. You will
> know that they have valid credentials on Twitter if the token has been
> authorized when they return to your site. It's not necessary for your
> app to obtain and verify the credentials directly. Your app can
> completely bypass the rate limited service with its DoS potential.
>
> Chris Babcock
>
>