What Robert said.  You still need to verify.

On Thu, Aug 6, 2009 at 12:01 PM, Robert Fishel <bobfis...@gmail.com> wrote:

>
> Chris,
>
> I too thought that one should call verify credentials with Oauth. How
> are you suggesting we verify that the token is still active, another
> call to oauth_authenticate/authorize?
>
> Thanks
>
> -Bob
>
> On Thu, Aug 6, 2009 at 7:51 AM, Chris Babcock <cbabc...@kolonelpanic.org> wrote:
> >
> > On Aug 5, 10:15 pm, Jesse Stay <jesses...@gmail.com> wrote:
> >> On Wed, Aug 5, 2009 at 3:04 AM, Chris Babcock <cbabc...@kolonelpanic.com> wrote:
> >>
> >> > I would strongly recommend OAuth for verifying users, or at least
> >> > making it an option, as there is a DoS attack possible against service
> >> > providers who rely on this API for access to their app.
> >>
> >> > Chris Babcock
> >>
> >> I'm not sure how OAuth helps, as the problem still exists, even with OAuth
> >> users.  Even with OAuth, it is still 15 requests per user per hour on
> >> verify_credentials.  Of course, you probably don't have to run
> >> verify_credentials as often with OAuth, but the problem still exists, and
> >> there are cases where I can see this could become an issue.
> >>
> >> Jesse
> >
> > No, you *never* use verify_credentials with OAuth because you never
> > handle user passwords.
> >
> > Take for example those users whose accounts are being slammed by
> > SpamBots. They can still log into Twitter, just not those services
> > that rely on verify_credentials service. Because they can still log in
> > on the Twitter site, they could still authorize OAuth tokens. You will
> > know that they have valid credentials on Twitter if the token has been
> > authorized when they return to your site. It's not necessary for your
> > app to obtain and verify the credentials directly. Your app can
> > completely bypass the rate limited service with its DoS potential.
> >
> > Chris Babcock
> >
> >
>
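The two strategies argued over in this thread, modelled as an added example (this is not code from the thread, from Twitter, or from any of the posters). The provider is a constructed in-memory stand-in; the class names, the token format, and the rule that a failed verify_credentials attempt counts against the account's 15-per-hour quota are assumptions made for illustration. It shows why the "slammed account" case locks the owner out of a password-based app but not out of a token-based one, and why the token-based app still has to check that its stored token is active, as the top reply says.

```python
# Constructed simulation of the two verification strategies discussed above.
# It is NOT Twitter's API: the class names, the token format and the rule
# that failed verify_credentials calls count against the quota are
# assumptions made for illustration.
from collections import defaultdict

VERIFY_LIMIT_PER_HOUR = 15  # per-user cap on verify_credentials quoted in the thread


class FakeProvider:
    """In-memory stand-in for the identity provider (assumed behaviour)."""

    def __init__(self, accounts):
        self.accounts = accounts               # username -> password
        self.verify_calls = defaultdict(int)   # username -> calls this hour
        self.tokens = {}                       # access token -> username
        self.revoked = set()

    def verify_credentials(self, username, password):
        # Rate limited per account, and (assumption) every attempt counts,
        # whether or not the password was right.
        if self.verify_calls[username] >= VERIFY_LIMIT_PER_HOUR:
            return "rate_limited"
        self.verify_calls[username] += 1
        if self.accounts.get(username) == password:
            return "ok"
        return "unauthorized"

    def authorize_app(self, username, password):
        """User logs in on the provider's own site and authorizes the app;
        the app never sees the password. Returns an access token or None."""
        if self.accounts.get(username) != password:
            return None
        token = f"tok-{username}-{len(self.tokens)}"  # constructed format
        self.tokens[token] = username
        return token

    def call_with_token(self, token):
        """Any API call signed with the access token. Returns the owning
        username, or None once the token is unknown or revoked."""
        if token not in self.tokens or token in self.revoked:
            return None
        return self.tokens[token]

    def revoke(self, token):
        self.revoked.add(token)


class PasswordApp:
    """Service that holds the user's password and checks it on every login."""

    def login(self, provider, username, password):
        return provider.verify_credentials(username, password)


class OAuthApp:
    """Service that keeps only the access token handed back on the callback."""

    def __init__(self):
        self.sessions = {}  # username -> access token

    def on_callback(self, provider, token):
        user = provider.call_with_token(token)
        if user is not None:
            self.sessions[user] = token
        return user

    def check_active(self, provider, username):
        # The top reply's point: a stored token may have been revoked, so
        # confirm it still works before trusting the session.
        token = self.sessions.get(username)
        if token is None or provider.call_with_token(token) is None:
            self.sessions.pop(username, None)
            return "needs_authorization"
        return "active"


def password_scenario():
    """Failed attempts against an account (the 'slammed' case in the thread)
    exhaust its quota; the owner is locked out of the app, not the provider."""
    provider = FakeProvider({"alice": "correct-horse"})
    app = PasswordApp()
    for _ in range(VERIFY_LIMIT_PER_HOUR):
        app.login(provider, "alice", "wrong-password")
    return app.login(provider, "alice", "correct-horse")


def oauth_scenario():
    """Same noise against verify_credentials, but the app never calls it;
    later checks use the token, and revocation is detected and handled."""
    provider = FakeProvider({"alice": "correct-horse"})
    for _ in range(VERIFY_LIMIT_PER_HOUR):
        provider.verify_credentials("alice", "wrong-password")
    app = OAuthApp()
    token = provider.authorize_app("alice", "correct-horse")
    app.on_callback(provider, token)
    before_revoke = app.check_active(provider, "alice")
    provider.revoke(token)
    after_revoke = app.check_active(provider, "alice")
    return before_revoke, after_revoke
```

`password_scenario()` returns `"rate_limited"` for the legitimate login once the account's quota has been spent by other people's failed attempts, which is the DoS Chris describes. `oauth_scenario()` returns `("active", "needs_authorization")`: the token-based app is unaffected by that noise, but the second value is why the check in `check_active` is still needed, since a revoked token must push the user back through authorization rather than be trusted from the stored session.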
