hueniverse covers a wide range of topics, usually with enough detail to help developers dive right in and start using the technologies described. But there are often times when the target is moving too fast or there are too many targets to cover. When that happens, there isn’t always a place to post a comment and ask a question.
If you have a question about any of the technologies or projects covered, and you can’t find a place to ask it, please consider this an open invitation to engage. In order to make this useful to others, please ask one question at a time and only use this space for questions (not comments or answers to other people).
Update: questions are closed for now.

Hi. We have built a Twitter app. We’ve figured out how to use OAuth to authenticate a user and allow the app to access his or her account. The app is a simple update-status application. The app updates the status of the Twitter user from our website. But we can’t figure out how to update the status of ALL the users who have added the app at once. We need to be able to do this from the website form located at http://gnosisarts.com/home/confirm.php (This is just a test page to figure out how to get the damned thing working; it’s not the final home of the app.)
Thanks,
Eric Bryant, Director
Gnosis Arts
You should ask this question on the Twitter API support group. I don’t know if Twitter offers special APIs for client management. Fire Eagle, a location service, offers such APIs.
http://www.oasis-open.org/committees/download.php/35678/xrd-1.0-wd11.html#xrd.sequence
The XRDS element schema says minOccurs="0" and maxOccurs="unbounded". As per the NOTE in the spec, there have to be a minimum of 2 elements. I think the corresponding XML schema should be updated to have minOccurs="2" instead of "0". Thus, applications can depend on an XML Schema validator to ensure this is true instead of writing custom logic for the correctness of XRD documents.
I think the XML schema should look as below. I hope the correction will be done before the final XRD spec.
====
The specification does not mandate a cardinality of 2, only recommends it. That note is there to help people understand what the XRDS element is for, unlike previous versions. Since this is only a recommendation, the schema must allow 0 to many.
Hi,
I am new to social networking and OAuth. I would like to create a sample application which works on all social network sites. Where should I start? I want to do mainly three things:
1. Get/Set status updates
2. Send messages
3. Make friends
I searched a lot. I found each social network uses different OAuth methods. Why is it like that, since OAuth is a global standard?
I am expecting that if I implemented it for one social network, all the rest must work with the only difference being the request URLs and consumer details. The rest of the mechanism must be the same. Where am I wrong?
Please, someone guide me. Is there any sample code that works for all the social networks? I have developed for the social networks Twitter and LinkedIn. These work with almost the same code, but still have some differences.
Regards
Akeeq
Can you give examples of the social networks you are trying to use? How are they different? For the most part, most OAuth implementations are very similar. The libraries posted on the OAuth site are a good place to start. Also, OAuth does not say how the API itself works, so sending updates and making friends will most likely be different on each site. OAuth has nothing to do with that part, only the security part.
Thanks for a good intro to OAuth (and other open tech’s)!
You are welcome! Please let me know if there are other topics you would like to see covered.
Where do I download an OAuth library for Java? In the Google Code project there were so many files. Any specific jars to use OAuth for my application?
http://oauth.net/code/ has a good list of libraries.
I understood OAuth but I want a guide to using it to access Twitter using JavaScript.
I would suggest visiting:
http://groups.google.com/group/twitter-development-talk/
Hi, I am implementing 2-legged OAuth in Pharo Smalltalk, porting from the OpenSocial Java library. Everything looks good when testing against MySpace.com. However, I get an invalid signature all the time when testing against Orkut.
How do I debug a signature issue?
First, you might want to ask on the Orkut developers list (http://code.google.com/apis/orkut/docs/resources.html#groups). Second, you can try comparing your signature with that produced by the custom example in http://hueniverse.com/2008/10/beginners-guide-to-oauth-part-iv-signing-requests/.
Please help me with how to configure OAuth 1.0 with PHP for use of the OAuth provider class functions.
The best place to start is http://oauth.net/code/ where you can find a list of PHP libraries. Once you find the library you want, contact the authors for assistance.
I want the DLL file for the latest OAuth 1.0 version, which supports the OAuth provider class functions. Have you any ideas for how to get a Windows .dll file for the same?
How can I make the OAuth flow process work if I’m working within an iFrame?
Can you provide more specifics? What exactly are you trying to do?
Do you have a Twitter ID so I can store it in the Apture system so you get credit on tweets?
Andrew
@hueniverse
What does OAuth in twitter stand for? Is it an acronym?
OAuth stands for Open Authorization but is not related to Twitter. Twitter uses it but OAuth is a community specification.
Hi,
Is it possible to have single OAuth code across all email accounts (hotmail, yahoo, gmail), Social Networking sites, IM for single user account?
Please let me know.
Thanks,
Shrinivas
It is not possible as each of these services uses their own OAuth infrastructure.
I see in your examples that while making the signature, the elements are in a different order (i.e., oauth_nonce, consumer_key, etc.) as opposed to how they are in the “GET” or “POST” statement that follows. Is that ok?
The order in which they are sent does not matter. But when constructing the signature base string, the order matters and must follow the sorting rules listed.
Hello,
My name is Jose. I am a post graduate student and was wondering If I could use some of the works on the guide http://hueniverse.com/oauth/guide/ and refer/use them in a paper I am writing.
Cheers
Jose
The site articles are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. This means you can quote, reference, and copy posts and use them in your work. However, you need to give proper attribution and cannot use it in a commercial work. If you need a more liberal license, just ask.
Hello hueniverse,
I have read your excellent Beginner’s Guide to OAuth and just wanted to know if there is any tutorial or something where I can see how twitter or other websites have implemented OAuth? I just wanted to create my own API for a Website.
Thanks a lot
I am not aware of a tutorial for creating a service but if you look up the documentation for the Twitter, FourSquare, and new Facebook APIs, you should be able to figure out how to apply one of these to your own needs.
While reading the OAuth docs I randomly swiped a word, more out of fidgety-ness than anything, but was pleasantly surprised. Your highlight/search functionality is near perfect. Are you utilizing a JS package or is it home brewed? I’d love to see it in a plugin of some kind (Firefox/Chrome).
Stephen
I’m using Apture: http://www.apture.com
Hi
I don’t know why the request token is required.
Why is it needed?
The request token (or temporary credentials in the RFC) is used to differentiate between the front channel exposed to the user and the back channel between the client and server. It is also used to support clients that cannot receive callbacks directly.
Is there a way to use an OAuth token within a single web application? I have read your use cases. I have a forgot-password link sent in an email. Now this is a special URL that cannot be authenticated. Is there a neat way of associating a token with this URL that expires after a few days? We don’t want the wrong user getting this URL and hacking into the site.
Ours is a non-REST web application. Hope my question makes sense.
Password reset is usually a bearer token solution where whoever controls the email account and has access to the special link can change the password. OAuth cannot help you here because you don’t have a way to authenticate the user other than giving them a URI.
How do I deal with the 3-legged scrap-all thingy in Orkut? I am looking for a PHP version of the code for it.
I am not familiar with how Orkut uses OAuth. I suggest you ask this question on their developer forum.
Hey, I’ve read up on your site the past few weeks and it’s been very interesting. Know of any good sites or references for taking my search further? Websemantics has helped a lot.
thanks
owen
That depends on what you are interested in.
Hi, I want to implement oAuth for securing my application API.
But, I’m very new to this.
Do you have any complete example to implement it both in server side and client side with real interaction with server database?
Thanks,
Destiya
I don’t have complete examples, but the best place to start is the OAuth code page: http://oauth.net/code/
Hi,
Why does the web flow described in OAuth 2.0 not consider mobile apps with custom URL schemes, which launch the app as soon as the service provider redirects the phone browser to a URL that can direct the platform to launch the native app?
Thanks,
M.Suresh
It is being considered but since custom URI schemes are a violation of internet standards, we are still looking for the right balance of specifying it.
Hi, I am developing a mobile stand-alone application which requires the use of the Facebook API.
But my mobile app code is written in JavaScript and HTML. Now how can I get access to the auth_token, which will actually be redirected to the Facebook default URL success.html? Basically my app is a kind of desktop app which cannot embed a browser in it. Does OAuth allow having a token in the same URL or something similar, or would any other method of AUTHENTICATION help me?
Facebook supports OAuth 2.0 which provides a few ways to get an access token to a desktop application. I am not familiar with their implementation but I am sure they have some code samples to do just that on their developer site.
I posted a question on XRD/WSDL on Stack Overflow a while back and I was hoping you may be able to add your $.02.
http://stackoverflow.com/questions/2215646/difference-between-wsdl-2-0-wadl-xrd
Thanks!
XRD is a very simple link-based descriptor document with very little built-in semantic meaning. It is just a document with a list of links in it, which can be used in many ways to describe a resource. The two are trying to solve very different problems.
Hi -
Re: OAuth 1.0 specification.
I was looking for some rationale for the invariance of the oauth_signature under reordering of request parameters. I understand the need for the position of the oauth parameters in the signature string to be defined, but don’t understand why the non-oauth request parameters need to be put into canonical form.
thanks for your time.
Everything has to be canonicalized for consistent signatures. We decided not to use the raw request because it is not always available on the client or server.
Hi
I work in a firm that is developing support for OAuth 1.0 Revision A. I am reading the RFC and coming up with some test cases.
Do you have a best practice guide for writing OAuth test cases? It will be awesome if your blog had some typical test scenarios. (Yes, you can curse me for expecting to be spoon fed…)
Thanks
Pranam
Unfortunately I don’t but check out the OAuth wiki for some community created test cases: http://wiki.oauth.net/w/page/12238556/TestCases
Eran,
I have been slowly digesting your hard work on OAuth, and I have what I hope is a simple question about OAuth architecture. Imagine I have a 3-legged OAuth, where the Consumers are mobile devices used by people other than the user (e.g. User hands out devices to volunteers taking a survey). Is there a provision for a “layered” secondary 2-legged OAuth procedure used by the volunteers in the example above to further authenticate as a “sub-user”?
Many thanks in advance for looking at this question,
Phil Graham
This is usually referred to as re-delegation and there is no standard way to do that. However, it shouldn’t be too hard to use the existing protocol to find creative solutions for that.
While reading the OAuth 2.0 v11 spec, I did not realize that it intends to remove the cryptographic signatures and simply use bearer tokens without token secrets. I thought it retained the best parts of OAuth 1.0/1.0a and improved in the areas where it was deficient.
Now that OAuth 2.0 v11 seems very controversial, what do you suggest in terms of adoption? I work for a large enterprise company and want to adopt something that is going to be a standard sooner or later. Do you see OAuth 2.0 or a subsequent version getting industry consensus, or should I wait and not adopt it since its becoming a standard is dubious?
Please advise.
OAuth 2.0 (as reflected in -12) is an authorization protocol. As such, it stays out of the authentication business. However, out the door you will be able to choose from at least 2 different token types: bearer and MAC. I have posted a new draft for MAC tokens which use a similar (but simpler) scheme as 1.0.
Can OAuth be implemented as Service (like OpenID) to Server and Client Side Implementation?
Some parts of OAuth 2.0 can be implemented as a service, such as the authorization server.
I have been working on a neat project called datkey.com which involves many concepts you flesh out. Would love feedback, your blog is awesome!
Thanks. The concept looks interesting but hard to tell how is it different from many other social crawlers.
Hello,
I am studying the Twitter API and naturally came across the OAuth protocol, which was completely unknown to me until now. I wanted to find out more and better understand how it works, but I see that the guide for the current version is not at all finished regarding the technical part; would it be possible to get more information about it? I read on a page of your site that you advise against reading the old version because the new one has changed a lot!
Thanks in advance.
There are many resources for OAuth 1.0. I got too busy with OAuth 2.0 to finish the new guide for 1.0. The old pages are still pretty useful.
This is intended to be a positive suggestion. A lot of folks will be turned off / frightened by the cartoon of the flasher on your site.
If you want to inspire trust and confidence, don’t show a guy flashing a group of people
I get the joke. I have a sense of humor, but I bet I’m not alone in that it does not extend to crude sexual cartoons depicting despicable acts.
To not scare some folk away (especially those who’ve suffered abuse) I’d lose the not-so-funny cartoon.
Best wishes for your continued success!
Will
I don’t find it offensive. Thanks.
Impressive material here, Eran. Just amazing resources. I have two separate questions:
A. Security: what is the real security threat if the Client shared-secret was to be compromised? To access the protected resource, the client needs to build the final oauth_signature based on the User token secret AFTER the user has entered her UID/PWD in the provider’s web site, correct? So If I compromise the Client secret, how can I access user’s protected data without her involvement?
B. Mobile clients: What is the best practice for storing secrets on mobile applications. I’m assuming Keychain for iPhone, but not sure about Android. Any thoughts?
A. The threat is being able to trick the user into thinking they are approving a different client. The client credentials are typically used only for displaying information about the client to the user. However, in some cases, the client credentials are also used for client-only API calls (like managing the client resources).
B. There is no good way of storing client credentials on mobile devices and I recommend not issuing these clients a secret. As for storing tokens, I don’t know enough about mobile platforms to make a recommendation.
What was the ultimate solution for the session fixation issue other than providers educating the users? Any protocol changes in OAuth 1.0? Or even 2.0?
OAuth 1.0 revision A was published to address the session fixation attack.
Excellent website! One question that i have not been able to answer after reading the OAuth spec is how are client credentials supposed to be protected in Mobile scenarios ?
They are not. There is no known way to protect credentials in an installed application.
Can I use OAuth for SOAP web service provider authentication through a web service consumer?
Is OAuth the same as SSO (Single Sign-On)?
OAuth is not SSO, but can be used as a layer in an SSO protocol. I am sure you can define a binding for SOAP but I am not aware of such a specification. Generally, OAuth was designed for RESTful APIs.
Hi. Is all of this dead? I searched for some XRI / XRD and related stuff – almost nothing in 2011. What happened?
Boris
Mostly, yeah. The community has lost interest in developing “open web” and social standards over a year ago and so the need for discovery has gone away with that. I am working to get host-meta finished (the actual protocol behind WebFinger) in the next few months. XRD itself is finished and available as an OASIS standard.
Is the 2-legged OAuth changed by the 2.0 proposal (draft)?
OAuth 2.0 does not include the 2-legged (traditional client-server) authentication offered by OAuth 1.0. The HTTP MAC Authentication Scheme draft covers that use case with a much simpler and easier to deploy proposal. It can be found here: http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token
I am implementing some webservices that will use an early implementation of oAuth v2 with the MAC authentication scheme. We are working in Java and will produce some java code that can be used by our clients to build java clients to the MAC scheme… are there any existing implementations of the MAC scheme available? if there is, where might I find them?
Thanks,
Andy Dale
First, note that the MAC scheme is still fluid. Every draft between 00 and 05 included significant breaking changes. I hope to get it to a stable place by 07.
I am not aware of any existing deployments other than my own, not yet public, project. But if you have access to node.js, connect-auth includes both a client and server implementation (see the MAC example), as well as a simpler mac package.
We want to add a way to publish where people can register. I’m not sure whether we should add a ‘register’ next to ‘lrdd’ or next to ‘acct:’ in WebFinger. Please advise. In JRD they are, option 1:
{
  "links": {
    "lrdd": [
      {"template": "http://demo.redlibre.org/webfinger/?q={uri}"}
    ],
    "register": [
      {"template": "http://demo.redlibre.org/unhosted/?q={uri}"}
    ]
  }
}
and second step: http://demo.redlibre.org/unhosted/?q=acct:newUser@demo.redlibre.org
Second option: host-meta stays as
{
  "links": {
    "lrdd": [
      {"template": "http://demo.redlibre.org/webfinger/?q={uri}"}
    ]
  }
}
but then the second step is http://demo.redlibre.org/webfinger/?q=register:newUser@demo.redlibre.org
Or maybe there is a third option. Or maybe you think it’s a bad idea to announce in machine-readable format at which URL people can sign up for your service.
I recommend putting it in host-meta (next to rel=’lrdd’) if it is the same for all users (using a template). Otherwise, in an LRDD document.
Hello,
I am trying to implement OAuth 2.0 as an authorization mechanism for my company’s public REST API and am having the hardest time finding documentation helpful to this project. The majority of OAuth docs online is geared toward implementing clients for specific providers like twitter and facebook. Any help in gathering such documentation would be greatly appreciated.
thanks,
– robbie
http://tools.ietf.org/html/draft-ietf-oauth-v2
Working on a project in .NET. I can authenticate the user and extract the user’s token and token secret, and have the functions to create the nonce, timestamp and signature, etc. I just don’t know how to send it.
This is what I have:
GET /1/user/-/activities/date/2011-03-30.xml HTTP/1.1
Host: xxx.xxx.com:80
Authorization: OAuth realm = http://xxx.xxx.com/
oauth_consumer_key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,
oauth_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,
oauth_nonce = 5745276
oauth_timestamp = -2201299200
oauth_signature_method = HMAC – SHA1
oauth_version = 1.0
oauth_signature=2jq5%2Bl5hh1Ynyxx8Vn6pM78Z5Iw%3D
could you help out with that part?
You are almost there:
Authorization: OAuth realm="http://xxx.xxx.com/",
oauth_consumer_key="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
oauth_token="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
oauth_nonce="5745276",
oauth_timestamp="-2201299200",
oauth_signature_method="HMAC-SHA1",
oauth_version="1.0",
oauth_signature="2jq5%2Bl5hh1Ynyxx8Vn6pM78Z5Iw%3D"
Your timestamp is wrong (can’t be negative).
I’m wondering how to refresh your access token without permission from the resource owner. Does this mean that I can have a non-expiring permission to visit the protected resource once I got permission?
OAuth 1.0 does not provide token refresh (only Yahoo! offers that as an extension). OAuth 2.0 has token refresh built-in. As for token expiration, that is completely up to the service provider and some will issue you non-expiring access.
Hello,
I’ve got a question which bothers me about the oauth_token parameter. We have some applications using the two-legged variant of OAuth 1.0A. As far as I understand the specs, the oauth_token is not mandatory: “The "oauth_signature" parameter MUST be excluded from the signature base string if present. Parameters not explicitly included in the request MUST be excluded from the signature base string (e.g., the "oauth_version" parameter when omitted).”
But it seems your reference implementation always uses it when building the signature (uses an empty string if not present).
Some client libraries don’t include it if absent.
Am I missing some key point?
Thanks
oauth_token is required and in the two-legged use case should be included without a value. The problem is that it has never been an official part of the standard and so is not well defined.
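The following Python is an added worked example, not code from this page or from any OAuth library, tying together the signing rules from the answers above: the sorted parameter normalization that makes the wire order irrelevant, the two-secret HMAC-SHA1 key (consumer secret and token secret), the quoted Authorization header syntax, a rejection of negative timestamps, and the empty oauth_token of the two-legged case. Every key, secret, URL and nonce value in it is a constructed sample, and the function names are my own.

```python
"""OAuth 1.0 HMAC-SHA1 signing and the Authorization header (RFC 5849 rules).
Added example, not code from this page; every key, secret and URL below is a
constructed sample value."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def percent_encode(value):
    """OAuth 1.0 uses RFC 3986 encoding: only ALPHA, DIGIT, '-', '.', '_', '~'
    pass through; everything else becomes upper-case %XX."""
    return quote(str(value), safe="-._~")


def normalize_parameters(params):
    """Encode each (name, value) pair, sort by name then value, join with '&'.
    This canonical order is why the order parameters are sent in is
    irrelevant while the base string still has one defined order."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url):
    """Lower-case scheme and host, drop default ports, drop the query string
    (the query parameters are signed through normalize_parameters instead)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """METHOD&enc(base URI)&enc(normalized params); params carries the query,
    form-body and oauth_* parameters in any order."""
    return "&".join([method.upper(),
                     percent_encode(base_string_uri(url)),
                     percent_encode(normalize_parameters(params))])


def signing_key(consumer_secret, token_secret=""):
    """enc(consumer secret) '&' enc(token secret): the two secrets HMAC-SHA1
    uses. Two-legged requests have no token secret, so the key ends in '&'."""
    return f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    base = signature_base_string(method, url, params).encode("ascii")
    key = signing_key(consumer_secret, token_secret).encode("ascii")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def verify_signature(method, url, params, consumer_secret, token_secret, presented):
    """Server side: recompute over every received parameter except
    oauth_signature itself and compare in constant time."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def authorization_header(realm, oauth_params, signature):
    """Values percent-encoded and double-quoted, pairs joined with ', '.
    realm is a header attribute only and is never part of the base string."""
    pairs = [f'realm="{realm}"']
    pairs += [f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in oauth_params]
    pairs.append(f'oauth_signature="{percent_encode(signature)}"')
    return "OAuth " + ", ".join(pairs)


def sign_request(method, url, consumer_key, consumer_secret, token="",
                 token_secret="", body_params=(), nonce=None, timestamp=None,
                 realm=""):
    """Return the Authorization header value for one request. Leave token and
    token_secret empty for the two-legged case: oauth_token is then sent with
    an empty value, as the answer above recommends."""
    timestamp = int(time.time()) if timestamp is None else int(timestamp)
    if timestamp < 0:  # seconds since the epoch can never be negative
        raise ValueError("oauth_timestamp must be a positive integer")
    oauth_params = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_nonce", secrets.token_hex(8) if nonce is None else nonce),
        ("oauth_timestamp", str(timestamp)),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_version", "1.0"),
    ]
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    all_params = query_params + list(body_params) + oauth_params
    signature = hmac_sha1_signature(method, url, all_params, consumer_secret,
                                    token_secret)
    return authorization_header(realm, oauth_params, signature)


if __name__ == "__main__":
    SAMPLE_URL = "http://photos.example.net:80/photos?file=vacation.jpg&size=original"
    print("Authorization: " + sign_request("GET", SAMPLE_URL, "ck123", "cs456", "tk789",
                                           "ts000", nonce="n1", timestamp=1300000000,
                                           realm="http://photos.example.net/"))
```

Feeding the same parameters in reverse order produces the identical signature, which is the point of the canonical form the thread discusses.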
Hi !
I’m developing an API and, looking to secure it, I finished up here reading some of your posts.
You argue that there are some bad ideas and practices around OAuth implementations (in Twitter, FB, etc.), but there is no simple and easy to understand tutorial to secure our APIs effectively.
Maybe this tutorial could be the example for developers to follow instead.
I would recommend you take a look at OAuth 2.0. It has been stable for 5 months and is ready for wide adoption.
Hi,
I’m actually looking for a way to implement a fully functional OAuth Provider using PHP5. I searched a little bit around the web and found several libraries, extensions and examples; some of them provide only a consumer implementation.
I finally found 2 libraries, the official PHP OAuth library, whose version 1.1.0 was released 3 months ago, and another one, oauth-php.
I wanted to know if there were other libraries in PHP5 which I should use to develop my Provider, and if one of them implements the 2.0 specification already.
Thanks,
I’m not familiar with the PHP libraries, but for 2.0, you don’t really need a library – it is pretty simple to just do it with an HTTP client.
Is it possible to get the OAuth documentation as a single page or as a PDF? I need to be able to read this offline. Even better if you do it as a Kindle doc.
How about just copy and paste? It would be hard to get some of the signature scripts to work in a non-browser setup.
Hi Eran,
I was wondering if you could answer a question I had about consent in OAuth. I posted it on Stack Overflow at http://stackoverflow.com/questions/6295704/oauth-automatic-consent-of-trusted-consumer-key, but the essence of my question is this:
If I completely control and trust the consumer key, can I skip requiring the user to provide consent? In essence, I want a user on Cheezburger.com to be able to transparently use a second website that we are creating, I don’t want to make them log in twice, but I also don’t want to force every user to grant consent the first time they visit my new application.
Thanks,
Jacob
The user should be in control of their resources, but if this is just a case of one provider spread over multiple domains, I see no harm in skipping granting access to a client which is essentially owned by the same entity.
Hi Eran. I see a lot of stuff on OAuth 2.0, but I’m still not sure where it stands and who is using it. Have Facebook, Twitter, and some of the other big players exclusively reverted to OAuth 2.0? What is your recommendation on the usage of 1.0 vs. 2.0 if someone were to start development for a conservative organization? Thanks.
OAuth 2.0 has been very stable for months now and I would recommend any new deployment to use it. Older deployments should be working on a migration plan. I expect it to be finished by the end of the year.
In “Part IV: Signing and Requests”:
“The HMAC-SHA1 signature method uses the two secrets — Consumer Secret and Token Secret — …”
Is Consumer Secret the same as “oauth_consumer_key” and “Token Secret” the same as “oauth_token” ?
The consumer secret is the oauth_consumer_secret and the token secret is the oauth_token_secret.
Hi !
I am a student of Computer Science from Germany and I am currently writing my Bachelor Thesis (B.Sc.) on OAuth and its usability on mobile devices. Therefore I am also writing an OAuth (2.0) library for Android clients. If it is any good, I want to publish it under the GPL for others to use and maybe develop it further.
What would be the right place for me to do that?
How can I make the OAuth community aware of this project – if it draws at least any interest?
Since the library is part of my thesis, I am not allowed to share it quite yet, but it should be possible for me to upload it in a month, after I finished documenting everything.
Thank you for your help
Regards
Christoph
Write it, put it on github, blog about it, and share it on the oauth@ietf.org list. That’s a good start.
hi,
I’m trying for a jQuery client-side implementation of OAuth for Google APIs. Is there a possible implementation way to do so? If so, please point me to some working example or some JS libraries.
Thanks,
Vaithi G.
Sorry but I can’t help with any specific vendor questions.
Hello, I have a question about using OAuth. We are a financial services firm which handles customer investment and we have only recently begun developing our online ad campaign (banner ads, landing pages, content, the works). Our boss has expressed interest in the idea of an email contact extraction option (in the spirit of Facebook and Twitter) to forward a landing page or other content to contacts in the email of the opt-in user, but I am concerned about the idea of losing leads due to potential client unease when the program asks them to input their username and password into the module (sounds like a cookie-cutter OAuth story from what I’ve read). Can OAuth be implemented to help us solve this issue? Is there any other solution? How would OAuth work in this case? Can the process be automated? If this could work, it would be the best compromise…
Thanks
Oleg
OAuth is used to obtain access to protected resources (such as the user’s account, address book, etc.) without directly handling their username and password. They still authenticate, but only with the service they are familiar with. There are many factors in how this is implemented based on the specific characteristics of the client. While work is almost done for OAuth 2.0, you should review the materials on this site and others and learn about how the protocol works. It is also useful to take a look at real world examples from the many providers supporting the protocol.
Hi,
I was trying to follow this code http://www.lesnikowski.com/blog/index.php/oauth-with-imap/ but was unable to execute it as there are many issues with it. I found OAuth in this code unrecognized when I tried it.
Can you please help me with the points below:
1) What are all the references I should add in my aspx project?
2) What are all the namespaces I should use to get my work done?
3) What should be the entry in web.config?
4) Is there any complete code available in C# to connect to Gmail?
Thanks,
Jatin
Unfortunately I cannot help with any vendor-specific or implementation-specific OAuth questions.
Hi Eran,
I was wondering if you could explain a little detail from the OAuth2 MAC Token drafts to me?
Since “draft-hammer-oauth-v2-mac-token-04” there is the new “ext” parameter included in the Authorization request header. I figured it is not for any resource-related parameters, because those I could include in the request body and therefore also in the bodyhash. But if it is not resource-related and it’s not OAuth-specific (since it is not explained in the drafts), what is this “ext” parameter then for?
Thank you!
Christoph
For extensions. It provides a way to include other values in the hmac without having to change how it works. It’s an extension point.
Hi,
I’m trying to find a standardized as future-proof as possible way to handle primarily authentication in a SoA environment of RESTful JSON APIs. Basically I need centralized SSO capabilities and a way to avoid having all the APIs handle original end-user credentials. Since this is going to be exposed externally it needs to be as lightweight and easy to implement as possible on the end-user side. With this in mind I set out to find a good standard scheme and ended up with a headache. People in general seem to point at one of the OAuth versions, but I haven’t been able to find support for this use case in OAuth itself? OpenID does seem to fit the use case even though it’s created as a decentralized solution and people seem to complain about complexity. OpenID Connect is maybe promising but very young? CAS/SAML does not seem to fit the bill. I feel a bit lost here, am I missing something about OAuth v2.0? Could you help me out with a pointer here?
Kind regards,
Fredrik Widlund
Take a look at the new BrowserID proposal from Mozilla and the OpenID Connect effort.
If my native mobile app wants to still use the consumer credentials, which flow should I use? Looks like the new user-agent flow is for native mobile apps not requiring consumer credentials, but I’m not sure what to use if I want to use OAuth 2.0 with consumer creds à la the 1.0a version?
The authorization code grant type is not limited to just web-based clients. You just need to be aware of the limitations of using client credentials with a mobile app.
are there any oauth 2.0 providers that still enforce signatures on top of SSL? is that even possible?
Most 2.0 providers support bearer tokens. MAC tokens are still rare and support both http and https.
Hi,
Before, I tested OAuth 1.0. Now I’m trying to implement OAuth 2.0 with my API requests, but where can I find the OAuth 2.0 source library for the .NET version?
Could you please help me? Hope there is a response from you!
Thanks,
Paul
I’m not personally familiar with any .NET library but I know there are a few. One suggestion:
http://stackoverflow.com/questions/3997172/oauth-2-0-service-provider-net-libraries
Hello,
and thanks for this great offer to ask about OAuth. We are currently working on the architecture for our platform, where we have one identity provider (a server storing users) and multiple resource servers (each solves a specific subset of the domain logic and stores the appropriate resources). In some cases it can also happen that resource servers would like to talk to each other, and that has to happen on behalf of a specific user (this we keep in sync using identity provider requests).
The question is: is it a good idea to share one access token which can be used to let the client talk to each resource server, but also to use this very same token for requests between the resource servers themselves? Or is it better to establish an access token between resource servers if they want to talk together (so one will basically play the role of client)?
Each access token is user-specific, unless it is issued to the client without user authorization. I would suggest using different access tokens, each with the right minimal scope required.
OK, I have read all about OAuth and I’m up on it, but I can’t figure out something in OAuth 2. Here’s the scenario: I develop an app for Android and want to store data into some third-party OAuth’d data storage service on behalf of only myself, the app developer. Every model I can imagine requires some authorization token or credential to be shipped in the app that could hypothetically be pulled out by hacking the distributed code. Am I being paranoid or is this not the case? If this is the case, how could I know a request is not actually valid but in fact masquerading as my app?
There is no way to verify if a call is being made by a specific application. None. If you are distributing an Android application, someone can extract your credentials from it. Because you want to make calls on behalf of the application itself, not a user, you also lose the ability to use user authentication for application validation. So, the short answer is that there is no solution to this problem. You can use a proxy and put the secret there (or access token) but that’s just moving the problem elsewhere because now you have to secure the link between your application and the proxy and it’s the same story.
Given your answer to my previous question, what protects an OAuth user from having data stolen by a malicious app that is masquerading as another trusted app? Doesn’t the app have to be distributed with some app id and secret, and aren’t these similarly vulnerable to extraction? I assume the solution is to revoke the access for that app, but doesn’t this undermine all third party apps since it’s a post-facto fix and requires your knowledge of being duped? It also leaves an opportunity for a DoS attack on an app by compromising its secret.
Could you detail the difference between the way the signature is generated in OAuth and OpenID?
Each uses a different algorithm to normalize the request URI. The exact details are too long to repeat here. They are different enough that no code can be reused across the two.
The Introduction to OAuth 2.0 was written in May 2010 and at the end the author expected the RFC by the end of the year. It’s Aug 2011, the current draft is 20, any ETA for the final RFC?
I’m about to begin a massive project incorporating OAuth. I would much prefer to use 2.0 as I feel vendor acceptance would be greater because of the simplified flows but I don’t want to invest hundreds of man hours with any chance of: “Oops, OAuth 2.0 was a bridge to nowhere…”
OAuth 2.0 is currently in last call process. This means it will not change unless we find security issues. It is expected to go for final review by the end of September.
Hi Hammer, my name is Gaspar, living in Caracas. Would you give me permission to translate your OAuth article into Spanish on my blog and publish it, referencing your original text?
As long as you provide attribution, go ahead.
Hi, We are implementing OAuth functionality with the Java API provided by oauth. It’s always giving a 401 Unauthorized error in the output.
Any help will be appreciated.
Thanks in anticipation.
Best Regards,
GTL
Many things can cause this. Unfortunately I cannot help with individual implementations but I suggest you reach out to the provider you are trying to connect to for support.
Hello Eran,
2 questions:
a)
According to OAuth 1.0 (RFC) why is it a requirement to use TLS AND the signature (let’s assume one is used) for calls requesting temporary credentials (Section 2.1) and obtaining token credentials (Section 2.3)?
Would the credentials sent/returned in either call be useful to a “man in the middle” without knowing the client secret which is used to sign calls? Another client which has credentials with the same auth provider could intercept the calls and modify them to make it look like he emitted them via a new oauth_consumer_key and signature but that’s a fairly remote possibility (is it even a possibility?).
b)
What is the purpose of oauth_token_secret in OAuth 1.0? It is returned in a response but then never used. Something legacy?
Thank you,
/David
a. There is no requirement to use signatures, only TLS. You can use PLAINTEXT over TLS if you want.
b. You need the token secret for producing the signature value.
Since the implicit grant does not require client authentication, for a provider that accepts response_type=token for this purpose in addition to response_type=code, is there any best practice for a provider to prevent a MITM from simply replacing response_type=code with response_type=token to steal the access token?
For instance, sample code here:
https://github.com/herestomwiththeweather/sslstrip/commit/04f17cb867dbaf8625debb64032d351c2c342daa
This attack depends on intercepting an HTTP page that links to the HTTPS page, which is often not a problem.
Any use of the implicit grant type requires registration of the callback URI which should, along with using HTTPS, mitigate this risk.
In the OAuth workflow, http://hueniverse.com/oauth/guide/workflow… I don’t understand why we need both an access token and a request token. Wouldn’t having only the access token be sufficient? For example, Beppa redirects Jane to Faji on its behalf and gets the access token afterwards. Can someone please tell me why? Thanks!!
Two main reasons: to separate the credentials used on the front channel (passed through the browser) from those used on the back channel (directly between the client and server), and to allow devices incapable of receiving callbacks.
Thanks. With this sslstrip attack, if I understand the implicit grant right, SSL and callback registration will not help. The attacker attacks HTTP instead of HTTPS. For instance, the client could have an insecure page that has an HTTPS link to the provider. The victim receives the insecure page with the HTTPS link replaced with an HTTP link. When the victim clicks on the link, the attacker knows he replaced the link, so he connects to the provider with HTTPS to fetch the authorization form. He serves the form to the victim as HTTP. The victim often will not pay attention that he’s viewing an insecure form, so he submits it. The provider returns a redirect to the registered callback, which is intercepted by the attacker, who steals the access token, and the client never knows anything regarding what just took place.
One could make the argument that stealing the session cookie is easier. That argument assumes the provider doesn’t mitigate against stolen session cookies. Before the attack, if the victim had logged into the provider with SSL, then the provider could return a secure cookie in addition to the session cookie. Subsequently, if a provider receives a request on an SSL connection for that user, and the request does not include the secure cookie in addition to the session cookie, the provider knows that this request is from a stolen session. In this case, the weakest link is not the session cookie but the bearer token.
Oops. I noticed a flaw in my logic. The provider could detect the stolen session on the authorization form!
Hello,
When a client sends a request to the resource server, it has to present an access token. The protocol defines that the server must validate the given access token (expiration, scope). The strategy for handling this is out of scope of the protocol and I am thinking about what the ways could be. For sure I can communicate with the auth server, which means a big load on it though. My question is:
Would it be a valid idea to encode the expiration and scope of the access token within the token itself? Could you recommend any information source regarding this topic?
Thank you very much for any help.
Petr Janda
Encoding information into the token itself is very common and the main reason for introducing the refresh token in OAuth 2.0. One thing to watch out for is that these self-contained tokens must expire because they do not require full database verification on every call. There are many ways to encrypt information, including symmetric and asymmetric cryptography. Given the complexity of the issue, I cannot discuss it in general.
Have you seen that the link to your /oauth page at http://oauth.net/documentation/ is missing a double-quote (“) at the start of it, which causes the URL to have a trailing double-quote? Any chance you can get them to fix it? Otherwise, how about a redirect from /oauth” (trailing double quote) to /oauth ?
Thanks. Now fixed.
Can we use your OAuth to validate between sites while passing data? For example, a user will start on one website and then click a link to view documents on another site. The second site does not require a sign-in; we just need to have a way to verify that the request came from a specific site. Is there a way to do this with OAuth?
Thanks!
OAuth deals with delegation. This is more a trusted transaction between two parties via an intermediary (the user). You can use a token in the URI that can be validated by the other site. If you need protection from manipulation of the URI, you can use MAC tokens and include the mac value as another parameter. You might want to look at OAuth 1.0 HMAC-SHA-1 as a way to accomplish this. OAuth 2.0 will make it a bit harder to do without changes. You are probably better off coming up with a simple token format that works for your security needs.
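The two questions above (encoding expiry and scope inside the token so the resource server need not call the auth server, and carrying a token in a URI that the receiving site can check for manipulation) rest on the same technique: a keyed MAC over the bytes to be protected, verified with a constant-time compare before anything inside is trusted. The Python below is an added example and is not code from the post or from anyone in this thread; the shared key, the `mint_token`/`verify_token`/`sign_uri`/`verify_uri` names and the HMAC-SHA256-over-JSON token layout are this example’s own choices, and the key is assumed to have been provisioned to both sites out of band.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed demo key (assumption): provisioned out of band to the issuing site and to
# every site that must verify tokens or signed URIs. Never derive it from anything public.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, subject: str, scope: list, ttl_seconds: int, now: int) -> str:
    """Self-contained token: base64url(JSON claims) + "." + base64url(HMAC-SHA256(claims)).

    Expiry and scope ride inside the token, so a resource server can check them without
    asking the authorization server. Since nothing is looked up, the expiry is mandatory.
    """
    claims = {"sub": subject, "scope": scope, "exp": now + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64url(payload) + "." + _b64url(mac)


def verify_token(key: bytes, token: str, now: int, required_scope: str) -> dict:
    """Return the claims if MAC, expiry and scope all hold; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    payload, mac = _unb64url(parts[0]), _unb64url(parts[1])
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # check integrity before trusting any claim
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if required_scope not in claims["scope"]:
        raise ValueError("insufficient scope")
    return claims


def token_status(key: bytes, token: str, now: int, required_scope: str) -> str:
    """Convenience wrapper for logging: 'ok' or the rejection reason."""
    try:
        verify_token(key, token, now, required_scope)
        return "ok"
    except ValueError as exc:
        return str(exc)


def _uri_mac(key: bytes, uri: str) -> str:
    """MAC over scheme, host, path and every query parameter except mac itself, sorted."""
    parts = urlsplit(uri)
    pairs = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != "mac")
    message = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}?{urlencode(pairs)}"
    return _b64url(hmac.new(key, message.encode("utf-8"), hashlib.sha256).digest())


def sign_uri(key: bytes, uri: str) -> str:
    """Append mac=... so the receiving site can detect any change to the other parameters."""
    separator = "&" if urlsplit(uri).query else "?"
    return f"{uri}{separator}mac={_uri_mac(key, uri)}"


def verify_uri(key: bytes, uri: str) -> bool:
    """True only if a mac parameter is present and matches the rest of the URI."""
    presented = dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True)).get("mac")
    return presented is not None and hmac.compare_digest(presented, _uri_mac(key, uri))


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token(SHARED_KEY, "jane", ["docs:read"], 300, now)
    link = sign_uri(SHARED_KEY, "https://docs.example/view?doc=42&token=" + token)
    print(token_status(SHARED_KEY, token, now + 10, "docs:read"), verify_uri(SHARED_KEY, link))
```

The MAC covers the sorted parameters rather than the raw query string, so reordering parameters does not break verification while changing any value does; the same token can therefore be pasted into a plain link between the two sites, which is the scenario in the second question.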
I wish to implement OAuth 2.0 using a multi-level password system. The number of passwords may be 3 or more.
Can I create this type of workflow in OAuth?
Not sure what you mean by multi-level password, but how the user authenticates does not matter in OAuth.
For OAuth 2 MAC Token you reference http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05 but I see http://tools.ietf.org/wg/oauth/draft-ietf-oauth-v2-http-mac/ on the WG’s site (http://tools.ietf.org/wg/oauth/). Which one should be used and why are both expired?
The document is currently being discussed on the WG list and a new version is expected once we reach consensus on how to proceed.
Dear Eran,
I have just discovered hueniverse.com, which I found while searching for a simple programmatic interface to Twitter – now learning about OAuth. What a great source of interformation [just made that up then by confusing interactive information - all good].
I particularly liked the format that you have developed to represent the large range of information you host – would you be so kind as to let me know what WordPress theme you are using and any general modifications you may have needed to apply to get your site looking so great? I’m in a place where I need better ways to capture and share the ideas and information.
Many thanks
Jonno
Thanks. The theme is custom made for this site, and unfortunately, I don’t have the time to clean it up in order to share it.
No problem – many thanks Eran. Keep up the good work!
http://hueniverse.com/2011/06/oauth-2-0-redirection-uri-validation/
about OAuth
In step 7: Evil user takes the authorization code and gives it back to the client by constructing the original correct redirection URI.
I wonder how the Evil User can take the authorization code since the code has been sent to the victim?
The code was sent through the client via a redirection to the attacker’s site.
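The manipulation in the linked post (the redirection is changed to the attacker’s site, and the code is later handed back to the client) is stopped at the authorization server by comparing the requested redirection URI with what the client registered, which is also what the earlier answer about “registration of the callback URI” for the implicit grant relies on. The Python below is an added example, not code from the post or from any provider; the client registry, the function names and the placeholder code value are this example’s own assumptions. The deliberately naive prefix check is included only to show what exact matching rules out.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed client registry (assumption): complete redirection URIs registered out of band,
# with no wildcards or prefixes. Real servers keep this next to the client credentials.
REGISTERED_REDIRECT_URIS = {
    "client-1": ["https://client.example/oauth/callback"],
    "client-2": ["https://app.example/cb", "https://app.example/cb-mobile"],
}


def naive_redirect_ok(client_id: str, redirect_uri: str) -> bool:
    """Prefix matching, kept here only to show what it lets through; do not deploy this."""
    return any(redirect_uri.startswith(r) for r in REGISTERED_REDIRECT_URIS.get(client_id, []))


def resolve_redirect_uri(client_id: str, requested: Optional[str]) -> Optional[str]:
    """Return the redirection URI the code may be sent to, or None if the request must be refused.

    Rules follow RFC 6749 sections 3.1.2.2 and 3.1.2.3: compare the requested value to the
    registered set with simple string comparison; if the client omitted it, fall back to the
    registered URI only when exactly one is registered; refuse fragments; refuse any client
    that has nothing registered (a client with no registration is never trusted).
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id)
    if not registered:
        return None
    if requested is None:
        return registered[0] if len(registered) == 1 else None
    if urlsplit(requested).fragment:
        return None
    return requested if requested in registered else None


def handle_authorization_request(client_id: str, requested_redirect: Optional[str], code: str) -> dict:
    """The step where a swapped redirection is stopped: an invalid redirection URI means the
    server must not redirect at all (RFC 6749 section 4.1.2.1) and shows the error to the user."""
    target = resolve_redirect_uri(client_id, requested_redirect)
    if target is None:
        return {"action": "show_error", "error": "invalid_redirect_uri"}
    return {"action": "redirect", "location": f"{target}?code={code}"}


if __name__ == "__main__":
    good = "https://client.example/oauth/callback"
    for candidate in (good, good + ".evil.example", good + "/../other"):
        print(candidate, naive_redirect_ok("client-1", candidate), resolve_redirect_uri("client-1", candidate))
```

Exact matching is what makes the check cheap to reason about: every URI that is not byte-for-byte in the registry, including look-alike hosts appended to the path and traversal segments that a prefix test accepts, is refused, and the user sees an error page instead of being sent anywhere.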
In case the Authorization Server and Resource Server are implemented separately (unlike Facebook or Twitter, where the Authorization Server and Resource Server are the same),
would you please throw some light on the validation that needs to be done at the Resource Server before allowing access to the REST API?
1. Let’s say in the access token validation response the Authorization Server would say that the access token is issued to “Client 1″, the scope values are “XYZ PQR”, and some resource owner identifier such as a user id.
2. The OAuth Client needs to register at the Resource Server as well so that it can trust only specific OAuth clients.
3. Also I understand that the Resource Server would look at the scope values as well before allowing access to a particular REST API.
I would appreciate your response.
Thanks
Aakash
Not sure what exactly you are asking but if the roles are carried by separate entities, they need to coordinate the grants. How to accomplish that is case-specific.
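The three points in the question above come together as one decision the resource server makes per request: is the token active and unexpired, was it issued to a client this resource server knows, does its scope cover the operation, and which resource owner does it act for. The Python function below is an added example, not code from the post or from any provider; the client registry, the endpoint-to-scope policy and the sample validation response are constructed for this example (the response loosely mirrors the fields the question lists, not any vendor’s format).

```python
import time

# Constructed registry (assumption): OAuth clients this resource server trusts (point 2).
TRUSTED_CLIENTS = {"Client 1", "Client 2"}

# Constructed policy (assumption): scopes required per REST operation (point 3);
# any one of the listed scopes is enough. Endpoints absent from the table are denied.
ENDPOINT_SCOPES = {
    ("GET", "/api/orders"): {"XYZ"},
    ("POST", "/api/orders"): {"PQR"},
    ("DELETE", "/api/orders"): {"ADMIN"},
}


def authorize(validation: dict, method: str, path: str, now=None) -> tuple:
    """Gate a REST call on the authorization server's token-validation response.

    `validation` is the kind of answer described in point 1: whom the token was issued to
    (client_id), which scopes it carries, and the resource owner (sub). Returns
    (allowed, reason) so the caller can log every decision, including denials.
    """
    now = time.time() if now is None else now
    if not validation.get("active", False):
        return False, "token not active"
    exp = validation.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    client_id = validation.get("client_id")
    if client_id not in TRUSTED_CLIENTS:
        return False, f"client {client_id!r} is not registered with this resource server"
    if not validation.get("sub"):
        return False, "no resource owner identifier; cannot scope data to a user"
    required = ENDPOINT_SCOPES.get((method.upper(), path))
    if required is None:
        return False, f"no policy for {method} {path}; deny by default"
    granted = set(validation.get("scope", "").split())
    if not granted & required:
        return False, f"scope {sorted(granted)} lacks any of {sorted(required)}"
    return True, f"{client_id} may {method} {path} on behalf of {validation['sub']}"


# Constructed sample validation response (assumption about the format; not any vendor's).
SAMPLE_VALIDATION = {
    "active": True,
    "client_id": "Client 1",
    "scope": "XYZ PQR",
    "sub": "user-1234",
    "exp": 1_700_000_600,
}

if __name__ == "__main__":
    for method in ("GET", "POST", "DELETE"):
        print(method, authorize(SAMPLE_VALIDATION, method, "/api/orders", now=1_700_000_000))
```

The order of the checks matters in practice: inactive and expired tokens are rejected before any registry lookup, and an endpoint with no policy entry is denied rather than silently allowed, so adding a new REST route without deciding its scope fails closed.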
I’m using classic ASP and need to do OAuth with Yahoo to get the contacts of a user that allows my app.
I can get as far as obtaining a token, but I can’t make the API request because the Yahoo API is HTTP and not HTTPS, so I must use oauth_signature_method=”HMAC-SHA1″.
I can’t find a script function that creates this oauth_signature for me in classic ASP.
Can you help me ?
Thanks,
Marco
Sorry, but I don’t know much about this environment.
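The answer to question (b) further up (the token secret exists to become part of the signing key) and the classic ASP question just above both come down to how an OAuth 1.0 HMAC-SHA1 signature is built: percent-encode, normalize the parameters, assemble the base string, then HMAC it with “consumer secret & token secret”. The Python below is an added example, not code from the post, from Yahoo, or from any library named in this thread; the function names are this example’s own, and the request values are the photos.example.net sample from the OAuth 1.0 specification’s appendix, used so the resulting base string can be checked against the spec.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay literal."""
    return quote(str(value), safe="")  # quote() never encodes those unreserved characters


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, default port dropped, query and fragment removed (section 3.4.1.2)."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=()) -> str:
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = [(pct(k), pct(v))
             for k, v in list(query_params) + list(body_params) + list(oauth_params.items())
             if k != "oauth_signature"]
    pairs.sort()  # by encoded name, then by encoded value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: the key is enc(consumer secret) '&' enc(token secret).

    The oauth_token_secret returned alongside the token is never sent again; its only
    job is to be mixed into this key, so a stolen token alone cannot produce signatures.
    """
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce, timestamp, body_params=()):
    """Client side: return (base string, Authorization header value) for a signed request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth_params, body_params)
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))
    return base, header


def parse_authorization_header(header: str) -> dict:
    """Inverse of the header built in sign_request: 'OAuth k="v", k2="v2"' -> {k: v}."""
    params = {}
    for item in header[len("OAuth "):].split(", "):
        name, value = item.split("=", 1)
        params[unquote(name)] = unquote(value.strip('"'))
    return params


def verify_signature(method, url, header_params: dict, consumer_secret, token_secret, body_params=()) -> bool:
    """Server side: recompute from the received parameters and compare in constant time."""
    presented = header_params.get("oauth_signature", "")
    base = signature_base_string(method, url, header_params, body_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Sample request: the photos.example.net example from the OAuth 1.0 specification's appendix.
SAMPLE = dict(method="GET", url="http://photos.example.net/photos?file=vacation.jpg&size=original",
              consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
              token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
              nonce="kllo9940pd9333jh", timestamp=1191242096)

if __name__ == "__main__":
    base, header = sign_request(**SAMPLE)
    print(base)
    print(header)
```

Most “401 Unauthorized” results with HMAC-SHA1 come from the base string, not the HMAC itself: a parameter encoded twice, the query string left in the base URI, or the token secret omitted from the key. Logging the base string on both sides and comparing them is the quickest way to find such a mismatch.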
Hi, I am trying to implement Twitter OAuth for my application but am running into errors every time I try. I have downloaded and am using the library of Abraham’s OAuth code. At the moment every time I run my application it presents me with a link to sign into Twitter, but when clicked it gives me the error message “Cannot sign into twitter, try again later”, which is the error handling message of course, but I don’t understand why I am being faced with this… any help please? Other attempts at OAuth have taken me to the Twitter website and given me the message that there is no request token for this page, but the token information has been added into the code already. Help would be much appreciated. Thanks
Sorry but I am unable to assist with any particular vendor. You should reach out to them for support.
Hi Eran,
Congrats on your new job and good luck @ Walmart!
I’m working on a project where we are trying to use OAuth (2) for authentication (click this button to sign in using your ‘xyz-oauth-provider’ account).
In this use-case, the client (user) enacts the OAuth handshake with the provider, is prompted to login to the provider, is prompted to grant access to some scope of provider resources, and if all goes well, the client successfully gets an access token and uses it to call an API at the provider to get some basic account information which it uses to set up a local session.
When the client’s local session is complete it ‘goes away’, meaning it tosses the access token.
When the same user comes back (say the next day, after the session with the provider has expired) via the client to run through the same process again, they are prompted to login to the provider again, but they are also prompted to grant access again.
My initial instinct is that the provider should *not* prompt the user to grant access again (and let’s just simplify the question for now by saying that the initial grant should have no expiration so that the refresh flow isn’t in play).
OK, so that is the setup for my question, which is:
Does the spec cover this situation in terms of specifying how a provider should behave in this case?
I.e. is it the client’s responsibility to hold onto an access token and not ask for one twice (in which case I’m unclear how to do repetitive sign-ons using OAuth),
*or* is it the provider’s responsibility to not prompt the same user if they have already granted access (and possibly return the same access token that they were initially issued)?
I hope my questions are relatively clear, but I’d be happy to clarify if not.
Thanks! tony…
These decisions are all part of the provider’s architecture and all options mentioned are perfectly valid. I would optimize the user experience to make the most sense.
I am trying to access Yahoo’s contact API and I’m not able to get a request token by giving a URI request using my consumer key and secret. It is showing “file not found” while giving the request.
Sorry but I am unable to assist with any particular vendor. You should reach out to Yahoo! for support.
Hi … Question:
I want to make an App on a Fanpage where people can write their experience on a service. When published … this experience is also posted on their own timeline as their status update …
Is this possible with OAuth ?
I’m not familiar with Fanpage but if they provide an OAuth API to do this, you can register a client with them and perform normal OAuth authorization on your server, then post to their status update.
Can you recommend some sources for getting up to speed in JavaScript for node?
Also, what are your thoughts about coffeescript?
There are plenty of books and resources on JS, but you should be able to just pick up a few of the node examples and run with them. http://howtonode.org/ is a great place to start. As for CoffeeScript, I have no experience with it, but generally don’t see the point.
Did you get your writeup done on Express with OAuth? I came across mention of this topic in your excellent writeup on Node.js, Express and socket.io.
Appreciate the pointer.
Thx
Not yet.
Is there a standard way to log out users?
Nope.
When working with node.js, what NPM module do you recommend for oauth 1 and 2? Or do you just write your own?
For 2.0, you don’t really need anything, just ‘request’. For 1.0 I use ‘oauth’.
What is going on with OAuth 2.0, and what has happened to this blog? It has been dead for 6 months now… Did you guys give up, and if so why? Please start posting stuff again, thanks.
Life happened. As for OAuth, see my last post on the subject.
Hi!
1. How can you change redirection_uri ? “Evil user takes the authorization endpoint URI and changes the redirection to its evil site.”
2. What if the victim user doesn’t have a session? “Evil user tricks victim user to click on the link and authorize access (using phishing or other social engineering methods).”
They use special software that doesn’t follow the redirection. They just grab the content of the Location header and manipulate it.
Hello,
At first: great beginner’s guide.
It helps me a lot to understand how OAuth works and what kind of information is shared during this workflow. But the whole guide is only designed for web based applications.
My problem is, how can I use OAuth in desktop applications? OK, requesting a request token via an HTTP request is no problem, but usually the user is redirected to an authorization URL on which he has to authorize my app (e.g. on Twitter, Facebook, Dropbox, etc.). This step is also no problem … I can use a simple browser component to display this URL. And now my real problem: in web based applications a user will be redirected to a callback URL after authorizing my app. In desktop applications no callback URL exists and now I don’t know how to continue the workflow …
Can you give me a short instruction or some help to solve this problem?
kind regards,
Chris
There are a few options. The landing page can tell the user to go back to the application, or the desktop application can use a web view inside and control that. There are also ways to check for changes in the browser title and use that.
Is OAuth 2 + signatures absolutely impossible to be made ‘secure-enough’ over http?
I couldn’t find any information on signatures in OAuth 2 so I couldn’t determine how much signatures protect OAuth nor if there was information that could be made secure by introducing a single secure channel on the side for one piece of information.
This is the theoretical model I’m working under:
- An open source piece of web software has an API to it and wants to use OAuth so that users aren’t handing their passwords to 3rd parties, and can safely locally deal with 3rd parties that go rogue
- This open source software is installed on thousands of different websites on the internet
- There are also many different clients that would like to use OAuth so that they can do things using the open source software’s api on many different sites
These sites being on http is an inevitable fact. It is absolutely impossible to get them all to use HTTPS (not without fixing HTTPS’ broken trust structure and getting everyone to use something like Convergence, which is a goal of its own separate from OAuth). Many are small sites which simply have absolutely no budget for SSL at all.
So given this fact I cannot change the use of SSL on these sites. And given that these sites are already vulnerable to BrowserSite MITM attacks, I would ‘at least’ like to make OAuth work for these sites without introducing Web AppSite MITM attacks on authentication.
The big issue with these of course is that, dealing with an infinite number of clients and an infinite number of sites, the clients must rely on discovering the site the first time they see it instead of being pre-registered with secure information. But because the site is only available over http, it cannot transmit the information needed for signing, etc… to the client with a guarantee that it actually came from the server.
My thought for that issue was to use a separate trusted path that could verify one bit of information the server needs to send to the client.
The idea went something like:
- The server sends a public key to the client (http)
- The client contacts a central trusted party and asks it to verify the public key (over https this time)
- The server uses some method to ensure that the public key is the correct one for the site (undefined)
- After the public key is validated it’s either used somehow in OAuth or used to communicate a shared key that can be used one time to exchange the secret information needed for signatures to work.
The idea here of course is that by adding in a separate server into the mix even though there are 1000 websites that we can’t get ssl certificates for we can get a single ssl certificate for 1 trusted server and then use that to validate communication between the web app and the many sites.
On the (undefined) part on checking the public key. My first idea was the server would be a registry of all sites and each would have a registered public key. Then the server would just compare against that. But then I remembered Convergence and thought of applying the fundamental idea there to this. Clients contact 4 servers at different locations. Each of these servers verify the public key by looking it up themselves and comparing. And then if they all say it’s ok the key is validated.
Without diving into all the details above, OAuth 2.0 does not function without TLS for its token exchange endpoints. Once you have a token, you can use/define a token type that provides HMAC-like security over non-TLS. However, the working group has not made any progress on MAC tokens and at this point it is unclear if they will even finish it. If you are limited with TLS access, use OAuth 1.0.