Got Questions?

hueniverse covers a wide range of topics, usually with enough detail to help developers dive right in and start using the technologies described. But there are often times when the target is moving too fast or there are too many targets to cover. When that happens, there isn’t always a place to post a comment and ask a question.

If you have a question about any of the technologies or projects covered, and you can’t find a place to ask it, please consider this an open invitation to engage. In order to make this useful to others, please ask one question at a time and only use this space for questions (not comments or answers to other people).

Update: questions are closed for now.

183 thoughts on “Got Questions?”

  1. In “Part IV: Signing and Requests”:

    “The HMAC-SHA1 signature method uses the two secrets — Consumer Secret and Token Secret — …”

    Is Consumer Secret the same as “oauth_consumer_key” and “Token Secret” the same as “oauth_token” ?

  2. Hi !
    I am a student of Computer Science from Germany and I am currently writing my Bachelor Thesis (B.Sc) on OAuth and its usability on mobile devices. Therefore I am also writing an OAuth (2.0) library for Android clients. If it is any good, I want to publish it under GPL for others to use and maybe develop it further.
    What would be the right place for me to do that?
    How can I make the OAuth community aware of this project – if it draws at least any interest?
    Since the library is part of my thesis, I am not allowed to share it quite yet, but it should be possible for me to upload it in a month, after I have finished documenting everything.
    Thank you for your help

    Regards
    Christoph

  3. hi,

    I’m trying for a jQuery client-side implementation of OAuth for Google APIs. Is there a possible way to implement this?
    If so, please point me to some working example or some JS libraries.

    Thanks,
    Vaithi G.

  4. Hello, I have a question about using OAuth. We are a financial services firm which handles customer investments and we have only recently begun developing our online ad campaign (banner ads, landing pages, content, the works). Our boss has expressed interest in the idea of an email contact extraction option (in the spirit of Facebook and Twitter) to forward a landing page or other content to contacts in the email of the opt-in user, but I am concerned about the idea of losing leads due to potential client unease when the program asks them to input their username and password into the module (sounds like a cookie-cutter OAuth story from what I’ve read). Can OAuth be implemented to help us solve this issue? Is there any other solution? How would OAuth work in this case? Can the process be automated? If this could work, it would be the best compromise…

    Thanks

    Oleg

    • OAuth is used to obtain access to protected resources (such as the user’s account, address book, etc.) without directly handling their username and password. They still authenticate, but only with the service they are familiar with. There are many factors in how this is implemented based on the specific characteristics of the client. While work is almost done for OAuth 2.0, you should review the materials on this site and others and learn about how the protocol works. It is also useful to take a look at real world examples from many providers supporting the protocol.

  5. Hi,

    I was trying to follow this code http://www.lesnikowski.com/blog/index.php/oauth-with-imap/ but was unable to execute it as there are many issues with it. I found OAuth in this code unrecognized when I tried it.
    Can you please help me with the points below:
    1) What are all the references I should add in my aspx project.
    2) What are all the namespaces I should use to get my work done.
    3) What should be the entry in web.config.
    4) Is there any complete code available in C# to connect to Gmail.

    Thanks,
    Jatin

  6. Hi Eran,
    I was wondering if you could explain a little detail from the OAuth2 MAC Token drafts to me?
    Since “draft-hammer-oauth-v2-mac-token-04” there is the new “ext” parameter included in the Authorization request header. I figured it is not for any resource-related parameters, because those I could include in the request body and therefore also in the bodyhash. But if it is not resource-related and it’s not OAuth-specific (since it is not explained in the drafts), what is this “ext” parameter then for?

    Thank you!
    Christoph

  7. Hi,

    I’m trying to find a standardized as future-proof as possible way to handle primarily authentication in a SoA environment of RESTful JSON APIs. Basically I need centralized SSO capabilities and a way to avoid having all the APIs handle original end-user credentials. Since this is going to be exposed externally it needs to be as lightweight and easy to implement as possible on the end-user side. With this in mind I set out to find a good standard scheme and ended up with a headache. People in general seem to point at one of the OAuth versions, but I haven’t been able to find support for this use case in OAuth itself? OpenID does seem to fit the use case even though it’s created as a decentralized solution and people seem to complain about complexity. OpenID Connect is maybe promising but very young? CAS/SAML does not seem to fit the bill. I feel a bit lost here, am I missing something about OAuth v2.0? Could you help me out with a pointer here?

    Kind regards,
    Fredrik Widlund

  8. If my native mobile app wants to still use the consumer credentials, which flow should I use? It looks like the new user-agent flow is for native mobile apps not requiring consumer credentials, but I’m not sure what to use if I want to use OAuth 2.0 with consumer credentials à la the 1.0a version?

  9. are there any oauth 2.0 providers that still enforce signatures on top of SSL? is that even possible?

  10. Hi,
    Before, I had tested OAuth 1.0. Now I’m trying to implement OAuth 2.0 with my API request, but where can I find the OAuth 2.0 source library for the .NET version?
    Could you please help me? Hope there is a response from you!
    Thanks,
    Paul

  11. Hello,

    and thanks for this great offer to ask about OAuth. We are currently working on the architecture for our platform, where we have one identity provider (server storing users) and multiple resource servers (each solves a specific subset of domain logic and stores the appropriate resources). In some cases it can also happen that resource servers would like to talk to each other, and that has to happen on behalf of a specific user (this we keep in sync using identity provider requests).

    The question is: Is it a good idea to share one access token which can be used to let the client talk to each resource server, but also to use this very same token for requests between the resource servers themselves? Or is it better to establish an access token between resource servers if they want to talk together (so one will basically play the role of client)?

    • Each access token is user-specific, unless it is issued to the client without user authorization. I would suggest using different access tokens, each with the right minimal scope required.

  12. Ok, I have read all about OAuth and I’m up on it, but I can’t figure out something in OAuth 2. Here’s the scenario: I develop an app for Android and want to store data into some third-party OAuth’d data storage service on behalf of only myself, the app developer. Every model I can imagine requires some authorization token or credential to be shipped in the app that could hypothetically be pulled out by hacking the distributed code. Am I being paranoid or is this not the case? If this is the case, how could I know a request is not actually valid but in fact masquerading as my app?

    • There is no way to verify if a call is being made by a specific application. None. If you are distributing an Android application, someone can extract your credentials from it. Because you want to make calls on behalf of the application itself, not a user, you also lose the ability to use user authentication for application validation. So, the short answer is that there is no solution to this problem. You can use a proxy and put the secret there (or access token), but that’s just moving the problem elsewhere, because now you have to secure the link between your application and the proxy and it’s the same story.

  13. Given your answer to my previous question, what protects an OAuth user from having data stolen by a malicious app that is masquerading as another trusted app? Doesn’t the app have to be distributed with some app id and secret, and aren’t these similarly vulnerable to extraction? I assume the solution is to revoke the access for that app, but doesn’t this undermine all third party apps since it’s a post-facto fix and requires your knowledge of being duped? It also leaves an opportunity for a DOS attack on an app by compromising its secret.

    • Each uses a different algorithm to normalize the request URI. The exact details are too long to repeat here. They are different enough that no code can be reused across the two.

  14. The Introduction to OAuth 2.0 was written in May 2010 and at the end the author expected the RFC by the end of the year. It’s Aug 2011, the current draft is 20, any ETA for the final RFC?

    I’m about to begin a massive project incorporating OAuth. I would much prefer to use 2.0 as I feel vendor acceptance would be greater because of the simplified flows but I don’t want to invest hundreds of man hours with any chance of: “Oops, OAuth 2.0 was a bridge to nowhere…”

  15. Hi Hammer, my name is Gaspar, living in Caracas. Would you give me permission to translate your OAuth article to Spanish on my blog and publish it referencing your original text?

  16. Hi, we are implementing OAuth functionality with the Java API provided by OAuth. It’s always giving a 401 Unauthorized error in the output.

    Any help will be appreciated.

    Thanks in anticipation.

    Best Regards,
    GTL

    • Many things can cause this. Unfortunately I cannot help with individual implementations but I suggest you reach out to the provider you are trying to connect to for support.

  17. Hello Eran,

    2 questions:

    a)
    According to OAuth 1.0 (RFC) why is it a requirement to use TLS AND the signature (let’s assume one is used) for calls requesting temporary credentials (Section 2.1) and obtaining token credentials (Section 2.3)?

    Would the credentials sent/returned in either call be useful to a “man in the middle” without knowing the client secret which is used to sign calls? Another client which has credentials with the same auth provider could intercept the calls and modify them to make it look like he emitted them via a new oauth_consumer_key and signature but that’s a fairly remote possibility (is it even a possibility?).

    b)
    What is the purpose of oauth_token_secret in OAuth 1.0? It is returned in a response but then never used. Something legacy?

    Thank you,

    /David

  18. since implicit-grant does not require client authentication, for a provider that accepts response-type=token for this purpose in addition to the response-type=code, is there any best practice for a provider to prevent a MITM from simply replacing response-type=code with response-type=token to steal the access token?

    for instance, sample code here:

    https://github.com/herestomwiththeweather/sslstrip/commit/04f17cb867dbaf8625debb64032d351c2c342daa

    this attack depends on intercepting an http page that links to the https page which is often not a problem.

  19. In the OAuth workflow, http://hueniverse.com/oauth/guide/workflow… I don’t understand why we need both an access token and a request token. Wouldn’t having only an access token be sufficient? For example, beppa redirects Jane to faji on its behalf and gets the access token afterwards. Can someone please tell me why? Thanks!!

    • Two main reasons: to separate the credentials used on the front channel (passed through the browser) from those used on the back channel (directly between the client and server), and to allow devices incapable of receiving callbacks.

  20. thanks. with this sslstrip attack, if i understand implicit grant right, ssl and callback registration will not help. the attacker attacks http instead of https. for instance, the client could have an insecure page that has an https link to the provider. the victim receives the insecure page with the https link replaced with an http link. when the victim clicks on the link, the attacker knows he replaced the link so connects to the provider with https to fetch the authorization form. he serves the form to the victim as http. the victim often will not pay attention that he’s viewing an insecure form, so he submits it. the provider returns a redirect to the registered callback which is intercepted by the attacker who steals the access token and the client never knows anything regarding what just took place.

    one could make the argument that stealing the session cookie is easier. that argument assumes the provider doesn’t mitigate against stolen session cookies. before the attack, if the victim had logged into the provider with ssl, then the provider could return a secure cookie in addition to the session cookie. subsequently, if a provider receives a request on an ssl connection for that user, if the request does not include the secure cookie in addition to the session cookie, the provider knows that this request is from a stolen session. in this case, the weakest link is not the session cookie but the bearer token.

  21. Hello,

    When the client sends a request to the resource server, it has to present an access token. The protocol defines that the server must validate the given access token (expiration, scope). The strategy for handling this is out of scope of the protocol and I am thinking about what the options could be. For sure I can communicate with the auth server, which means a big load for it though. My question is:

    Would it be valid idea to encode expiration and scope of the access token within itself? Could you recommend any information source regarding this topic?

    Thank you very much for any help.
    Petr Janda

    • Encoding information into the token itself is very common and the main reason for introducing the refresh token in OAuth 2.0. One thing to watch out for is that these self-contained tokens must expire because they do not require full database verification on every call. There are many ways to encrypt information, including symmetric and asymmetric cryptography. Given the complexity of the issue, I cannot discuss it in general.
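To make the reply concrete, here is an added example (written for this page; it is not the poster’s code, hueniverse’s code, or any library’s) of the self-contained token the reply describes: the authorization server packs client, user, scope and expiry into the token and seals it with an HMAC, so the resource server can check expiration and scope locally without calling back. HMAC-SHA256 over a base64url JSON body is my assumption (the reply only says there are many ways); the key, the claim names and the 300-second lifetime are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw):
    # base64url without padding, as is customary for compact tokens
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    # restore the padding that _b64url stripped before decoding
    padded = text + "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(padded.encode("ascii"))


def issue_token(signing_key, client_id, user_id, scopes, ttl_seconds, now=None):
    """Authorization server: serialize the claims and MAC them.

    The claim names (client, user, scope, iat, exp) are an assumption made
    for this example, not names taken from any OAuth 2.0 draft.
    """
    now = int(time.time()) if now is None else now
    claims = {
        "client": client_id,
        "user": user_id,
        "scope": sorted(scopes),
        "iat": now,
        "exp": now + ttl_seconds,   # self-contained tokens must expire (see the reply above)
    }
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8"))
    tag = hmac.new(signing_key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64url(tag)}"


def validate_token(signing_key, token, required_scope, now=None):
    """Resource server: verify the MAC first, then expiry, then scope.

    Returns (ok, reason, claims). No database lookup is needed, which is the
    point of a self-contained token; the price is that it cannot be revoked
    before it expires.
    """
    now = int(time.time()) if now is None else now
    body, sep, presented = token.partition(".")
    if not sep:
        return False, "malformed", None
    try:
        presented_tag = _unb64url(presented)
    except ValueError:                       # binascii.Error is a ValueError
        return False, "malformed", None
    expected = hmac.new(signing_key, body.encode("ascii"), hashlib.sha256).digest()
    # constant-time compare, and only after this do we parse the untrusted body
    if not hmac.compare_digest(expected, presented_tag):
        return False, "bad signature", None
    claims = json.loads(_unb64url(body))
    if now >= claims["exp"]:
        return False, "expired", claims
    if required_scope not in claims["scope"]:
        return False, "insufficient scope", claims
    return True, "ok", claims


# Constructed demo key; a real deployment derives this from a secret shared
# between the authorization server and the resource servers.
DEMO_KEY = b"constructed-demo-key"


def demo():
    token = issue_token(DEMO_KEY, "client-1", "user-42", ["read", "write"], 300, now=1000)
    return {
        "fresh": validate_token(DEMO_KEY, token, "read", now=1100)[1],
        "expired": validate_token(DEMO_KEY, token, "read", now=1400)[1],
        "wrong_scope": validate_token(DEMO_KEY, token, "admin", now=1100)[1],
    }


if __name__ == "__main__":
    print(demo())
```

Order matters in validate_token: the MAC is checked before the body is parsed, so untrusted JSON is never decoded, and the comparison is constant-time. Because nothing is looked up, the only way to retire such a token is to let it expire, which is why the reply ties this design to short lifetimes plus refresh tokens. The claims here are authenticated but not encrypted; if clients must not be able to read them, wrap the body with authenticated encryption rather than a bare MAC.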

  22. Have you seen that the link to your /oauth page at http://oauth.net/documentation/ is missing a double-quote (“) at the start of it, which causes the URL to have a trailing double-quote? Any chance you can get them to fix it? Otherwise, how about a redirect from /oauth” (trailing double quote) to /oauth ?

  23. Can we use your OAuth to validate between sites while passing data? For example, a user will start on one website and then click a link to view documents on another site. The second site does not require a sign-in; we just need to have a way to verify that the request came from a specific site. Is there a way to do this with OAuth?

    Thanks!

    • OAuth deals with delegation. This is more a trusted transaction between two parties via an intermediary (the user). You can use a token in the URI that can be validated by the other site. If you need protection from manipulation of the URI, you can use MAC tokens and include the mac value as another parameter. You might want to look at OAuth 1.0 HMAC-SHA-1 as a way to accomplish this. OAuth 2.0 will make it a bit harder to do without changes. You are probably better off coming up with a simple token format that works for your security needs.

  24. I wish to implement OAuth 2.0 using a multi-level password system. The number of passwords may be 3 or more.
    Can I create this type of workflow in OAuth?

  25. Dear Eran,

    I have just discovered hueniverse.com which I found while searching for simple programmatic interface to Twitter – now learning about OAuth. What a great source of interformation [just made that up then by confusing interactive information - all good].

    I particularly liked the format that you have developed to represent the large range of information you host – would you be so kind as to let me know what WordPress theme you are using and any general modifications you may have needed to apply to get your site looking so great? I’m in a place where I need better ways to capture and share the ideas and information.

    Many thanks
    Jonno

  26. In case Authorization Server and Resource Server are implemented separately (unlike Facebook or Twitter where Authorization Server and Resource Server are same)

    Would you please throw some light on the validation that needs to be done at the Resource Server before allowing access to a REST API?

    1. Let’s say in the access token validation response the Authorization Server would say that the access token is issued to “Client 1”, the scope values are “XYZ PQR” and some Resource Owner identifier such as a user id
    2. The OAuth Client needs to register at the Resource Server as well so that it can trust only specific OAuth clients
    3. Also I understand that the Resource Server would look at scope values as well before allowing access to a particular REST API

    I would appreciate your response.

    Thanks
    Aakash

  27. I’m using classic ASP and need to do OAuth with Yahoo to get the contacts of a user who allows my app.
    I can get as far as obtaining a token, but I can’t make the API request because the Yahoo API is HTTP and not HTTPS, so I must use oauth_signature_method=”HMAC-SHA1”.
    I can’t find a script function that creates this oauth_signature for me in classic ASP.
    Can you help me?
    Thanks,
    Marco
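Questions 1, 17(b) and 27 above all come down to the same mechanics: oauth_consumer_key and oauth_token are identifiers that travel in the request, while the Consumer Secret and Token Secret never leave the two parties and together form the HMAC-SHA1 key (so oauth_token_secret is very much used; it is half of that key). The following Python is an added example written for this page, not code from hueniverse, Yahoo, Twitter or any library the commenters mention, and the classic ASP port is left to the reader. It follows RFC 5849 sections 3.4 (signature base string, HMAC-SHA1) and 3.6 (percent-encoding); all credentials and the request are constructed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def oauth_encode(value):
    """RFC 5849 section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """RFC 5849 section 3.4.1.2: lowercase scheme/host, drop default port and query."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port and parts.port != default_port:
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """RFC 5849 section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).

    Parameters come from the query string, the form-encoded body and the
    oauth_* protocol parameters; oauth_signature itself is excluded.
    """
    query_params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs = list(query_params) + list(body_params) + list(oauth_params.items())
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in pairs if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret="", body_params=()):
    """RFC 5849 section 3.4.2: key = enc(consumer secret) & enc(token secret).

    token_secret is empty when requesting temporary credentials, which is
    why the trailing '&' is still present in that case.
    """
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode("ascii")
    text = signature_base_string(method, url, oauth_params, body_params).encode("utf-8")
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode("ascii")


def authorization_header(oauth_params, signature, realm=None):
    """Client side: the oauth_* parameters plus the signature, as an Authorization header."""
    items = dict(oauth_params, oauth_signature=signature)
    fields = [f'realm="{realm}"'] if realm else []
    fields += [f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in sorted(items.items())]
    return "OAuth " + ", ".join(fields)


def verify_signature(method, url, oauth_params, consumer_secret, token_secret, presented, body_params=()):
    """Server side: look up the secrets by the received key/token, recompute, compare in constant time."""
    expected = hmac_sha1_signature(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


# Constructed sample credentials (not real Yahoo or Twitter values).
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
TOKEN, TOKEN_SECRET = "example-token", "example-token-secret"


def example_request():
    """Sign a constructed GET; timestamp and nonce are fixed so the result is reproducible."""
    oauth_params = {
        "oauth_consumer_key": CONSUMER_KEY,   # identifier, sent in the clear
        "oauth_token": TOKEN,                 # identifier, sent in the clear
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1",
        "oauth_nonce": "n1",
        "oauth_version": "1.0",
    }
    url = "http://example.com/resource?q=a%20b"
    signature = hmac_sha1_signature("GET", url, oauth_params, CONSUMER_SECRET, TOKEN_SECRET)
    return oauth_params, url, signature


if __name__ == "__main__":
    params, url, sig = example_request()
    print(signature_base_string("GET", url, params))
    print(authorization_header(params, sig, realm="Example"))
    print("verifies:", verify_signature("GET", url, params, CONSUMER_SECRET, TOKEN_SECRET, sig))
```

The server’s job is the mirror image of the client’s: it looks up the two secrets by the oauth_consumer_key and oauth_token it received, rebuilds the base string from the method, URI and parameters it actually saw, and compares with hmac.compare_digest. Any change to the method, host, path, query, body or oauth_* parameters alters the base string and breaks the signature, which is what the signature buys you over plain HTTP. It does not hide the request, so the secrets themselves still have to be provisioned out of band, and a production server must also reject replayed timestamp/nonce pairs.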

  28. Hi, I am trying to implement Twitter OAuth for my application but am running into errors every time I try. I have downloaded and am using the library of Abraham’s OAuth coding. At the moment, every time I run my application it presents me with a link to sign into Twitter, but when clicked it gives me the error message “Cannot sign into twitter, try again later”, which is the error handling message of course, but I don’t understand why I am being faced with this… any help please? Other attempts at OAuth have taken me to the Twitter website and given me the message that there is no request token for this page, but the token information has been added into the coding already. Help would be much appreciated. Thanks

  29. hi eran,

    congrats on your new job and good luck @ walmart!

    i’m working on a project where we are trying to use oauth (2) for authentication (click this button to sign in using your ‘xyz-oauth-provider’ account).

    in this use-case, the client (user) enacts the oauth handshake with the provider, is prompted to login to the provider, is prompted to grant access to some scope of provider resources, and if all goes well, the client successfully gets an access token and uses it to call an api at the provider to get some basic account information which it uses to set up a local session.

    when the client’s local session is complete it ‘goes away’ meaning it tosses the access token.

    when the same user comes back (say the next day after the session with the provider has expired) via the client to run through the same process again, they are prompted to login to the provider again, but they are also prompted to grant access again.

    my initial instinct is that the provider should *not* prompt the user to grant access again (and let’s just simplify the question for now by saying that the initial grant should have no expiration so that the refresh flow isn’t in play).

    ok, so that is the setup for my question which is:

    does the spec cover this situation in terms of specifying how a provider should behave in this case?

    i.e. is it the client’s responsibility to hold onto an access token and not ask for one twice (in which case i’m unclear how to do repetitive sign-ons using oauth),
    *or* is it the provider’s responsibility to not prompt the same user if they have already granted access (and possibly return the same access token that they were initially issued).

    i hope my questions are relatively clear, but i’d be happy to clarify if not.

    thanks! tony…

    • These decisions are all part of the provider’s architecture and all options mentioned are perfectly valid. I would optimize the user experience to make the most sense.

  30. I am trying to access Yahoo’s contacts API and I’m not able to get a request token by making a URI request using my consumer key and secret. It is showing “file not found” when making the request.

  31. Hi … Question:

    I want to make an App on a Fanpage where people can write their experience with a service. When published … this experience is also posted on their own timeline as their status update …

    Is this possible with OAuth ?

    • I’m not familiar with Fanpage, but if they provide an OAuth API to do this, you can register a client with them and perform normal OAuth authorization on your server, then post to their status update.

  32. Can you recommend some sources for getting up to speed in JavaScript for node?

    Also, what are your thoughts about coffeescript?

    • There are plenty of books and resources on JS, but you should be able to just pick up a few of the node examples and run with them. http://howtonode.org/ is a great place to start. As for CoffeeScript, I have no experience with it, but generally don’t see the point.

  33. Did you get your writeup done on Express with OAuth? I came across a mention of this topic in your excellent writeup on Node.js, Express and socket.io.

    Appreciate the pointer.

    Thx

  34. When working with node.js, what NPM module do you recommend for oauth 1 and 2? Or do you just write your own?

  35. What is going on with OAuth 2.0, and what has happened to this blog? It has been dead for 6 months now… Did you guys give up, and if so, why? Please start posting stuff again. Thanks.

  36. Hi!
    1. How can you change redirection_uri ? “Evil user takes the authorization endpoint URI and changes the redirection to its evil site.”

    2. If victim user doesn’t have session? “Evil user tricks victim user to click on the link and authorize access (using phishing or other social engineering methods).”

  37. Hello,

    at first: great beginners guide. :-) It helps me a lot to understand how OAuth works and what kind of information is shared during this workflow. But the whole guide is only designed for web based applications.

    My problem is, how can I use OAuth in desktop applications? Okay, requesting a request token via an HTTP request is no problem, but usually the user is redirected to an authorization URL on which he has to approve my app (e.g. on Twitter, Facebook, Dropbox, etc.). This step is also no problem … I can use a simple browser component to display this URL. And now my real problem: in web based applications a user will be redirected to a callback URL after approving my app. In desktop applications no callback URL exists, and now I don’t know how to continue the workflow … :-|

    Can you give me a short instruction or some help to solve this problem?

    kind regards,
    Chris

    • There are a few options. The landing page can tell the user to go back to the application, or the desktop application can use a web view inside and control that. There are also ways to check for changes in the browser title and use that.

  38. Is OAuth 2 + signatures absolutely impossible to be made ‘secure-enough’ over http?

    I couldn’t find any information on signatures in OAuth 2 so I couldn’t determine how much signatures protect OAuth nor if there was information that could be made secure by introducing a single secure channel on the side for one piece of information.

    This is the theoretical model I’m working under:
    - An open source piece of web software has an API to it and wants to use OAuth so that users aren’t handing their passwords to 3rd parties, and can safely locally deal with 3rd parties that go rogue
    - This open source software is installed on thousands of different websites on the internet
    - There are also many different clients that would like to use OAuth so that they can do things using the open source software’s api on many different sites

    These sites being on HTTP is an inevitable fact. It is absolutely impossible to get them all to use HTTPS (not without fixing HTTPS’ broken trust structure and getting everyone to use something like Convergence, which is a goal of its own separate from OAuth). Many are small sites which simply have absolutely no budget for SSL at all.

    So given this fact I cannot change the use of SSL on these sites. And given the fact that these sites are already vulnerable to Browser-Site MITM attacks, I would ‘at least’ like to make OAuth work for these sites without introducing Web App-Site MITM attacks on authentication.

    The big issue with these of course is that, dealing with an infinite number of clients and an infinite number of sites, the clients must rely on discovering the site the first time they see it instead of being pre-registered with secure information. But because the site is only available over HTTP, it cannot transmit the information needed for signing, etc… to the client with a guarantee that it actually came from the server.

    My thought for that issue was to use a separate trusted path that could verify one bit of information the server needs to send to the client.
    The idea went something like:
    - The server sends a public key to the client (http)
    - The client contacts a central trusted party and asks it to verify the public key (over https this time)
    - The server uses some method to ensure that the public key is the correct one for the site (undefined)
    - After the public key is validated it’s either used somehow in OAuth or used that to communicate a shared key that can be used one time to exchange the secret information needed for signatures to work.

    The idea here of course is that by adding in a separate server into the mix even though there are 1000 websites that we can’t get ssl certificates for we can get a single ssl certificate for 1 trusted server and then use that to validate communication between the web app and the many sites.

    On the (undefined) part on checking the public key. My first idea was the server would be a registry of all sites and each would have a registered public key. Then the server would just compare against that. But then I remembered Convergence and thought of applying the fundamental idea there to this. Clients contact 4 servers at different locations. Each of these servers verify the public key by looking it up themselves and comparing. And then if they all say it’s ok the key is validated.

    • Without diving into all the details above, OAuth 2.0 does not function without TLS for its token exchange endpoints. Once you have a token, you can use/define a token type that provides HMAC-like security over non-TLS. However, the working group has not made any progress on MAC tokens and at this point it is unclear if they will even finish it. If you are limited with TLS access, use OAuth 1.0.

Comments are closed.