Hi OAuthers,

First of all, I think I should introduce myself. I work at Facebook on the 
Platform team (anything not facebook.com). Before this I 
was at Yahoo! doing SearchMonkey (semantic web stuff). I've written a few OAuth 
applications and libraries, both at Yahoo and in my spare time.

For Facebook apps we're going to use your signature scheme with the following 
changes:

* the signature comes before the payload
* we used the key 'algorithm' instead of 'alg' and 'expires' instead of 
'not_before'
* we aren't sending any keys except algorithm, expires, and oauth_token (since 
we're a special use case)
* we named the parameter signed_request because it is the signed part of a 
request

We would love it if you could adopt those changes. Then you'd have a real-world 
implementation out the door already :) We plan on launching July 20.

Paul

Sent from my iPhone
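As an added example (not Facebook's code, and not the JSON Tokens proof-of-concept that Dirk links to further down), here is a minimal encoder and verifier for the signed_request layout Paul describes: the base64url signature first, then a "." and the base64url JSON payload carrying algorithm, expires and oauth_token. The thread never names the MAC, so the choice of HMAC-SHA256 keyed with the app secret is an assumption, as are the secret, token and clock values, which are constructed for the demo. The verifier pins the algorithm instead of trusting the payload's algorithm field, MACs the payload bytes exactly as received, compares in constant time, and only then checks expires.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; not real Facebook credentials.
APP_SECRET = b"constructed-app-secret"
# Assumption: the thread does not say which MAC is used; HMAC-SHA256 is ours.
EXPECTED_ALGORITHM = "HMAC-SHA256"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, the form carried on the wire."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the padding the wire form strips so the stdlib decoder accepts it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_signed_request(payload: dict, secret: bytes) -> str:
    """Signature first, then payload, joined by '.' (the ordering Paul describes)."""
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    sig = hmac.new(secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + payload_b64


def parse_signed_request(signed_request: str, secret: bytes, now: float) -> dict:
    """Verify a signed_request and return its payload; raise ValueError on any failure."""
    parts = signed_request.split(".")
    if len(parts) != 2:
        raise ValueError("expected exactly one '.' between signature and payload")
    sig_b64, payload_b64 = parts
    try:
        sig = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:          # binascii.Error and JSONDecodeError are ValueErrors
        raise ValueError("malformed signed_request: %s" % exc) from None
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    # Pin the MAC: the payload is unauthenticated at this point, so its
    # 'algorithm' field must match what we expect rather than select the check.
    if str(payload.get("algorithm", "")).upper() != EXPECTED_ALGORITHM:
        raise ValueError("unexpected algorithm: %r" % payload.get("algorithm"))
    # MAC over the base64url payload exactly as received, not a re-serialisation.
    expected = hmac.new(secret, payload_b64.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    expires = payload.get("expires")
    if isinstance(expires, bool) or not isinstance(expires, (int, float)):
        raise ValueError("missing or non-numeric expires")
    if now >= expires:
        raise ValueError("signed_request expired")
    return payload


if __name__ == "__main__":
    now = 1279600000  # constructed clock value
    payload = {"algorithm": "HMAC-SHA256", "expires": now + 3600,
               "oauth_token": "constructed-token"}
    sr = make_signed_request(payload, APP_SECRET)
    print(sr)
    print(parse_signed_request(sr, APP_SECRET, now))
```

Note that a consumer should reject a request whose algorithm field it does not recognise rather than fall back to some other check, and that the expires check runs only after the signature has been verified, so an attacker cannot learn anything from the expiry logic with a forged token.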

On Jul 9, 2010, at 1:39 PM, "Dirk Balfanz" <balf...@google.com> wrote:

On Wed, Jul 7, 2010 at 7:49 PM, Eran Hammer-Lahav <e...@hueniverse.com> 
wrote:
Can we get an updated document based on the feedback received?

Sure - I just got back from my vacation. I'll read through the thread and 
update the docs.

Cheers,

Dirk.



EHL


On 6/21/10 12:04 AM, "Dirk Balfanz" <balf...@google.com> wrote:

Hi guys,


I think I owe the list a proposal for signatures.

I wrote something down that liberally borrows ideas from Magic Signatures 
<http://salmon-protocol.googlecode.com/svn/trunk/draft-panzer-magicsig-00.html>, 
SWT <http://groups.google.com/group/WRAP-WG/files>, and (even the name from) 
JSON Web Tokens 
<https://groups.google.com/group/WRAP-WG/browse_thread/thread/a99369c4b74d4cd0#>.


Here is a short document (called "JSON Tokens") that just explains how to sign 
something and verify the signature:
<http://docs.google.com/document/pub?id=1kv6Oz_HRnWa0DaJx_SQ5Qlk_yqs_7zNAm75-FmKwNo4>

Here is an extension of JSON Tokens that can be used for signed OAuth tokens: 
<http://docs.google.com/document/pub?id=1JUn3Twd9nXwFDgi-fTKl-unDG_ndyowTZW8OWX9HOUU>

Here is a different extension of JSON Tokens that can be used for 2-legged 
flows. The idea is that this could be used as a drop-in replacement for SAML 
assertions in the OAuth2 assertion flow:
<http://docs.google.com/document/pub?id=1s4kjRS9P0frG0ulhgP3He01ONlxeTwkFQV_pCoOowzc>

I also have started to write some code 
<http://code.google.com/p/jsontoken/source/browse/#svn/trunk/src/main/java/net/oauth/signatures> 
to implement this as a proof-of-concept.

Thoughts? Comments?

Dirk.



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth