[oauth] Re: Authentication API protected with OAuth

2009-01-28 Thread Chris Messina
Ah ha. I get it. That makes sense -- though it does seem like the goal should be to move away from asking for usernames and passwords. This, however, speaks to my concept of an account pin, where you could authorize desktop apps with an easy-to-remember pin that doesn't give you full account acces

[oauth] Query regarding callback & hd parameter in OAuthAuthorizeToken

2009-01-28 Thread Razak
Hi Guys, I am new to OAuth. I got the "oauth_token" and "oauth_token_secret". After that I tried to do the authorization part with the following code. function authoriseToken() { try { netscape.security.PrivilegeManager.enablePrivilege ("UniversalBrowserRead"); }

[oauth] Re: Authentication API protected with OAuth

2009-01-28 Thread George Fletcher
Thanks for this history Chris. I remember it still being "API authentication" in the first drafts of the OAuth IPR document; because it was one of my comments on the doc:) Here is an example usage. Again, this is more about leveraging the OAuth signature mechanism than trying to represen

[oauth] Re: Authentication API protected with OAuth

2009-01-28 Thread Chris Messina
Hmm. Historically the separation came from the way the communities grew up actually. There were thoughts initially to make OAuth an extension of OpenID but because I was wary of the politics within the OpenID community, I pushed for keeping OAuth completely separate and avoiding having to do anything

[oauth] Re: Authentication API protected with OAuth

2009-01-28 Thread Hans Granqvist
Yep. The entire authentication/authorization discussion is sadly muddled. The OAuth/OpenID hybrid proposal is adding to the confusion. Sometimes I feel like we (people who have interest in the two concepts) maintain there is a difference to justify standards' existence, even if it's largely an ac

[oauth] Re: Authentication API protected with OAuth

2009-01-28 Thread John Kristian
Yes, a digital signature can be used for authentication. SSL/TLS is one example. OAuth specifies some signing algorithms that could be used for the purpose. But it seems dangerous to extend OAuth to do authentication as well as authorization. Better for OAuth to focus on doing one thing really we

[oauth] Re: OAuth - signature_invalid problem

2009-01-28 Thread John Kristian
Sorry to hear it doesn't work. What happened when you tried it? I've seen it work in Internet Explorer 7 on Windows. But it won't work if you simply load http://oauth.googlecode.com/svn/code/javascript/example/AJAX.html, because the browser won't permit sending requests to other servers (for

[oauth] Authentication API protected with OAuth

2009-01-28 Thread George Fletcher
I was having a discussion last week regarding different uses of OAuth (initially around using OAuth as a binding for SAML messages) and in the discussion worked through the following use case. A "client" or user-agent wants to authenticate a user to the user's IdP. Doing so requires signing an

[oauth] Re: Possible to implement user authentication similar to Facebook Connect via OAuth?

2009-01-28 Thread George Fletcher
First, I would argue that "Facebook Connect" is less about authentication and more about authorization by the Facebook user to allow the 3rd party site to access their Facebook data. In this sense, while authentication can be involved, it's much more directly mappable to OAuth. In addition t

[oauth] Re: Possible to implement user authentication similar to Facebook Connect via OAuth?

2009-01-28 Thread JR Conlin
Senad wrote: > I'm looking for the possibility to implement user authentication similar > to Facebook Connect via OAuth. I understand that OAuth is not an OpenID > extension, but as far as I understand a Consumer can also authenticate a > user of a Service Provider, if the Consumer has authorization to access > us

[oauth] Re: Distinction between Request Token and Access token

2009-01-28 Thread JR Conlin
Jorgito wrote: > > Hi! I'm new to this group. I am very grateful for the possibility it > brings me to ask questions, so thanks in advance ;) > > Reading the spec of OAuth there's something whose motivation I can't > understand. Why distinguish between a Request Token first, and an > Access

[oauth] Re: OAuth - signature_invalid problem

2009-01-28 Thread Morten Fangel
Hi Razak, I too just found a bug in percentEncode that made Safari create invalid signatures on certain inputs. I have made an issue and a patch, you can see if the patch makes it work in IE as well as Safari. (Or is IE broken worse than just this issue?) http://code.google.com/p/oauth/issues

[oauth] Re: OAuth - signature_invalid problem

2009-01-28 Thread Razak
Hi John, It's not working in the IE browser. Do you have any code which works for both Mozilla Firefox & IE? Thanks & Regards, Razak K On Jan 28, 6:10 pm, Razak wrote: > Hi John, > > Thank You very much. > > Regards, > Razak K > > On Jan 26, 1:43 am, John Kristian wrote: > > > No, OAuth Core do

[oauth] Re: OAuth - signature_invalid problem

2009-01-28 Thread Razak
Hi John, Thank You very much. Regards, Razak K On Jan 26, 1:43 am, John Kristian wrote: > No, OAuth Core doesn't permit the consumer's secret to be used as the > signature, when the signature method is HMAC-SHA1. > > A similar example that works > is http://oauth.googlecode.com/svn/code/javas

[oauth] Re: Splitting up consumer and token secrets

2009-01-28 Thread hallsy
> Nope! :-) Thanks for bringing it up. I think this is a very useful > pattern, particularly for developers of desktop applications that are > clients for a web service. Great - thanks for having the foresight to include this pattern in OAuth. It's going to make things a lot easier. David

[oauth] Re: Splitting up consumer and token secrets

2009-01-28 Thread Blaine Cook
On Mon, Jan 26, 2009 at 9:20 PM, hallsy wrote: > > ... > > Of course, the consumer key ends up given to the desktop app so is > vulnerable. But the consumer secret never leaves the web app, which is > a better place to keep it. > > My question is whether the consumer key is any use without the >

[oauth] Re: Posting files with Java OAuth?

2009-01-28 Thread Tane Piper
Oh so close! I'm now getting a 422 error, which means "the server understands the media type of the request entity, but was unable to process the contained instructions", so the request itself is valid. I'll get in contact with Brightkite and try to find out what's wrong and can hopefully provide so

[oauth] Re: Posting files with Java OAuth?

2009-01-28 Thread Tane Piper
That's great, compiled file - I'll check out your suggestion later. Thanks again for all your hard work John! On Jan 28, 6:55 am, John Kristian wrote: > The Maven build is repaired in -r871. > > On Jan 27, 11:04 am, Tane Piper wrote: > > > I've downloaded the latest version, but > > the build k