[oauth] Re: load testing an oAuth provider?
Hi Seth, thanks for your reply * pre-generating a list of signed URLs and running them through httperf Could you explain this a bit more? How did you pre-generate URLs? Were you just testing use of the access token, or the full dance to obtain it? I was thinking that it might be useful to hack OAuth support into JMeter in order to be able to use that, but never got that far. Yeah, I was looking at doing this too. It should be possible to write a JMeter plugin, but I needed something a bit faster. What we ended up doing was using PLAINTEXT - with such a simple signing scheme it was reasonably easy to write load runner scripts. We are making the assumption that the extra computation required to do HMAC-SHA1 will not be significant compared to DBA access etc cheers Perryn --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: load testing an oAuth provider?
* pre-generating a list of signed URLs and running them through httperf Could you explain this a bit more? How did you pre-generate URLs? Were you just testing use of the access token, or the full dance to obtain it? I do the dance ahead of time to obtain however many access tokens that I want to use to load test. Once I have those, I plug them into the URL generator which creates signed URLs and outputs them to stdout (rather than executing those queries). At that point, I have a file containing n signed URLs that I can plug into httperf, loadrunner, etc. seth --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Is 4-legged OAuth possible?
Hi, I recently integrated Twitter's OAuth into my site, http://tipjoy.com It's a great user experience and a lot like Facebook Connect. But I ran into a problem when developing our API for Twitter applications to use Tipjoy for payments. OAuth tokens aren't transferable like a username password. For example, a Twitter user on TweetDeck can input a username password, which lets TweetDeck post a picture to TwitPic. If TweetDeck were granted OAuth access to the user's Twitter account, TwitPic couldn't verify the access tokens easily, and couldn't communicate to Twitter with them. How can we power this 4-legged OAuth? Twitter could act as an intermediary, to tell TwitPic that the request from TweetDeck is authorized. I'm told Facebook is coming up with a solution for Facebook Connect. As the environment for social apps becomes more connected, this communication between 3rd parties about users on the OAuth provider become more important. What do you all think? Thanks, Ivan http://tipjoy.com --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] Re: Security through obscurity?
Both of you are right. Technically there's no irrefutable way to prevent leaking tokens in desktop apps, so forcing pre-registration is simply a way to get developers to agree not to casually release what qualifies as confidential information. If you do leak said information (i.e. By embedding it in your desktop app) you agree to hold harmless the SP that provided you the token if/when they shut off your key. The two solutions are complements. Whether the legal solution fully recognizes the limitations of technical solution is another story. Chris On 3/25/09, Eran Hammer-Lahav e...@hueniverse.com wrote: That's simply not true. When you manually register an application you agree to legal terms with how you may or may not use the user's data you are accessing and other legal requirements. Without this agreement, users could sue the service provider for bad acts by the application. EHL -Original Message- From: oauth@googlegroups.com [mailto:oa...@googlegroups.com] On Behalf Of Martin Atkins Sent: Wednesday, March 25, 2009 12:28 PM To: oauth@googlegroups.com Subject: [oauth] Re: Security through obscurity? Eran Hammer-Lahav wrote: But it does make the lawyers happy. Maybe the lawyers ought to listen to the technical folks telling them that requiring pre-registration of desktop apps achieves nothing whatsoever. It can't be healthy to have lawyers who believe they have an effective mechanism that is in fact completely ineffective. -- Chris Messina Citizen-Participant Open Web Advocate factoryjoe.com // diso-project.org // vidoop.com This email is: [ ] bloggable[X] ask first [ ] private --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---
[oauth] why not have server generate nonce values
I've been reading up on the oauth specs and when came to the section about nonce and timestamps I wondered why not have the server send the nonce?. Benefits of this: + Server only needs to track the last nonce it sent to validate the next request + Don't need to store every nonce ever used When the server responds back from the previous request it can include the next nonce value in the header. So when we construct our next signature we have our next nonce. Attackers still can't construct a valid signature even if they see the next nonce. So why have the client generate the nonce on the fly? I'm no security professional, so I might be overlooking a flaw with the above method. --~--~-~--~~~---~--~~ You received this message because you are subscribed to the Google Groups OAuth group. To post to this group, send email to oauth@googlegroups.com To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/oauth?hl=en -~--~~~~--~~--~--~---