[oauth] Re: Getting started with OAuth...

2009-07-25 Thread John Kristian

You can generate javadoc like this:

svn checkout http://oauth.googlecode.com/svn/code/java/core
cd core
mvn javadoc:javadoc

You'll find the javadoc in target/site/apidocs/index.html.

There's a beginner's guide http://oauth.net/documentation/getting-started

Yes, tokens may be expired or revoked.  But OAuth Core doesn't
standardize the process.

On Jul 24, 10:53 pm, mw_java michaelwilso...@gmail.com wrote:
 I looked at the following URLs and noticed that there was no JavaDocs
 included with these libraries:

 http://oauth.googlecode.com/svn/code/java/core/
 http://spring-security-oauth.codehaus.org
 http://code.google.com/p/oauth-signpost/

 Question(s):

 (1) What is the best way to get up to speed with the OAuth libraries?
 (2) Can an OAuth token be expired or revoked?
 (3) What's the best tutorial / online resource for learning OAuth?
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
OAuth group.
To post to this group, send email to oauth@googlegroups.com
To unsubscribe from this group, send email to oauth+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/oauth?hl=en
-~--~~~~--~~--~--~---



[oauth] Re: Want to make sure I have this right - oAuth 2 Legged

2009-07-25 Thread John Kristian

http://oauth.googlecode.com/svn/spec/ext/consumer_request/1.0/drafts/2/spec.html
http://sites.google.com/site/oauthgoog/2leggedoauth/2opensocialrestapi




[oauth] Re: Want to make sure I have this right - oAuth 2 Legged

2009-07-25 Thread John Kristian

The consumer key, consumer secret and nonce should be unguessable.  A
popular choice is bits from a cryptographically strong random number
generator, encoded as letters and numerals.  The nonce should not be a
predictable function of other data.

Don't add salt to the signature algorithm.  That won't conform to
OAuth.  (You might consider the consumer secret to be salt.)

On Jul 19, 5:51 pm, logix812 aventure...@gmail.com wrote:
 Now, the $signature could be generated a different way, so long as it
 was hashed under the provided oauth_signature_method.
 eg (adding a shared salt that both the consumer and the service
 provider know about):

 $signature = hash_hmac('sha1', $consumer_key.$shared_salt,
 $consumer_secret);

 Now, in both cases, when the Service Provider receives the request it
 can look at the signature, and perform its own hash, under the same
 rules that the consumer generated their hash.  Assuming the service
 provider's hash is equal to the signature, the Service Provider knows
 the request is signed, and can continue.  This is the reason the
 consumer does not want to let anyone know what its secret is.  The
 $consumer_secret is effectively the password.

 Do I have the right idea for oauth_signature/$signature?

 oauth_nonce / $nonce, aside from marking requests, so they cannot be
 used again, this is another place where the request can effectively be
 signed, so long as both the service provider know how it was created,
 so that it can validate it.  One possible way to create this value
 would then be:

 $nonce = hash('md5', $time.$consumer_secret.$consumer_key);

 Assuming the service provider knows the Consumer is using $time as
 part of the hash (which it will be receiving in oauth_timestamp), it
 should always generate a unique value.

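Added example (not part of the thread and not code from any OAuth library): a Python sketch of the advice in John Kristian's reply above, drawing the consumer secret and nonce from a CSPRNG and computing HMAC-SHA1 over the OAuth Core 1.0 signature base string with no extra salt. The `Provider` class, `new_secret` and the other helper names are hypothetical; the URL is assumed to be already normalized and parameter names unique.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def enc(value):
    # OAuth percent-encoding: escape everything except A-Z a-z 0-9 - . _ ~
    return quote(str(value), safe="~")

def new_secret(nbytes=32):
    # Unguessable value from the OS CSPRNG, encoded as letters and numerals.
    return secrets.token_hex(nbytes)

def base_string(method, url, params):
    # Assumes url is already normalized and parameter names are unique.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is the secrets themselves; no extra salt is mixed in.
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def signed_request(method, url, consumer_key, consumer_secret, extra=None):
    # Two-legged request: no token, so the token secret stays empty.
    params = dict(extra or {}, oauth_consumer_key=consumer_key,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(int(time.time())),
                  oauth_nonce=new_secret(16))  # random, not derived from other data
    params["oauth_signature"] = sign(method, url, params, consumer_secret)
    return params

class Provider:
    def __init__(self, secret_by_key):
        self.secret_by_key, self.seen = secret_by_key, set()
    def verify(self, method, url, params):
        secret = self.secret_by_key.get(params.get("oauth_consumer_key"))
        if secret is None:
            return False
        expected = sign(method, url, params, secret).encode()
        if not hmac.compare_digest(expected, params.get("oauth_signature", "").encode()):
            return False
        # Reject a nonce already used with this consumer key and timestamp.
        replay_id = tuple(params.get(k) for k in
                          ("oauth_consumer_key", "oauth_timestamp", "oauth_nonce"))
        if replay_id in self.seen:
            return False
        self.seen.add(replay_id)
        return True
```

The replay set here grows without bound; a real service provider would also bound the accepted timestamp window so old nonces can be discarded.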



[oauth] Re: Getting started with OAuth...

2009-07-25 Thread mw_java

John,

Thank you so much for the response!

 Yes, tokens may be expired or revoked.  But OAuth Core doesn't
 standardize the process.

Could you elaborate on what you meant by this?

-Mike

On Jul 25, 12:17 pm, John Kristian jmkrist...@gmail.com wrote:
 You can generate javadoc like this:

 svn checkout http://oauth.googlecode.com/svn/code/java/core
 cd core
 mvn javadoc:javadoc

 You'll find the javadoc in target/site/apidocs/index.html.

 There's a beginner's guide http://oauth.net/documentation/getting-started

 Yes, tokens may be expired or revoked.  But OAuth Core doesn't
 standardize the process.

 On Jul 24, 10:53 pm, mw_java michaelwilso...@gmail.com wrote:

  I looked at the following URLs and noticed that there was no JavaDocs
  included with these libraries:

 http://oauth.googlecode.com/svn/code/java/core/
 http://spring-security-oauth.codehaus.org
 http://code.google.com/p/oauth-signpost/

  Question(s):

  (1) What is the best way to get up to speed with the OAuth libraries?
  (2) Can an OAuth token be expired or revoked?
  (3) What's the best tutorial / online resource for learning OAuth?





[oauth] Re: Getting started with OAuth...

2009-07-25 Thread John Kristian

The OAuth Core spec mandates that service providers enable users to
revoke access tokens.  And it mentions that a service provider should
send HTTP response code 401 when it receives an expired token.

However, it says nothing about how a user would ask to revoke a token,
why a service provider might revoke a token, when or why tokens might
expire, how a consumer can determine that a token has expired or been
revoked, or what a consumer should do in these situations.

On Jul 25, 3:36 pm, mw_java michaelwilso...@gmail.com wrote:
 Could you elaborate on what you meant by this?

 On Jul 25, 12:17 pm, John Kristian jmkrist...@gmail.com wrote:
  Yes, tokens may be expired or revoked.  But OAuth Core doesn't
  standardize the process.
