Re: [oauth] interop and multipart posts: php vs. ruby

2010-10-13 Thread Morten Fangel
On Oct 13, 2010, at 6:41 PM, spidaman wrote:
 We've been working with a ruby client (uses the latest gem from
 http://github.com/oauth/oauth-ruby) that hits an API implemented with
 the php library at http://oauth.googlecode.com/svn/code/php/OAuth.php
 integrated in.
 
 Normal GETs and POSTs seem to work fine but there's a file upload API
 we're trying to work out but haven't yet figured out a way to get the
 ruby Net::HTTP requests signed in a way that the php OAuth server will
 accept. I'm not clear on what the accepted practice is here.
 
 Examples I've looked at thus far have been ineffective:
 * http://wiki.openstreetmap.org/wiki/OAuth/Examples
 * http://github.com/archiloque/rest-client
 ...the signature is always rejected by the php library.
 
 Has anyone else figured out how to get multipart POSTs posted to that php
 library to be signed acceptably and post some code?

I've managed to get the JS library to sign requests for the PHP library, yeah.

The main thing to be careful of is that the PHP library ignores all POST
arguments if the content-type of the request isn't
application/x-www-form-urlencoded (as per the spec).
The content-type likely won't be with file-uploads, because you are likely to
have multipart encoded those.

So what I did was transfer all the parameters I wanted transferred as either
GET or header parameters, and then have the POST-body contain the file, which
is then unsigned.

-Morten
(Maintainer of the PHP library in question)
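
What the reply above means for the signature base string, as an added Ruby example (not code from the PHP library, the oauth-ruby gem or the posters): body parameters enter the signature only for a form-encoded body, so a multipart upload is signed over the OAuth and query parameters alone and the file bytes are not covered. The helper names, URL, keys and field names are constructed for illustration.

```ruby
require 'openssl'

FORM_TYPE = 'application/x-www-form-urlencoded'

# OAuth 1.0 percent-encoding: only unreserved characters stay literal,
# everything else becomes %XX with uppercase hex digits.
def oauth_escape(value)
  value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Parameters covered by the signature. Body parameters count only when the
# body is form-encoded; a multipart body (the file upload) contributes nothing.
# Simplification for this example: one value per parameter name.
def signed_parameters(oauth_params, query_params, body_params, content_type)
  media_type = content_type.to_s.split(';').first.to_s.strip.downcase
  params = oauth_params.merge(query_params)
  params = params.merge(body_params) if media_type == FORM_TYPE
  params.reject { |name, _| %w[oauth_signature realm].include?(name) }
end

# METHOD & url & normalized-parameters, each part percent-encoded once more.
def signature_base_string(http_method, base_url, params)
  normalized = params.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [http_method.upcase, base_url, normalized].map { |part| oauth_escape(part) }.join('&')
end

# HMAC-SHA1 keyed with "consumer_secret&token_secret", base64 without newlines.
def hmac_sha1_signature(base_string, consumer_secret, token_secret = '')
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  [OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string)].pack('m0')
end

def sign_request(http_method, base_url, oauth_params:, consumer_secret:, token_secret: '',
                 query_params: {}, body_params: {}, content_type: nil)
  params = signed_parameters(oauth_params, query_params, body_params, content_type)
  base = signature_base_string(http_method, base_url, params)
  { base_string: base, signature: hmac_sha1_signature(base, consumer_secret, token_secret) }
end

# Constructed sample request: credentials, URL and field names are made up.
DEMO_OAUTH = {
  'oauth_consumer_key' => 'demo-consumer-key',
  'oauth_token' => 'demo-access-token',
  'oauth_signature_method' => 'HMAC-SHA1',
  'oauth_timestamp' => '1286988060',
  'oauth_nonce' => 'c0ffee42',
  'oauth_version' => '1.0'
}.freeze

# Same upload signed under a given Content-Type; 'album' travels in the query
# string (always signed), body_params stand for the non-file form fields.
def demo_upload(content_type, body_params)
  sign_request('POST', 'http://api.example.test/upload',
               oauth_params: DEMO_OAUTH,
               consumer_secret: 'demo-consumer-secret',
               token_secret: 'demo-token-secret',
               query_params: { 'album' => 'holiday 2010' },
               body_params: body_params,
               content_type: content_type)
end

if __FILE__ == $PROGRAM_NAME
  multipart = demo_upload('multipart/form-data; boundary=xyz', { 'title' => 'beach' })
  form = demo_upload(FORM_TYPE, { 'title' => 'beach' })
  puts "multipart base string: #{multipart[:base_string]}"
  puts "form base string:      #{form[:base_string]}"
end
```

A client that sends `title` inside the multipart body but also signs it produces a base string the server never reconstructs, which is the rejected-signature symptom described in the question.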

 

Re: [oauth] Usage of Javascript Client

2010-05-10 Thread Morten Fangel
Iirc there isn't a terrible lot of documentation on the Javascript
library hosted on oauth.net.. I might be wrong though..

You can try and see if you can figure out how to use it by 
looking at existing uses of it, i.e. my explorer:
http://sevengoslings.net/~fangel/oauth-explorer/
A more simple example of usage is this snippet:
http://gist.github.com/338583

But keep in mind that no browsers allow XHR requests to 
other domains than the current one, so usage is kinda limited
unless of course you are developing AIR applications or
something similar to that..

--

Also remember that there is no signature difference between
1.0 and 1.0a, it's only the authorization flow that has changed,
so you should be able to work your way from any 
documentation on how to use it for 1.0, if you can find that..

-Morten

On May 8, 2010, at 6:03 PM, Arunoda Susiripala wrote:

 Hello,
 
 I want to know how OAuth 1.0a Javascript client can be used.
 Actually I wanna know is there any documentation for that.
 
 thanks
 


Re: [oauth] RSA signature sample

2009-12-09 Thread Morten Fangel
I have run the RSA-SHA1 tests as part of the unit test for the php
library.. They do indeed compute correctly to the values listed..

(I only test on the SBS compute up to the signature listed, the tests
don't build the SBS for themselves, but the building of SBS is
thoroughly tested elsewhere, so it shouldn't matter)

-Morten

On Dec 9, 2009, at 9:23 AM, Hubert Le Van Gong wrote:

 Hi Folks,

 Has anyone confirmed the RSA-SHA1 signature example
 that is shown on the test case (http://wiki.oauth.net/TestCases)?

 I'm getting a different signature (and the use of vacaction.jpg
 instead of vacation.jpg as parameter makes me wonder...

 Otherwise are there any other RSA-SHA1 test case out there?

 Cheers,
 Hubert


[oauth] Re: which php libraries are people using?

2009-11-12 Thread Morten Fangel

Hi,

There is nothing missing in the http://oauth.googlecode.com/svn/code/php/
library to implement either a consumer or a service-provider..

Obviously you need to code up your own data-storage and add in the
hooks at the pages you want to be your endpoints, but this is just so
you have full flexibility of where and how to do stuff..

For a fully working sample implementation of a service-provider, you
can see the code for my OAuth Playground
http://github.com/fangel/oauth-sandbox

Specifically the data-storage:
http://github.com/fangel/oauth-sandbox/blob/master/library/DataStorage.php
and the end-points page:
http://github.com/fangel/oauth-sandbox/blob/master/api.php

--

I need to fix a bug related to interoperability with Joe Stump's Python
library, after which I will get all my patches submitted.. I just need
to have some free time to do it..

-Morten

On Nov 12, 2009, at 3:54 AM, rob ganly wrote:


 hi all,

 i'm currently implementing the version that joseph mentioned, i.e.
 http://oauth.googlecode.com/svn/code/php/

 i need to implement both a consumer and a provider. obviously the most
 involved part is creating the provider.

 obviously there are a few gaps to fill in the above library before it
 can be fully implemented and it is a bit of a worry that it has been pretty
 stagnant for 6 months (although i note morten's comments on recent
 activity).  however seeing as it doesn't yet support 1.0a and requires
 some extra coding in order to do so i think that i might actually
 switch to using the other lib that joseph mentioned:
 http://code.google.com/p/oauth-php/

 it seems there's still the lack of a distinct leading library complete
 with documentation and examples.

 thus, i'd be interested in learning what lib. people would choose if
 they personally were implementing both a provider and a consumer?

 best,

 rob ganly


 On Nov 11, 7:54 pm, Nicholas Granado ngran...@gmail.com wrote:
 I don't know if anyone has mentioned EpiOAuth.

 http://github.com/jmathai/twitter-async

 ---
 Nicholas Granado
 twitter: heatxsink
 web:http://nickgranado.com
 email:  ngran...@gmail.com

 On Wed, Nov 11, 2009 at 11:40 AM, Melvin Carvalho melvincarva...@gmail.com wrote:

 On Wed, Nov 11, 2009 at 5:58 PM, camilo_u morci...@gmail.com wrote:

 There is a Zend Framework proposal currently testing called
 Zend_OAuth:

 http://framework.zend.com/wiki/pages/viewpage.action?pageId=37957

 You can take a look at the code here:

 http://framework.zend.com/svn/framework/standard/incubator/library/Ze 
 ...

 One of the proposers, Pádraic Brady, has a sample implementation with
 Twitter:

 http://blog.astrumfutura.com/archives/411-Writing-A-Simple-Twitter-Cl 
 ...

 Also recently came across this twitter impl. also on github

 http://github.com/abraham/twitteroauth

 As far as i know it's ready with the OAuth Core 1.0 Revision A, and
 hopefully it will be available on the Zend Framework 1.10, so this will
 be a very common library soon.

 Regards,

 Camilo Usuga

 On 10 nov, 16:56, Jeff Hodsdon jeffhods...@gmail.com wrote:
 There is also a PEAR library, http://pear.php.net/package/HTTP_OAuth,
 which has classes for being a provider.

 -jeff
 On Nov 6, 2009, at 8:21 AM, Joseph Smarr wrote:

 Thanks Morten. I'd really encourage you to finish up those patches
 and submit them, since I think a lot of people do use that OAuth
 library. I'm happy to do a code review or otherwise take a look at
 it if that's useful to you.

 Thanks, js

 On Fri, Nov 6, 2009 at 12:34 AM, Morten Fangel fan...@sevengoslings.net wrote:
 Hi,

 I did some of the most recent patches on the
 http://oauth.googlecode.com/svn/code/php/ library.. And speaking of
 two-legged and rev. a. - I actually have done work on those, I just
 haven't had time to finish up on the work (but they are running on the
 OAuth Sandbox which can be found at
 http://oauth-sandbox.sevengoslings.net - so it does work)

 Just to let people know that the library isn't dead.. ;)

 -Morten

 On Nov 5, 2009, at 9:49 PM, Joseph Smarr wrote:

 It seems like there are several actively maintained PHP OAuth
 libraries, and it's not clear to me which are most up-to-date and/or
 widely used. The oauth.net/code page mainly features
 http://oauth.googlecode.com/svn/code/php/ which hasn't been updated
 since May 18, 2009. There's also http://code.google.com/p/oauth-php/
 which looks more complicated but also more up-to-date. And there's
 also http://pecl.php.net/oauth which is a C extension for OAuth
 that it looks like Rasmus et al have been updating recently.

 Personally, I like (and use)
 http://oauth.googlecode.com/svn/code/php/
 because it's simple (just one file), and I believe shindig-php
 uses it too, but I don't think it has support for OAuth 1.0a or
 two-legged OAuth, both of which are very standard now. I also recall
 fixing a bunch of bugs in it that may or may not have ever landed
 in the tree.

 So, should I add 1.0a

[oauth] Re: which php libraries are people using?

2009-11-12 Thread Morten Fangel


On Nov 12, 2009, at 8:02 AM, rob ganly wrote:


 hi morten,

 thanks for your reply.

 i recognise that there's nothing 'missing' from the library but it
 requires a fair bit of complimentary coding to be done in order to
 implement it, hence 'there are a few gaps to fill', however i can
 appreciate your point regarding the hooks and data-storage.

Correct, there are a few gaps to fill.. But they are there for a reason


 what about 1.0a, does it support that yet? if not do you know if
 anyone's developing a patch for it?

The version of the OAuth.php-file in that GitHub repo does support  
1.0a, yes.. It also supports two-legged (although it might not be the  
final api to do so.. I just hacked it in)

When I get time I will get the official repo back up to date with all  
the changes I've made to create the sandbox..

-Morten


 rob


[oauth] Re: which php libraries are people using?

2009-11-06 Thread Morten Fangel
Hi,

I did some of the most recent patches on the
http://oauth.googlecode.com/svn/code/php/ library.. And speaking of
two-legged and rev. a. - I actually have done work on those, I just
haven't had time to finish up on the work (but they are running on the
OAuth Sandbox which can be found at
http://oauth-sandbox.sevengoslings.net - so it does work)

Just to let people know that the library isn't dead.. ;)

-Morten

On Nov 5, 2009, at 9:49 PM, Joseph Smarr wrote:

 It seems like there are several actively maintained PHP OAuth
 libraries, and it's not clear to me which are most up-to-date and/or
 widely used. The oauth.net/code page mainly features
 http://oauth.googlecode.com/svn/code/php/
 which hasn't been updated since May 18, 2009. There's also
 http://code.google.com/p/oauth-php/
 which looks more complicated but also more up-to-date. And there's
 also http://pecl.php.net/oauth which is a C extension for OAuth that
 it looks like Rasmus et al have been updating recently.

 Personally, I like (and use) http://oauth.googlecode.com/svn/code/php/
 because it's simple (just one file), and I believe shindig-php
 uses it too, but I don't think it has support for OAuth 1.0a or
 two-legged OAuth, both of which are very standard now. I also recall
 fixing a bunch of bugs in it that may or may not have ever landed in
 the tree.

 So, should I add 1.0a and 2-legged support to this lib? If so, will
 someone review and patch it and/or make me a committer? Has anyone
 else already made these updates and just not shared it back? Or is
 one of these other libraries now the de facto standard PHP lib, in
 which case shouldn't it be listed on oauth.net/code under PHP?

 Thanks, js



 





[oauth] Re: Can someone explain 6.2.3. Service Provider Directs the User Back to the Consumer from spec rev. 1A

2009-07-01 Thread Morten Fangel

I'll try to do my best to explain it.

With callbacks there is, from a user's perspective, no difference. After
the user authorizes the app, the user is sent back to the consumer
like
http://consumer/post_authorize?oauth_token=x&oauth_verifier=y
The consumer then makes a background-call to change the
request-token for an access-token sending along the verifier. And you're done.

So there is no difference from the user perspective, except the one
extra parameter on the callback url. From a security perspective
the changes are extensive. Because the post_authorize url on the
consumer cannot be polled with the token by a spoofer, because
he won't know the verifier code. Only the user who was redirected
from the SP and hence gave the permission will have the verifier.

Without callbacks the SP after authorizations will now say something
like "You can now go back to your app, punch in the verifier YYY and
hit OK" instead of the old "You can now go back to your app and hit
OK".
The app then has an input field for the verifier code, and after
proceeding it will exchange the request-token for an access-token
while sending in the verifier code.

--

Did that clear it up for you?

-Morten

On Jul 1, 2009, at 9:01 PM, Kelvin wrote:


 So does that mean the following oauth_verifier will be sent to
 Consumer and User for User to manually verify the call back?  I'm
 confused how oauth_verifier works with / without callback value.  Can
 someone explain in more detail how it supposes to work ?  thanks.


 After the User authenticates with the Service Provider and grants
 permission for Consumer access, the Consumer MUST be notified that the
 Request Token has been authorized and ready to be exchanged for an
 Access Token. If the User denies access, the Consumer MAY be notified
 that the Request Token has been revoked.

 To make sure that the User granting access is the same User returning
 back to the Consumer to complete the process, the Service Provider
 MUST generate a verification code: an unguessable value passed to the
 Consumer via the User and REQUIRED to complete the process.

 If the Consumer provided a callback URL (using the oauth_callback
 parameter in Section 6.1.1 (Consumer Obtains a Request Token) or by
 other means), the Service Provider uses it to constructs an HTTP
 request, and directs the User's web browser to that URL with the
 following parameters added:

oauth_token:
The Request Token the User authorized or denied.
oauth_verifier:
The verification code.

 The callback URL MAY include Consumer provided query parameters. The
 Service Provider MUST retain them unmodified and append the OAuth
 parameters to the existing query.

 If the Consumer did not provide a callback URL, the Service Provider
 SHOULD display the value of the verification code, and instruct the
 User to manually inform the Consumer that authorization is completed.
 If the Service Provider knows a Consumer to be running on a mobile
 device or set-top box, the Service Provider SHOULD ensure that the
 verifier value is suitable for manual entry. 
 






[oauth] Re: Simplify OAuthCredentials

2009-06-13 Thread Morten Fangel
Hi Mandakini,

You want examples on how to do 2-legged consumers or 2-legged
service providers in PHP?

Currently 2-legged service-providers aren't supported (but easily
added by extending OAuthServer).
2-legged consumers would just be your standard consumer where
you pass in a blank access token and token secret.

(Want it more concrete than that, catch me on IRC (#oauth on
irc.freenode.org))

Regards
Morten

On Jun 13, 2009, at 7:16 AM, Mandakini kumari wrote:

 Hi

 Thanks for your quick response. Any luck to get code in php ? or
 concept how to do it ?

 On Fri, Jun 12, 2009 at 10:14 PM, John Kristian jmkrist...@gmail.com wrote:

 Done, in -r1052 of the Java library
 http://oauth.googlecode.com/svn/code/java/core/httpclient4/
 Thanks for the suggestion.

 On Jun 8, 12:01 pm, Paul Austin paul.d.aus...@gmail.com wrote:
  Could a new constructor be added which just accepted a consumerKey and
  consumerSecret and automatically created the accessor. This would be
  useful for the 2-legged case.





 -- 
 Regards
 Mandakini

 





[oauth] Re: Spec interpretation around section 6 use of request tokens

2009-06-07 Thread Morten Fangel
What about trying to swap a Request Token to an Access Token, but
the verifier code is wrong?

Does that invalidate the Request Token, or does it just fail and wait
for a new request with the correct verifier code?

If it doesn't invalidate the Request Token, couldn't an attacker try
all options for verifier codes? If the Request Token is requested with
an OOB callback, the verifier will usually be short so people don't have
to manually enter a long string.

Regards
Morten Fangel

On Jun 7, 2009, at 7:17 AM, Eran Hammer-Lahav wrote:

 It means that once an Access Token was given using a Request Token,
 that Request Token must not be used again – it is invalidated.

 EHL


 On 6/6/09 9:45 PM, Andrew Arnott andrewarn...@gmail.com wrote:

 In section 6 of the OAuth spec (either 1.0 or 1.0a versions --
 they're the same here), I see the following:

 Request Token: Used by the Consumer to ask the User to authorize
 access to the Protected Resources. The User-authorized Request Token
 is exchanged for an Access Token, MUST only be used once, and MUST
 NOT be used for any other purpose. It is RECOMMENDED that Request
 Tokens have a limited lifetime.

 I'm wondering what this "MUST only be used once" is intended to
 limit.  Is it sufficiently compliant to say that the SP will only
 ever give out the Access Token for a given request token once?  Or
 does it mean that a desktop consumer app cannot keep polling the
 server with its request token until it finally gets an access token
 when the user finishes authorizing the request token?

 --
 Andrew Arnott
 I [may] not agree with what you have to say, but I'll defend to the  
 death your right to say it. - S. G. Tallentyre
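
The verifier handling from the 6.2.3 message further up and the guessing concern in this message, as an added Ruby example of a service provider's request-token store (not code from the PHP library or from any poster). The attempt cap of three, the six-digit oob verifier and all class and method names are assumptions; the page does not say what a provider must do on a wrong verifier.

```ruby
require 'securerandom'

MAX_VERIFIER_ATTEMPTS = 3 # assumption: cap chosen for this example

PendingToken = Struct.new(:token, :callback, :verifier, :authorized, :failures)

# Comparison that does not stop at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# In-memory store; request signature checks are left out to keep the
# verifier logic in view.
class RequestTokenStore
  def initialize
    @pending = {}
  end

  # Request Token step: Rev A expects oauth_callback here ('oob' = manual entry).
  def issue(callback)
    raise ArgumentError, 'oauth_callback missing' if callback.to_s.empty?
    entry = PendingToken.new(SecureRandom.hex(16), callback, nil, false, 0)
    @pending[entry.token] = entry
  end

  # User approved access: mint the verifier. For 'oob' it is short enough to
  # type, which is exactly why guesses have to be limited.
  def authorize(token)
    entry = @pending.fetch(token)
    oob = entry.callback == 'oob'
    entry.verifier = oob ? format('%06d', SecureRandom.random_number(1_000_000)) : SecureRandom.hex(16)
    entry.authorized = true
    return { display: entry.verifier } if oob
    # Keep the consumer's own query parameters and append the OAuth ones.
    sep = entry.callback.include?('?') ? '&' : '?'
    { redirect: "#{entry.callback}#{sep}oauth_token=#{entry.token}&oauth_verifier=#{entry.verifier}" }
  end

  # Access Token step: returns [status, detail].
  def exchange(token, verifier)
    entry = @pending[token]
    return [:rejected, 'unknown, unauthorized or spent request token'] unless entry && entry.authorized
    if constant_time_equal?(entry.verifier, verifier.to_s)
      @pending.delete(token) # single use: a second exchange finds nothing
      return [:ok, { 'oauth_token' => SecureRandom.hex(16), 'oauth_token_secret' => SecureRandom.hex(16) }]
    end
    entry.failures += 1
    return [:rejected, 'wrong verifier'] if entry.failures < MAX_VERIFIER_ATTEMPTS
    @pending.delete(token) # guessing budget spent: invalidate the request token
    [:revoked, 'too many wrong verifiers, request token invalidated']
  end
end

# Someone who knows the request token but not the verifier gets three guesses
# out of 1,000,000; after that even the correct code is refused.
def demo_guessing_oob
  store = RequestTokenStore.new
  entry = store.issue('oob')
  real = store.authorize(entry.token)[:display]
  wrong = real == '000000' ? '000001' : '000000'
  results = Array.new(MAX_VERIFIER_ATTEMPTS) { store.exchange(entry.token, wrong).first }
  results << store.exchange(entry.token, real).first
end

# Callback flow: the verifier arrives on the redirect URL and works once.
def demo_callback_flow
  store = RequestTokenStore.new
  entry = store.issue('http://consumer.example.test/post_authorize?state=1')
  redirect = store.authorize(entry.token)[:redirect]
  verifier = redirect[/oauth_verifier=(\h+)/, 1]
  first = store.exchange(entry.token, verifier).first
  second = store.exchange(entry.token, verifier).first
  { redirect: redirect, first: first, second: second }
end

if __FILE__ == $PROGRAM_NAME
  p demo_guessing_oob
  p demo_callback_flow
end
```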




 





[oauth] Re: UK OAuth developers

2009-06-07 Thread Morten Fangel

Hi David

What language are we talking here? Each library's API is kinda unique,
so if you're looking for help doing your implementation you need one that
knows the specific language's library.

(And if you're just looking for some quick intro on OAuth myself and a few
others are in IRC (#oauth at irc.freenode.org) and will happily answer
questions about general use-cases there..)

Regards
Morten

On Jun 7, 2009, at 3:37 PM, David King wrote:


 Hey everyone!

 I've been reading the OAuth specs, examples and code for sometime now
 and am having a bit of a tough time understanding how to start writing
 my own OAuth Service Provider and really need some help from a UK
 OAuth developer!

 Background: I'm setting up a new business in association with the
 Institute of Digital Innovation at Teeside university. We have a 4
 mentoring slots with a budget of £250 / half day and I really need to
 find a LAMP developer with experience with OAuth (and preferably
 security / authentication in general) to do a mentoring session with
 me.

 Please send a reply, or drop me a line with your details!

 David King da...@1daylater.com
 @oopstudios (Twitter)

 






[oauth] Re: UK OAuth developers

2009-06-07 Thread Morten Fangel

Well bugger me then.. Righty-oh, I'll just crawl back into my cave
then..

(On a side-note, I am terribly efficient with the PHP library, but
living in Denmark. I like flying though)

-Morten

On Jun 7, 2009, at 5:13 PM, Shannon Hicks wrote:

 He said LAMP :)

 Shan




[oauth] Re: Confusion in Identity Management Land

2009-05-21 Thread Morten Fangel

In short: OAuth and OpenID exist to cater to two different needs.

OpenID is authentication (verify that your login is correct)
OAuth is authorization (ensure you have the right to a protected resource)

So OpenID is something you can use as an alternative to having
user+password stored for each user on each site.

OAuth is a way for a user to grant someone (eg a photo printing
service) access to your private resources (eg your photos) over at
some other site (eg a photo sharing site), without the first one
knowing your credentials to the second..

(However some people do use OAuth as some sort of authentication-scheme,
like Twitter does, but this is not the expected use-case for
OAuth and OpenID would imho be better suited at the job)

Did that clear it up (or even make sense?)

-Morten

On May 21, 2009, at 7:08 AM, GenghisOne wrote:


 Is OAuth the same thing as OpenID? If not, are there any documents out
 there that succinctly describe how many of these things are out there
 and how they are different?

 Thx.

 






[oauth] Re: Version Preference

2009-05-01 Thread Morten Fangel

As I stated elsewhere, I think it's easily possible to auto-detect
revision A without modified version-parameter, so I would go
for option 1.

I wouldn't oppose option 3 either. We should either keep in line
with the version is for the signature method, not the flow-rule
(option 1) or bump the minor version (option 3)..

-Morten

On May 1, 2009, at 10:25 AM, Blaine Cook wrote:


 We need to build some consensus around the version preference. As I
 see it, there are several options:

 1. 1.0 Rev A with no version string change (i.e., oauth_version=1.0)
 2. 1.0a (with oauth_version=1.0a)
 3. 1.1

 Please indicate your support for one of these options, and try to
 refrain from arguing your case here. The other thread remains open for
 that purpose. I would especially like to hear from library
 implementers here, and others who have not voiced their opinions in
 the other threads.

 b.

 






[oauth] Re: OAuth Core 1.0 Rev A, Draft 1

2009-04-30 Thread Morten Fangel

I would say that 'oob' would mean that the new auth.-flow, which means
that any callback received on the authentication-page would be
ignored..

A non-'oob'/non-url/non-existing callback received in the request-token
step means the usual flow, which means that callbacks received on the
auth.-page should be respected..

This would preserve backwards compat, while plugging the hole for
any new clients..

Or, that's how I understood the reason for the 'oob'-value?

But why 'oob' ? it just reminds people of either noob or boob.. does it
have any certain value or was it just chosen for fun?

-Morten

On Apr 30, 2009, at 1:19 PM, Blaine Cook wrote:


 Looks good, with the exception of the 'oob' value – why not just say
 that an empty OR absent callback parameter fulfills the same role as
 'oob'? There are also plenty of service providers that require static
 configuration of the callback, and in those cases the callback
 parameter would be absent when obtaining the request token.

 b.

 On Thu, Apr 30, 2009 at 8:25 AM, Eran Hammer-Lahav e...@hueniverse.com 
  wrote:

 Please review:

 http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/1/oauth-core-1_0a.html

 I did my best to keep the changes to a bare minimum and to avoid  
 any editorial changes to make comparison trivial:

 http://code.google.com/p/oauth/source/diff?spec=svn992&old=991&r=992&format=unidiff&path=%2Fspec%2Fcore%2F1.0a%2Foauth-core-1_0a.xml

 Some notes:

 1. This is not ready for code! Please wait for a second draft  
 before you start making changes to libraries or your  
 implementations. Given the small scope of this change, I think it  
 will be stable in the next draft.

 2. Since this change is small, I would like to give it a short  
 review period before another draft. Please submit all your comments  
 by May 8th.

 3. This draft is missing a few new Security Consideration sections.  
 It will be added in the next draft but might be shared earlier on  
 the list.

 4. This revision does not change the value of the oauth_version  
 parameter which remains '1.0'. The reason for that is that the  
 version has nothing to do with the authorization workflow. It is  
 specific to the signature methods and parameter delivery methods.  
 Telling the difference between the two revisions is very simple:  
 look for an oauth_callback parameter in the Request Token step.

 5. The reason why the oauth_callback parameter is now required with  
 a 'oob' value for manual entry is because the presence of the  
 oauth_callback parameter in the first step is the only indication  
 which flow is being used. Since some platforms have problems with
 empty parameters (they are dropped or not sent on the wire), I  
 decided to try and define a non-URL value (also made the URL  
 absolute).

 NOTE: Do not suggest ANY editorial changes that are not specific to
 the changed sections. This is NOT an opportunity to improve the
 specification. If you want to improve the specification in general,
 please provide feedback to the Editor's Cut version.

 Tomorrow, I will post an updated Editor's Cut version as well as an  
 update to the IETF draft to include these changes.

 EHL





 



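The flow rule discussed in this thread, seen from the service provider's side (an added example, not part of any message above and not the PHP library's code): the oauth_callback received at the Request Token step decides whether a callback sent to the authorization page is honoured. `resolve_callback`, `is_absolute_http_url`, the http/https restriction and the sample hosts are assumptions, and the logic follows the draft reading given in the thread rather than a final specification.

```php
<?php
// Added example; function names and the http/https restriction are assumptions.

function is_absolute_http_url($value)
{
    $parts = is_string($value) ? parse_url($value) : false;
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/**
 * $requestTokenParams: parameters from the Request Token step.
 * $authorizeParams:    parameters received on the authorization page.
 * Returns ['flow' => 'rev-a'|'original', 'callback' => URL or null];
 * a null callback means the user gets the result for manual entry.
 */
function resolve_callback(array $requestTokenParams, array $authorizeParams)
{
    $early = isset($requestTokenParams['oauth_callback'])
        ? $requestTokenParams['oauth_callback'] : null;

    if ($early === 'oob') {
        // New flow, manual entry: a callback on the authorization page is ignored.
        return ['flow' => 'rev-a', 'callback' => null];
    }
    if (is_absolute_http_url($early)) {
        // New flow: the callback is fixed before the user reaches the page.
        return ['flow' => 'rev-a', 'callback' => $early];
    }
    // Absent, empty or non-URL value: usual flow, page callback respected.
    $late = isset($authorizeParams['oauth_callback'])
        ? $authorizeParams['oauth_callback'] : null;
    return ['flow' => 'original',
            'callback' => is_absolute_http_url($late) ? $late : null];
}

// Constructed sample requests; the example.test hosts are placeholders.
$late = ['oauth_callback' => 'http://other.example.test/cb'];
$cases = [
    'oob'     => [['oauth_callback' => 'oob'], $late],
    'url'     => [['oauth_callback' => 'https://consumer.example.test/cb'], $late],
    'empty'   => [['oauth_callback' => ''], $late],
    'absent'  => [[], $late],
];
foreach ($cases as $name => $c) {
    $r = resolve_callback($c[0], $c[1]);
    printf("%-7s flow=%-8s callback=%s\n", $name, $r['flow'], var_export($r['callback'], true));
}
```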



[oauth] Re: how to be oAuth service provider enabled?

2009-03-06 Thread Morten Fangel
Sorry - I was replying 2 minutes after waking up, and going back to  
sleep after hitting send..

I meant to say I was doing a how-to implement service-provider.. or  
well.. I can do both.. ;)

And you can do the implementation without changing the library..

In short:
   1) Implement a class that has the same functionality as the data storage class
   2) Create the end-points for request_token, authorize, access_token
      2.1) request_token should use the server's method for getting a new request-token
      2.2) authorize should get the request-token from the request, then set the request-token as authorized
      2.3) access_token should use the server's method for exchanging to an access-token
           2.3.1) your data storage class for exchanging should remove the request-token
   3) Create API endpoints
      3.1) Use the server's verify-request method to check the validity of the OAuth parameters

The longer, with code examples, explanation will have to wait till the  
weekend..

-M

On Mar 6, 2009, at 9:18 AM, Grace Cai wrote:

 Thanks for responding!

 But I need a how-to on service provider not a consumer implementation.
 I am data/service provider.

 I had a look at the libraries, but looks a bit fuzzy to me.
 It looks like I can't use it directly without modifications.
 I have to customize the library to make it work on our own server,  
 is it correct?

 Thanks and regards
 Grace
 On Fri, Mar 6, 2009 at 4:20 PM, Morten Fangel fan...@sevengoslings.net 
  wrote:
 You can try and look at the example code in
 http://oauth.googlecode.com/svn/code/php/example/

 I've been wanting to write a how-to on consumer implementation, and  
 it might as well be this weekend I do..

 So, look at the examples and/or wait a few days till I've written a  
 proper how-to..

 Regards
 Morten

 On Mar 5, 2009, at 11:54 PM, Grace Cai wrote:

 Nobody can help me on this, help! help!


 On Tue, Mar 3, 2009 at 3:33 PM, Grace grace...@gmail.com wrote:
 Hi everyone,

 I am new to oAuth & opensocial. A bit confused on oAuth issue.

 I am trying to build an opensocial api that enable end user add in the
 google, via this api, they would be able to access the private data on
 our web application(our server).

 After reading some docs, I now understand that our server needs to be
 oAuth enabled. However, I am a bit confused, how to be oAuth service
 provider enabled? Do I need to write my own codes to implement oAuth
 or is any library that I can used directly? I am using php on our
 server.

 Thanks in advance!



 -- 
 Best Regards

 Grace






 


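The outline in this thread, filled in as an added example (not Morten's promised how-to and not code from the library's example directory). It assumes OAuth.php from the URL in the thread is on the include path and exposes `OAuthDataStore`, `OAuthServer`, `OAuthRequest`, `OAuthConsumer`, `OAuthToken` and `OAuthSignatureMethod_HMAC_SHA1`; `ArrayStore`, the handler names and the consumer key and secret are constructed, and the arrays stand in for storage that must persist between HTTP requests.

```php
<?php
require_once 'OAuth.php'; // the PHP library from this thread; path is an assumption

// Step 1: a data store with the methods the library's OAuthServer calls.
class ArrayStore extends OAuthDataStore {
    public $consumers = ['demo-key' => 'demo-secret']; // constructed sample consumer
    public $tokens = [];                   // key => [type, secret, authorized]
    public $nonces = [];
    function lookup_consumer($key) {
        return isset($this->consumers[$key])
            ? new OAuthConsumer($key, $this->consumers[$key]) : null;
    }
    function lookup_token($consumer, $type, $key) {
        $t = isset($this->tokens[$key]) ? $this->tokens[$key] : null;
        return ($t && $t[0] === $type) ? new OAuthToken($key, $t[1]) : null;
    }
    function lookup_nonce($consumer, $token, $nonce, $timestamp) {
        $seen = isset($this->nonces[$nonce]);
        $this->nonces[$nonce] = $timestamp;
        return $seen;                      // true makes the server reject a replay
    }
    private function issue($type) {
        $key = bin2hex(random_bytes(16));
        $this->tokens[$key] = [$type, bin2hex(random_bytes(16)), false];
        return new OAuthToken($key, $this->tokens[$key][1]);
    }
    function new_request_token($consumer, $callback = null) { return $this->issue('request'); }
    function new_access_token($token, $consumer, $verifier = null) {
        if (empty($this->tokens[$token->key][2])) {
            throw new OAuthException('Request token was not authorized');
        }
        unset($this->tokens[$token->key]); // step 2.3.1: request token is single-use
        return $this->issue('access');
    }
}

$store  = new ArrayStore();
$server = new OAuthServer($store);
$server->add_signature_method(new OAuthSignatureMethod_HMAC_SHA1());

// Steps 2 and 3: one handler per endpoint. In a web script each would be
// called with $req = OAuthRequest::from_request(); failures throw OAuthException.
function request_token_endpoint($server, $req) { return $server->fetch_request_token($req); }
function authorize_endpoint($store, $req) { // run only after the user logged in and approved
    $key = $req->get_parameter('oauth_token');
    if (!isset($store->tokens[$key]) || $store->tokens[$key][0] !== 'request') {
        throw new OAuthException('Unknown request token');
    }
    $store->tokens[$key][2] = true;         // step 2.2: mark as authorized
}
function access_token_endpoint($server, $req) { return $server->fetch_access_token($req); }
function api_endpoint($server, $req) {
    list($consumer, $token) = $server->verify_request($req); // step 3.1
    return 'private data for token ' . $token->key;
}
```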



[oauth] Re: OAuth for PHP4

2009-03-05 Thread Morten Fangel

The main thing holding back a php4 backport is the use of Exceptions..

Currently the php-library (as well as the oauth-php library iirc) uses
Exceptions when something goes wrong, or a parameter is missing or
similar..

So you would need to rewrite all functions throwing exceptions to
returning false or null instead. You would then have to work through
all functions calling these functions and add a check to see if the
returned value != false/null, and in that case return false/null
itself. You would then have to work through all the functions calling
_those_ functions etc etc.

You might try and experiment with using trigger_error on a  
sufficiently high error-level that it aborts execution, but low enough  
for you to catch it with set_error_handler..

(And then you would have to rename all the __construct functions into  
the name of their respective classes - but this is easily done)

Regards
Morten

On Mar 5, 2009, at 4:35 PM, Zhihong wrote:


 Does anyone have an OAuth library that works in PHP4?

 We have a client who is entrenched in PHP4. They already use OpenSSL
 so all the crypto functions are there. I don't think it would be hard
 to port current OAuth library to PHP4, is it?

 Thanks!

 Zhihong
 



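The trigger_error / set_error_handler idea from this thread, as an added example in PHP4-compatible style (not code from either OAuth library). It shows the point to watch in a signature check: once a user handler takes the error and returns normally, execution resumes after trigger_error(), so the handler itself has to stop the script. `verify_signature`, both handler names and the signature strings are constructed for the illustration.

```php
<?php
// Added example, PHP4-compatible style: no exceptions, no type hints.
// verify_signature() is a hypothetical stand-in for a library check.
function verify_signature($expected, $received) {
    if ($expected !== $received) {
        // replaces: throw new OAuthException('Invalid signature');
        trigger_error('Invalid signature', E_USER_ERROR);
    }
    return true; // reached after a failure if the handler returns normally
}

// Fail-open handler: logs and returns true, so the caller carries on.
function lenient_handler($errno, $errstr) {
    error_log("OAuth: $errstr");
    return true;
}

// Fail-closed handler: answers 401 and stops the script on E_USER_ERROR.
function strict_handler($errno, $errstr) {
    if ($errno !== E_USER_ERROR) {
        return false; // leave other levels to PHP's standard handler
    }
    if (!headers_sent()) {
        header('HTTP/1.1 401 Unauthorized');
    }
    echo "OAuth error: $errstr\n";
    exit(1);
}

set_error_handler('lenient_handler');
$ok = verify_signature('constructed-good-sig', 'constructed-bad-sig');
echo 'lenient handler, bad signature accepted: ' . ($ok ? 'yes' : 'no') . "\n";

set_error_handler('strict_handler');
verify_signature('constructed-good-sig', 'constructed-bad-sig');
echo "not reached: strict_handler ended the script\n";
```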