[oauth] Re: Using OAuth as SSO

2010-03-29 Thread Adam
I'd still like to know if there are any examples of SSO using OAuth to sign into gmail - I have found some examples for use with Twitter, but not Google. On Mar 29, 11:31 am, Adam wrote: > On Mar 26, 4:39 pm, Chris Messina wrote: > > > > > Why don't you want to d

[oauth] Re: Using OAuth as SSO

2010-03-29 Thread Adam
On Mar 26, 4:39 pm, Chris Messina wrote: > > Why don't you want to do OpenID? > The problem is that we are currently using CAS as our SSO, and since we are a large university invested in CAS, we cannot easily switch to OpenID. If we use OpenID, then a user would have to login to our system u

[oauth] Using OAuth as SSO

2010-03-26 Thread Adam
We currently use CAS for SSO. I'd like to have SSO into gmail, but do not want to switch to OpenID. Is it possible to use OAuth to login users into their gmail accounts? Or is OAuth only meant to retrieve user data? I am currently using SignPost to connect to OAuth... if it matters. Thanks. -

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-30 Thread Adam Venturella
My understanding is that you do not want to even prompt the user for their username and password. Effectively you want to set up a, as mentioned before, valet credential system. It's not the real key, just enough to make the car go. To that end we have taken an approach of letting the user know

[oauth] Re: Oauth automated integration

2009-07-24 Thread Adam Venturella
I am interested in the same thing, 2-Legged OAuth. The link to that thread appears to be missing? Could you repost it? Or is 2-Legged OAuth just regular OAuth sans the Auth tokens step, e.g. the Consumer just signs requests to the Service Provider, no middle step? On Fri, Jul 24, 2009 at 6:18 AM,

[oauth] Re: Obtaining Access Token without (new) User Authorization

2009-07-22 Thread Adam Venturella
If you are just doing 2 legged (which it sounds like): http://groups.google.com/group/oauth/browse_thread/thread/43b31a471453837c I think this is the way to go about it. I have not received an 'on the right track' for this, but it should be all you need to authenticate for 2 legged. No Auth token

[oauth] Re: One-time only token exchange?

2009-04-28 Thread J. Adam Moore
I agree. "The Request Token has never been exchanged for an Access Token." isn't explicitly saying one-time only token, but I believe that is what was intended. Clarifying this line would be sufficient as would requiring the Service Provider log the User out after any request token attempt. This f

[oauth] Re: How should I distinguish between approved or denied authorization?

2009-04-28 Thread J. Adam Moore
I think you send a 401 error... http://lmgtfy.com/?q=Error+401 On Apr 27, 11:42 pm, mdub wrote: > Section 6.2.3 of the spec says: > >   If the User denies access, the Consumer MAY be notified that the > Request Token >   has been revoked. > > How does one typically indicate, in the authorization

[oauth] Re: San Francisco meetup this Tuesday 5pm

2009-04-26 Thread J. Adam Moore
I can make it. On Apr 24, 6:12 pm, Leah Culver wrote: > Hey, > > On Fri, Apr 24, 2009 at 5:52 PM, Manish Pandit wrote: > > > > > > > On Apr 24, 2:42 pm, Leah Culver wrote: > > > Hi all, > > > > My eyes hurt from trying to read long email threads. There's quite a > > > few good ideas for helping

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
> This isn't really something oauth should mandate. It is up to the provider > to add this layer of security on their own. > > On Sat, Apr 25, 2009 at 3:24 PM, Brian Eaton wrote: > > > On Sat, Apr 25, 2009 at 1:11 PM, J. Adam Moore > > wrote: > > > The pr

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
le. > > On Sat, Apr 25, 2009 at 3:11 PM, J. Adam Moore wrote: > > > > > I could Phish the hell out of that. Pop up windows and timed out > > requests sound like a user nightmare. Not to mention all the extra > > checking and processing of info. It seems rather hacki

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
is what I'm getting at -->https://oauth.pbwiki.com/Signed-Approval-URLs > > On Sat, Apr 25, 2009 at 2:58 PM, J. Adam Moore wrote: > > > > > EDIT LAST POST: The second "consumer" I meant to say provider. > > > On Apr 25, 12:55 pm, "J. Adam Moore"

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
EDIT LAST POST: The second "consumer" I meant to say provider. On Apr 25, 12:55 pm, "J. Adam Moore" wrote: > What I should have added was that using my solution, the consumer is > completely capable of being stupid and giving the consumer a redirect > that d

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
o it. On Apr 25, 12:41 pm, "J. Adam Moore" wrote: > Logically I find that the only way to guarantee that two different > users at two different sites are really the same person is to make > them self authenticate BEFORE establishing a secure communication. By > having both t

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
service provider or signed in the authorization request by the consumer. > > On Sat, Apr 25, 2009 at 1:43 PM, J. Adam Moore wrote: > > > > > The idea is that the communication between the Consumer and Provider > > sites consist of urls that are composed behind use

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
in one single step like I have outlined in my proposal. > User logs into provider, grants access, and returns back with the token. > The less work we do in our flow the less likely an attacker can find a hole. > The double trip just creates a second chance for an attack. > > On Sat, Apr

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
I'm writing a blog post to explain why I think I have a solution, but I believe it is as simple as moving the provider login to before the consumer token generation which is triggered by a provider-side redirect. This is simply playing keep-away with redirects, but it arguably works if your goal i

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread J. Adam Moore
I just wrote a long post that just disappeared. Hmm. Testing...

[oauth] Re: auth header being truncated when return characters are used?

2009-02-22 Thread Adam Greene
l copy, so I should be all set, but perhaps that will help others out? I'm surprised this hasn't come up before. Still makes me wonder if I'm missing anything, but that is looking less and less likely. I'll go ahead and file a bug report with nginx. Thanks again Mark for yo

[oauth] auth header being truncated when return characters are used?

2009-02-22 Thread Adam Greene
n character when creating the auth header, and it works just fine when going through nginx. and the big one is I'm doing something wrong? After all, I know many people use nginx but I couldn't find anything about an issue with OAuth and