Re: [oauth] Public access by consumers

2010-02-25 Thread Allen Tom
This is not officially documented, but I'd recommend sticking with Google's convention of using "anonymous" as the consumer key, and "anonymous" as the consumer secret. See bullet point #2: http://code.google.com/apis/accounts/docs/OAuth_ref.html#SigningOAuth Allen On 2/25/10 7:43 AM, "Jeff"

Re: [oauth] Re: 3-legged OAuth without application registration

2010-02-23 Thread Allen Tom
ccess token later if needed. > Do I actually need to create consumer key/secret for each request or > the token only? > What do you think? > > Regards, > Matus > > On Feb 22, 2:50 am, Allen Tom wrote: >> Perhaps a Googler can jump in on this - Google allows Oauth ap

Re: [oauth] 3-legged OAuth without application registration

2010-02-21 Thread Allen Tom
Perhaps a Googler can jump in on this - Google allows Oauth apps to use "anonymous" as their consumer key, with "anonymous" as their consumer secret. These apps do not need to pre-register for a consumer key. See bullet point #2 in Google's Oauth docs regarding the "anonymous" consumer key: http:/

Re: [oauth] Signature Invalid and Token Rejected Errors-Yahoo Oauth Social API using Javascript, Getting contacts from Yahoo using Social API by OAUTH

2010-02-21 Thread Allen Tom
This is one of the reasons why we simplified signatures in WRAP. Yahoo and other Service Providers have architectures where incoming requests are proxied and forwarded - the public facing hostname and even the path that's exposed to the consumer can be very different than the origin server ends up

Re: [oauth] Signature Invalid and Token Rejected Errors-Yahoo Oauth Social API using Javascript, Getting contacts from Yahoo using Social API by OAUTH

2010-02-12 Thread Allen Tom
Hi there - Unfortunately, none of the Yahoo Social APIs support HTTPS. Try again using HTTP. Did you see HTTPS referenced anywhere in the docs? The Yahoo Contacts API is documented here: http://developer.yahoo.com/social/rest_api_guide/contact_api.html With regards to accessing Yahoo OAuth APIs

Re: [oauth] Getting user credentials

2009-12-06 Thread Allen Tom
If you just want to authenticate Google users and get their name and email address, then you should consider using OpenID http://code.google.com/apis/accounts/docs/OpenID.html Allen On 12/3/09 3:24 PM, "File4Share" wrote: > How could i get the logged user info on google ? which scope do i nee

Re: [oauth] Re: Details on OAuth Session Extension?

2009-11-23 Thread Allen Tom
re there any plans to modify the > consumer extension to remove the restriction on the access token? > > Thanks in advance, > Rob > > On Sun, Nov 1, 2009 at 11:34 PM, Allen Tom wrote: >> Hi Robert, >> >> This is actually a very good question. One possible approac

[oauth] Re: Details on OAuth Session Extension?

2009-11-01 Thread Allen Tom
Hi Robert, This is actually a very good question. One possible approach would be for the Consumer obtain a 2 legged Access Token by submitting its Consumer Key and Secret (or signature) to the SP's authentication service. The auth service will return a 2 legged access token (and access token

[oauth] Re: Details on OAuth Session Extension?

2009-10-19 Thread Allen Tom
This would make sense for the case where a rich client application voluntarily exchanges the username/password for a persistent token credential. Allen John Panzer wrote: > A feature I'd also like to have as a consumer is the reverse operation > - starting with a broad scope for initial setup

[oauth] Re: Details on OAuth Session Extension?

2009-10-16 Thread Allen Tom
hing. Are there problems >> (i.e. security concerns) with putting scopes in the Access Token? Perhaps I >> misunderstood the documentation and the scopes are actually in the Access >> Token (this appears likely from the way I am understanding your response). >> >> Thanks again

[oauth] Re: Details on OAuth Session Extension?

2009-10-16 Thread Allen Tom
Hi Robert, The text in the Yahoo documentation is not factually correct - however it doesn't really matter for client developers who are calling our OAuth protected services. We currently do not allow developers to change the scopes for their consumer keys after we've issued them. The slang t

[oauth] Re: Details on OAuth Session Extension?

2009-10-15 Thread Allen Tom
Robert Winch wrote: > I would like to leverage OAuth without having to hit a database to > validate each request. In addition, I would like to avoid using public > key's since the performance is slower and distribution of the public > keys can be difficult. These requirements have led me to inv

[oauth] Re: YAuth is not OAuth

2009-10-06 Thread Allen Tom
Pelle Braendgaard wrote: > It just happens > that due to Yahoo probably being the oldest company involved in the > process, it is having the hardest time dealing with the concept of > open. > Hi Pelle, Just to reiterate Eran's followup, Yahoo has been engaged in OAuth from nearly the beginnin

[oauth] Re: Need for timestamp and nonce over HTTPS

2009-10-05 Thread Allen Tom
Yes, I agree, the wording could be rephrased to indicate that the Consumer's credentials (the consumer secret) as well as the user credentials Access Token (and access token secret) are not protected when using PLAINTEXT without HTTPS. Allen beckett wrote: > > Also, I wonder if in the securi

[oauth] Re: Need for timestamp and nonce over HTTPS

2009-10-05 Thread Allen Tom
beckett wrote: > But if you just use PLAINTEXT you as Yahoo! Contacts have absolutely > no idea if its REALLY PLAXO at the other end. It is trivial for any > site to get user to give up data. In which case you might as well not > use OAUTH and just make your data publicly available period. So I >

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-30 Thread Allen Tom
Adam Venturella wrote: > My understanding is that you do not want to even prompt the user for > their username and password. Effectively you want to set up a, as > mentioned before, valet credential system. It's not the real key, > just enough to make the car go. > Have you looked into Infor

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-30 Thread Allen Tom
Sunir Shah wrote: > I have a stupid question. This is a great question. > When I hit the authorization page, Flickr > claims it is a trusted Yahoo! application. How does Flickr know that? > Is it relying on the consumer key and secret? My impression is that > those could be compromised in

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-30 Thread Allen Tom
Hi Blaine, The auth experience for the Flickr iPhone app is exactly the right way to do things. No one would be happier than me if all mobile apps used an Auth UX like the Flickr iphone app. Unfortunately, we have business partners which explicitly are writing into their contracts that they d

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-29 Thread Allen Tom
James Wanga wrote: > What Yahoo has > done works well for the web but it does not address mobile and > browserless device use cases. Using OAuth with browserless devices is challenging, and perhaps it's more realistic to provide an API that allows the device to exchange the username/password f

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-29 Thread Allen Tom
Hi James, Yahoo has been researching ways to improve the redirect UX for both OAuth and OpenID, and we've found that the "popup" UX is a pretty big improvement, with a much higher success rate compared to the redirect UX. Descriptions and screenshots are here: http://developer.yahoo.net/blog/ar

[oauth] Re: Request for new Security Considerations text

2009-05-11 Thread Allen Tom
Does the OpenID Hybrid Protocol need to be amended to mention that Hybrid should not use auto-approval for OAuth tokens? Allen Brian Eaton wrote: > Automatic Repeat Approvals > > Some service providers may wish to automatically approve OAuth access > requests from consumers who the user has al

[oauth] Re: OAuth Core 1.0 Rev A, Draft 2

2009-05-06 Thread Allen Tom
Brian Eaton wrote: > > Use case is consumers and service providers trying to transition to > OAuth 1.0a in parallel without creating down time or needing to "all > hold hands and jump together". I still don't quite see the problem. If the issue is that the Consumer doesn't know if the SP suppo

[oauth] Re: Clickjacking & OAuth

2009-05-06 Thread Allen Tom
of phishing attacks. Something to consider. >> >> Stephen Sclafani >> >> On May 6, 12:45 am, Allen Tom wrote: >> >>> Yahoo always requires the user to enter their password (even if the >>> user >>> is already signed into Yahoo) bef

[oauth] Re: Clickjacking & OAuth

2009-05-05 Thread Allen Tom
that this is the best a service provider can hope to do at this > point. There really is no 100% solution. > > Stephen Sclafani > > On May 4, 4:15 pm, Allen Tom <mailto:a...@yahoo-inc.com>> wrote: > > Hi Stephen, > > > > Thanks fo

[oauth] Re: Clickjacking & OAuth

2009-05-04 Thread Allen Tom
Hi Stephen, Thanks for pointing this out. It might not be sufficient to deploy only Framebusting JS on the approval screens, as the attacker can disable JS for the iframe in IE by setting the security attribute to "restricted" http://msdn.microsoft.com/en-us/library/ms534622(VS.85).aspx SPs m

[oauth] Re: Desktop Application Callback Value

2009-05-01 Thread Allen Tom
We either need an explicit string for the null callback, or we need to increment the version number, because the SP needs a way to determine which OAuth dialect the consumer is speaking as early on in the dance as possible. I believe that it's more pain than it's worth to increment the version

[oauth] Re: Version Preference

2009-05-01 Thread Allen Tom
Option 1, Service Providers can differentiate between versions based on whether or not the Consumer passes an oauth_callback on the Request Token request. Changing the oauth_version parameter is just going to break a lot of things without any benefit. Allen Brian Eaton wrote: > On Fri, May 1,

[oauth] Re: CANCELLED: San Francisco meetup this Tuesday 5pm

2009-04-28 Thread Allen Tom
Actually, I was going to go too, but I didn't RSVP. Allen Gilles Devaux wrote: > Do you plan to postpone it? > > I did not realize I had to respond and was going to show up. > > --Gilles > > On Mon, Apr 27, 2009 at 11:32 PM, Chris Messina > wrote: > >> :( >> Seems like 5 people would be a g

[oauth] Re: OAuth Security Advisory

2009-04-25 Thread Allen Tom
Proprietary auths like Yahoo's BBAuth and Google's AuthSub do not have the concept of a request token, and instead just have the Consumer redirect the browser to the SP's auth endpoint. After the user grants permission, the user's browser is redirected back to the consumer with a token that is

[oauth] Re: OAuth Security Advisory

2009-04-24 Thread Allen Tom
Zachary Voase wrote: > If a malicious user can convince you to authorize an application, > then (he/she/it) can almost certainly get you to put in a callback > nonce as well. Submitting a form is still submitting a form, whatever > extra bits one sticks on top of the process. > > The callba

[oauth] Re: OAuth Security Issue: Referer

2009-04-24 Thread Allen Tom
The HTTP Referrer check won't work if the Consumer's domain is a social networking site, and the attacker posted the authorization link to the victim's wall. Allen Manger, James H wrote: > A (temporary) fix might be for Service Providers to check the HTTP > Referer request header when Users a

[oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter

2009-04-17 Thread Allen Tom
Dossy Shiobara wrote: > On Apr 17, 10:32 am, Breno wrote: > >> Sorry, Eran, but it is not an authentication protocol. An >> authentication protocol must be signed by the authenticator, not by >> the authentication requester. >> > > OMG YES! > > Can OAuth 1.1 _please_ fix this and make sign

[oauth] Re: http://apiwiki.twitter.com/Sign-in-with-Twitter

2009-04-17 Thread Allen Tom
OpenID already has a standardized way to get the user's profile data (name, avatar image, email address) via SREG/AX without having to write any vendor-specific code. There's no equivalent to do this in OAuth, although PoCo will eventually take care of this, once discovery is implemented. I al

[oauth] Re: [OpenID] Can we make a seamless OpenID mobile experience?

2009-04-10 Thread Allen Tom
The problem with having the client directly submit the username/password to the SP is that it requires OAuth Service Providers to have passwords for their users, implying that OpenID Relying Parties cannot be OAuth SPs. For an example of a good mobile browser based OAuth UX, check out the Spa

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Allen Tom
you have to say, but I'll defend to the > death your right to say it." - Voltaire > > > On Mon, Apr 6, 2009 at 8:42 PM, Allen Tom <mailto:a...@yahoo-inc.com>> wrote: > > > Andrew Arnott wrote: > > > > Thanks. Incidentally, the grief

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Allen Tom
Andrew Arnott wrote: > > Thanks. Incidentally, the grief I have with Facebook is that I have > to visit Facebook in order to pick up my "mail" which may just be a > poke or prod. *grumble* But yes, I'd like to see us provide a > general solution. And my personal queuing SP of choice would l

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Allen Tom
Hi Andrew, I really like the idea of an OAuth protected messaging service that protects the user's inbox from spam, and allows users to selectively authorize (and revoke) permission for 3rd parties to send messages to them. This is exactly why Facebook messaging is free of spam. As George has

[oauth] Re: Security through obscurity?

2009-03-26 Thread Allen Tom
Martin Atkins wrote: > Indeed, but if for example I take the oauth consumer key and secret out > of the Movable Type FireEagle plugin and use it in my service then I can > use FireEagle without agreeing to the legal terms Sure, but the developer that was issued the CK had agreed to the terms,

[oauth] Re: Security through obscurity?

2009-03-23 Thread Allen Tom
I don't know too much about Flickr Auth, but I'm pretty sure that the Flickr API Key (aka consumer key) and the secret are baked into desktop apps. One thing to consider is that the user had to download and install the app in the first place, so given that the user trusted the app enough to d

[oauth] Re: Security through obscurity?

2009-03-22 Thread Allen Tom
So how does this 3rd party server authenticate your widget? What's to stop someone from reverse engineering the protocol and requesting your CK/Secret? We believe that it is impossible to safeguard any secrets embedded in downloadable client applications. Someone with a debugger and some pati

[oauth] Re: ProblemReporting response format

2009-03-16 Thread Allen Tom
Hi John, I have a quick question about the Problem Reporting Extension regarding the parameter_absent problem. The spec says that missing parameters should be listed in the oauth_parameter_absent parameter, using & to separate multiple parameters. Would it make more sense to use commas to sep