Re: [oauth] Re: OAuth2 and clients without browsers

2013-03-16 Thread Andrew Arnott
That's an interesting spin. It sounds like a UX improvement, IMO. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Fri, Mar 15, 2013 at 11:24 AM, Ted Pederson wrote: > I was able

Re: [oauth] Re: OAuth2 and clients without browsers

2013-03-09 Thread Andrew Arnott
Yes, I believe it does provide that. But I haven't reviewed it for some time. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Wed, Mar 6, 2013 at 1:22 PM, Ted Pederson wrote: > I a

[oauth] OAuth2 and clients without browsers

2011-07-20 Thread Andrew Arnott
less desirable but it will limit which services they can access. Thoughts? -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre -- You received this message because you are subscribed to the Google

[oauth] What 2-legged OAuth is and is not

2011-06-13 Thread Andrew Arnott
In an attempt to clarify what 2-legged OAuth (1.0) is and isn't, I've written a blog post, which I submit for your review: What is 2-legged OAuth? <http://bit.ly/mhgPWw> Let me know if you think I'm completely off base here. Thanks. -- Andrew Arnott "I [may] not agree

[oauth] How stable is the 2.0 spec?

2010-05-04 Thread Andrew Arnott
en it will likely be finalized. Thoughts? -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre -- You received this message because you are subscribed to the Google Groups "OAuth" group. To p

[oauth] Re: C# OAuthBase.cs bug

2009-07-19 Thread Andrew Arnott
I suggest you check out DotNetOpenAuth <http://dotnetopenauth.net/>. It shouldn't have bugs like this and is a complete library for OAuth rather than just helping with message signing. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death

[oauth] Re: Rule of thumb for supporting consumers that don't support Rev A?

2009-07-06 Thread Andrew Arnott
you did not initiate this request at CONSUMER_DOMAIN_NAME, it may be possible for other users of CONSUMER_DOMAIN_NAME to access your data. We recommend you deny access unless you are certain that you initiated this request directly with CONSUMER_DOMAIN_NAME.” -- Andrew Arnott "I [may] not ag

[oauth] Is there a spec for 2-legged OAuth?

2009-07-03 Thread Andrew Arnott
It seems like 2-legged OAuth is this informal thing that everyone knows about yet I can't find any concrete documentation on. Is it because when it exists, it's a proprietary solution between a consumer and SP? Is there a spec anywhere? -- Andrew Arnott "I [may] not agree with w

[oauth] DotNetOpenAuth 3.2 released with OAuth 1.0a support

2009-06-27 Thread Andrew Arnott
more info here <http://dotnetopenauth.net:8000/> -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

[oauth] Re: OAuth Core 1.0 Rev A, Draft 3

2009-06-07 Thread Andrew Arnott
ame thing? (this only matters when user involvement is required in the verification entry). -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Tue, May 12, 2009 at 4:10 PM, Eran

[oauth] Re: Spec interpretation around section 6 use of request tokens

2009-06-07 Thread Andrew Arnott
I'd say that where a verifier is required, only a small number of attempts should be allowed. We should allow for user entry error while mitigating against brute force attacks. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right

[oauth] Spec interpretation around section 6 use of request tokens

2009-06-06 Thread Andrew Arnott
n request token once? Or does it mean that a desktop consumer app cannot keep polling the server with its request token until it finally gets an access token when the user finishes authorizing the request token? -- Andrew Arnott "I [may] not agree with what you have to say, but I'll def

[oauth] Re: Multipart HTTP requests with OAuth signatures

2009-05-29 Thread Andrew Arnott
Thanks. I didn't know about that extension. Is there a list of all the OAuth extensions somewhere? -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre On Fri, May 29, 2009 at 6:06 PM, Brian E

[oauth] Multipart HTTP requests with OAuth signatures

2009-05-29 Thread Andrew Arnott
n the POST entity should be signed unless the content type is application/x-www-form-urlencoded, which means that parameters that come along with the image are unsigned. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it."

[oauth] OAuth Discovery 1.0 status

2009-05-09 Thread Andrew Arnott
or an updated timetable for its availability? Thanks. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

[oauth] Re: Signature base string construction for POST URLs that include querystring

2009-04-30 Thread Andrew Arnott
Thanks, everyone. That sounds good. I know a redraft of the spec is in progress. It would be awesome if this could be clarified in a future version. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

[oauth] Signature base string construction for POST URLs that include querystring

2009-04-29 Thread Andrew Arnott
. Is the spec wrong? (it seems insecure) Google signs this part although the spec seems to suggest against it. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

[oauth] Re: San Francisco meetup this Tuesday 5pm

2009-04-27 Thread Andrew Arnott
I can make it on a conference call if the details can be sent out. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire On Fri, Apr 24, 2009 at 2:42 PM, Leah Culver wrote: > > Hi all, > > My ey

[oauth] DotNetOpenAuth 3.0 released with OAuth support

2009-04-16 Thread Andrew Arnott
dotnetopenauth-30-released.html>. Exciting times. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire

[oauth] Re: [OpenID] Facebook wildfire spreading of OpenID

2009-04-13 Thread Andrew Arnott
bably as entire scenarios that people could read and relate to. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire On Mon, Apr 13, 2009 at 9:14 PM, Peter Williams wrote: > > > > > *From:* Andrew Ar

[oauth] Re: [OpenID] Facebook wildfire spreading of OpenID

2009-04-13 Thread Andrew Arnott
Peter, my parents' responses inline. > What is openid’s core value, for a parent? > > Here is a few of the spins I’ve heard over the last 2 years: > > 1 Urls are so magical that your openid URL means you > don’t need multiple passwords > What? > 2 Addresse

[oauth] Facebook wildfire spreading of OpenID

2009-04-13 Thread Andrew Arnott
So no talking about association handles and cryptography! :) Facebook Group: Take Back Your Identity<http://www.facebook.com/group.php?gid=84220470521&ref=nf> -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the

[oauth] OAuth for installed apps

2009-04-09 Thread Andrew Arnott
uest as much as a request that the OAuth community, perhaps a future spec, push for SPs to add this feature generally, so that consumer desktop apps can benefit from OAuth the same way web apps can. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-07 Thread Andrew Arnott
g into web sites without a valid email address? -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire On Mon, Apr 6, 2009 at 9:34 PM, Allen Tom wrote: > Currently, Google OpenID users can be exempted from E

[oauth] Re: How should a token_secret be used when signing with RSA-SHA1?

2009-04-06 Thread Andrew Arnott
auth_timestamp="1239078752" It's the same algorithm I'm using to sign the first three requests. Any ideas? Thanks. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire On Mon, Apr 6, 200

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
d the user through email verification. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire On Mon, Apr 6, 2009 at 8:42 PM, Allen Tom wrote: > > Andrew Arnott wrote: > > > > Thanks. Incidentall

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
I hope we can find a way besides giving these social networking sites access to spam our friends to make these connections with others already using the service. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Volt

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
Auth token will be assigned, and the site may never know that I'm the same person as was there previously. But certainly over time with a single account it can accumulate data on me. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your rig

[oauth] How should a token_secret be used when signing with RSA-SHA1?

2009-04-06 Thread Andrew Arnott
icate. I don't think I'm using the token_secret anywhere here. With HMAC-SHA1, you concatenate the consumer and token secrets together for the key. But what do I do for RSA-SHA1 signing, since the key is just the cert? It seems the token_secret is unused? -- Andrew Arnott "I [may

[oauth] Re: Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
;s account. -- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire On Mon, Apr 6, 2009 at 8:45 AM, Andrew Arnott wrote: > Deep in another OpenID thread I suggested part of this idea, but I've > expanded

[oauth] Replacing email verification with RSS 'push' feeds and OAuth

2009-04-06 Thread Andrew Arnott
hen deactivate that account to save bandwidth and processing power. Open issues / questions: 1. The RP will need a consumer key to send the OAuth request, but it often won't have one since any user with any queuing SP may log in. 2. A standardized message push POST format will have

[oauth] Re: OAuth FAIL

2009-02-25 Thread Andrew Arnott
ring+of+parameters#0add9f7a4eb9ffbf> Is oauth_token required in SP redirect to Consumer?<http://groups.google.com/group/oauth/browse_thread/thread/563f3824b7a97be0/dde5f3b2700bc7de?lnk=gst&q=arnott#dde5f3b2700bc7de> I'd love to see the spec fixed up so that these questions are impli