Re: [oauth] OAuth design for API without users permission

2010-08-06 Thread Lukas Rosenstock
credentials. Unfortunately I think it's difficult to give you advice regarding key management, e.g. replacing compromised keys, without knowing the exact circumstances. Regards, Lukas Rosenstock 2010/7/30 Eric J. Smith e...@codesmithtools.com I am developing an API that will be used by users

Re: [oauth] SSL Gateway Service provider

2010-08-06 Thread Lukas Rosenstock
Interesting idea, don't know if that exists. But my question would be in which scenarios an encrypted tunnel should be easier to configure compared to installing an SSL certificate on the webserver itself?! 2010/7/30 Jake findj...@gmail.com Hello, Does anyone know of a service provider that

Re: [oauth] Confused about the request token

2010-08-03 Thread Lukas Rosenstock
Credentials (this is what you need the oauth_token_secret for). 3) Request for Resources - signed with Token Credentials. Hope I could help. Regards, Lukas Rosenstock 2010/7/28 KeefTM kee...@gmail.com So I am currently writing a SP, and I have a few questions. First, I am following the specs here

Re: [oauth] Enterprise usage question: Role based access and scope parameter

2010-07-07 Thread Lukas Rosenstock
the scope values are converted into actual access privileges. Regards, Lukas Rosenstock 2010/7/6 wjgerritsen epsilon...@gmail.com: Hi, I am playing with the idea of using role names in the scope parameter (of RequestToken endpoint) for authorizing to our platform. It will work somehow like

Re: [oauth] Getting the user name

2010-05-21 Thread Lukas Rosenstock
OpenID Connect (http://openidconnect.com/) is an alternative version of OpenID built on OAuth. It considers this use case as well and returns a user identifier which can be used to get username etc. in a standardized manner via OAuth. Regards, Lukas 2010/5/20 Leah Culver leah.cul...@gmail.com

Re: [oauth] Getting the user name

2010-05-16 Thread Lukas Rosenstock
Hi! Twitter returns the screenname and user id with almost any API call, and also along with the Access Token. For other services you have to check which API call can give you an account name. There is no standardized way in OAuth to do this. Regards, Lukas PS: Anyone thinks this should be

Re: [oauth] oauth_callback parameter not sent to getsatisfaction

2010-04-26 Thread Lukas Rosenstock
Hi! Just to clarify: The protocol knows two ways for sending the OAuth callback, one is along with the request token; and the other is by attaching it to the URL. The former (1.0a) is recommended and was introduced after security issues had been known about the latter (1.0). Regards, Lukas

Re: [oauth] HTTP PUT request format

2010-04-18 Thread Lukas Rosenstock
in the body implies an application/x-www-form-urlencoded content type which usually is not the case if you use PUT. OAuth libraries should handle that as well. Regards, Lukas Rosenstock 2010/4/16 AriB ariel.boludov...@gmail.com Hi, when sending HTTP POST or PUT requests with Oauth, which

Re: [oauth] Google oAuth Access Token Longevity

2010-04-12 Thread Lukas Rosenstock
The specification does not guide or limit the provider in implementing their own security policies and that includes the lifetime of tokens. Some providers may limit it intentionally to let users re-confirm that they still want to provide the access (or simply users should be logged on to their

Re: [oauth] Updating my Twitter status programmatically.

2010-03-23 Thread Lukas Rosenstock
Hi! As far as I know Twitter does not allow 2-legged OAuth. That means, apart from the Consumer Key and Secret that you have already registered, you need an Access Token and Secret as well. Now, you may have to do the following things: 1) Fetch a request token and secret from Twitter. This request

Re: [oauth] 3-legged oauth -- user authorization failures -- what is the standard oauth spec

2010-02-24 Thread Lukas Rosenstock
to that one instead. Regards, Lukas Rosenstock 2010/2/21 Mahesh Venkat mhven...@gmail.com Hi, I recently implemented the 3-legged oauth as per the OAuth 1.0a specs. During the implementation I am finding some gaps in the specs for error scenarios. We have oauth_callback url to redirect

Re: [oauth] test OAuth consumer and service provider

2009-12-04 Thread Lukas Rosenstock
Hi! I think this looks very nice and will help to understand the flow and is good for debugging. We might use it to test the upgrade of our internal OAuth use from 1.0 to 1.0a. Lukas 2009/11/18 k42b3 k42b...@googlemail.com: hi OAuth folks, I like to announce a test consumer and service

[oauth] Status of XRDS Simple and OAuth Discovery

2009-11-06 Thread Lukas Rosenstock
Good afternoon! A long time back I came across two drafts for standards, which are now marked as obsolete, with a new version to be expected by the end of March 2009. Now it's November 2009! These standards are the OAuth Discovery and XRDS Simple: http://oauth.net/discovery/1.0

[oauth] Re: Question about Access Token

2009-11-01 Thread Lukas Rosenstock
Ok, sorry, I read your last sentence wrong so my first sentence doesn't make sense ... One more thing: Using an Access Token the Consumer can make any number of requests as long as that token is valid. 2009/11/2 Lukas Rosenstock l...@lukasrosenstock.net Hi Melvin, yes, the Access Token

[oauth] Re: My case against section 6.2.1 (User redirection)

2009-09-29 Thread Lukas Rosenstock
The idea behind OAuth has often been described as a valet key. The kind of authentication provided by the access token in OAuth is different from the user's username and password. During the redirect, the user may choose what kind of access he wants to give, for example whether the consumer