Hi! Good day!
I'm Albert Padin and I've been looking at your implementation of xAuth, and I want to make a suggestion for it. The suggestion I want to make allows the requesting application to make a user authentication (login) request without including the password credential in the request being sent. Currently, it is not much of a problem sending the user login and password credentials in the request because it is done through HTTPS. I don't know if my suggestion will make such a great improvement, but I think it can allow secure authentication (login) without the application including the password in a request done through HTTP.

The implementation is basically the same as the xAuth implementation details except for the following:

1. The password credential is hashed (the same way it's hashed on the server side, e.g. MD5) by the application.
2. After the application generates the HMAC signature, it omits the password field and value (the hashed credential) from the request and sends it to the server (even through HTTP).

Now on the server end, when it receives the request, it just inserts the hash value of the user's password and validates the signature. If the signature validates, then you can assume that the password was correct. If it's not valid, then either the password is wrong or the request has been tampered with. In both cases, you don't grant a token.

With this implementation, you can provide authentication through HTTP without passing the password over the wire. I don't know if this advantage is worth it.

Should you have any questions, clarifications, or reactions, please don't hesitate to reply. You may even send me a reply telling me where I might have been mistaken.

Thanks and enjoy!
Albert

--
Twitter developer documentation and resources: http://dev.twitter.com/doc
API updates via Twitter: http://twitter.com/twitterapi
Issues/Enhancements Tracker: http://code.google.com/p/twitter-api/issues/list
Change your membership to this group: http://groups.google.com/group/twitter-development-talk
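The exchange proposed in the post above, worked through on both sides, as an added example that is not part of the original message and not Twitter's xAuth code. It follows the OAuth 1.0 HMAC-SHA1 signing rules that xAuth reuses (sorted percent-encoded parameters, key = consumer_secret&token_secret with an empty token secret at login time). The consumer key and secret, the endpoint URL, the user store and the password are constructed sample values; MD5 is used for the stored hash only because the post names it as its example. The replay checks on the server (timestamp window, nonce reuse) and the rejection of a client-supplied x_auth_password field are additions of mine, not steps described in the post.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import quote

# Constructed sample values for this demonstration (assumptions, not real
# Twitter credentials). As in OAuth 1.0 the consumer secret is shared by the
# application and the server and is never sent on the wire.
CONSUMER_KEY = "example-consumer-key"
CONSUMER_SECRET = "example-consumer-secret"
ACCESS_TOKEN_URL = "http://api.example.com/oauth/access_token"  # plain HTTP, as the post allows
PASSWORD_FIELD = "x_auth_password"  # the xAuth field the proposal drops from the request
REPLAY_WINDOW_SECONDS = 300

# Constructed server-side user store: username -> stored password hash.
# MD5 only because the post uses it as its example of "the same way it's hashed on the server".
USERS = {"alice": hashlib.md5(b"correct horse battery").hexdigest()}


def _pct(s: str) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0 requires (unreserved characters kept)."""
    return quote(s, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """OAuth 1.0 base string: METHOD & encoded URL & encoded sorted key=value pairs."""
    encoded = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(encoded)])


def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 over the base string, keyed by consumer_secret&token_secret (empty before a token exists)."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def client_build_request(username: str, password: str,
                         nonce: Optional[str] = None, timestamp: Optional[str] = None):
    """Application side: sign with the hashed password included, then drop it (the post's steps 1 and 2)."""
    params = {
        "x_auth_mode": "client_auth",
        "x_auth_username": username,
        PASSWORD_FIELD: hashlib.md5(password.encode()).hexdigest(),  # step 1: hash as the server does
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_timestamp": timestamp or str(int(time.time())),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET)
    del params[PASSWORD_FIELD]  # step 2: the hash never leaves the application
    return "POST", ACCESS_TOKEN_URL, params


def server_verify(method: str, url: str, wire_params: dict, seen_nonces: set,
                  now: Optional[float] = None) -> bool:
    """Server side: reinsert the stored hash, recompute the signature, grant only on a match."""
    params = dict(wire_params)
    presented = params.pop("oauth_signature", None)
    if presented is None or PASSWORD_FIELD in params:
        return False  # no signature, or the client tried to supply the hash itself (added check)
    stored_hash = USERS.get(params.get("x_auth_username", ""))
    if stored_hash is None:
        return False  # unknown user: same answer as a wrong password, nothing leaked
    # Replay protection (added, not described in the post): a signed request captured on
    # plain HTTP verifies as-is, so stale timestamps and reused nonces must be refused.
    try:
        ts = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    nonce_key = (params.get("oauth_consumer_key"), params.get("oauth_nonce"), ts)
    if abs(current - ts) > REPLAY_WINDOW_SECONDS or nonce_key in seen_nonces:
        return False
    params[PASSWORD_FIELD] = stored_hash  # the server's own copy of the hash, never the client's
    expected = sign(method, url, params, CONSUMER_SECRET)
    ok = hmac.compare_digest(expected, presented)
    if ok:
        seen_nonces.add(nonce_key)
    return ok
```

Two things the code makes visible that the post's argument does not. First, the request is only as unforgeable as the HMAC key, and the consumer secret lives inside the client application, so anyone who extracts it and captures one signed request on HTTP can test password guesses offline against oauth_signature; the hash is a password equivalent, and an unsalted MD5 makes that cheap. Second, because nothing in the request is tied to a session, the server has to enforce the timestamp window and nonce set itself; without them the captured request logs the attacker in just as well as the original.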