Comments for hueniverse

Comment on Got Questions? by Eran Hammer-Lahav

2010-09-01T14:52:41Z

I am not familiar with how Orkut uses OAuth. I suggest you ask this question on their developer forum.

Comment on Introducing WebFinger by Arioch

2010-08-31T22:02:10Z

Enter your email to login:
Enter the address of your blog or profile page to login:

Still NASCAR problem.
Those lines should be the same.
I hope my comments would pop-up on http://www.abstractioneer.org/2009/04/personal-web-discovery.html#comment-form about that.

Comment on Got Questions? by blaaze

2010-08-31T07:00:10Z

How to deal with the 3legged scrap all thingy in Orkut? I am looking for a php version of code for it.

Comment on Got Questions? by Eran Hammer-Lahav

2010-08-29T16:49:09Z

Password reset is usually a barer token solution where whoever controls the email account and have access to the special link, can change the password. OAuth cannot help you here because you don’t have a way to authenticate the user other than giving them a URI.

Comment on Open Questions About OAuth 2.0 Authentication by Eran Hammer-Lahav

2010-08-29T16:46:41Z

You can use whatever is supported by the specific provider. They should support the header and likely to support the query string. This is explained in:

http://tools.ietf.org/html/rfc5849#section-3.1

Comment on Got Questions? by Mohan Radhakrishnan

2010-08-29T04:57:14Z

Is there a way to use OAuth token within a single web application? I have read your use cases. I have a forgot password link sent in an email. Now this is a special url that cannot be authenticated. Is there a neat way of associating a token with this url that expires after a few days. We don’t want the wrong user from getting this url and hacking into the site.
Ours is a non-REST web application. Hope my question makes sense.

Comment on Open Questions About OAuth 2.0 Authentication by Tejas

2010-08-20T18:19:19Z

Hi Eran,
Can you please give a brief explanation about how to use the access token or access token secret to access the protected resources from the service provider. I’m using .NET OAuth Library 1.0, I have the access token and secret but I don’t know how to send the request to access resources from the provider’s API. Do I need to use authorization header for the request body or URL Query string is ok ?

Thanks in advance

Tejas

Comment on Got Questions? by Eran Hammer-Lahav

2010-08-17T05:47:09Z

The request token (or temporary credentials in the RFC) are used to differentiate between the front channel exposed to the user and the back channel between the client and server. They are also used to support clients that cannot receive callbacks directly.

Comment on Implementing WebFinger by Eran Hammer-Lahav

2010-08-16T07:13:14Z

Not really. Most people copy over the Gmail example.

Comment on Implementing WebFinger by Rob N

2010-08-13T22:52:23Z

Is there a list of commonly-used rel values? I’m starting to put together webfinger data for my users I’m having trouble finding a reference for stuff I should actually put in the descriptor file.

Comment on Next stop, Elastic Architecture by Elastic Architecture « DivConq

2010-08-13T05:39:40Z

[...] to name this concept. Yahoo.com’s Eran Hammer-Lahav talked about elastic architecture in an August 2007 blog post. In this post he discussed two intersecting themes: applications that could scale themselves, and [...]

Comment on Got Questions? by helloman

2010-08-11T09:41:33Z

Hi
I don’t know that why require request token..
why needs this??

Comment on Introducing OAuth 2.0 by Eran Hammer-Lahav

2010-08-05T05:42:27Z

Not where it matters, but I’m not an expert in SAML.

Comment on Introducing OAuth 2.0 by Jitender

2010-08-05T01:52:17Z

Are there any similarities between this spec and SAML?

Comment on Open vs. Fast, Good vs. Evil, Google vs. Facebook by Clayton

2010-08-04T16:12:14Z

Hello,
I’m just getting up to speed with QAuth and all the issues involved with the topic, and I wanted to say thank you for your writings. Rarely when learning new web technologies do I find such accessible explanations of “How we got to where we are” — I wish it happened more.

Comment on Got Questions? by Eran Hammer-Lahav

2010-08-03T15:59:29Z

I’m using Apture: http://www.apture.com

Comment on Beginner’s Guide to OAuth – Part III : Security Architecture by Eran Hammer-Lahav

2010-08-03T15:57:52Z

On load or when you try to do something specific?

Comment on Got Questions? by Stephen W. Williams

2010-08-02T15:29:34Z

While reading the OAuth docs I randomly swiped a word more out of fidgety-ness then anything but was pleasantly surprised. Your highlight/search functionality is near perfect. Are you utilizing a js package or is it home brewed? I’d love to see it in a plugin of some kind (firefox/chrome).

Stephen

Comment on Beginner’s Guide to OAuth – Part IV: Signing Requests by Chad Wagner

2010-08-02T13:56:18Z

It’s not often one finds such a thorough implementation example for oauth. You ought to be proud! I’m giving you 3 thumbs up and a big thank you!

Comment on Beginner’s Guide to OAuth – Part III : Security Architecture by Jack

2010-08-02T12:26:39Z

The next screen (Part iV: Signing Request) crashes MSIE 8. Has happened 4 times now. FireFox worked.

Comment on Beginner’s Guide to OAuth – Part IV: Signing Requests by Eran Hammer-Lahav

2010-08-02T05:42:16Z

I don’t know which web service API you are trying to use, but either way, I am unable to help with individual requests for help with making authenticated calls. I suggest you ask this on the right develops mailing list or group.

Comment on Beginner’s Guide to OAuth – Part IV: Signing Requests by Joe

2010-07-30T18:39:53Z

Created desktop app that accesses api and needs oauth to search. Now I understand the diff components but when attempting to get request token I get the (401) unauthorized error. When I used a third party oauth app I was able to take it all the way through where i received a pin to use. Still not sure how to use pin but any help will be appreciated.

Comment on Got Questions? by Eran Hammer-Lahav

2010-07-28T15:20:25Z

I am not aware of a tutorial for creating a service but if you look up the documentation for the Twitter, FourSquare, and new Facebook APIs, you should be able to figure out how to apply one of these to your own needs.

Comment on Got Questions? by Markus

2010-07-27T12:01:20Z

Hello hueniverse,

I have read your excellent Beginner’s Guide to OAuth and just wanted to know if there is any tutorial or something where I can see how twitter or other websites have implemented OAuth? I just wanted to create my own API for a Website.

Thanks a lot

Comment on Beginner’s Guide to OAuth – Part II : Protocol Workflow by Eran Hammer-Lahav

2010-07-26T01:25:04Z

Thanks.

Comment on Beginner’s Guide to OAuth – Part II : Protocol Workflow by John.H

2010-07-25T10:17:02Z

I read this article and begin to understand how OAuth get work.
So I translate this article into chinese in my blog, http://thunderbean.info/archives/64/

Hope that you don’t mind

Comment on Beginner’s Guide to OAuth – Part III : Security Architecture by Eran Hammer-Lahav

2010-07-22T20:30:05Z

The nonce has to be unique per timestamp. It can be a random string or as simple as a counter, as long as you can make sure it is unique (for the same timestamp).

Comment on Beginner’s Guide to OAuth – Part III : Security Architecture by Eran Hammer-Lahav

2010-07-22T20:29:02Z

There is simply no way to authenticate an application where the application code is available and the secrets used for authentication exposed. That said, OAuth is perfectly fine in such a setup, with the clear understanding that the application identity cannot be trusted. What makes this acceptable is the presence of the end-user who is providing the sanity check needed.

Comment on Beginner’s Guide to OAuth – Part III : Security Architecture by Eran Hammer-Lahav

2010-07-22T20:27:01Z

In order to produce a signature, the client must include all the information used to generate the signature. The timestamp is one such information needed.

Comment on Does OpenID Have an Identity Crisis? by Vlad Leog

2010-07-22T12:56:48Z

The solution is moving the “connect” button in the browser, and out of the sites.
Google, Facebook, Yahoo, Twitter and others will be Identity Providers. People trust them.
Their job will be to protect your personal data and to give web apps access to it. Pressing the Connect button in the browser should tell the ID provider that you accept connecting to the site you’re visiting and give the site a way to talk back to you when you’re offline. (messaging + notifications system)
If you trust your browser with remembering your passwords you can also trust it won’t randomly connect you to sites you don’t want to visit.

This solution would be much better for web app providers:
1. easier to implement
2. Apps will be able to send personal messages (like email) and notifications trough the ID server.
3. could be a better alternative for RSS (which is really not that simple)

Once that happens, a big chunk of trust is handed to the ID servers – they will know what you’re doing online if you authenticate with the sites you’re visiting.
So online banking and controlling satellites shouldn’t work this way.

In case you need an anonymous connection you should be able to use the browser as your personal ID provider.

Of course, the big players (mostly Facebook) will try anything else before that.
I think Google is already on this path with Chrome and I’ve seen some work on Firefox on this but I’m not sure how deep they want to go with this. I feel that without a way for developers to send messages to the users, the whole openID movement won’t properly take off.