Comments for hueniverse

Comment on Protocol Workflow by Oleg Derid

2012-01-27T19:07:05Z

Great example.

From privacy point of view i would not like Beepa to fetch all my photos from Faji. We can see that Beepa fetches all photos, so from client perspective there is a concern that Beepa could fetch and catch on server side photos i wouldn’t like them to show.

I think there is an architectural way to solve this problem:
a. explicitly restrict some photos on Faji side (make them private, so that external party like Beepa can’t fetch them).
b. when granting authorization on Faji side choose which photos to share.

Comment on Authentication by craig

2012-01-25T19:11:51Z

fantastic – I appreciated that you took the time to explain concepts like hashing and utf-8 encoding along the way. Excellent article!

Comment on Got Questions? by Eran Hammer

2012-01-25T15:46:39Z

I’m not familiar with Fanpage but if they provider an OAuth API to do this, you can register a client with them and perform normal OAuth authorization on your server then post to their status update.

Comment on Got Questions? by Marcel Gringo

2012-01-24T09:44:11Z

Hi … Question:

I want to make an App on a Fanpage where people can write there experience on a service. when published … this experience is also posted on there own timeline as their status update …

Is this possible with OAuth ?

Comment on Sled, Yahoo!, and Moving On by Eran Hammer

2012-01-24T06:40:40Z

Not sure.

Comment on Sled, Yahoo!, and Moving On by Eran Hammer

2012-01-24T06:40:26Z

Plan, yeah. In practice, the app source needs some cleaning up so it is a question of when I get around to it.

Comment on Protocol Workflow by Eran Hammer

2012-01-24T06:39:34Z

That depends on how the client chooses to implement it. They can keep the access token and look it up using a session cookie. Also, the provider can also automatically redirect back without prompting the user to do it again.

Comment on Sled, Yahoo!, and Moving On by Ron Heiney

2012-01-23T17:01:33Z

Does the Facebook authentication work with localhost:8000, I was able to log in with twitter.

Comment on Sled, Yahoo!, and Moving On by Ron Heiney

2012-01-23T15:45:08Z

“including the soon to be open sourced iPhone app we never got to release” Is the plan to still release the mobile app?

Comment on Authentication by Okeke Emmanuel

2012-01-23T11:57:25Z

Many thanks.
I believe this will help me on something i’m currently working on.

Comment on Protocol Workflow by Eddie

2012-01-21T09:09:03Z

Great demostration. But what happens if she revisits Beppa again? Does she have to go through the same process?

Comment on Authentication by paul

2012-01-20T15:14:52Z

thanks for taking the time to write this article. i had to read some of twiters oauth stuff to get to a point where i understood this article, but that just shows how concise it was. thank you.

Comment on Introduction by Dhaval

2012-01-19T11:10:34Z

Best example of “Luxury Car’s Valet key”
short and easy to understand primary thing of OAuth.

Comment on Got Questions? by Eran Hammer

2012-01-13T16:11:10Z

These decisions are all part of the provider’s architecture and all options mentioned are perfectly valid. I would optimize the user experience to make the most sense.

Comment on Got Questions? by Eran Hammer

2012-01-13T16:09:26Z

Sorry but I am unable to assist with any particular vendor. You should reach out to Yahoo! for support.

Comment on Got Questions? by Eran Hammer

2012-01-13T16:08:52Z

Sorry but I am unable to assist with any particular vendor. You should reach out to them for support.

Comment on Got Questions? by liby mathew

2012-01-12T03:57:53Z

I am trying to access Yahoo’s contact API and I’m not able to get request token by giving URI request using my consumer key and secret.It is showing “file not found” while giving request.

Comment on Got Questions? by tony kerz

2012-01-12T02:59:58Z

hi eran,

congrats on your new job and good luck @ walmart!

i’m working on a project where we are trying to use oauth (2) for authentication (click this button to sign in using your ‘xyz-oauth-provider’ account).

in this use-case, the client (user) enacts the oauth handshake with the provider, is prompted to login to the provider, is prompted to grant access to some scope of provider resources, and if all goes well, the client successfully gets an access token and uses it to call an api at the provider to get some basic account information which it uses to set up a local session.

when the client’s local session is complete it ‘goes away’ meaning it tosses the access token.

when the same user comes back (say the next day after the session with the provider has expired) via the client to run through the same process again, they are prompted to login to the provider again, but they are also prompted to grant access again.

my initial instinct is that the provider should *not* prompt the user to grant access again (and let’s just simplify the question for now by saying that the initial grant should have no expiration so that the refresh flow isn’t in play).

ok, so that is the setup for my question which is:

does the spec cover this situation in terms of specifying how a provider should behave in this case?

i.e. is it the client’s responsibility to hold onto an access token and not ask for one twice (in which case i’m unclear how to do repetitive sign-on’s using oauth),
*or* is it the provider’s responsibility to not prompt the same user if they have already granted access (and possibly return the same access token that they were initially issued).

i hope my questions are relatively clear, but i’d be happy to clarify if not.

thanks! tony…

Comment on Got Questions? by Kirti Patel

2012-01-11T12:04:40Z

Hi, I am trying to implement twitter OAuth for my application but am running into errors every time i try. I have downloaded and am using the library of Abraham OAuth coding. At the moment every time i run my application it presents me with a link to sign into twitter but when clicked gives me the error message ” Cannot sign into twitter, try again later” which is the error handling message of course, but i don’t understand why i am being faced with this…any help please? Other attempts of OAuth have taken me to the twitter website and given me the message that there are no request token for this page, but the token information has been added into the coding already. Help would be much appreciated. Thanks

Comment on Got Questions? by Eran Hammer

2012-01-10T15:55:26Z

Sorry, but I don’t know much about this environment.

Comment on Got Questions? by Marco Peschiera

2012-01-08T17:49:19Z

I’m using classic ASP and need to make OAUTH with YAHOO to get contact of a user that allow my app.
I can make working arriving to get a token but i can’t make the api request because yahoo api is HTTP and not HTTPS so i must use oauth_signature_method =”HMAC-SHA1″
I can’t get a script function that create me this oauth_signature in CLASSIC ASP.
Can you help me ?
Thanks,
Marco

Comment on Got Questions? by Eran Hammer-Lahav

2011-12-31T09:16:55Z

Not sure what exactly you are asking but if the roles are carried by separate entities, they need to coordinate the grants. How to accomplish that is case-specific.

Comment on Got Questions? by Aakash Wasnik

2011-12-22T00:16:19Z

In case Authorization Server and Resource Server are implemented separately (unlike Facebook or Twitter where Authorization Server and Resource Server are same)

Would you please throw some light on validation needs to be done at Resource Server before allowing access to REST API

1. Let say In Access token validation response Authorization Server would say that Access token is issued to “Client 1″ , Scope values are “XYZ PQR” and Some Resource Owner identifier such as userid
2. OAuth Client needs to register at Resource Server as well so that it can trust only specific OAuth clients
3. Also i understand that Resource Server would look at scope values as well before accessing particular REST API

I would appreciate your response.

Thanks
Aakash

Comment on Sled, Yahoo!, and Moving On by Eran Hammer-Lahav

2011-12-15T17:44:36Z

Yes, Sled / Postmile uses MAC tokens based on the last draft. A new draft is expected as soon as the WG can figure out how to proceed. You can see the current status in my github account.

Comment on Sled, Yahoo!, and Moving On by Lorenzo Polidori

2011-12-15T17:10:08Z

Hi Eran,
have you used MAC Access Token Authentication for the OAuth 2.0 on Sled? If this is the case, what open standard did you use?
The IETF draft regarding HTTP MAC access authentication scheme for OAuth 2.0 (draft-ietf-oauth-v2-http-mac-00) expired on 12 November 2011 and the IETF tracker tool doesn’t tell whether this proposal has been dropped or there has been a follow-up.

Comment on Got Questions? by Eran Hammer-Lahav

2011-12-14T05:46:22Z

The code was sent through the client via a redirection to the attacker’s site.

Comment on Is the Party Winding Down at Facebook? by Eran Hammer-Lahav

2011-12-14T05:45:10Z

I’ve never questioned the caliber of talent at Facebook. I even blogged about it grudgingly… But from where I stand, I no longer hear the same level of excitement. People are still in awe of the team but no longer ooh and ah about it the way they used to.

Comment on Is the Party Winding Down at Facebook? by Luke Shepard

2011-12-14T03:41:08Z

I’ve worked at Facebook for 4.5 years and I’m still quite excited. My outlook may be rosier than most because I’m working on the forefront of the mobile web ecosystem, but I don’t think it’s that atypical. The type of person who is attracted to Facebook is typically quite talented, entrepreneurial, and has plenty of other options of stuff to do with their time. The concentration of intense talent is mostly why I love it here.

But the flipside to such talent is the high opportunity cost of their Witness the myriad startups created by Facebook alum just in the past few years (Quora, Asana, Path, Pinterest, Storm8, Cloudera). As such, the opportunity cost of their time is high – so it’s not unexpected that after a few years, many would seek to move on.

That said, it seems like there are more insanely talented people joining the company now than ever before. Just in the past few months, I’ve started working with Charles Jolley and the whole Strobe team; the amazing designers from Sofa; Mike Shaver from Mozilla; James Pearce from Senscha. When this many awesome people are flooding into the company, I think it’s far from winding down.

Comment on Got Questions? by Sujing

2011-12-14T01:55:51Z

http://hueniverse.com/2011/06/oauth-2-0-redirection-uri-validation/

about oauth
In step 7： Evil user takes the authorization code and gives it back to the client by constructing the original correct redirection URI.
I wonder how Evil User can take the authorization code since the code has sent to the victem?

Comment on Is the Party Winding Down at Facebook? by Thomas Koch

2011-12-12T18:53:43Z

The tools used by Facebook include PHP, Hadoop and ZooKeeper among many others. But from these tree I know that the code is big brown ball of mud, a maintainability nightmare. It would fit my picture that people get fed up over time to work with these tools.