Comments for hueniverse

Comment on Protocol Workflow by Franck

2012-02-28T17:03:09Z

which brings me to the following question. Let’s say I’ve been using the Faji site for some time and it remembers me each time I connect to it (I don’t need to provide my login/password before it’s keeping all needed on my computer). Would that mean, using the Beppa site to print my photos that even the first time, it would not ask me for my credential and I would in that case not be aware that I’m actually providing access to my resources to a third party? I did some test with different site and I think I saw that behavior. Off course the server could be implemented in a way that the first time it would ask for the credentials, but it doesn’t sounds like it’s what happening in the real world.
insight?

Comment on Protocol Workflow by Eran Hammer

2012-02-28T07:41:49Z

Access tokens can last longer than 1 hour. It all depends on the server’s security policy. As for the blind redirect, yes, Jane will just see her photos appear without granting access again.

Comment on Authentication by Eran Hammer

2012-02-28T07:40:18Z

Yes, it is correct. Each encoded part is concatenated together using an unencoded &.

Comment on Protocol Workflow by Franck

2012-02-27T04:11:16Z

Keeping the access token would not help much since it’s valid for just 1 hour. (correct?)
When you say the provider (the server, Faji) can also automatically redirect back…, do you mean it can use it’s own cookie (or other ways) to automatically authenticate the resource owner and redirect back to the Beppa site without loging in the Faji web-site? In that case, Jane would not know (I mean not explicitly like the first time) the second time that she gave access to the Beppa site, right?

Comment on Authentication by Matt

2012-02-24T21:02:18Z

Is the base string correct?
GET&http%3A%2F%

The & after the method is not URL encoded yet the rest of the string is????

Comment on Got Questions? by Eran Hammer

2012-02-14T02:27:51Z

Nope.

Comment on Got Questions? by Mike

2012-02-12T04:28:59Z

Is there a standard way to log out users?

Comment on Authentication by jeff

2012-02-09T20:24:56Z

Great article. Thanks for writing this. A good level of detail; not too lite, not too deep.

Comment on Got Questions? by Eran Hammer

2012-02-06T17:31:26Z

Not yet.

Comment on Got Questions? by Malay

2012-02-06T13:24:46Z

Did you get your writeup done on express with oauth, came across mention of this topic on your excellent writeup on nodejs, express and socket.io

Appreciate the pointer.

Thx

Comment on Got Questions? by Eran Hammer

2012-02-04T22:35:11Z

There are plenty of books and resources on JS, but you should be able to just pick up a few of the node exmaples and run with them. http://howtonode.org/ is a great place to start. As for CoffeeScript, I have no experience with it, but generally don’t see the point.

Comment on Got Questions? by Steven Tessler

2012-02-01T01:14:12Z

Can you recommend some sources for getting up to speed in JavaScript for node?

Also, what are your thoughts about coffeescript?

Comment on Protocol Workflow by Oleg Derid

2012-01-27T19:07:05Z

Great example.

From privacy point of view i would not like Beepa to fetch all my photos from Faji. We can see that Beepa fetches all photos, so from client perspective there is a concern that Beepa could fetch and catch on server side photos i wouldn’t like them to show.

I think there is an architectural way to solve this problem:
a. explicitly restrict some photos on Faji side (make them private, so that external party like Beepa can’t fetch them).
b. when granting authorization on Faji side choose which photos to share.

Comment on Authentication by craig

2012-01-25T19:11:51Z

fantastic – I appreciated that you took the time to explain concepts like hashing and utf-8 encoding along the way. Excellent article!

Comment on Got Questions? by Eran Hammer

2012-01-25T15:46:39Z

I’m not familiar with Fanpage but if they provider an OAuth API to do this, you can register a client with them and perform normal OAuth authorization on your server then post to their status update.

Comment on Got Questions? by Marcel Gringo

2012-01-24T09:44:11Z

Hi … Question:

I want to make an App on a Fanpage where people can write there experience on a service. when published … this experience is also posted on there own timeline as their status update …

Is this possible with OAuth ?

Comment on Sled, Yahoo!, and Moving On by Eran Hammer

2012-01-24T06:40:40Z

Not sure.

Comment on Sled, Yahoo!, and Moving On by Eran Hammer

2012-01-24T06:40:26Z

Plan, yeah. In practice, the app source needs some cleaning up so it is a question of when I get around to it.

Comment on Protocol Workflow by Eran Hammer

2012-01-24T06:39:34Z

That depends on how the client chooses to implement it. They can keep the access token and look it up using a session cookie. Also, the provider can also automatically redirect back without prompting the user to do it again.

Comment on Sled, Yahoo!, and Moving On by Ron Heiney

2012-01-23T17:01:33Z

Does the Facebook authentication work with localhost:8000, I was able to log in with twitter.

Comment on Sled, Yahoo!, and Moving On by Ron Heiney

2012-01-23T15:45:08Z

“including the soon to be open sourced iPhone app we never got to release” Is the plan to still release the mobile app?

Comment on Authentication by Okeke Emmanuel

2012-01-23T11:57:25Z

Many thanks.
I believe this will help me on something i’m currently working on.

Comment on Protocol Workflow by Eddie

2012-01-21T09:09:03Z

Great demostration. But what happens if she revisits Beppa again? Does she have to go through the same process?

Comment on Authentication by paul

2012-01-20T15:14:52Z

thanks for taking the time to write this article. i had to read some of twiters oauth stuff to get to a point where i understood this article, but that just shows how concise it was. thank you.

Comment on Introduction by Dhaval

2012-01-19T11:10:34Z

Best example of “Luxury Car’s Valet key”
short and easy to understand primary thing of OAuth.

Comment on Got Questions? by Eran Hammer

2012-01-13T16:11:10Z

These decisions are all part of the provider’s architecture and all options mentioned are perfectly valid. I would optimize the user experience to make the most sense.

Comment on Got Questions? by Eran Hammer

2012-01-13T16:09:26Z

Sorry but I am unable to assist with any particular vendor. You should reach out to Yahoo! for support.

Comment on Got Questions? by Eran Hammer

2012-01-13T16:08:52Z

Sorry but I am unable to assist with any particular vendor. You should reach out to them for support.

Comment on Got Questions? by liby mathew

2012-01-12T03:57:53Z

I am trying to access Yahoo’s contact API and I’m not able to get request token by giving URI request using my consumer key and secret.It is showing “file not found” while giving request.

Comment on Got Questions? by tony kerz

2012-01-12T02:59:58Z

hi eran,

congrats on your new job and good luck @ walmart!

i’m working on a project where we are trying to use oauth (2) for authentication (click this button to sign in using your ‘xyz-oauth-provider’ account).

in this use-case, the client (user) enacts the oauth handshake with the provider, is prompted to login to the provider, is prompted to grant access to some scope of provider resources, and if all goes well, the client successfully gets an access token and uses it to call an api at the provider to get some basic account information which it uses to set up a local session.

when the client’s local session is complete it ‘goes away’ meaning it tosses the access token.

when the same user comes back (say the next day after the session with the provider has expired) via the client to run through the same process again, they are prompted to login to the provider again, but they are also prompted to grant access again.

my initial instinct is that the provider should *not* prompt the user to grant access again (and let’s just simplify the question for now by saying that the initial grant should have no expiration so that the refresh flow isn’t in play).

ok, so that is the setup for my question which is:

does the spec cover this situation in terms of specifying how a provider should behave in this case?

i.e. is it the client’s responsibility to hold onto an access token and not ask for one twice (in which case i’m unclear how to do repetitive sign-on’s using oauth),
*or* is it the provider’s responsibility to not prompt the same user if they have already granted access (and possibly return the same access token that they were initially issued).

i hope my questions are relatively clear, but i’d be happy to clarify if not.

thanks! tony…