Re: [dotnetopenauth] Is it advised to use DNOA rather than implementing the protocols myself?

Andrew Arnott

Aug 13, 2012, 10:39:24 PM
to dotnet...@googlegroups.com
Hi Sam,

I'm sorry that in three months you didn't get any answers to your questions.  Did you try this mailing list before now?

A great deal of care went into the code and security of the library.  Documentation includes not just the link you mentioned, but also the samples which you get with the .zip download, and the xml docs.  Among those, most folks find what they need.  

Implementing a security protocol shouldn't be treated lightly.  An HTTP server can be trivially implemented in a week too, but there is a reason that IIS and Apache have large codebases and have dozens of security fixes in their past.  I recommend you check out the DNOA samples, ask your questions on this mailing list, and give a few days more to trying DNOA.  DNOA may itself have security bugs (I can't promise there aren't any); after all, IIS and Apache have them too.  But the likelihood that DNOA has security bugs is probably much lower given its age and thorough use in the wild.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre


On Mon, Aug 13, 2012 at 6:51 PM, Sam Naseri <naseri...@gmail.com> wrote:
Hi,

Introduction:
I have been trying to understand the DNOA source code for a while. I have not even been able to build the solution so far. The only official documentation I found was http://www.dotnetopenauth.net/documentation/ which does not cover even a very basic sample for OAuth 1 or 2. Actually, the documentation page only has content for contributing to the project and for OpenID.

As a result of the lack of documentation and not having my questions answered on StackOverflow, I failed in using DNOA. I went for other libraries, and the situation for other libraries was worse.

So I decided to implement my own library for OAuth 1.0a and OAuth 2.0 according to the specification. Although reading the DNOA source code to understand it took 3 months of my time, I implemented these two protocols in only a week, and now it is working for Microsoft, Facebook, Google, Twitter, Yahoo, LinkedIn and Meetup.

My Questions:
What are the downsides of implementing OAuth 1.0a or 2? I don't know what all that huge amount of code is doing in DNOA; am I missing something?
Having said that my implementation works fine, I am not sure it is secure enough. Are there any security issues I should pay attention to? Does DNOA take care of security like it did for documentation, or has better work been done in that area?


Kind Regards,
Sam Naseri


Brad Laney

Aug 14, 2012, 12:34:32 AM
to dotnet...@googlegroups.com
Honestly I bet you are missing out on a lot of things when it comes to implementing OAuth properly.

I'm sorry you had such a rough time implementing this. I managed to implement 2 of the 4 grant methods in OAuth2 in about a week and a half, and get it out to production ready to use.

The sample is fairly good... the only thing that is really missing is a tutorial showing you where to go to modify all the customizable parts. The key for me was the correct class on the resource server, which was the ResourceServerHost class (something like that).