RSA support
Pelle Braendgaard  
From: "Pelle Braendgaard" <pel...@gmail.com>
Date: Mon, 28 Apr 2008 10:12:22 -0700
Local: Mon, Apr 28 2008 1:12 pm
Subject: RSA support
We have RSA support in the OAuth gem but it seems pretty incomplete.
Has anyone been using it?

Currently it assumes that you store a private key as consumer_secret
for signing and a straight RSA public key for verifying. There is no
support for certs and no real testing on it.

As Google are using RSA as their only supported signature method at
the moment, it would probably be a good idea to verify that this
actually works and maybe improve the flow.

I propose the following:

1. create unit tests for rsa using test case found at
http://wiki.oauth.net/TestCases
2. support certificate as a consumer secret (test cases won't work
without this anyway)
3. Validate that consumer secret is of correct type

I have written an easy-to-use library for working with OpenSSL RSA stuff
http://ezcrypto.rubyforge.org/

However it might be best to keep dependencies to the minimum so I
might extract some stuff out of that library.

Anyone have any ideas? Would anyone like to take the lead on this?

Pelle

--
http://agree2.com - Take back the contract
http://extraeagle.com - Solutions for the electronic Extra Legal world
http://stakeventures.com - Bootstrapping blog
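
The three proposal items above (a key or certificate on the verifying side, and a type check on the consumer secret), sketched as an added example that is not part of the original post or the OAuth gem. `RsaSha1Example` and its method names are hypothetical, and the key and certificate are constructed at run time.

```ruby
require "openssl"

# Added example; RsaSha1Example and its methods are hypothetical, not the OAuth gem's API.
module RsaSha1Example
  module_function

  # Signing side: the "consumer secret" must parse as an RSA *private* key.
  def load_private_key(pem)
    key = begin
      OpenSSL::PKey.read(pem)
    rescue OpenSSL::PKey::PKeyError, ArgumentError
      raise ArgumentError, "consumer secret is not a PEM key (HMAC secret?)"
    end
    return key if key.is_a?(OpenSSL::PKey::RSA) && key.private?
    raise ArgumentError, "consumer secret must be an RSA private key"
  end

  # Verifying side: accept an X.509 certificate or a bare RSA public key.
  def load_verification_key(pem)
    cert = pem.include?("-----BEGIN CERTIFICATE-----")
    key = cert ? OpenSSL::X509::Certificate.new(pem).public_key : OpenSSL::PKey.read(pem)
    return key if key.is_a?(OpenSSL::PKey::RSA)
    raise ArgumentError, "verification key must be RSA"
  end

  # RSA-SHA1: PKCS#1 v1.5 signature over the signature base string, base64-encoded.
  def sign(base_string, private_pem)
    sig = load_private_key(private_pem).sign(OpenSSL::Digest.new("SHA1"), base_string)
    [sig].pack("m0")
  end

  def verify(base_string, signature_b64, verification_pem)
    load_verification_key(verification_pem)
      .verify(OpenSSL::Digest.new("SHA1"), signature_b64.unpack1("m"), base_string)
  end

  # Constructed throwaway key and self-signed certificate so the example runs offline.
  def demo_material
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=example-consumer")
    cert.public_key = key
    cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    { private_pem: key.to_pem, public_pem: key.public_key.to_pem, cert_pem: cert.to_pem }
  end
end
```

With these checks, an HMAC-style shared secret or a public key passed as the signing secret fails immediately with an `ArgumentError` rather than surfacing later as an opaque OpenSSL error.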


Chris Messina  
From: "Chris Messina" <chris.mess...@gmail.com>
Date: Mon, 28 Apr 2008 11:26:08 -0700
Local: Mon, Apr 28 2008 2:26 pm
Subject: Re: [oauth-ruby] RSA support
Dirk has proposed an extension and best practices for RSA key rotation as well:

http://dirk.balfanz.googlepages.com/oauth_key_rotation.html

Chris

--
Chris Messina
Citizen-Participant &
 Open Source Advocate-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412.225.1051
IM: factoryjoe
This email is: [ ] bloggable [X] ask first [ ] private

ckstjohn@gmail.com  
From: "ckstj...@gmail.com" <ckstj...@gmail.com>
Date: Sun, 1 Jun 2008 17:18:57 -0700 (PDT)
Local: Sun, Jun 1 2008 8:18 pm
Subject: Re: RSA support
On Apr 28, 12:12 pm, "Pelle Braendgaard" <pel...@gmail.com> wrote:

> We have RSA support in the OAuth gem but it seems pretty incomplete.
> Has anyone been using it?

I tried :-)

> As Google are using RSA as their only supported signature method at
> the moment, it would probably be a good idea to verify that this
> actually works and maybe improve the flow.

With some hacking, I got 0.2.5 working against the Google OAuth
for their Contacts Data API[1]. First off, as pointed out here[2], the
oauth_signature_method hash doesn't appear to work. (I just
switched the hardcoded references to hmac-sha1 to be rsa-sha1.)

Also, as documented here[3], OAuth::Signature::RSA::SHA1
is trying to use request.consumer.secret instead of plain old
consumer_secret. (The post above talks about the == op, but
the digest method has the same issue.)

Finally, for those following along at home, in [1] the scope is
given using an http rather than an https scheme URL. This
results in a 401 "Unknown authorization header" or a
"401 Token invalid - AuthSub token has wrong scope". Both
the scope in the GetRequestToken call and the access_token
get url must be https (and the scope param needs to be
encoded).

But in the end, it did work, and I successfully retrieved a
contact list. Thanks for all the work!

-cks

[1] http://groups.google.com/group/oauth/browse_thread/thread/75ee6d97393...

[2]
http://groups.google.com/group/oauth-ruby/browse_thread/thread/64f099...

[3] http://groups.google.com/group/oauth-ruby/browse_thread/thread/b19e74...

