http://apiwiki.twitter.com/Sign-in-with-Twitter - OAuth

Message from discussion http://apiwiki.twitter.com/Sig n-in-with-Twitter

Dossy Shiobara

More options Apr 17, 4:32 pm

From: Dossy Shiobara <do...@panoptic.com>

Date: Fri, 17 Apr 2009 16:32:14 -0400

Local: Fri, Apr 17 2009 4:32 pm

Subject: Re: [oauth] Re: http://apiwiki.twitter.com/Sign-in-with- Twitter

  Reply to author
  |
  Forward
  | Print
  | View thread
  | Show original
  | Report this message
  | Find messages by this author
  

On 4/17/09 4:20 PM, Dirk Balfanz wrote:

> Why? OAuth doesn't need it. It's not an authentication protocol.

That's such a sad oversight of the initial OAuth specification. I hope
we can fix this in future versions of the spec.

> Once you start going down this route, you'll realize that you also
> need replay-protection, etc., and before you know it you have
> re-invented OpenID.

I thought the signing mechanism defined by OAuth 1.0 provides
replay-protection, and everything that's included in "etc." that you
hint at.

Currently, the OAuth callback URL is susceptible to replay attack and
token shooting. Signing it would eliminate this in a very low-effort way.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)

Reply to author Forward