OAuth: a disaster for Chinese twitter users


yegle

Feb 12, 2010, 12:30:36 AM
to Twitter Development Talk
Hi all,
This could be a long email.

I read Raffi's post today, the original post is here:
https://groups.google.com/group/twitter-development-talk/browse_thread/thread/c2c4963061422f28

I think abandoning HTTP basic auth would be a disaster for all
Chinese twitter users.

The gov of China runs a big censorship system called GFW. Wikipedia
gives more information about GFW here:
http://en.wikipedia.org/wiki/Golden_Shield_Project

GFW blocked many websites like facebook, twitter, youtube, plurk and
so on. So how do Chinese users post tweets from a twitter client? We
use a Twitter API proxy.

A twitter API proxy is a simple script which redirects all POST and GET
requests it receives to twitter.com. These scripts are written in PHP
or Python, so they can be set up on a virtual host outside China or on
GAE.

Basically, an API proxy script works as a middleman between twitter and
the twitter client, a little like a man-in-the-middle attack. It's possible to
do this if the authentication is made in HTTP basic auth. But there is
no way to do the same thing with OAuth. The base string of an OAuth
request contains the domain of the HTTP request, so all client
developers must modify their code if they want to suit the needs of an API
proxy.

This is really a disaster for all Chinese twitter users.
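
To make the point about the base string concrete, here is an added example (written for this page, not code from the thread, from Twitter or from any client): an RFC 5849 HMAC-SHA1 signer whose base string embeds the scheme and host of the request, and the recomputation a server does before accepting a request. The relay host, keys and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

def pct(value):
    """RFC 5849 percent-encoding: everything except unreserved characters is escaped."""
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """Build the base string; the scheme and host of the request are part of it."""
    u = urllib.parse.urlsplit(url)
    scheme, host = u.scheme.lower(), u.hostname
    if u.port and u.port != {"http": 80, "https": 443}.get(scheme):
        host = "%s:%d" % (host, u.port)
    # Query-string, body and oauth_* parameters (never oauth_signature), encoded then sorted.
    pairs = list(urllib.parse.parse_qsl(u.query, keep_blank_values=True)) + list(params)
    normalized = "&".join("%s=%s" % kv for kv in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct("%s://%s%s" % (scheme, host, u.path)), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets (RFC 5849 section 3.4.2)."""
    key = ("%s&%s" % (pct(consumer_secret), pct(token_secret))).encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def server_accepts(url_seen_by_server, method, params, signature, consumer_secret, token_secret):
    """The API server recomputes the signature for the URL it serves and compares."""
    expected = hmac_sha1_signature(method, url_seen_by_server, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values standing in for a real consumer key, access token and their secrets.
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret", "token-secret"
PARAMS = [("oauth_consumer_key", "example-key"), ("oauth_token", "example-token"),
          ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "1265957436"),
          ("oauth_nonce", "7d8f3e4a"), ("status", "hello from behind the firewall")]
TWITTER = "http://twitter.com/statuses/update.json"
RELAY = "http://relay.example.org/statuses/update.json"  # hypothetical API proxy host

def unmodified_client_via_relay():
    """Client signs the URL it really sends to (the relay); twitter.com recomputes for itself."""
    sig = hmac_sha1_signature("POST", RELAY, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return server_accepts(TWITTER, "POST", PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)

def modified_client_via_relay():
    """Client changed to sign for twitter.com even though the bytes travel via the relay."""
    sig = hmac_sha1_signature("POST", TWITTER, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    return server_accepts(TWITTER, "POST", PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)
```

The first check fails and the second passes: a signing proxy cannot be transparent, because the signature covers the host the client thinks it is talking to, and the same property is what stops an on-path attacker from retargeting or altering a signed request.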

Harshad RJ

Feb 12, 2010, 12:39:06 AM
to twitter-deve...@googlegroups.com
Wouldn't a regular HTTPS proxy be sufficient?
--
Harshad RJ
http://hrj.wikidot.com

yegle

Feb 12, 2010, 12:42:24 AM
to Twitter Development Talk
Yes, but not all clients support an HTTPS proxy, especially mobile
clients.

On Feb 12, 1:39 pm, Harshad RJ <harshad...@gmail.com> wrote:
> Wouldn't a regular HTTPS proxy be sufficient?
> On Fri, Feb 12, 2010 at 11:00 AM, yegle <cnye...@gmail.com> wrote:
> > Hi all,
> > This could be a long email.
>
> > I read Raffi's post today,the original post is here:
>

> >https://groups.google.com/group/twitter-development-talk/browse_threa...

Harshad RJ

Feb 12, 2010, 1:38:02 AM
to twitter-deve...@googlegroups.com
Made me realise that my app (tDash) should be using HTTPS for all API calls. Just made a new release now.

Hoping that helps users behind a firewall.



On Fri, Feb 12, 2010 at 11:12 AM, yegle <cny...@gmail.com> wrote:
Yes, but not all clients support HTTPS proxy, especially mobile
clients.

On Feb 12, 1:39 pm, Harshad RJ <harshad...@gmail.com> wrote:
> Wouldn't a regular HTTPS proxy be sufficient?

yegle

Feb 12, 2010, 1:47:50 AM
to Twitter Development Talk
Nope, it doesn't work :-(
All DNS queries to twitter.com inside China are poisoned and all of
twitter's available IPs are blocked.

Anyway, HTTPS should be enabled or at least provide an option :-)

On Feb 12, 2:38 pm, Harshad RJ <harshad...@gmail.com> wrote:
> Made me realise that my app (tDash) should be using HTTPS for all API calls.
> Just made a new release now.
>
> Hoping that helps users behind a firewall.

Harshad RJ

Feb 12, 2010, 2:11:32 AM
to twitter-deve...@googlegroups.com
On Fri, Feb 12, 2010 at 12:17 PM, yegle <cny...@gmail.com> wrote:
Nope, it doesn't work :-(
All DNS queries to twitter.com inside China are poisoned and all of
twitter's available IPs are blocked.


Ah, I hadn't implemented for the OAuth authorization page. Just done.

(Sorry for the spam, list. Last mail on the topic)

Brian Smith

Feb 12, 2010, 4:40:16 AM
to twitter-deve...@googlegroups.com
yegle wrote:
> Basically, a API proxy script works as a middleman between twitter and
> twitter client, little like man-in-the-middle attack.It's possible to
> do this if the authentication is made in HTTP basic auth.But there is
> no way to do the same thing with OAuth. The base string of an OAuth
> request contains the domain of the HTTP request, so all client
> developers modify their code if they want to suite the need of API
> proxy.
>
> This is really a disaster for all Chinese twitter users.
Read Raffi's post from a few hours ago entitled "What's up with OAuth?"
where he describes xAuth. Also, look at the OAuth WRAP draft
specification, which defines something very similar to xAuth. In the
(near) future, Twitter-approved applications will be able to get OAuth
authorized with just the user's username and password, without forcing
the user to visit the Twitter website. After they are authorized, they
can proxy their requests like before. The proxies will undoubtedly need
to be modified, but the modifications will not be too bad.

- Brian

yegle

Feb 12, 2010, 2:51:55 AM
to Twitter Development Talk
Hi Brian,
Thank you, I just noticed the new OAuth specification.
I'll read the specification first and see if there is any workaround
available :-)

Jesse Stay

Feb 12, 2010, 4:40:27 AM
to twitter-deve...@googlegroups.com
Brian, I thought that was the case originally, but after reading his latest draft, I'm thinking the opposite may be the case.  I think xAuth requires all users to go through the Twitter website, but applications wanting to transfer authority to another application or website (via an API) will be able to make calls on behalf of those applications. In order for application-to-application transfer to occur though, I think users still have to go through the Twitter website to log in.  Then an application can take that user's token, pass it onto the other application, and the other application can get permission from Twitter to make calls on behalf of that user.  No usernames or passwords are passed in this method, if I understand it correctly.  Raffi, please correct me if I'm wrong.

If that's not the case, there is still a major concern for phishing.  I'm not sure what the answer is here - it's China or phishing, tough decision.

Jesse

Harshad RJ

Feb 12, 2010, 5:18:20 AM
to twitter-deve...@googlegroups.com
On Fri, Feb 12, 2010 at 12:17 PM, yegle <cny...@gmail.com> wrote:
Nope, it doesn't work :-(
All DNS queries to twitter.com inside China are poisoned and all of
twitter's available IPs are blocked.

Oh btw, I meant HTTPS proxies that sit outside the firewall.

I assume that DNS queries for twitter.com would be run by the proxy server and not the client. (Tried to RTFM but still not very familiar with the protocol)

yegle

Feb 12, 2010, 6:03:33 AM
to Twitter Development Talk
There is no detailed information about xauth right now, but the WRAP
specification does allow fetching an access token using a username/password,
which makes a proxy script possible. I think this is what xauth is about: get an
access token using username/password and then do the rest using
oauth.

I'm still waiting for the approval of my request to try xauth, maybe I
can figure out how to do this when I can try xauth myself :-)

yegle

Feb 12, 2010, 6:04:15 AM
to Twitter Development Talk
Oh yes, I forgot that an HTTP proxy resolves the domain name at the server
side :-)

On Feb 12, 6:18 pm, Harshad RJ <harshad...@gmail.com> wrote:

yegle

Feb 12, 2010, 6:40:18 AM
to Twitter Development Talk
I read the WRAP draft. I have to say that it's much simpler than OAuth
1.0a.
It doesn't need too much modification to a twitter client to support an API
proxy, if xauth is widely available.

Thank you all for your replies and concerns :-)

Raffi Krikorian

Feb 12, 2010, 10:16:44 AM
to twitter-deve...@googlegroups.com
what i would do (with the caveat that i'm speaking as myself and not necessarily as a twitter employee ;P):

make a proxy that uses xauth - you could still ask for a username/password, use xauth to do the exchange with twitter, and then proxy the basic auth to oauth.   the caveat is that i stated that xauth will not be allowed for "web applications", but i can think of a few creative ways around that.

alternatively, assuming that your proxy can still see twitter.com (it is positioned somewhere where the DNS isn't poisoned), then there is nothing preventing that proxy from doing the oauth web workflow on behalf of the user.  definitely not kosher, and may not scale...
--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi

janole

Feb 16, 2010, 3:47:12 AM
to Twitter Development Talk
Hi Raffi,

I've sent an eMail to a...@twitter.com requesting permission to use
xAuth in my S60 Twitter Client Gravity. Just curious if there's any
ETA for granting access to xAuth and/or providing documentation.

Many thanks in advance,
Ole

--
Jan Ole Suhr
su...@mobileways.de
On Twitter: http://twitter.com/janole

Dewald Pretorius

Feb 16, 2010, 2:24:10 PM
to Twitter Development Talk
> oauth. the caveat is that i stated that xauth will not be allowed for "web
> applications", but i can think of a few creative ways around that.

Raffi,

I assume that would be as a general rule for day-to-day operations of
web apps.

But, for web apps you are still going to allow the one-time bulk
conversion of existing users with xauth, correct?

Raffi Krikorian

Feb 16, 2010, 2:27:41 PM
to twitter-deve...@googlegroups.com
But, for web apps you are still going to allow the one-time bulk
conversion of existing users with xauth, correct?

yes.

Dewald Pretorius

Feb 16, 2010, 2:29:25 PM
to Twitter Development Talk
Actually, this whole Chinese user issue affects web apps as well.
Because, with OAuth, any Chinese user (or any user whose company
blocks Twitter.com) cannot use the web app or add the Twitter account
to a web app that uses OAuth.

So, web apps should have the option of offering their users the xauth
path.

Raffi Krikorian

Feb 16, 2010, 2:35:47 PM
to twitter-deve...@googlegroups.com
understood, but, right now, not in the plan.  web apps will have to use the standard oauth workflow.