Is it safe to authenticate and send requests via OAuth using Javascript


Karolis

Apr 11, 2010, 3:09:30 AM
to Twitter Development Talk
Hello lively community,

I am in the process of building a web app based on Twitter data.
Currently my whole app is based on JavaScript and everything happens
client side.
However, due to API rate limitations and because some of the Twitter
requests have to be authenticated (users/lookup), I have to use OAuth
authentication.
Now my question is: is it safe to send API requests authenticated by OAuth
via AJAX calls which are happening on the client side?

Thanks in advance
karolis

Taylor Singletary

Apr 11, 2010, 9:23:35 AM
to twitter-deve...@googlegroups.com
Safe to send the requests, yes. Safe to sign them, no. 

In pure JavaScript OAuth 1.0A implementations, your consumer secret will have to appear somewhere in your JavaScript code to sign the requests. The visibility of your secret compromises your API keys and requests, putting your application's and users' reputations & security at risk. There's always a risk of secret discovery in desktop or pure client applications, but it's riskiest when the secret is in plain sight.

Taylor Singletary
Developer Advocate, Twitter
http://twitter.com/episod
--
To unsubscribe, reply using "remove me" as the subject.

Raffi Krikorian

Apr 11, 2010, 11:42:34 AM
to twitter-deve...@googlegroups.com, twitter-deve...@googlegroups.com
Just to follow up on this, we're working on an OAuth 2.0 implementation (of which we are contributors/authors to the spec). That does have a profile which makes it possible to write JavaScript OAuth clients without compromising the keys. I can't give a date yet, however, as the spec is not even finalized yet. If people are interested, I can circulate a URL to the draft.

Cameron Kaiser

Apr 11, 2010, 12:06:44 PM
to twitter-deve...@googlegroups.com
> just to follow up on this, we're working on an oauth 2.0
> implementation (of which we are contributors/authors to the spec).
> that does have a profile which makes it possible to write JavaScript
> oauth clients without compromising the keys. I can't give a date yet,
> however, as the spec is not even finalized yet. if people are
> interested, I can circulate a URL to the draft.

However, if that does not occur prior to the Basic Auth drop-dead date, then
there will have to be some measure of 'key compromise' in open source clients.
Currently I have no choice but to minimally obfuscate my secret in TTYtter,
while documenting I know full well it will be trivially easy to recover (or
have the user create their own xAuth-enabled key/secret pair, which I'm sure
many users will balk at).

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- I use my C128 because I am an ornery, stubborn, retro grouch. -- Bob Masse -

Raffi Krikorian

Apr 11, 2010, 12:40:56 PM
to twitter-deve...@googlegroups.com, twitter-deve...@googlegroups.com
We are doing all we can to get it done before basic auth removal. I
suspect if the spec is not finalized soon, we will just move forward
with a draft spec.

Cameron Kaiser

Apr 11, 2010, 1:06:42 PM
to twitter-deve...@googlegroups.com
> We are doing all we can to get it done before basic auth removal. I
> suspect if the spec is not finalized soon, we will just move forward
> with a draft spec.

Can you send me that draft URL? I'd like to see how much change will be
needed (I expect not a great deal).

--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com

-- Look busy. Jesus is coming soon. -------------------------------------------

Zhami

Apr 11, 2010, 4:35:05 PM
to Twitter Development Talk
+10 Please do circulate the draft!! This is very much of interest to
me.

Abraham Williams

Apr 11, 2010, 4:38:42 PM
to twitter-development-talk
http://github.com/theRazorBlade/draft-ietf-oauth/raw/master/draft-ietf-oauth.txt

--
Abraham Williams | Developer for hire | http://abrah.am
PoseurTech Labs | Projects | http://labs.poseurtech.com
This email is: [ ] shareable [x] ask first [ ] private.

Raffi Krikorian

Apr 11, 2010, 6:05:10 PM
to twitter-deve...@googlegroups.com
Yup! That's the one. Sorry, I've been offline for a few hours.

I'd really rather the twitter-dev mailing list -not- turn into a conversation about this draft (at least, not until it's in a more solid state), but if you have questions/suggestions/etc., please feel free to mail me directly.
--
Raffi Krikorian
Twitter Platform Team
http://twitter.com/raffi