Dossy Shiobara  
From: Dossy Shiobara <do...@panoptic.com>
Date: Thu, 16 Apr 2009 14:26:19 -0400
Local: Thurs, Apr 16 2009 2:26 pm
Subject: Re: [twitter-dev] Re: Sign in with Twitter
On 4/16/09 12:55 PM, Doug Williams wrote:

> Related: More OAuth documentation is to come throughout the day so
> some of the links will be broken. It's a glaring omission in the
> documentation.

> Let's use this thread to fill the holes people find while implementing
> Sign in with Twitter for the time being.

One issue I have is that the oauth/authenticate method expects an
oauth_token as part of the request.  Until we've authenticated the user,
how do we _know_ what the user's oauth_token should be?

Are we supposed to request and use a new unauthorized token every time
we present the "sign in with Twitter" button in our third-party
application?  (You can smell why this idea stinks, right?)

Also, the redirect to the callback URL has no signature.  What stops an
attacker from brute-force attacking an OAuth consumer, iterating through
possible tokens?  Simply the large search space of valid OAuth tokens?
Even if it's only "possible in theory" ... some teenager with nothing
better to do is going to eventually turn that theory into practice.

What would be ideal is a method that we can link a user to that follows
the oauth/authenticate 4-step decision tree described on the wiki but
requires only a callback URL.  When Twitter sends the user back via the
callback URL, it should include a valid OAuth access token, Twitter user
ID and screen name, and signature.

Then, another method like oauth/token where a signed request with the
OAuth token can be made that returns the token secret.

Possible?

--
Dossy Shiobara              | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
   "He realized the fastest way to change is to laugh at your own
     folly -- then you can let go and quickly move on." (p. 70)
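
The consumer side of the flow the post asks about, as an added example (not code from the post, the thread, or Twitter): a third-party application that requests a fresh, unauthorized request token for every sign-in attempt, binds that token to the browser session, rejects an unsigned callback whose oauth_token does not match the bound one, and signs the later token exchange with HMAC-SHA1 as specified in RFC 5849 section 3.4. The endpoint URLs, the `SignInConsumer` class, the injected `issue_request_token` callable and the session identifiers are assumptions made for this example; a real provider publishes its own endpoints.

```python
"""Consumer-side OAuth 1.0 sign-in handling (added, hypothetical example).

Per-session request tokens, token-to-session binding on the unsigned
callback, and RFC 5849 HMAC-SHA1 signing of the access-token exchange.
Endpoint URLs and the token issuer are placeholders, not a real provider.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Placeholder endpoints (assumed for this example).
AUTHENTICATE_URL = "https://provider.example/oauth/authenticate"
ACCESS_TOKEN_URL = "https://provider.example/oauth/access_token"
PENDING_TTL_SECONDS = 600  # how long a started sign-in stays valid


def pct(value):
    """Percent-encode per RFC 5849 3.6: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def normalize_params(params):
    """RFC 5849 3.4.1.3.2: encode each pair, sort by name then value, join with &."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """RFC 5849 3.4.1.1: METHOD & encoded base URL & encoded parameter string."""
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: HMAC-SHA1 over the base string, keyed by both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """Provider-side check: recompute the signature and compare in constant time."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


class SignInConsumer:
    """Tracks the pending request token for each browser session."""

    def __init__(self, consumer_key, consumer_secret, issue_request_token):
        self.consumer_key = consumer_key
        self.consumer_secret = consumer_secret
        # Callable returning (request_token, request_token_secret); injected so the
        # example runs offline instead of calling a real request_token endpoint.
        self.issue_request_token = issue_request_token
        self.pending = {}  # session_id -> (token, token_secret, issued_at)

    def start_sign_in(self, session_id):
        """Fetch a fresh request token, bind it to the session, build the redirect."""
        token, token_secret = self.issue_request_token()
        self.pending[session_id] = (token, token_secret, time.time())
        return f"{AUTHENTICATE_URL}?oauth_token={pct(token)}"

    def handle_callback(self, session_id, oauth_token):
        """Accept the callback only if its token is the one bound to this session.

        Returns signed parameters for the access-token exchange, or None. The
        pending entry is consumed on first use, so a wrong token cannot be
        retried against the same session.
        """
        entry = self.pending.pop(session_id, None)
        if entry is None:
            return None  # no sign-in was started in this session
        token, token_secret, issued_at = entry
        if time.time() - issued_at > PENDING_TTL_SECONDS:
            return None  # stale sign-in attempt
        if not hmac.compare_digest(token.encode(), oauth_token.encode()):
            return None  # token in the unsigned callback is not ours
        params = {
            "oauth_consumer_key": self.consumer_key,
            "oauth_token": token,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(int(time.time())),
            "oauth_nonce": secrets.token_hex(8),
            "oauth_version": "1.0",
        }
        params["oauth_signature"] = hmac_sha1_signature(
            "POST", ACCESS_TOKEN_URL, params, self.consumer_secret, token_secret
        )
        return params


if __name__ == "__main__":
    # Constructed sample run with a fake token issuer.
    consumer = SignInConsumer("ckey", "csecret",
                              lambda: (secrets.token_hex(8), secrets.token_hex(8)))
    print("redirect browser to:", consumer.start_sign_in("session-1"))
    print("callback with a guessed token accepted?",
          consumer.handle_callback("session-1", "guess") is not None)
```

The binding is what makes the unsigned callback safe to accept: the consumer never trusts the oauth_token in the callback on its own, only its equality with the token it issued for that very session, and the token secret needed to sign the exchange never leaves the consumer. A guessed token therefore has to match a specific pending session, and one wrong guess consumes that session's entry.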

