OAuth functionality partially restored


Matt Sanford

Apr 23, 2009, 4:50:06 PM
to twitter-ap...@googlegroups.com
Hello everybody,

We were forced to disable OAuth [1] after a security vulnerability
[2][3] was found in the OAuth protocol. As part of the fixes for this
problem there have been some changes to the OAuth functionality. The
relevant changes are:

1. The lifetime of a Request Token is now shorter. This new time limit
should be long enough for a person to complete the flow, but short
enough that it cuts off attacks. This does not affect access tokens
and should be totally transparent to OAuth enabled applications.

2. The oauth_callback parameter is now ignored. Users will be
redirected to the callback registered when the application was
created. We're currently working on changes that will re-enable this
feature but felt that OAuth should be available without this parameter
while that work takes place.

We're very sorry for the silence during this problem but due to
the security implications all OAuth vendors were asked to keep the
details secret until the official announcement. Hopefully we'll have a
replacement for the oauth_callback available in the near future.

– Matt Sanford / @mzsanford
Twitter API Developer

[1] - http://blog.twitter.com/2009/04/whats-deal-with-oauth.html
[2] - http://oauth.net/advisories/2009-1
[3] - http://www.hueniverse.com/hueniverse/2009/04/explaining-the-oauth-session-fixation-attack.html
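As an added example (not code from the post or from Twitter): a minimal request-token store on the provider side that applies the two changes Matt lists, a short request-token lifetime and redirecting only to the callback registered at application creation while ignoring any oauth_callback sent with the request. The TTL value, consumer key and callback URL are constructed placeholders.

```python
import secrets
import time
from dataclasses import dataclass
# Constructed values: the post gives no number for the new lifetime, and the consumer
# registry stands in for the callback registered when the application was created.
REQUEST_TOKEN_TTL = 300  # seconds
REGISTERED_CALLBACKS = {"consumer-abc": "https://app.example/oauth/done"}

@dataclass
class RequestToken:
    consumer_key: str
    callback: str  # always the registered callback, never a value taken from the request
    issued_at: float
    authorized: bool = False

class RequestTokenStore:
    def __init__(self, ttl=REQUEST_TOKEN_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised without sleeping
        self._tokens = {}

    def issue(self, consumer_key, oauth_callback=None):
        """Issue a request token; oauth_callback is accepted but ignored (change 2 in the post)."""
        if consumer_key not in REGISTERED_CALLBACKS:
            raise KeyError("unknown consumer key")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = RequestToken(consumer_key, REGISTERED_CALLBACKS[consumer_key], self._clock())
        return token

    def _live(self, token):  # record only while inside its lifetime (change 1 in the post)
        rec = self._tokens.get(token)
        if rec is not None and self._clock() - rec.issued_at > self._ttl:
            del self._tokens[token]  # expired: purge so it can never be authorized or exchanged
            rec = None
        return rec

    def authorize(self, token):
        """User approved the app: return the registered redirect URL, or None for a dead token."""
        rec = self._live(token)
        if rec is None:
            return None
        rec.authorized = True
        return rec.callback

    def exchange(self, consumer_key, token):
        """Consumer trades an authorized, unexpired token for access; single use."""
        rec = self._live(token)
        if rec is None or rec.consumer_key != consumer_key or not rec.authorized:
            return False
        del self._tokens[token]
        return True
```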
