I'm trying to authenticate to Google Talk. The X-OAUTH2 mechanism, which uses OAuth2 tokens, is well documented. But what is X-GOOGLE-TOKEN and where is it documented?
Ah, found it. It's the deprecated ClientLogin API:
Important: ClientLogin has been officially deprecated as of April 20, 2012. It will continue to work as per our deprecation policy, but we encourage you to migrate to OAuth 2.0 as soon as possible.
My client is web based with a NodeJS server.
I've recently implemented Google Sign-In for server-side apps using this flow
see https://developers.google.com/identity/sign-in/web/server-side-flow
I'm now trying to implement something similar on Facebook but when I look at the docs there is no reference to oauth2.
https://developers.facebook.com/docs/facebook-login
Should I be using Facebook connect? Where do I get my "one time code" from so that I can send it to my server?
Lots of confusion on the subject. Some direction would be most welcome.
OAuth is, by design, not a very prescriptive standard. It describes various flows for doing the authorization, and each of those is specified broadly enough to afford multiple interpretations and implementations.
Facebook's implementation is broadly similar to Google's, and supports many different flows. The Javascript SDK offers a way of doing it in the browser, whereas the more traditional server-side flow uses a series of redirects and doesn't require any Javascript. Neither Facebook flow really calls itself OAuth, though the latter refers to it implicitly.
You asked about a "one-time code". That's a part of the Authorization Code flow described in section 4.1 of the OAuth2 specification. The server-side Facebook flow described above seems to be quite close to the specification, and the documentation describes how to get this code and exchange it for an access token. You could do it using the redirects, or you could write some Javascript to hit that endpoint in an XHR and then extract the code yourself and pass it to the server.
But you could also use the Javascript SDK to do essentially the same thing. It is based around the Implicit, browser-driven flow described in section 4.2 of the specification. In that case, the client is issued a short-lived access token. However, it can send that token to the server, and the server can then exchange it for a long-lived access token, similar to the use case of the one-time code. That process is described in the Javascript SDK documentation.
All of this is to say that I wouldn't worry too much about what is or isn't "OAuth". Most of these authorization services are based on the same basic OAuth concepts, but because the specification is quite general none of them work exactly the same way. Just figure out which flow works best for your application and use that.
Dropbox currently supports OAuth 1 and OAuth 2.
I was looking for deadlines for OAuth 1, but found none.
Are there any plans to discontinue OAuth 1 in favour of OAuth 2? If so, what is the deadline?
We'll keep supporting OAuth 1 as long as we support v1 of the API. (And v1 is the current version.)
I am a total noob in Scala, I am just learning. So I am writing a server in Scala and I need to login to Github to access a repository. Are there any libraries that implement an OAuth consumer that I could use? I come from Ruby, and there is Warden that I used in the past. I am looking for something like that...
There are two versions of OAuth, OAuth 1 and OAuth 2. Github uses OAuth 2. The Play Framework authors, for one, consider OAuth 2 sufficiently simple to implement yourself that they don't provide a helper for it.
However, Google says:
"Given the security implications of getting the implementation correct, we strongly encourage developers to use OAuth 2.0 libraries when interacting with Google's OAuth 2.0 endpoints"
(I know Github isn't a Google endpoint, but this security point is valid for any website protected by OAuth.) And Google provides a generic OAuth 2 client for Java, and because Java code can be called from Scala, you can use that.
However, note that certain Github API calls (I think it's ones that access public repositories) don't require any authentication.
You will, however, need to set the User-Agent header to the name of your application in each HTTP request.
Based on the question I asked here, but I wanted to get feedback from the stackoverflow community on this.
It seems from my tests using the Twitter API with OAuth that the oauth_verifier check that should be done by the service provider (Twitter) in step E of http://oauth.net/core/diagram.png is not being done by api.twitter.com; this happens whether the oauth_callback is oob or a regular callback URL.
To test this on Twitter is simple: just don't send the oauth_verifier parameter as part of step F when acquiring an access token.
This issue should be easy to reproduce, but if necessary I can post my test code.
The oauth_verifier was part of the solution to the session fixation threat, and was only introduced in the OAuth 1.0a specification. Because of this, the Twitter API may still not be forcing application developers to use it, to avoid breaking backwards compatibility.
Is this correct? Or am I misinterpreting the OAuth specification?
Does this also happen with other APIs that should be compliant with OAuth 1.0a? (LinkedIn etc.)
PS - This question is somewhat related, but the issue no longer applies because Twitter is returning the oauth_verifier for both types of callbacks (oob and regular callbacks).
I got a reply from the official Twitter discussions:
Currently the API supports both the OAuth 1.0 and OAuth 1.0a authorization flows. We strongly encourage developers not using OAuth 1.0a to update their code as soon as possible.
I dug a lot into the internet, but being a newbie, couldn't do much.
I have summed up the following:
Facebook Chat can be used via two authentication methods (per the official Facebook Chat API documentation):
1> X-FACEBOOK-PLATFORM
2> DIGEST-MD5
1> The X-FACEBOOK-PLATFORM method has very little documentation, none of it official, the closest using pyfacebook & pyxmpp (the official Facebook Chat API page has a reference at the end). Implementing both on GAE is another headache, apart from the debugging problems suffered as a result. The creation of apps and using their ID as stated in some resources is not a problem though. I found a nice GAE walkthrough of pyfacebook on riccomini.name/Topics/Web/GoogleAppEngine/FacebookConnect/
2> DIGEST-MD5 is the common username/password method which can be carried out by any XMPP client. So I thought I could use an XMPP Python client library like xmpppy, which suited me best (as I don't need advanced functions).
Coming straight to my question: is my inference correct? I am thinking of proceeding via Method 2 (I'm well aware of the security risks involved in MD5 crypting of the password, please don't remind me of that). I could find no reference to using xmpppy with GAE, so am I proceeding correctly?
Could anyone provide me a reference to xmpppy used along with GAE?
(I'm sorry if I was unclear. Can't help it, I am no Silicon Valley engineer but a simple student aged 15.)
You can't connect to external XMPP servers using App Engine, so if Facebook requires it for chat integration, this isn't possible.
GAE has a built in XMPP service. Perhaps you can use that instead of xmpppy.
http://code.google.com/appengine/docs/python/xmpp/overview.html
You should have a look into XEP-0206 (XMPP Over BOSH) for connecting to XMPP over HTTP. http://xmpp.org/extensions/xep-0206.html
I don't know if Facebook supports BOSH though.
You need the c2s protocol to talk to Facebook, as the s2s protocol (federation) is not implemented by Facebook.