Actually, sessions are a bad practice when facing a REST API.
REST is / should be stateless. Meaning, every request should be able to identify itself after an authentication has happened.
Either via access tokens in the header, or via Bearer tokens, SSL and OAuth 2.
Having a session really defeats the purpose of having a REST implemented.
$0.02.
It's okay with Netflix and native apps...
But assuming you would want to use a third party app to access some service you use.
Like, if you want to give access to your Twitter/Facebook/Google account inside the Netflix app, I guess the developers would need a webview to use OAuth to do that. They would show a WebView with the "Connect to Google" login page or something like that.
Any service that uses the "Login with Facebook" or "Login with Google" features would need that.
There are a few reasons. Like others have said, more targeted ads means more revenue per user. On top of that, it's simpler to just hit a button and be done with the login than to register with a new site you need to keep credentials for. You also don't need to worry about that website potentially storing your credentials unsafely since it's all to Facebook/Google+. See OAuth 2.0
+1 This will work great for many authentication flow needs
I would also suggest looking into OAuth 2.0 as well, below is what caught my eye
> What I'm looking for is simple user creation/registration, 'logging in' to generate temporary API keys and assigning/revoking custom API keys for a user.
Example for JAX-RS (Jersey)
> It probably can't share accounts with non-Apple devices (how can they possibly do it without Google giving access to the registration system?).
Google doesn't give registration system access to all of those smaller sites using "Sign in with Google" buttons.
It's all done through APIs with a protocol called OAuth.
Google can still revoke Apple's access to the API, but I see that as unlikely because Google would be forcing Android users to make Apple accounts instead of using their own. Apple can decide not to implement it because more Android users on Apple Music would mean more iTunes accounts, and this seems a more likely reason if third-party accounts are not supported.
Google Identity Platform Documentation
Edit: Grammar and Formatting
FB has no problems asking for your Gmail/Yahoo/whatever password, but any and all FB authentication has to go through their servers. I'd like to see FB push their partners to adopt better practices.
Anyhow. Open standards like OAuth are available to protect your authentication information, but it's up to the website developer to implement them. FB just happens to be ahead of the curve on this, probably because they are a huge target.
With that type of need, there is a sliding scale in how you can get this done.
Free, DIY: The easiest way would be to have a developer work with OAuth.
Not free but easy to implement: If you don't want to spend too much time building out the authentication piece yourself, Auth0 should get you where you need to be.
Very not free but super easy to implement: If neither of those options suit what you're looking for... not sure what the cost of FullContact is, but LoginRadius has a $495/month plan.
This article covers the idea behind OAuth message signing:
http://hueniverse.com/2008/10/03/beginners-guide-to-oauth-part-iii-security-architecture/
It first covers some other approaches to API security and the problems with them, which is worth a read; however, not too far down is a section titled "Signature and Hash", which is where it starts talking about message signing. I encourage you to read the entire thing though.
Here is a list of OAuth libraries for almost any language, including JavaScript, which you can use for your static page:
Most of the libraries probably include the message signing as something that can be called standalone. Keep in mind the client and server have to recreate the signatures exactly or they won't match; if the libraries are bug-free this won't be an issue, but if you are using two different libraries because of using two different languages, then keep the possibility of bugs in mind.
BTW, here is the OAuth 1 RFC; section 3.4 talks about message signing. RFCs are very formal and technical, but reading this section will show why getting OAuth message signing correct is so hard and why you should use a library: https://tools.ietf.org/html/rfc5849#section-3.4
Thanks chairmanrob. We had a few technical challenges around getting Keystone/Horizon to play well with the backend authentication code on Kilo and securing the new /24, DC equipment and space ready and other work endeavours taking time but overall we had some great support from the community and partners. We'd like to have built it out again sooner in its new home, but alas that's sometimes how it goes.
Expect to see OpenStackID/OAuth2 integration coming in the future as an alternate authentication method as well.
Rsync is best secured through OpenSSH, but it's kind of a moot point, since I seriously doubt users that didn't like SFTP are going to get on-board with rsync.
Sounds like you need something HTTP-based. Maybe you should look into a web-app framework like Ruby on Rails? With something like that you can have users log in using their Twitter user/pass, or any service that offers oauth.
I'm pretty sure that Facebook and Google are used only for login. phab3k also never implied that Pushbullet is dependent on the login. He just said that you have no idea how these services work.
Through the auth process, they do get some basic data about you, yes. The exact same data they get when you visit any of their websites.
How do I know if metadata isn't hitching a ride along? Because it can't. OAuth does not support adding extra data to it, it just supports authentication.
For more information about the login system, visit this page. That is the login system used by both google and facebook.
Or if you don't believe that, have a look at what facebook accepts for their login system.
Ah so that's why it's broken. Ok, native Twitter API (OAuth makes this a bit more of a mouthful)..
curl --request 'POST' 'https://upload.twitter.com/1/statuses/update_with_media.json' \
  --header 'Authorization: OAuth oauth_consumer_key="key", oauth_nonce="nonce", oauth_signature="signature", oauth_signature_method="HMAC-SHA1", oauth_timestamp="timestamp", oauth_token="token", oauth_version="1.0"' \
  --verbose \
  -F "media[]=@PATH_TO_IMAGE_FILE" \
  -F "status=My image description" \
  --header "Expect: "
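The two comments above (the pointer to RFC 5849 section 3.4 and the curl call carrying an `Authorization: OAuth` header) describe the part of OAuth 1.0 that libraries exist to get right: building the signature base string, keying HMAC-SHA1 with the two secrets, and serialising the header. The block below is an added example, not code from the thread or from any of the libraries mentioned; it reproduces the worked request from RFC 5849 section 3.4.1.1 so the base string can be checked against the RFC, and the client/token secrets are constructed sample values, not anything from the RFC or the thread. The point of the `verify` function is the one the poster makes: the server recomputes the same string byte for byte, so any encoding difference between two implementations makes the signatures disagree.

```python
# Added example (not from the original thread): OAuth 1.0 HMAC-SHA1 request
# signing per RFC 5849 section 3.4, plus the "Authorization: OAuth" header
# that the curl command above sends. Standard library only.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Worked request from RFC 5849 section 3.4.1.1.
RFC_METHOD = "POST"
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"  # form body; "c2" has no value but must still be included
RFC_OAUTH_PARAMS = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
# Signature base string the RFC gives for that request.
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)
# Constructed sample secrets (not values from the RFC or the thread).
CLIENT_SECRET = "client-secret-EXAMPLE"
TOKEN_SECRET = "token-secret-EXAMPLE"


def pct_encode(s: str) -> str:
    """Section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' survive; hex digits are uppercase."""
    return quote(s, safe="~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port
    default = (parts.scheme == "http" and port == 80) or (parts.scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Section 3.4.1: METHOD & encode(base URI) & encode(normalized parameters)."""
    collected = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    collected += parse_qsl(body, keep_blank_values=True)
    collected += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    # Section 3.4.1.3.2: encode name and value first, then sort by name, then by value.
    encoded = sorted((pct_encode(k), pct_encode(v)) for k, v in collected)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct_encode(base_string_uri(url)), pct_encode(normalized)])


def sign(base_string: str, client_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: HMAC-SHA1 keyed with encode(client secret) & encode(token secret)."""
    key = f"{pct_encode(client_secret)}&{pct_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(oauth_params: dict, signature: str, realm: str = "") -> str:
    """Section 3.5.1: the Authorization header form used in the curl command above."""
    params = dict(oauth_params)
    params["oauth_signature"] = signature
    parts = [f'realm="{realm}"'] if realm else []
    parts += [f'{pct_encode(k)}="{pct_encode(v)}"' for k, v in params.items()]
    return "OAuth " + ", ".join(parts)


def verify(method, url, oauth_params, body, client_secret, token_secret, presented_signature) -> bool:
    """Server side: rebuild the base string independently and compare in constant time."""
    expected = sign(signature_base_string(method, url, oauth_params, body), client_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    base = signature_base_string(RFC_METHOD, RFC_URL, RFC_OAUTH_PARAMS, RFC_BODY)
    print("base string matches RFC:", base == RFC_BASE_STRING)
    sig = sign(base, CLIENT_SECRET, TOKEN_SECRET)
    print(authorization_header(RFC_OAUTH_PARAMS, sig, realm="Example"))
    print("verifies:", verify(RFC_METHOD, RFC_URL, RFC_OAUTH_PARAMS, RFC_BODY, CLIENT_SECRET, TOKEN_SECRET, sig))
```

Note that `parse_qsl` treats `+` as a space, which is what the RFC's form-encoded body needs (`a3=2+q` becomes `a3=2%20q` after re-encoding); a library that decodes the query with a plain RFC 3986 decoder and the body with a form decoder, while the other side does not, is exactly the kind of mismatch the poster warns about.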
If you're seriously into this sort of thing, you might take a look at OAuth. Unless the "n00b" part only applies to your design and not your development skills, however, this might be above your skill level to begin with.
I agree with zzzeek's general point. In this case there are general-use libraries for this, for example SimpleGeo's python-oauth2. The README for that project even describes (with code snippets) how to get it working with Django, using Twitter as the OAuth authenticator.
The "code" page on oauth.net cites the above as the go-to Python implementation (though there are plenty of GitHub forks if that specific variant doesn't float your boat).
But I suppose there'll always be people who want it packaged up as much as possible for Django, Flask etc.
BTW, if you use the SimpleGeo solution, I claim the bounty ;-)
For OpenID Connect, the OAuth payload that you receive has the ID of the user and the URL of the service that accepts that ID. These two pieces of data should be enough to uniquely identify the user in your system.
Let me see if I am getting this correctly:
Is that correct?
If that is correct:
Even though the publisher might be huge, it is "incredibly stupid", as that is not secure. The Wikipedia article tells you the basics as to why this is stupid:
> IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.
The proper way is to do a proper authentication (e.g.: OAuth 2.0 or something else) on the API you're trying to exchange data over.
You should talk to your host about whether or not you can get a static outgoing IP address for your use case. Typically, with most hosting providers, your IP address won't change, so you could just send a request to see what IP address it is now and run with it. However, you would want to verify before sending that information for whitelisting.
Yes, that method is also called OAuth.
But as I mentioned, there's no guarantee the users will have any of those accounts, thus an alternative sign in method should be implemented anyway.
I'm not familiar with that product, but OAuth is one of the more common authentication protocols in web dev. The real question, though, is what exactly you are trying to achieve. There are always multiple ways to do things and no "right" answer, just one that suits your particular situation best.
Paul Betts' blog post on the matter is good.
There's also this MSDN post.
Edit: looks like the OAuth site has some good leads on OAuth libraries for .NET
Hello folks, thought I would just make a comment. My name's Anthony. I'm the guy behind the Panguin Tool and I work at Barracuda Digital.
First of all, thanks for taking a look!
My esteemed colleague, Juan is the chap who did the back end development and hooked in the Google API etc. He reliably informs me that we do NOT in any way gain access to your GA data. And rest assured, this is certainly not what we set out to do.
This is what we're using for the authorization: http://oauth.net/2/ I am again told that this is pretty standard for this sort of app and keeps your data safe.
Please let me know if you're still not satisfied. Would love for you to use the tool as it was intended.
OAuth is very picky - I would use a library from http://oauth.net/code/ if you aren't already.
In my case, I adapted the code from this blog post: It extends the oAuthBase.cs code from the above link.
http://www.voiceoftech.com/swhitley/index.php/2010/02/twitter-oauth-with-net-for-the-desktop/