OAuth

From IndieWeb
(Redirected from oauth)

1529124811_67fcabab2d_q.jpg

OAuth is an authorization protocol created to replace the need for client applications of a service (e.g. a silo) to ask for your username and password to the service in order to access the service on your behalf.

Silo Examples

These are only a few of the silos that support OAuth. Silos typically support OAuth as the authorization flow for their own proprietary APIs.

See FreeMyOAuth for a summary of popular silos that support OAuth, and quick links to see which apps you have authorized for each silo.

Github

Github supports OAuth and has potential for a very complicated permissions screen.

Example: Travis Cl asking for / changing OAuth permissions on Github

17115999031_9d2d6be6f9_o.png

Map Me At

Map Me At had an interesting OAuth like permissions screen for use with the defunct Fire Eagle.

fireeagle.png

Twitter

Twitter shows a list of applications that have been granted permission to your account, and provides some info about the type of access they have.

Tools

The OAuth Playground is an interactive tool that walks you through the various OAuth flows step by step.

Brainstorming

UI ideas

Twitter Mockup


Troubleshooting

Twitter API

As of 2013-06-11 Twitter has switched to requiring v1.1 (or later?) of their API. v1.0 has been turned off. v1.1 is pickier about the way it handles OAuth. You may run into the following problems.

Error 0 before authorization prompt

If the authenticate request returns an error 0 before you even see the Twitter authorization prompt screen, and you are using the latest tmhOAuth.php, you may need to:

  • make sure that you have the file "cacert.pem" in the same directory as your tmhOAuth.php.

Verify after authorization prompt does not work

For relmeauth.php in particular:

  • If after bouncing to the Twitter authorization prompt (where it says "Redirecting you back to the application...") it just bounces back automatically right back to the RelMeAuth sign-in screen (not signed-in).
  • Then check out RelMeAuth branch tmh_june_2013_update and see if that fixes things.

After authorization prompt Error 401 Invalid request token

For relmeauth.php in particular when using tmhOAuth.php:

  • If after bouncing to the Twitter authorization prompt (where it says "Redirecting you back to the application...") it provides an Error 401 message and the $tmhOAuth->response['response'] is 'Invalid request token'
  • Then: make absolutely sure you're using tmhOAuth.php version 0.8.2 or later. Double check this at the top of the tmhOAuth.php you're using on your server.

Verify after authorization prompt still does not work

For relmeauth.php in particular when using tmhOAuth.php:

  • If after bouncing to the Twitter authorization prompt (where it says "Redirecting you back to the application...") it just bounces back automatically right back to the RelMeAuth sign-in screen (not signed-in).
  • Then in "function verify", where it sets "$_SESSION['relmeauth']['name'] = $creds[ ", do a var_dump($creds);

That should fix the problem.

Criticism

  • 2012-07-26 Eran Hammer: [1]

Books

Articles

  • 2024-08-24 Zai Shi: OAuth from First Principles (archived):

    I'll start off with an awfully flawed implementation that authorizes a user with a 3rd-party app, and then continuously attack it until we arrive at something that's secure, kind of.

See Also