Documentation on setting/generating oauth_verifier missing #22

Open
Dynalon opened this issue Nov 1, 2012 · 1 comment
@Dynalon (Contributor) commented Nov 1, 2012

There is no documentation that tells one how to set or generate an oauth_verifier, but creating a random verifier and validating it is crucial to security. Additionally, in the Provider example on GoogleCode, there is no OAuth10AInspector added, which is of UTMOST importance to include, else the whole service can be compromised (as only the OAuth10AInspector verifies that the Verifier is actually the one in the token store). Without this Inspector, a client could just invent a verifier and would get (falsely) authenticated.

I've gone through the code and I can't find any place where the IToken.Verifier field is generated/set (except when it is retrieved to the POST data/Headers). I thus use the following in my code to store a Verifier (in the authorize step):

// Build the OAuth context from the incoming authorize request (ASP.NET Request object).
var context = new OAuthContextBuilder().FromUri(Request.HttpMethod, Request.Url);
// Look up the request token that the consumer is asking the user to authorize.
var token = OAuthHandler.RequestTokens.GetToken(context.Token);
// Mint a verifier and persist it on the stored request token for later comparison.
token.Verifier = Guid.NewGuid().ToString();

Please provide better documentation regarding:
a) Include a note that a provider implementation must ALWAYS have OAuth10AInspector present
b) How to generate an oauth_verifier and store it in the request token store

@bittercoder (Owner) commented

The googlecode site is old and should not be used as a reference.

The latest provider example is on github here:

https://github.com/bittercoder/DevDefined.OAuth-Examples/tree/master/src/ExampleProviderSite

And does demonstrate using the class DevDefined.OAuth.Utility.UnguessableGenerator to generate a verifier value.

The DevDefined.OAuth library is quite old - so was written originally prior to OAuth 1.0a against this standard:

http://oauth.net/core/1.0/

When OAuth 1.0a was introduced, support for 1.0a was implemented via additional inspectors, allowing people to still build 1.0 compatible clients/providers at the time.

Since then (and after I stopped actively developing DevDefined.OAuth for my own needs) the RFC5849 OAuth 1.0 standard came out, which again supersedes OAuth 1.0a.

Currently there are no new inspectors introduced for this RFC (so the DevDefined.OAuth codebase did not change from 1.0a to the release of RFC5849).

Sorry about the lack of documentation - I'm not actively developing this project any longer, as it currently scratches my itches, and for future projects I would generally favor OAuth 2.0 over 1.0 when implementing a new provider, unless having to support a technology such as OpenSocial gadgets.

Cheers,

Alex
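The two points raised in this thread, minting an unguessable oauth_verifier when the user authorizes a request token and then actually comparing the presented verifier against the stored one (the job OAuth10AInspector does in DevDefined.OAuth) on the access-token request, are shown below as an added, language-agnostic illustration. It is not DevDefined.OAuth code and does not use its API; the in-memory store, the function names and the 160-bit verifier length are assumptions for the example. The verifier comes from the OS CSPRNG (Python's `secrets`, standing in for the UnguessableGenerator mentioned above) rather than a GUID, whose randomness is not a documented guarantee. `exchange_without_verifier_check` reproduces the failure mode described in the issue: with no comparison, a client-invented verifier is accepted.

```python
# Added illustration (not DevDefined.OAuth code): provider-side handling of the
# OAuth 1.0a oauth_verifier. Store, names and parameters are assumptions.
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

VERIFIER_BYTES = 20  # 160 bits from the OS CSPRNG; the length is an assumption


@dataclass
class RequestToken:
    token: str
    consumer_key: str
    verifier: Optional[str] = None  # None until the resource owner has authorized
    used: bool = False              # a request token is exchanged at most once


class RequestTokenStore:
    """In-memory stand-in for the provider's request-token store."""

    def __init__(self) -> None:
        self._tokens: Dict[str, RequestToken] = {}

    def issue(self, consumer_key: str) -> RequestToken:
        tok = RequestToken(token=secrets.token_urlsafe(24), consumer_key=consumer_key)
        self._tokens[tok.token] = tok
        return tok

    def get(self, token: str) -> Optional[RequestToken]:
        return self._tokens.get(token)


def authorize(store: RequestTokenStore, token: str) -> str:
    """Authorize step: after the resource owner approves, mint the verifier and
    persist it alongside the request token. The returned value is what the
    provider sends back via oauth_callback or displays for out-of-band entry."""
    tok = store.get(token)
    if tok is None or tok.used:
        raise LookupError("unknown or already-consumed request token")
    tok.verifier = secrets.token_urlsafe(VERIFIER_BYTES)
    return tok.verifier


def exchange_without_verifier_check(store, token, consumer_key, presented_verifier) -> bool:
    """The failure mode described in the issue: nothing compares the verifier,
    so any value the client invents is accepted. Shown only as the bad case."""
    tok = store.get(token)
    return tok is not None and tok.consumer_key == consumer_key


def verify_for_access_token(store, token, consumer_key, presented_verifier) -> bool:
    """The check an OAuth10AInspector-style component must perform on the
    access-token request: the verifier must exist (the user really authorized),
    belong to this consumer, match what was stored, and not have been used."""
    tok = store.get(token)
    if tok is None or tok.used or tok.verifier is None:
        return False
    if tok.consumer_key != consumer_key:
        return False
    # Constant-time comparison so a mismatch does not leak matching-prefix timing.
    if not hmac.compare_digest(tok.verifier.encode(), (presented_verifier or "").encode()):
        return False
    tok.used = True
    return True


def demo() -> dict:
    """Walk the flow with a forged verifier, the genuine one, and a replay."""
    store = RequestTokenStore()
    rt = store.issue("consumer-abc")  # constructed consumer key
    results = {
        # The unchecked exchange accepts a made-up verifier before any authorization.
        "unchecked_accepts_forgery": exchange_without_verifier_check(
            store, rt.token, "consumer-abc", "made-up"),
        "forged_before_authorize": verify_for_access_token(
            store, rt.token, "consumer-abc", "made-up"),
    }
    genuine = authorize(store, rt.token)
    results["forged_after_authorize"] = verify_for_access_token(
        store, rt.token, "consumer-abc", "made-up")
    results["wrong_consumer"] = verify_for_access_token(
        store, rt.token, "consumer-xyz", genuine)
    results["genuine"] = verify_for_access_token(
        store, rt.token, "consumer-abc", genuine)
    results["replay"] = verify_for_access_token(
        store, rt.token, "consumer-abc", genuine)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Running `demo()` shows the unchecked exchange accepting "made-up", while the inspector-style check rejects the forged verifier both before and after authorization, rejects a different consumer presenting the real verifier, accepts the genuine exchange once, and rejects the replay. In a real provider the store would be durable and the `used` flag (or deletion of the request token) must be committed atomically with the successful exchange.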
