Comments on: Implementing OAuth is still too hard… but it doesn’t have to be

By: Russs

Russs — Thu, 09 Jun 2011 18:44:00 +0000

It’s now June of 2011 and I’m finding it very difficult to get an api interface figured out!

By: Part time jobs

Part time jobs — Fri, 17 Dec 2010 14:23:00 +0000

Very nice article about implementing oath

By: Anonymous

Anonymous — Sun, 12 Dec 2010 04:33:00 +0000

The explanation as to where to include variables, whether it be in the header, or whether it be in the post, or what-have you, its very cryptic and frustrating as everyone seems to think the concept of hashing and passing back keys is the difficult concept. It’s not, formatting the requests properly is and so far I have not come across a decent explanation or even a fully reasonable testing ground with one exception based on a single twitter implementation.

Hashing is handled by the OS, there is nothing difficult about it.

I currently see it as a general failure on the part of the people doing the dumbing down in their explanations while failing to provide the specific details on their formatting for specific functions.

I am sure my opinion will change when I am done sorting through pages of code to figure out what it was the guy writing the service instructions actually meant to say.

Meanwhile, facebook connect explodes, and everybody who thought an overly complex protocol versus a straightforward secure process was the right path to choose can milk another fat paycheck.

By: dready

dready — Thu, 19 Feb 2009 12:58:20 +0000

Thanks for presenting this action list. I agree that these will tremendously improve the developer accessibility for OAuth.

Regarding terminology confusion, that's very true with the sheer number of tokens coupled with possibly name collision with app-specific parameters (which could be called "api_key", or "secret"). It makes it so easy to get a typo or function parameters swapped. On FireEagle, two different access tokens (user-specific and general access) are used, which may make things worse.

I haven't dabbled in OAuth much, but my first experience was implementing the Fire Eagle widget on MojiPage. We use the Python OAuth library, and provide useful abstraction for the widget (also written in Python) so that it needs only call a few functions. Debugging was a tad harder than the usual web app, but it was a smooth ride on the whole.

By: Daniel Rubio

Daniel Rubio — Thu, 19 Feb 2009 06:40:09 +0000

I followed your comment on Dave Winer post.
Just thought I would mention it. The Google OAuth playground is the one thing that finally got me to understand the process, since its interactive showing the requests, headers, tokens and responses.
Its located here : http://www.googlecodesamples.com/oauth_playground/

By: Luca

Luca — Thu, 19 Feb 2009 00:49:46 +0000

I think that all these ideas make perfectly sense, it would be ideal if recipes were collected for all of the OAuth libraries (i mean: having a version of the recipe for each library out there…).

In the meantime, today I have started to work on a prototype “transparent oauth provider”, I should have something usable by tomorrow evening (day-job permitting )

By: lmorchard

lmorchard — Wed, 18 Feb 2009 20:22:44 +0000

A “transparent OAuth Provider” is exactly what I was looking for when I started trying to help Dave, too. I've not yet had the chance until now to dive very deep into OAuth myself, and it's very easy to get one thing inexplicably wrong (eg. not url-encoding all the right parts) and have no clue what you got wrong because the signatures are necessarily so opaque.

Would be nice if the “training wheels” of a transparent provider could take all the client-side key/secret and duplicate the expected work for the client side as a cross-check.

By: dave

dave — Wed, 18 Feb 2009 17:30:12 +0000

Why don't we have a dinner in March to discuss?

By: thekarladam

thekarladam — Wed, 18 Feb 2009 13:28:29 +0000

I don't know, personally I never found OAuth hard so much as just new. The problems that people are facing aren't so much with the hows, as Winer had the hashing and such correct, but didn't understand that concepts as to why certain things were being done. I grokked OAuth after looking at the Yahoo! OAuth guide which displayed a graphic of the handshake process and was clear to me how to move from unauthorized to authorized and authenticated.

By: Joseph Smarr

Joseph Smarr — Wed, 18 Feb 2009 09:38:12 +0000

Ryan-sounds great, and I'll definitely take you up on that offer! It's clear to me that a little extra time and effort by people like you and me whose jobs and companies depend on OAuth being easy to make it so will be a wise investment indeed.