Simon Willison’s Weblog

46 items tagged “oauth”


Get your own Pocket OAuth token (via) I hate it when APIs make you jump through extensive hoops just to get an access token for pulling data directly from your own personal account. I’ve been playing with the Pocket API today and it has a pretty complex OAuth flow, so I built a tiny Flask app on Glitch which helps go through the steps to get an API token for your own personal Pocket account. # 5th October 2019, 9:56 pm

datasette-auth-github (via) My first big ASGI plugin for Datasette: datasette-auth-github adds the ability to require users to authenticate against the GitHub OAuth API. You can whitelist specific users, or you can restrict access to members of specific GitHub organizations or teams. While it’s structured as a Datasette plugin it also includes ASGI middleware which can be applied to any ASGI application. # 8th July 2019, 4:28 am


python-twitter/ Creating an OAuth token for accessing a specific Twitter account is way harder than it needs to be. I was about to write my own command-line script for doing this using PIN-based authentication (where you pop open a browser showing the Twitter login flow, then get a PIN number at the end which you paste back into your script) when I discovered that the python-twitter library already ships with a script to do exactly that. Just run “python”, paste in your app’s consumer key and secret, follow a link, enter the resulting PIN and the script will spit out the consumer_key / consumer_secret / access_token_key / access_token_secret combo you need to start using the Twitter API. # 28th October 2018, 5:25 pm


What are some scalable OAuth and OpenID server implementations?

Any OAuth library should scale horizontally—I can’t see how any one library would be a better choice than another.

[... 36 words]

How do you correctly send the oauth_verifier parameter using python-oauth2 and the Twitter API?

This seems relevant:

[... 87 words]

Are there any well-known websites that use Facebook connect or Twitter OAuth as the only sign-in solution without its own sign-in password?

Our site only accepts Twitter OAuth logins (at least for the moment).

[... 42 words]

RasterWeb: Lanyrd. Pete Prodoehl calls me out on Lanyrd’s integration with the Twitter auth API at the expense of OpenID. I’ve posted a comment with my justification—essentially, tying to Twitter’s ecosystem means I can actually implement the features I’ve been talking about building on top of OpenID for years, with far less engineering effort. # 31st August 2010, 8:49 pm

simplegeo’s python-oauth2. The Python OAuth library scene is frighteningly complicated at the moment. This seems to be the most actively maintained, and the readme includes working example code for talking to the Twitter API (including integration with Django auth). # 18th July 2010, 5:22 pm

App Engine at Google I/O 2010. OpenID and OAuth are now baked in to the AppEngine users API. They’re also demoing two very exciting new features—a mapper API for doing map/reduce style queries against the data store, and a Channel API for building comet applications. # 20th May 2010, 3:30 pm

RFC5785: Defining Well-Known Uniform Resource Identifiers (via) Sounds like a very good idea to me: defining a common prefix of /.well-known/ for well-known URLs (common metadata like robots.txt) and establishing a registry for all such files. OAuth, OpenID and other decentralised identity systems can all benefit from this. # 11th April 2010, 7:32 pm


OpenID: Now more powerful and easier to use! The OpenID+OAuth hybrid protocol (where a user can sign in with OpenID and grant an application access to their OAuth protected resources such as a contact list at the same time) is now supported by Google, Yahoo! and MySpace—this feels like OpenID finally coming of age. # 25th September 2009, 9:08 pm

Exploring OAuth-Protected APIs. One of the downsides of OAuth is that it makes debugging APIs in your browser much harder. Seth Fitzsimmons’ oauth-proxy solves this by running a Twisted-powered proxy on your local machine which OAuth-signs every request going through it using your consumer key, secret and tokens for that API. Using it with a browsers risks exposing your key and token (but not secret) to sites you accidentally browse to—it would be useful if you could pass a whitelist of API domains as a command line option to the proxy. # 23rd August 2009, 11:06 am

Why an OAuth iframe is a Great Idea. Because users should a) learn to be phished and b) not even be given the option to avoid being phished if they know what they’re doing? No, no and thrice no. If you want to improve the experience, use a popup window so the user can still see the site they are signing in to in the background. # 16th July 2009, 8:29 pm

Teaching users to be secure is a shared responsibility

Ryan Janssen: Why an OAuth iframe is a Great Idea.

[... 570 words]

oauth-signpost. The Qype API uses OAuth to sign client requests with the developer’s API key, so it’s not surprising to see them release a Java OAuth signing library compatible with Google’s Android mobile platform. # 7th May 2009, 7:33 am

django-piston. Promising looking Django mini-framework for creating RESTful APIs, from the bitbucket team. Ticks all of Jacob’s boxes, even including built-in pluggable authentication support with HTTP Basic, Digest and OAuth out of the box. # 30th April 2009, 7:55 pm

Sign in with Twitter. Intriguing: Twitter are now an OpenID-style identity provider... using OAuth. # 20th April 2009, 4:10 am

As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter’s admin interface.

Blaine Cook # 6th January 2009, 9:37 am

The username/password key’s major disadvantage is that it open all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That’s a benefit, to be sure, but in Twitter’s case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.

Alex Payne # 5th January 2009, 10:47 am

Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder. # 2nd January 2009, 10:48 am


Now You Can Sign Into Friend Connect Sites With Your Twitter ID. Great. Now even Google is asking me for my Twitter password. Slow clap. How’s that Twitter OAuth beta coming along? # 15th December 2008, 5:20 pm

Skillswap goes Portable. Skillswap Brighton will be addressing OAuth and Data Portability on Wednesday. I’m annoyed to be missing it. # 21st November 2008, 10:25 am

OAuth in Minneapolis. OAuth looks like it’s on track for an IETF Working Group. # 20th November 2008, 6:55 pm

Best Practices for OAuth with Fire Eagle. “We insist that you must NOT use embedded rendering controls to present the OAuth process with Yahoo! and Fire Eagle”—that’s a clear nod towards the iPhone development community. # 16th October 2008, 11:23 pm

[REDACTED]. Now that the iPhone NDA has been lifted be prepared for a flood of useful tips about the platform. Here’s Craig Hockenberry explaining how iPhone URL schemes work (used to great effect in the Pownce app for returning to the right place post-OAuth authentication in Safari). # 1st October 2008, 10:34 pm

OAuth Playground (via) Neat OAuth API explorer from the Google Data APIs team. # 20th September 2008, 4:40 pm

Google wants your Hotmail, Yahoo and AOL contacts. And they’re using the password anti-pattern to get them! Despite both Yahoo! and Hotmail (and Google themselves; not sure about AOL) offering a safe, OAuth-style API for retrieving contacts without asking for a password. This HAS to be a communications failure somewhere within Google. Big internet companies stand to lose the most from widespread abuse of the anti-pattern, because they’re the ones most likely to be targetted by phishers. Shameful. # 15th September 2008, 10:39 am

OAuth on the iPhone. Mike from Pownce explains their superbly implemented OAuth flow for the Pownce iPhone app, and how much push-back they got on it from regular users. One interesting point is that an iPhone application could “fake” a transition to mobile safari using core animation as part of a sophisticated phishing attack. This is a flaw in the iPhone OS itself—it does not offer a phishing-proof chrome as part of the OS. # 12th September 2008, 9:47 pm

OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

Blaine Cook # 14th August 2008, 10:01 am

Reviews of the Pownce app on the iPhone app store on Flickr. I had to stitch together a screenshot because you can’t actually link to content in the App Store (unless you don’t care that people without iTunes won’t be able to follow your link). Three out of the four reviews complain about the OAuth browser authentication step, which is frustrating because Pownce have implemented it so well. # 12th August 2008, 11:05 am