Simon Willison’s Weblog

50 items tagged “oauth”

2008

Google wants your Hotmail, Yahoo and AOL contacts. And they’re using the password anti-pattern to get them! This is despite both Yahoo! and Hotmail (and Google themselves; not sure about AOL) offering a safe, OAuth-style API for retrieving contacts without asking for a password. This HAS to be a communications failure somewhere within Google. Big internet companies stand to lose the most from widespread abuse of the anti-pattern, because they’re the ones most likely to be targeted by phishers. Shameful.

# 15th September 2008, 10:39 am / shameful, google, passwordantipattern, oauth, aol, yahoo, hotmail, ffs, security, phishing

OAuth on the iPhone. Mike from Pownce explains their superbly implemented OAuth flow for the Pownce iPhone app, and how much push-back they got on it from regular users. One interesting point is that an iPhone application could “fake” a transition to mobile safari using core animation as part of a sophisticated phishing attack. This is a flaw in the iPhone OS itself—it does not offer a phishing-proof chrome as part of the OS.

# 12th September 2008, 9:47 pm / oauth, iphone, security, phishing, pownce, mike-malone

OAuth came out of my worry that if the Twitter API became popular, we'd be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users' passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

Blaine Cook

# 14th August 2008, 10:01 am / security, passwords, phishing, oauth, blaine-cook, twitter, twitterapi

Reviews of the Pownce app on the iPhone app store on Flickr. I had to stitch together a screenshot because you can’t actually link to content in the App Store (unless you don’t care that people without iTunes won’t be able to follow your link). Three out of the four reviews complain about the OAuth browser authentication step, which is frustrating because Pownce have implemented it so well.

# 12th August 2008, 11:05 am / oauth, usability, pownce, iphone, security, phishing, appstore, itunes

Exposure (iPhone app) behaves suspiciously. Exposure on the iPhone does OAuth-style authentication incorrectly—it asks the user to authenticate in an embedded, chromeless browser which provides no way of confirming that the site being interacted with is not a phishing attack. Ben Ward explains how the Pownce iPhone app gets it right in the comments. Exposure author Fraser Speirs also responds.

# 12th August 2008, 7:47 am / oauth, exposure, flickr, iphone, ben-ward, phishing, pownce, security

The Open Web Foundation. Launched today at OSCON, an independent, non-profit organisation dedicated to incubating and protecting new specifications like OAuth and oEmbed. The focus is incubation, licensing, copyright and community.

# 24th July 2008, 5:40 pm / oauth, oembed, copyright, oscon, oscon08, openwebfoundation, openweb

Quick OAuth Notes. Yesterday’s XMPP Summit resulted in a proposed standard for using OAuth to authenticate XMPP streams.

# 23rd July 2008, 6:14 pm / xmpp, oauth

OAuth for Google Data APIs (via) Awesome. Now, how’s OAuth support shaping up over at Twitter (who are serious offenders when it comes to encouraging the password anti-pattern, despite Twitter engineers being key to the creation of the original OAuth spec)?

# 27th June 2008, 7:49 am / oauth, twitter, google-data, google, apis

We are happy to announce that the Google Contacts Data API now supports OAuth. This is our first step towards OAuth enabling all Google Data APIs. Please note that this is an alpha release and we may make changes to the protocol before the official release.

Wei Tu

# 26th April 2008, 10:15 am / weitu, oauth, google, googlecontactsapi

PownceFS. Not a joke: it’s a Fuse filesystem (written in Python, using OAuth for authentication) which exposes a directory for each of your friends on Pownce containing the files that they have uploaded.

# 22nd March 2008, 11:18 pm / pownce, python, oauth, fuse, powncefs, richardcrowley

wikinear.com, OAuth and Fire Eagle

I’m pleased to announce wikinear.com. It’s a simple site that does just one thing: show you a list of the five Wikipedia pages that are geographically closest to your current location. It’s designed (or not-designed) to be used mainly from mobile phones.

[... 1,190 words]

Windows Live ID Delegated Authentication. Would make life a lot simpler if they just supported OAuth, but at least they include sample code in Python, Ruby and PHP.

# 8th March 2008, 3:19 pm / python, ruby, php, microsoft, live, oauth, liveid

Yahoo!, Flickr, OpenID and Identity Projection

Via ReadWriteWeb, view source on a Flickr photostream page and search for “openid” and you’ll be rewarded with the following snippet:

[... 582 words]

2007

Thanks to OpenID and OAuth, the Open Social Web is Beginning to Emerge. My blog’s OpenID powered watchlist and “your comments” features got a write-up on Wired! Nice to know that someone has noticed them.

# 7th December 2007, 12:57 am / openid, oauth, wired, opensocialweb, watchlist

Call for Participation for XTech 2008. XTech 2008 will be in Dublin, Ireland from the 6th to the 9th of May. Lots of really interesting topics in the CfP (OpenID, OAuth, Comet, CouchDB...)—deadline for submissions is the 25th of January.

# 5th December 2007, 3:28 pm / xtech, conferences, cfp, openid, oauth, comet, couchdb

OAuth Core 1.0. The final spec. Expect to see this crop up all over the place in the next few months.

# 5th December 2007, 3:39 am / oauth, authentication, apis

I think it is well established that HTTP Authentication needs a major kick in the ass and OpenID and OAuth may get us most of the way there. However, until I see RFC#s attached to both I'm hardly going to consider them to be complete. I propose the creation of an IETF WG on Identity and Authentication. The WG would be chartered to produce two RFCs covering each of the two areas. OpenID and OAuth could be used to seed the WG effort.

James Snell

# 18th November 2007, 12:15 am / http, james-snell, openid, rfc, oauth, ietf, standards, standardisation

The password anti-pattern. What I don’t understand is why Google / Yahoo! / other webmail providers haven’t just deployed a simple OAuth-style API for accessing the address book. Sites have been scraping them for years anyway; surely it’s better to offer an official API than continue to see users hand out their passwords?

# 12th October 2007, 9:25 am / phishing, passwords, oauth, gmail, yahoo, google, jeremy-keith

Quechup: Another Social Network Enemy! This is why we need to stop teaching users that it’s OK to give their e-mail username and password to any site that asks for it.

# 21st September 2007, 11:36 pm / quechup, openid, oauth, socialnetworks, spam

OAuth: Your valet key for the Web. OAuth is a really important new specification that aims to solve the “give this application permission to do X on my behalf” problem once and for all.

# 21st September 2007, 11:34 pm / oauth, openid, specification, authentication, web-services, apis