Joseph Smarr - Latest Comments in Implementing OAuth is still too hard… but it doesn’t have to be

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Russs — Thu, 09 Jun 2011 14:44:42 -0000

It's now June of 2011 and I'm finding it very difficult to get an api interface figured out!

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Wil Tan — Thu, 19 Feb 2009 02:58:20 -0000

Thanks for presenting this action list. I agree that these will tremendously improve the developer accessibility for OAuth.

Regarding terminology confusion, that's very true with the sheer number of tokens coupled with possibly name collision with app-specific parameters (which could be called "api_key", or "secret"). It makes it so easy to get a typo or function parameters swapped. On FireEagle, two different access tokens (user-specific and general access) are used, which may make things worse.

I haven't dabbled in OAuth much, but my first experience was implementing the Fire Eagle widget on MojiPage. We use the Python OAuth library, and provide useful abstraction for the widget (also written in Python) so that it needs only call a few functions. Debugging was a tad harder than the usual web app, but it was a smooth ride on the whole.

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Daniel Rubio — Wed, 18 Feb 2009 20:40:09 -0000

I followed your comment on Dave Winer post.
Just thought I would mention it. The Google OAuth playground is the one thing that finally got me to understand the process, since its interactive showing the requests, headers, tokens and responses.
Its located here : http://www.googlecodesample...

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Luca — Wed, 18 Feb 2009 14:49:46 -0000

I think that all these ideas make perfectly sense, it would be ideal if recipes were collected for all of the OAuth libraries (i mean: having a version of the recipe for each library out there...).

In the meantime, today I have started to work on a prototype "transparent oauth provider", I should have something usable by tomorrow evening (day-job permitting :-) )

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Les Orchard — Wed, 18 Feb 2009 10:22:44 -0000

A “transparent OAuth Provider” is exactly what I was looking for when I started trying to help Dave, too. I've not yet had the chance until now to dive very deep into OAuth myself, and it's very easy to get one thing inexplicably wrong (eg. not url-encoding all the right parts) and have no clue what you got wrong because the signatures are necessarily so opaque.

Would be nice if the "training wheels" of a transparent provider could take all the client-side key/secret and duplicate the expected work for the client side as a cross-check.

Re: Implementing OAuth is still too hard… but it doesn’t have to be

dave — Wed, 18 Feb 2009 07:30:12 -0000

Why don't we have a dinner in March to discuss?

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Karl Adam — Wed, 18 Feb 2009 03:28:29 -0000

I don't know, personally I never found OAuth hard so much as just new. The problems that people are facing aren't so much with the hows, as Winer had the hashing and such correct, but didn't understand that concepts as to why certain things were being done. I grokked OAuth after looking at the Yahoo! OAuth guide which displayed a graphic of the handshake process and was clear to me how to move from unauthorized to authorized and authenticated.

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Joseph Smarr — Tue, 17 Feb 2009 23:38:12 -0000

Ryan-sounds great, and I'll definitely take you up on that offer! ;) It's clear to me that a little extra time and effort by people like you and me whose jobs and companies depend on OAuth being easy to make it so will be a wise investment indeed.

Re: Implementing OAuth is still too hard… but it doesn’t have to be

David Recordon — Tue, 17 Feb 2009 22:23:01 -0000

A bit like your OpenID recipe that you wrote a few years ago. We're planning to write this sort of guide for our book, but haven't started on the OAuth content yet.

Re: Implementing OAuth is still too hard… but it doesn’t have to be

Joseph Smarr — Tue, 17 Feb 2009 22:16:24 -0000

Actually I think the first step should be a good recipe guide and a companion "transparent provider" that the recipe uses. It would take the user through getting/writing a library, hitting a basic "hello world" up to a more complex API call, and it would provide lots of detail and feedback at each step. The idea is, we could tell developers to "first get your code working against this extra-friendly OAuth API, and then turn it to twitter or whoever else you want o hit, since then you'll be confident that it at least works in theory already." And yes, I agree that these types of developer aids are necessary for all the Open Stack building blocks!

Re: Implementing OAuth is still too hard… but it doesn’t have to be

David Recordon — Tue, 17 Feb 2009 22:05:39 -0000

Makes sense and I think that these lessons and ideas are true for a lot of technologies. If the OAuth community were to attack this list, what order do you think makes sense? Is a validator the most important thing to build first?