[OSM-dev] OAuth down

Pierre GIRAUD pierre.giraud at gmail.com
Sat Nov 19 19:15:36 GMT 2011


Hey Tom,

Thanks again for your efforts!
I'm now using 1.0a (setting a callback when requesting a token) and it
works fine again.

My concern now is to avoid the authorization multiplication, i.e. to
prevent users from being asked several times for a permission they
already gave.
Shouldn't there be a mechanism that verifies that the application has
already been authorized?

In this application [1] described here [2], once the user has
authorized the application, he can log in again and again without
being asked for permission unless he goes to the profile and revokes
the authorization intentionally.
[1] http://facebook-auth.appspot.com/
[2] http://facebook-python-library.docs-library.appspot.com/facebook-python/examples/oauth.html

Here's the workflow (succession of pages with their respective status
code or user actions):
1/ appspot home -> user clicks on login link -> appspot login (302) ->
FB authorize (302) -> FB permissions.request (200) -> user click on
authorize button -> FB permissions.request (302) -> appspot home (200)
2/ appspot home -> user clicks on logout link -> cookies are reset
3/ appspot home -> user clicks on login -> appspot login (302) -> FB
authorize (302) -> FB permissions.request (302) -> appspot home (200)

Is it possible to have the same behavior with 1.0a? Do I have to do
something specific on my side? Or is it something that needs to be
handled server-side?

Cheers,
Pierre


On Sat, Nov 19, 2011 at 6:48 PM, Tom Hughes <tom at compton.nu> wrote:
> On 19/11/11 12:00, Pierre GIRAUD wrote:
>
>> As already said, I don't claim any specific version. Which is somewhat
>> wrong. Or maybe the library I use does it for me.
>
> That is actually valid as 1.0 is the default, and 1.0a doesn't actually use
> a separate version - it is triggered by the presence of the callback
> parameter when creating a request token.
>
> You were in fact correct that I had broken 1.0a last night when I fixed the
> 1.0 callback handling... That is now fixed, and we have 240 new assertions
> in our test suite to try and make sure we don't break OAuth again in the
> future.
>
> For the record you should use 1.0a if possible as 1.0 has security issues
> and we should really stop allowing it - we just need to make Potlatch and
> JOSM use 1.0a first...
>
> Tom
>
> --
> Tom Hughes (tom at compton.nu)
> http://compton.nu/
>



-- 
-------------------------------------------------------------
  | Pierre GIRAUD
  | http://pierrelebricoleur.blogspot.com
  | http://www.flickr.com/photos/pierregiraud
-------------------------------------------------------------
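Added example (not code from the OSM project, Tom, or Pierre): a self-contained toy of the OAuth 1.0a exchange the thread discusses. It shows Tom's point that 1.0a is not a separate version string but is signalled by sending oauth_callback with the request-token request (the server answers oauth_callback_confirmed=true and later demands oauth_verifier), and it answers Pierre's question from the server side: the provider remembers which user has already approved which consumer and skips the permission prompt on the next login, as in the Facebook flow, until the grant is revoked. The Provider class, the consumer key "appkey"/"appsecret", the user "pierre" and every URL under example.invalid are constructed for the illustration; a real server would also keep nonce/timestamp replay state and persist grants.

```python
"""Toy OAuth 1.0a exchange: HMAC-SHA1 signing, oauth_callback at request-token
time, oauth_verifier at access-token time, and a provider that remembers grants
so a returning user is not prompted again.  Constructed, in-memory illustration."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """METHOD&pct(url)&pct(params sorted by encoded name, then value)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; key = pct(consumer_secret)&pct(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signed_params(method, url, key, secret, extra, token_secret=""):
    """Consumer side: build the oauth_* parameter set and sign it."""
    params = {"oauth_consumer_key": key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}          # 1.0a adds no separate version string
    params["oauth_signature"] = sign(method, url, params, secret, token_secret)
    return params


class Provider:
    """Hypothetical 1.0a server (constructed for this example)."""

    def __init__(self, consumers):
        self.consumers = consumers        # consumer_key -> consumer_secret
        self.request_tokens = {}          # request token -> state
        self.grants = set()               # (user, consumer_key) already approved
        self.access_tokens = {}           # access token -> (user, consumer_key)

    def _verify(self, method, url, params, token_secret=""):
        expected = sign(method, url, params, self.consumers[params["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")

    def request_token(self, method, url, params):
        self._verify(method, url, params)
        if "oauth_callback" not in params:            # a plain 1.0 request: refuse it
            raise PermissionError("oauth_callback required; OAuth 1.0 not accepted")
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"consumer": params["oauth_consumer_key"], "secret": token_secret,
                                      "callback": params["oauth_callback"], "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": token_secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token, user, approves):
        """Returns (prompted, redirect_url).  A remembered grant skips the prompt."""
        st = self.request_tokens[token]
        prompted = (user, st["consumer"]) not in self.grants
        if prompted:
            if not approves:
                raise PermissionError("user declined")
            self.grants.add((user, st["consumer"]))
        st["user"], st["verifier"] = user, secrets.token_hex(8)
        return prompted, f"{st['callback']}?oauth_token={token}&oauth_verifier={st['verifier']}"

    def revoke(self, user, consumer_key):
        """What the user does from the profile page: forget the grant."""
        self.grants.discard((user, consumer_key))

    def access_token(self, method, url, params):
        st = self.request_tokens[params["oauth_token"]]
        self._verify(method, url, params, st["secret"])
        # The verifier ties the browser session that approved the token to the
        # consumer redeeming it; its absence is the session-fixation hole in 1.0.
        if st["verifier"] is None or not hmac.compare_digest(st["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("missing or wrong oauth_verifier")
        del self.request_tokens[params["oauth_token"]]      # request tokens are single use
        token = secrets.token_hex(8)
        self.access_tokens[token] = (st["user"], st["consumer"])
        return {"oauth_token": token, "oauth_token_secret": secrets.token_hex(16)}


def rejected(call, *args):
    """True if the provider refuses the call (used to demonstrate the checks)."""
    try:
        call(*args)
        return False
    except PermissionError:
        return True


def login(provider, user, approves=True, key="appkey", secret="appsecret"):
    """One consumer login, as in the workflow steps 1 and 3: returns (prompted, access_token)."""
    rt_url, at_url = "https://example.invalid/oauth/request_token", "https://example.invalid/oauth/access_token"
    rt = provider.request_token("POST", rt_url, signed_params("POST", rt_url, key, secret,
                                {"oauth_callback": "https://app.example.invalid/cb"}))
    if rt["oauth_callback_confirmed"] != "true":
        raise RuntimeError("server did not confirm the callback: not a 1.0a server")
    prompted, redirect = provider.authorize(rt["oauth_token"], user, approves)
    verifier = redirect.rsplit("oauth_verifier=", 1)[1]
    at = provider.access_token("POST", at_url, signed_params("POST", at_url, key, secret,
                               {"oauth_token": rt["oauth_token"], "oauth_verifier": verifier},
                               rt["oauth_token_secret"]))
    return prompted, at["oauth_token"]
```

Calling login() twice for the same user on one Provider prompts only the first time; after revoke() the next login prompts again. The "remembered grant" is entirely provider state, which is why the consumer cannot obtain Facebook-like behaviour on its own with 1.0a: the protocol carries no "already authorized" signal, so the server has to decide at the authorize step whether to show the permission page or redirect straight back with a fresh verifier.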