smart.fm OAuth will support OAuth 1.0a (+ overview of how OAuth 1.0a support works) 雨つゆに 鐘の音ひびく 京の路 Since both the ruby oauth gem and the rails oauth plugin now support OAuth 1.0a, we decided that smart.fm would support OAuth 1.0a as well. The implementation is already finished, so if all goes to plan it will be deployed to production before noon tomorrow. After the OAuth vulnerability was discovered we provisionally added the following two restrictions, but both of them are lifted with OAuth 1.0a support: the oauth_callback passed at authorize time is ignored; the request token lifetime was also made quite short. Note, however, that in OAuth 1.0a the point at which oauth_callback is specified moves from the authorize step to the get reque
Abstract The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication. An example use case is allowing printing service printer.
All Yahoo! services using OAuth are now upgraded to the new OAuth 1.0a version of the protocol, resolving the session fixation security issue. The upgraded services include all Y!OS APIs (Contacts, Updates, Status, and Social Directory) and Fire Eagle. Users authorizing applications using OAuth 1.0a will not see the security interstitial screen that is displayed for apps that are still using the o
The piece "Explaining the OAuth Session Fixation Attack" was interesting, so I tried translating it. If anyone comes up with a solution, I think it would be good to send it to the OAuth mailing list. Not that I am a member myself. Also, if there are any mistranslations, leave a comment and I will fix them. To be honest, I have never even used OAuth. (As noted at the link, the original is provided by Eran Hammer-Lahav under CC BY 3.0 US.) Addendum: it was also in the news in Japan: http://www.atmarkit.co.jp/news/200904/23/oauth.html Addendum 2: the images in the original article were updated, so I updated this to match. Translation follows: There is a lot to say about the OAuth protocol security issue that we discovered and addressed last week.
There is a session fixation attack against OAuth 1.0. There is a security advisory. There have been a lot of mailing list threads on this. There was a meetup on Friday to talk about the problem. Folks from Yahoo, MySpace, Google, LinkedIn, and Plaxo attended. We discussed two proposals: Signed Callback URLs Signed Approval URLs (A large number of other proposals were discussed briefly, but aren
OAuth Security Advisory: 2009.1 23-April-2009 A session fixation attack against the OAuth Request Token approval flow (OAuth Core 1.0 Section 6) has been discovered. Impact All standards-compliant implementations of the OAuth Core 1.0 protocol that use the OAuth authorization flow (also known as ‘3-legged OAuth’) are affected. Details The attack starts with the attacker visiting the (honest) Consu
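The advisory above and the smart.fm post at the top of this page describe the same problem and the same fix: in OAuth Core 1.0 an attacker who starts the three-legged flow at an honest Consumer holds the request token, and once the victim approves it nothing prevents the attacker's own session from finishing the exchange. OAuth 1.0a binds oauth_callback at request-token time and adds oauth_verifier, which is handed to the user's browser on approval and must be presented at the access-token exchange. The following is an added example, not code from any of the bookmarked sources: a toy in-memory model of a Service Provider and an honest Consumer, with the attack from the advisory run against a 1.0 and a 1.0a provider. It omits request signing and HTTP; the 1.0a behaviour is taken from OAuth Core 1.0 Revision A, and the consumer key, callback URL and session identifiers are hypothetical.

```python
"""Toy model of OAuth 1.0 three-legged authorization and the 1.0a fix.

Added example for this page, not code from any bookmarked post. No signing,
no HTTP, in-memory stores. The 1.0a behaviour (oauth_callback bound when the
request token is issued, oauth_verifier issued on approval and required at
the access-token exchange) follows OAuth Core 1.0 Revision A. Names, URLs
and session ids are hypothetical.
"""
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

CONSUMER_KEY = "printer.example"                        # hypothetical
CONSUMER_CALLBACK = "https://printer.example/oauth/cb"  # hypothetical


class OAuthError(Exception):
    pass


@dataclass
class RequestToken:
    token: str
    callback: Optional[str]             # 1.0a: fixed when the token is issued
    authorized_by: Optional[str] = None
    verifier: Optional[str] = None      # 1.0a only


class ServiceProvider:
    """The site holding the user's account (Yahoo!, smart.fm, ...)."""

    def __init__(self, one_a: bool):
        self.one_a = one_a
        self.request_tokens = {}

    def get_request_token(self, consumer_key, oauth_callback=None):
        # 1.0a: the callback is bound here, not taken from the authorize URL.
        if self.one_a and not oauth_callback:
            raise OAuthError("1.0a requires oauth_callback with the request token")
        rt = RequestToken(secrets.token_hex(8), oauth_callback if self.one_a else None)
        self.request_tokens[rt.token] = rt
        return rt.token

    def authorize(self, oauth_token, user, oauth_callback=None):
        """User approves the token; returns the redirect sent to the user's browser."""
        rt = self.request_tokens[oauth_token]
        rt.authorized_by = user
        if self.one_a:
            rt.verifier = secrets.token_hex(8)  # reaches the consumer only via this browser
            return f"{rt.callback}?oauth_token={rt.token}&oauth_verifier={rt.verifier}"
        # 1.0: the oauth_callback on the authorize URL is trusted; there is no verifier.
        return f"{oauth_callback}?oauth_token={rt.token}"

    def get_access_token(self, oauth_token, oauth_verifier=None):
        rt = self.request_tokens.pop(oauth_token, None)
        if rt is None or rt.authorized_by is None:
            raise OAuthError("request token unknown or not yet authorized")
        if self.one_a and (oauth_verifier is None or oauth_verifier != rt.verifier):
            raise OAuthError("oauth_verifier missing or wrong")
        return {"access_token": secrets.token_hex(8), "user": rt.authorized_by}


class Consumer:
    """Honest consumer: ties each pending request token to the session that started it."""

    def __init__(self, sp: ServiceProvider):
        self.sp = sp
        self.pending = {}  # browser session id -> request token

    def start_login(self, session_id):
        token = self.sp.get_request_token(CONSUMER_KEY, CONSUMER_CALLBACK)
        self.pending[session_id] = token
        return token  # the browser is then sent to the SP's authorize page for this token

    def callback(self, session_id, oauth_token, oauth_verifier=None):
        if self.pending.pop(session_id, None) != oauth_token:
            raise OAuthError("token does not belong to this session")
        return self.sp.get_access_token(oauth_token, oauth_verifier)["user"]


def legitimate_login(one_a: bool) -> str:
    """Normal flow: the same browser session starts the login and hits the callback."""
    sp = ServiceProvider(one_a)
    consumer = Consumer(sp)
    token = consumer.start_login("alice-session")
    redirect = sp.authorize(token, user="alice", oauth_callback=CONSUMER_CALLBACK)
    params = parse_qs(urlparse(redirect).query)
    return consumer.callback("alice-session", token, params.get("oauth_verifier", [None])[0])


def session_fixation(one_a: bool) -> Optional[str]:
    """The attack from OAuth Security Advisory 2009.1. Returns the identity the
    attacker ends up logged in as, or None if the exchange is refused."""
    sp = ServiceProvider(one_a)
    consumer = Consumer(sp)
    # 1. Attacker starts a login at the honest consumer and notes the request token.
    token = consumer.start_login("attacker-session")
    # 2. Attacker lures the victim to the authorize page for that token; the victim
    #    approves. The redirect (carrying the 1.0a verifier) goes to the victim's
    #    browser, so the attacker never sees it.
    sp.authorize(token, user="victim", oauth_callback="https://attacker.example/")
    # 3. Attacker returns to the consumer's callback in their own session with the
    #    token they already know. Under 1.0 that is all the consumer needs.
    try:
        return consumer.callback("attacker-session", token)
    except OAuthError:
        return None
```

`session_fixation(False)` returns "victim": the attacker's session at the consumer is now logged in as the victim. `session_fixation(True)` returns None, because the consumer cannot supply an oauth_verifier it never received, and the legitimate flow still completes under both versions. The two interim measures smart.fm mentions (ignoring oauth_callback at authorize time, short request-token lifetimes) only narrow the window; the attacker in step 3 never needs the callback at all.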
As you may know, several Yahoo! APIs use OAuth, an open standard that lets users give a service permission to access the information they’ve stored with a third-party website without exposing their password and account information. The Yahoo! APIs that leverage OAuth include our Y!OS Social Directory, Contacts, Status, and Updates APIs, as well as Fire Eagle. Recently, the folks at OAuth let us k
Security flaw leads Twitter, others to pull OAuth support Use of the open-source protocol has been put on hold by some major Web services until a security issue has been resolved, developers tell CNET News. A security hole in OAuth, the open-source protocol that acts as a "valet key" for users' log-in information, has led services like Twitter and Yahoo to temporarily pull their support, C
Abstract This specification defines the concept of an Authorization Session which represents the authorization granted to the Consumer to access Protected Resources on behalf of the User. OAuth Core 1.0 assumes that the Authorization Session lifetime and the Access Token lifetime are equal. This specification defines a mechanism for Service Providers to issue Access Tokens with shorter life