Jonathan Rochkind wrote: [...]
> But if you just want to "publish an OAuth-using client that's not easy
> to impersonate" -- well, it depends on what you mean. Do you mean you
> want the server to know that the client application, that is distributed
> to end-users, is "The Twitterific Client", in a crypto-secure way? You
> indeed can not do that. This is not OAuth's fault, it's the universe's
> fault. There is no way to do this absolutely reliably, although the DRM
> people sure try, and Facebook tried, causing the problems that blogger
> was complaining about. There's no other solution that will do that
> either, it's not a unique failing of OAuth, and it's not the problem
> domain OAuth was trying to solve, mainly.
Mainly? Why does it include something that even looks like a solution
to a problem that is actually insoluble?
What problem was it trying to solve? If it was "a process for
end-users to authorize third-party access to their server resources
without sharing their credentials" then I feel a simpler method is
possible, as described below. (Quote from RFC 5849)
> Do you not care about authenticating that the client software is "The
> Twitterific Client", but you just care about knowing that Joe Smith has
> authorized it (whatever it is) to access Joe Smith's twitter account?
> Ah, now THAT is indeed the use case of OAuth. The first one was not the
> use case of OAuth, and Facebook trying to use OAuth anyway to accomplish
> it is what causes the problems.
What is the use case? http://oauth.net/core/1.0a/ claimed "OAuth
creates a freely-implementable and generic methodology for API
authentication." Shouldn't we expect generic authentication to
include authenticating both peers?
I feel that OAuth has tried to be jack of all trades.
> How do you do this? By, as mentioned in the blog post you cited,
> following the OAuth specs recommendations, unlike Twitter:
>
> "In many applications, the Consumer application will be under the
> control of potentially untrusted parties. For example, if the Consumer
> is a freely available desktop application, an attacker may be able to
> download a copy for analysis. In such cases, attackers will be able to
> recover the Consumer Secret used to authenticate the Consumer to the
> Service Provider. Accordingly, Service Providers should not use the
> Consumer Secret alone to verify the identity of the Consumer." [right
> from the OAuth spec; that Twitter may have ignored this is not OAuth's
> fault].
I think we're rehashing what's written in links already posted, but
that section continues "Where possible, other factors such as IP
address should be used as well" which seems somewhat inadequate
as an authentication component.
The specs don't really give any positive direction on how to handle
published Consumer applications, so I feel it's not surprising that
Twitter and others filled the vacuum with silliness.
> Yes, to do this, OAuth requires one of two workflows, neither ideal:
> 1) Redirect to Twitter where the user logs in, and is then redirected
> back [...]
> 2) Have the user enter their twitter login/password directly in client
> application, which then sends it on to twitter. [...]
> Not ideal, true. But no other solution is going to do better, because
> that's just how the universe works, unless some genius can come up with
> something nobody's thought of yet.
The authentication workflow isn't the problem. It's this consumer
secret nonsense. I've been pointed at Yahoo's CCK which looks like
an API to work around this problem with OAuth:
http://developer.yahoo.com/oauth/guide/create-consumer-key-guide.html
But what's wrong with the idea of a CCK-like way of creating a
subsidiary username with limited privileges and communicating that
back to the app for use? The authentication workflow can even be the
same.
In other words, apart from this consumer secret confusion, what does
OAuth add to this field which wasn't already there with HTTPS
authentication and cookies?
Confused,
--
MJ Ray (slef), member of www.software.coop, a for-more-than-profit co-op.
Webmaster, Debian Developer, Past Koha RM, statistician, former lecturer.
In My Opinion Only: see http://mjr.towers.org.uk/email.html
Available for hire for Koha work http://www.software.coop/products/koha
|