OAuth is a joke.

March 13, 2010

From oauth.net, OAuth is

An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

Unfortunately, as it turns out, OAuth is neither simple nor standard in practice. In case you don’t care to read the tutorials, OAuth works something like this:

  1. You request a consumer key and consumer secret from a “service provider” (such as Twitter).
  2. You use this consumer key and secret to sign a request for a “request token” and its secret. (This is the step the 2009 OAuth 1.0a revision changed: the callback URL moved here, and an oauth_verifier was added to the response, to close the session fixation hole in the original 1.0 flow.)
  3. You use the request token to build the URL the user visits to log in and authorize your application.
  4. You either do, or don’t, pass a callback URL to the above request to receive the response.
  5. Your callback URL gets hit with the data needed to exchange the request token for an “access token” and “access token secret”, which may expire or be revoked at any time.

These steps, however, are not so clear cut when you actually start using service providers which offer OAuth authentication.

Let’s look at the behavior of some big-name web services which have adopted OAuth.


Twitter, I think, has taken a progressive approach to OAuth authentication. If you don’t pass a callback URL, the user gets a pretty screen showing a PIN code to type back into the application they came from (that PIN is the oauth_verifier, delivered out of band instead of via a callback).


This looks great, right? Well, try the same thing on TripIt and you just get the raw response back:

Response:

oauth_token=935394b819ab32c9558e7063dbb3bcda9c274a00

TripIt presents no user display, so you’re stuck if you didn’t want to provide a callback URL. Once you understand that Twitter just does things differently, you begin to assume that using a callback URL would work swimmingly. Well, if you wanted Twitter support, you just lost it. Look at Twitter’s response to a request with a callback URL specified:

Response URL:

http://stefankendall.com:8080/test.jsp?oauth_token=0yLxRrUoxHJxA0tF8hJSxP2EHfFaYyw1a3nW4Dqg&oauth_verifier=Alzk3ehPRq6bbjvISlgXqn9Jk7yZJlmst0jtXpg

That’s right. TWO values, whereas TripIt just provided one. Here oauth_token is the request token you started with, and oauth_verifier is the extra value you must include when exchanging it for the access token; a client that only reads oauth_token cannot complete the exchange on Twitter. The verifier is what the OAuth 1.0a revision added, so the two providers are answering to two different revisions of the “standard”, and the naming and response schemes of TripIt and Twitter simply don’t match. Oy vey.
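The five steps listed earlier and the two callback shapes just shown, as an added example that is not code from the original post, from Twitter or from TripIt: a stdlib-only client-side signer for the OAuth 1.0/1.0a legs, plus a callback parser that accepts both the one-value response (oauth_token only) and the two-value response (oauth_token plus oauth_verifier) and carries the verifier through to the access token request. The consumer keys, secrets, nonces, timestamps and the provider URL in it are constructed placeholders; the one real value is the HMAC-SHA1 vector from Appendix A of the OAuth Core 1.0 spec, used to check that the signer builds the base string correctly.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Added example, not code from the original post or from any provider's SDK.
# It walks the client side of the OAuth 1.0 / 1.0a flow the post describes:
# HMAC-SHA1 signing of each leg (OAuth Core 1.0 sections 9.1 and 9.2) and a
# callback parser that accepts both the one-value (OAuth 1.0, TripIt-style)
# and two-value (OAuth 1.0a, Twitter-style) responses. Keys, tokens, nonces,
# timestamps and URLs are constructed placeholders, except the signing vector
# from Appendix A of the OAuth Core 1.0 spec used to check the signer.
# Assumption for brevity: parameter names are unique (the spec also allows
# repeated names, which would need a list of pairs instead of a dict).


def pct(value) -> str:
    """Percent-encode per RFC 3986 leaving only unreserved characters bare,
    as OAuth requires (so ' ' becomes %20 and '~' stays)."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """METHOD & pct(normalized URL) & pct(sorted, encoded parameters)."""
    parts = urllib.parse.urlsplit(url)
    scheme, host, port = parts.scheme.lower(), (parts.hostname or "").lower(), parts.port
    # Default ports are omitted from the base string URL; others are kept.
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path or '/'}"
    # Query-string parameters are signed alongside the oauth_* parameters.
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    params.update(oauth_params)
    params.pop("oauth_signature", None)  # never part of its own base string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is pct(consumer secret) & pct(token secret); the token secret is
    empty on the request-token leg because no token exists yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    """Return oauth_params plus the computed oauth_signature."""
    base = signature_base_string(method, url, oauth_params)
    return {**oauth_params,
            "oauth_signature": hmac_sha1_signature(base, consumer_secret, token_secret)}


def parse_callback(query: str) -> dict:
    """Parse what the provider appended to the callback URL. A 1.0 provider
    returns only oauth_token; a 1.0a provider also returns oauth_verifier,
    which must be echoed on the access-token request."""
    fields = dict(urllib.parse.parse_qsl(query, keep_blank_values=True))
    if "oauth_token" not in fields:
        raise ValueError("callback carried no oauth_token")
    return {"oauth_token": fields["oauth_token"],
            "oauth_verifier": fields.get("oauth_verifier")}  # None for a 1.0 provider


def access_token_request(consumer_key, consumer_secret, request_token_secret,
                         callback_fields, nonce, timestamp, url):
    """Build and sign the access-token leg, carrying the verifier through
    only when the provider issued one."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": callback_fields["oauth_token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    if callback_fields["oauth_verifier"] is not None:
        params["oauth_verifier"] = callback_fields["oauth_verifier"]
    return sign_request("POST", url, params, consumer_secret, request_token_secret)


# Real vector from OAuth Core 1.0, Appendix A.5: signing a protected-resource
# GET with the listed secrets must reproduce the listed signature.
SPEC_VECTOR = {
    "method": "GET",
    "url": "http://photos.example.net/photos?file=vacation.jpg&size=original",
    "params": {
        "oauth_consumer_key": "dpf43f3p2l4k3l03",
        "oauth_token": "nnch734d00sl2jdk",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1191242096",
        "oauth_nonce": "kllo9940pd9333jh",
        "oauth_version": "1.0",
    },
    "consumer_secret": "kd94hf93k423kf44",
    "token_secret": "pfkkdhi9sl3r4s00",
    "signature": "tR3+Ty81lMeYAr/Fid0kMTYa/WM=",
}


def check_spec_vector() -> bool:
    v = SPEC_VECTOR
    signed = sign_request(v["method"], v["url"], v["params"], v["consumer_secret"], v["token_secret"])
    return signed["oauth_signature"] == v["signature"]


if __name__ == "__main__":
    print("spec vector ok:", check_spec_vector())
    # The two callback shapes quoted in the post; secrets, nonce, timestamp
    # and URL below are constructed placeholders.
    for name, query in (("TripIt", "oauth_token=935394b819ab32c9558e7063dbb3bcda9c274a00"),
                        ("Twitter", "oauth_token=0yLxRrUoxHJxA0tF8hJSxP2EHfFaYyw1a3nW4Dqg"
                                    "&oauth_verifier=Alzk3ehPRq6bbjvISlgXqn9Jk7yZJlmst0jtXpg")):
        req = access_token_request("consumer-key", "consumer-secret", "request-token-secret",
                                   parse_callback(query), "nonce123", 1268438400,
                                   "https://provider.example/oauth/access_token")
        print(name, "sends oauth_verifier:", "oauth_verifier" in req)
```

The design point is that the client never branches on which provider it is talking to: it signs every leg the same way, and the only provider-dependent decision is whether the callback carried a verifier to forward. Running the module prints `True` for the spec vector, `False` for the TripIt-shaped callback and `True` for the Twitter-shaped one.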

I would go on about Netflix, but that’s a jump down the rabbit hole I’m not willing to take right now.

OAuth is a joke, and as it stands, it’s neither simple nor a standard. Good grief.

posted in prog by Stefan Kendall
