Re: [Snowy] OAuth in Snowy
- From: Sandy Armstrong <sanfordarmstrong gmail com>
- To: Stuart Langridge <stuart langridge canonical com>
- Cc: snowy-list gnome org
- Subject: Re: [Snowy] OAuth in Snowy
- Date: Thu, 11 Jun 2009 08:12:34 -0700
On Thu, Jun 11, 2009 at 7:29 AM, Stuart
Langridge<stuart langridge canonical com> wrote:
> Sandy Armstrong wrote:
>>> I specified consumer key and consumer secret for Tomboy as "tomboy" for
>>> each. Since it's open source the key and secret are relatively
>>> irrelevant, and are not secret (this is a thing about OAuth generally,
>>> not specific to our implementation of it); they're like a user-agent
>>> string (as you note), so they're useful as an optional "flag" (so you
>>> can say "throttle 'tomboy' because it's got a bug in it, or similar).
>> Okay, that makes a lot of sense (assuming it doesn't somehow hurt
>> cryptographic integrity of the rest of the signature stuff). Still,
>> all server implementers need to collaborate on those.
> Sort of; if you're a server implementor, you could just allow *any*
> consumer key/secret combination, rather than limiting it to certain
> specific ones?
Well, that won't really work unless you always use PLAINTEXT, as the
consumer secret is part of the signature key and should be a known
However, per the OAuth spec:
"The Consumer Secret MAY be an empty string (for example when no
Consumer verification is needed, or when verification is achieved
through other means such as RSA)."
Maybe that's the best approach.
Do we know if django-piston supports automatically adding new consumer
keys that appear in requests? Probably not...we should probably
implement that part ourselves.
] [Thread Prev