Re: [Snowy] OAuth in Snowy
On Thu, Jun 11, 2009 at 7:29 AM, Stuart Langridge <stuart langridge canonical com> wrote:
> Sandy Armstrong wrote:
>>> I specified consumer key and consumer secret for Tomboy as "tomboy" for
>>> each. Since it's open source the key and secret are relatively
>>> irrelevant, and are not secret (this is a thing about OAuth generally,
>>> not specific to our implementation of it); they're like a user-agent
>>> string (as you note), so they're useful as an optional "flag" (so you
>>> can say "throttle 'tomboy' because it's got a bug in it, or similar).
>>
>> Okay, that makes a lot of sense (assuming it doesn't somehow hurt
>> cryptographic integrity of the rest of the signature stuff).  Still,
>> all server implementers need to collaborate on those.
>
> Sort of; if you're a server implementor, you could just allow *any*
> consumer key/secret combination, rather than limiting it to certain
> specific ones?

Well, that won't really work unless you always use PLAINTEXT, as the
consumer secret is part of the signature key and should be a known
entity.

However, per the OAuth spec:

"The Consumer Secret MAY be an empty string (for example when no
Consumer verification is needed, or when verification is achieved
through other means such as RSA)."

Maybe that's the best approach.

Do we know if django-piston supports automatically adding new consumer
keys that appear in requests?  Probably not...we should probably
implement that part ourselves.

Sandy
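The point made above about the consumer secret being half of the signing key, as an added worked example (not Snowy, Tomboy or django-piston code): it builds OAuth 1.0 signatures the way the spec describes and then runs the cases from the thread. A server that registered the consumer secret verifies an HMAC-SHA1 request; a server that did not, and treats the secret as empty, rejects the same request; with an empty consumer secret on both sides (which the spec permits) verification works and the token secret alone is what protects the signature; and with PLAINTEXT the request carries the key itself, which is why "accept any consumer" only works there. The URL, token, nonce, timestamp and secrets are constructed values.

```python
"""OAuth 1.0 request signing, written to show why "accept any consumer
key/secret" only works with PLAINTEXT, and what an empty consumer secret
(which the spec permits) does to the HMAC-SHA1 signing key.

Added example for this thread; it is not Snowy, Tomboy or django-piston code.
The URL, nonce, timestamp and secrets below are constructed values."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encode as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ unencoded."""
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & base-URL & normalized parameters.
    Parameters come from the query string and the oauth_* values (a form
    body would be merged the same way); oauth_signature is never included."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if parts.port and (scheme, parts.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{parts.port}"
    base_url = f"{scheme}://{host}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def signing_key(consumer_secret, token_secret):
    """Key for HMAC-SHA1 (and the whole signature for PLAINTEXT):
    pct(consumer_secret) & pct(token_secret).  With an empty consumer secret
    the key is just '&' + token secret, so only the token secret is secret."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """Client-side HMAC-SHA1 signature, base64 as OAuth transmits it."""
    key = signing_key(consumer_secret, token_secret).encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def verify_hmac_sha1(method, url, params, consumer_secret, token_secret):
    """Server-side check.  The server must recompute the MAC, so it needs the
    consumer secret registered for params['oauth_consumer_key'] in advance."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def verify_plaintext_any_consumer(params, token_secret):
    """Server-side PLAINTEXT check for a server that accepts any consumer:
    the signature *is* the signing key, so only the token-secret half is
    compared and the consumer secret is simply whatever the client sent."""
    presented = params.get("oauth_signature", "")
    _consumer_part, sep, token_part = presented.partition("&")
    return bool(sep) and hmac.compare_digest(token_part, pct(token_secret))


def demo():
    """Runs the cases discussed in the thread and returns their outcomes."""
    url = "https://snowy.example/api/1.0/user/notes?since=10"  # constructed
    token_secret = "t0k3n-s3cr3t"                                # constructed
    params = {
        "oauth_consumer_key": "tomboy",
        "oauth_token": "abc",                                    # constructed
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1244726940",                         # constructed
        "oauth_nonce": "n1",                                     # constructed
        "oauth_version": "1.0",
    }
    # Consumer secret "tomboy" known to both sides.
    signed = dict(params, oauth_signature=hmac_sha1_signature("GET", url, params, "tomboy", token_secret))
    # Empty consumer secret on both sides, as the spec allows.
    signed_empty = dict(params, oauth_signature=hmac_sha1_signature("GET", url, params, "", token_secret))
    # PLAINTEXT: the request carries the signing key, so any consumer can be accepted.
    plain = dict(params, oauth_signature_method="PLAINTEXT",
                 oauth_signature=signing_key("tomboy", token_secret))
    return {
        "hmac_known_consumer": verify_hmac_sha1("GET", url, signed, "tomboy", token_secret),
        # a server that never registered "tomboy" cannot verify the same request
        "hmac_unknown_consumer": verify_hmac_sha1("GET", url, signed, "", token_secret),
        "hmac_empty_consumer_secret": verify_hmac_sha1("GET", url, signed_empty, "", token_secret),
        # with an empty consumer secret, the token secret is the only thing a forger lacks
        "hmac_empty_consumer_wrong_token": verify_hmac_sha1("GET", url, signed_empty, "", "other"),
        "plaintext_any_consumer": verify_plaintext_any_consumer(plain, token_secret),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'verified' if ok else 'rejected'}")
```

The takeaway for a server implementer is that HMAC-SHA1 verification requires the consumer secret to be known before the request arrives, so "any consumer" on the server side amounts to registering unknown keys with an empty secret, at which point the per-user token secret is carrying all of the protection.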

