Created May 19, 2009 00:42
# Updating Ruby OAuth Consumers to 1.0a

In response to April's [OAuth Security Advisory](http://oauth.net/advisories/2009-1), the OAuth community has penned a [new draft of the specification](http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_0a.html), titled 1.0a (currently in draft 3). This makes a number of changes to the flow:

1. providing an `oauth_callback` is now part of the Request Token stage (if the client cannot accept callbacks, the value MUST be _oob_)
2. `oauth_callback_confirmed` MUST be present (and _true_) when the SP issues a Request Token to the client
3. an `oauth_verifier` parameter is provided to the callback URL (or displayed if no callback URL was configured) and MUST be included when exchanging the Request Token for an Access Token
Code that once looked like this:

```ruby
# OAuth 1.0 flow: the callback was only attached to the authorization URL
request_token = consumer.get_request_token
puts "Please visit the following URL to authorize this application:"
puts request_token.authorize_url(:oauth_callback => callback_url)
# wait for input
gets
access_token = request_token.get_access_token
```
Should now look like this:

```ruby
# OAuth 1.0a flow: the callback is sent with the Request Token request instead
request_token = consumer.get_request_token(:oauth_callback => callback_url)
puts "Please visit the following URL to authorize this application:"
puts request_token.authorize_url
# wait for input: `oauth_verifier` is extracted from the expanded callback URL,
# or (for an `oob` client) was displayed to the user, who pastes it here
oauth_verifier = gets.strip
access_token = request_token.get_access_token(:oauth_verifier => oauth_verifier)
```
The changes to the spec are limited to the Request Token <=> Access Token exchange, so once you have an Access Token, signing requests with it behaves exactly as it did before. For this reason, clients that only implement 2-legged OAuth (which never issue Request Tokens) are unaffected.

[Section 11.14. Cross-Site Request Forgery (CSRF)](http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_0a.html#anchor38) is also worth reading (and understanding): the verifier alone does not stop an attacker from feeding a callback for a token _they_ authorized into someone else's session, so the Consumer still has to tie the token it receives on the callback URL to the session that started the flow.
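To make the three changes above and the callback check from Section 11.14 concrete, here is an added example that is not part of this gist or of the `oauth` gem: a hypothetical in-memory Service Provider and Consumer that talk directly to each other instead of over HTTP, so the whole 1.0a handshake runs offline. The class names, the `oauth_callback_confirmed` check in `ConsumerClient#start`, the session-bound token check in `ConsumerClient#finish` and the `example` host names are all assumptions of this example; the parameter names are the spec's.

```ruby
require 'securerandom'
require 'uri'
require 'cgi'

# Hypothetical Service Provider (assumed for this example, not the oauth gem).
class ServiceProvider
  def initialize
    @request_tokens = {} # token => { secret:, callback:, verifier:, authorized: }
  end

  # Request Token stage: oauth_callback is mandatory ('oob' if the client has none).
  def issue_request_token(oauth_callback)
    raise ArgumentError, 'oauth_callback is required in 1.0a' if oauth_callback.to_s.empty?
    token = SecureRandom.hex(8)
    @request_tokens[token] = { secret: SecureRandom.hex(16), callback: oauth_callback,
                               verifier: nil, authorized: false }
    # oauth_callback_confirmed tells the client the SP understood the callback.
    { oauth_token: token, oauth_token_secret: @request_tokens[token][:secret],
      oauth_callback_confirmed: 'true' }
  end

  # User approval: mint a verifier, then redirect to the callback or display it.
  def authorize(token)
    entry = @request_tokens.fetch(token) { raise ArgumentError, 'unknown request token' }
    entry[:verifier] = SecureRandom.hex(4)
    entry[:authorized] = true
    return { display: entry[:verifier] } if entry[:callback] == 'oob'
    uri = URI(entry[:callback])
    extra = URI.encode_www_form(oauth_token: token, oauth_verifier: entry[:verifier])
    uri.query = [uri.query, extra].compact.join('&')
    { redirect: uri.to_s }
  end

  # Access Token stage: the verifier MUST be present and match; token is single use.
  def exchange(token, oauth_verifier)
    entry = @request_tokens.fetch(token) { raise ArgumentError, 'unknown request token' }
    raise ArgumentError, 'request token not authorized' unless entry[:authorized]
    raise ArgumentError, 'oauth_verifier missing or wrong' unless oauth_verifier == entry[:verifier]
    @request_tokens.delete(token)
    { oauth_token: SecureRandom.hex(8), oauth_token_secret: SecureRandom.hex(16) }
  end
end

# Hypothetical Consumer: one instance per user session, so the Request Token it
# issued can be tied back to the callback that returns it (Section 11.14).
class ConsumerClient
  def initialize(provider, callback_url)
    @provider, @callback_url, @pending = provider, callback_url, nil
  end

  def start
    resp = @provider.issue_request_token(@callback_url)
    raise 'SP is not 1.0a: oauth_callback_confirmed missing' unless resp[:oauth_callback_confirmed] == 'true'
    @pending = resp[:oauth_token]
    resp
  end

  # Parse the expanded callback URL; refuse any token this session did not request.
  def finish(callback_url)
    params = CGI.parse(URI(callback_url).query.to_s)
    token, verifier = params['oauth_token'].first, params['oauth_verifier'].first
    raise 'oauth_token does not match this session (possible CSRF)' unless token && token == @pending
    @pending = nil
    @provider.exchange(token, verifier)
  end
end

# Happy path with a real callback: returns the Access Token hash.
def run_1_0a_flow(callback_url = 'https://consumer.example/oauth/callback?session=42')
  sp = ServiceProvider.new
  client = ConsumerClient.new(sp, callback_url)
  req = client.start
  client.finish(sp.authorize(req[:oauth_token])[:redirect])
end

# A pre-1.0a style exchange (no verifier) against a 1.0a provider must fail.
def legacy_exchange_rejected?
  sp = ServiceProvider.new
  req = sp.issue_request_token('oob')
  sp.authorize(req[:oauth_token])
  sp.exchange(req[:oauth_token], nil)
  false
rescue ArgumentError
  true
end

# 11.14 scenario: the attacker authorizes their own token and gets a valid
# verifier, then tricks the victim's browser into hitting the Consumer's
# callback with it; the Consumer must refuse before calling the SP.
def foreign_token_rejected?
  sp = ServiceProvider.new
  victim = ConsumerClient.new(sp, 'https://consumer.example/cb')
  attacker = ConsumerClient.new(sp, 'https://consumer.example/cb')
  victim.start
  redirect = sp.authorize(attacker.start[:oauth_token])[:redirect]
  victim.finish(redirect)
  false
rescue RuntimeError
  true
end
```

Note that the verifier closes the original advisory (an attacker who tricks a user into authorizing the attacker's Request Token never learns the verifier), but only the session binding in `finish` closes the CSRF variant, which is why the two checks are kept separate here.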