OAuth
De Mi caja de notas
This article is a stub. You can help the IndieWeb wiki by expanding it.
OAuth is an authorization protocol created to replace the need for client applications of a service (e.g. a silo) to ask for your username and password to the service in order to access the service on your behalf.
Silo Examples
These are only a few of the silos that support OAuth. Silos typically support OAuth as the authorization flow for their own proprietary APIs.
See FreeMyOAuth for a summary of popular silos that support OAuth, and quick links to see which apps you have authorized for each silo.
Github
Github supports OAuth and has potential for a very complicated permissions screen.
Example: Travis Cl asking for / changing OAuth permissions on Github
Map Me At
Map Me At had an interesting OAuth like permissions screen for use with the defunct Fire Eagle.
Twitter shows a list of applications that have been granted permission to your account, and provides some info about the type of access they have.
Tools
The OAuth Playground is an interactive tool that walks you through the various OAuth flows step by step.
Brainstorming
UI ideas
Twitter Mockup
- 2010-08-17 Ben Ward: Would this really be so bad? (AKA Checkboxes, bitches)
Troubleshooting
Twitter API
As of 2013-06-11 Twitter has switched to requiring v1.1 (or later?) of their API. v1.0 has been turned off. v1.1 is pickier about the way it handles OAuth. You may run into the following problems.
Error 0 before authorization prompt
If the authenticate request returns an error 0 before you even see the Twitter authorization prompt screen, and you are using the latest tmhOAuth.php, you may need to:
- make sure that you have the file "cacert.pem" in the same directory as your tmhOAuth.php.
Verify after authorization prompt does not work
For relmeauth.php in particular:
- If after bouncing to the Twitter authorization prompt (where it says "Redirecting you back to the application...") it just bounces back automatically right back to the RelMeAuth sign-in screen (not signed-in).
- Then check out RelMeAuth branch tmh_june_2013_update and see if that fixes things.
After authorization prompt Error 401 Invalid request token
For relmeauth.php in particular when using tmhOAuth.php:
- If after bouncing to the Twitter authorization prompt (where it says "Redirecting you back to the application...") it provides an Error 401 message and the $tmhOAuth->response['response'] is 'Invalid request token'
- Then: make absolutely sure you're using tmhOAuth.php version 0.8.2 or later. Double check this at the top of the tmhOAuth.php you're using on your server.
Verify after authorization prompt still does not work
For relmeauth.php in particular when using tmhOAuth.php:
- If after bouncing to the Twitter authorization prompt (where it says "Redirecting you back to the application...") it just bounces back automatically right back to the RelMeAuth sign-in screen (not signed-in).
- Then in "function verify", where it sets "$_SESSION['relmeauth']['name'] = $creds[ ", do a
var_dump($creds);
- If there's a message about the v1 API being no longer supported,
- Then: make sure you've updated your "config.php" file such that it has the line with /1.1/ :
That should fix the problem.
Criticism
- 2012-07-26 Eran Hammer: [1]
Books
- OAuth 2.0 Simplified by Aaron Parecki, Publisher: Okta, Inc.
- Published: August 2017
- Available online at oauth.com
Articles
- 2024-08-24 : OAuth from First Principles (archived):
I'll start off with an awfully flawed implementation that authorizes a user with a 3rd-party app, and then continuously attack it until we arrive at something that's secure, kind of.
See Also
- silos
- RelMeAuth
- relmeauth.php
- IndieAuth
- micropub
- FreeMyOAuth
- client ID
- https://zapier.com/learn/apis/chapter-5-authentication-part-2/