The Current State of OAuth 2
View more presentations from Aaron Parecki
A pretty good summary of the current state (as of June 2011) of OAuth 2. I wish I’d been able to see the talk or find a video online.
Tag Archives: oauth
Understanding the OAuth vulnerability
Last night’s OAuth Security Advisory 2009.1 was a little light on the details. The blog post wasn’t much better. I was peripherally involved in the OAuth spec development and I couldn’t work out what the advisory meant without a bunch of thinking and spec reading so I thought I’d try to explain it in simpler …
A Different Model For Web Services Authorization
In my last post I set out to describe how easy it is to extract private keys from desktop software. As I was concluding I stumbled on an alternative approach that might be more secure in some circumstances. I didn’t really go into details, so here’s an expansion of the idea. Current API authentication mechanisms …
No More Secrets
Using secret keys to identify applications communicating across the internet has become popular as people have copied the very successful Flickr authentication API. Unfortunately people trust that they can keep these keys secret from attackers, even as they distribute applications that contain the secret keys to other people. I decided to see how hard it …