hdknr’s posterous

 
Filed under // oauth

django-oauth: the field size in oauth_provider_consumer seems to be too small (at least in some cases).

(cmd)hdknr@deblen:~/.ve/cmd/src/cheese$ python manage.py shell
Python 2.5.2 (r252:60911, Jan 4 2009, 17:40:26)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from oauth_provider.models import Resource, Consumer
>>> C=('urx5MG8VAyGgqnHtOwhYQ','ds6H1xo8inXxmoV4x7k8Q8o7kxNVFbDeKQsUFjNVBs')
>>> consumer=Consumer(key=C[0],secret=C[1],name='www.yammer.com')
>>> consumer.save()
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/models/base.py", line 410, in save
    self.save_base(force_insert=force_insert, force_update=force_update)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/models/base.py", line 495, in save_base
    result = manager._insert(values, return_id=update_pk)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/models/manager.py", line 177, in _insert
    return insert_query(self.model, values, **kwargs)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/models/query.py", line 1087, in insert_query
    return query.execute_sql(return_id)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/models/sql/subqueries.py", line 320, in execute_sql
    cursor = super(InsertQuery, self).execute_sql(None)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/models/sql/query.py", line 2369, in execute_sql
    cursor.execute(sql, params)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/backends/util.py", line 19, in execute
    return self.cursor.execute(sql, params)
  File "/home/hdknr/.ve/cmd/lib/python2.5/site-packages/django/db/backends/mysql/base.py", line 84, in execute
    return self.cursor.execute(query, args)
  File "build/bdist.linux-i686/egg/MySQLdb/cursors.py", line 175, in execute
    if not self._defer_warnings: self._warning_check()
  File "build/bdist.linux-i686/egg/MySQLdb/cursors.py", line 89, in _warning_check
    warn(w[-1], self.Warning, 3)
  File "/usr/lib/python2.5/warnings.py", line 62, in warn
    globals)
  File "/usr/lib/python2.5/warnings.py", line 102, in warn_explicit
    raise message
Warning: Data truncated for column 'secret' at row 1

(cmd)hdknr@deblen:~/.ve/cmd/src/cheese$ echo "select * from oauth_provider_consumer" | mysql -u cheese --password=cheese cheese -t
+----+----------------+-------------+-----------------------+------------------+--------+---------+
| id | name           | description | key                   | secret           | status | user_id |
+----+----------------+-------------+-----------------------+------------------+--------+---------+
|  1 | www.yammer.com |             | urx5MG8VAyGgqnHtOwhYQ | ds6H1xo9inXUmoV3 |      1 |    NULL |
|  2 | www.yammer.com |             | urx5MG8VAyGgqnHtOwhYQ | ds6H1xo9inXUmoV3 |      1 |    NULL |
+----+----------------+-------------+-----------------------+------------------+--------+---------+
Two rows because I ran it twice.

(cmd)hdknr@deblen:~/.ve/cmd $ echo "desc oauth_provider_consumer" | mysql -u cheese --password=cheese cheese -t
+-------------+--------------+------+-----+---------+----------------+
| Field       | Type         | Null | Key | Default | Extra          |
+-------------+--------------+------+-----+---------+----------------+
| id          | int(11)      | NO   | PRI | NULL    | auto_increment |
| name        | varchar(255) | NO   |     | NULL    |                |
| description | longtext     | NO   |     | NULL    |                |
| key         | varchar(256) | NO   |     | NULL    |                |
| secret      | varchar(16)  | NO   |     | NULL    |                |
| status      | smallint(6)  | NO   |     | NULL    |                |
| user_id     | int(11)      | YES  | MUL | NULL    |                |
+-------------+--------------+------+-----+---------+----------------+

(cmd)hdknr@deblen:~/.ve/cmd/src/cheese$ echo "drop table oauth_provider_consumer" | mysql -u cheese --password=cheese cheese

(cmd)hdknr@deblen:~/.ve/cmd/lib/python2.5/site-packages/django_oauth-1.0-py2.5.egg/oauth_provider$ vi consts.py
SECRET_SIZE = 256

(cmd)hdknr@deblen:~/.ve/cmd/src/cheese$ python manage.py syncdb
Creating table oauth_provider_consumer
Installing index for oauth_provider.Consumer model

(cmd)hdknr@deblen:~/.ve/cmd/src/cheese$ python manage.py shell
Python 2.5.2 (r252:60911, Jan 4 2009, 17:40:26)
[GCC 4.3.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
>>> from oauth_provider.models import Resource, Consumer
>>> C=('urx5MG8VAyGgqnHtOwhYQ','ds6H1xo8inXxmoV4x7k8Q8o7kxNVFbDeKQsUFjNVBs')
>>> consumer=Consumer(key=C[0],secret=C[1],name='www.yammer.com')
>>> consumer.save()
>>>

(cmd)hdknr@deblen:~/.ve/cmd/src/cheese$ python manage.py dbshell
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 528
Server version: 5.0.51a-24+lenny2-log (Debian)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select * from oauth_provider_consumer
    -> ;
+----+----------------+-------------+-----------------------+--------------------------------------------+--------+---------+
| id | name           | description | key                   | secret                                     | status | user_id |
+----+----------------+-------------+-----------------------+--------------------------------------------+--------+---------+
|  1 | www.yammer.com |             | urx5MG8VAyGgqnHtOwhYQ | ds6H1xo8inXxmoV4x7k8Q8o7kxNVFbDeKQsUFjNVBs |      1 |    NULL |
+----+----------------+-------------+-----------------------+--------------------------------------------+--------+---------+
1 row in set (0.00 sec)

Filed under  //   Django   django-oauth   OAuth  


Yammer API Documentation

Step 8.

Post a new message:


    http.setURL('https://www.yammer.com/api/v1/messages')
    http.setHeaderField('Authorization', oauth_headers('BDzef0Gju2zIDQLnh33UKg','aewBdSXbnPtwywZISFxmoxgp3XN8lyn2HGV2DREZt7g', null))
    http.addParameter('body', 'test message')
    http.setMethod(POST)

When using PLAINTEXT signature method, the parameters you add to a POST do not affect the signature. This is not true when using HMAC-SHA1. PLAINTEXT is much easier to debug and since yammer uses https, it's safe to use PLAINTEXT.

Since Yammer uses https, PLAINTEXT can be used safely.
If you are debugging, PLAINTEXT is a lot easier.
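Both the varchar(16) truncation in the django-oauth post above and Yammer's PLAINTEXT remark come down to how an OAuth 1.0 signature is computed. The Python 3 below is an added example, not code from this post, from django-oauth or from Yammer; the consumer key/secret pair follows the shape used in the shell session, the token secret, realm and function names are constructed, and the timestamp, nonce and token values are reused from the spec excerpt further down this page. It builds the Authorization header for the Step 8 POST with HMAC-SHA1 and with PLAINTEXT, verifies it the way a provider would, and shows two things: a provider whose stored consumer secret was silently cut to 16 characters rejects every request signed with the real secret, and only HMAC-SHA1 covers the POST body.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed credentials (same shape as the pair in the shell session above; the
# 42-character secret is the kind of value a varchar(16) column truncates).
CONSUMER_KEY = "urx5MG8VAyGgqnHtOwhYQ"
CONSUMER_SECRET = "ds6H1xo8inXxmoV4x7k8Q8o7kxNVFbDeKQsUFjNVBs"
TOKEN = "ad180jjd733klru7"             # token value from the spec header example on this page
TOKEN_SECRET = "token-secret-sample"   # constructed
SECRET_SIZE_OLD = 16                   # the column width that caused the truncation


def enc(s):
    # RFC 5849 3.6: percent-encode everything except the unreserved characters.
    return quote(str(s), safe="-._~")


def signing_key(consumer_secret, token_secret):
    return enc(consumer_secret) + "&" + enc(token_secret)


def base_string(method, url, params):
    # RFC 5849 3.4.1: METHOD & enc(URL) & enc(normalized request parameters).
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join("%s=%s" % kv for kv in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])


def sign(method, url, params, consumer_secret, token_secret, sig_method):
    key = signing_key(consumer_secret, token_secret)
    if sig_method == "PLAINTEXT":
        return key                       # the request content is not covered at all
    if sig_method == "HMAC-SHA1":
        mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()
    raise ValueError("unsupported oauth_signature_method: %s" % sig_method)


def build_request(method, url, body, sig_method, consumer_secret=CONSUMER_SECRET,
                  timestamp="137131200", nonce="4572616e48616d6d65724c61686176"):
    """Consumer side: return (Authorization header value, body) for a signed request."""
    oauth = {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_token": TOKEN,
        "oauth_signature_method": sig_method,
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    signed = dict(body, **oauth)   # body parameters join the oauth_* ones in the base string
    oauth["oauth_signature"] = sign(method, url, signed, consumer_secret, TOKEN_SECRET, sig_method)
    fields = ", ".join('%s="%s"' % (k, enc(v)) for k, v in sorted(oauth.items()))
    return 'OAuth realm="%s", %s' % (url, fields), body


def parse_header(value):
    # 'OAuth realm="...", k="v", ...' -> {k: v}; realm is not a protocol parameter.
    if not value.startswith("OAuth "):
        raise ValueError("not an OAuth Authorization header")
    out = {}
    for item in value[len("OAuth "):].split(", "):
        k, v = item.split("=", 1)
        if k != "realm":
            out[k] = unquote(v.strip('"'))
    return out


def provider_verify(method, url, body, header, stored_consumer_secret, token_secret=TOKEN_SECRET):
    """Provider side: recompute the signature from the secrets it has on file."""
    p = parse_header(header)
    presented = p.pop("oauth_signature")
    expected = sign(method, url, dict(body, **p), stored_consumer_secret, token_secret,
                    p["oauth_signature_method"])
    return hmac.compare_digest(presented, expected)


URL = "https://www.yammer.com/api/v1/messages"


def verifies_with_stored_secret(sig_method, stored_secret):
    header, body = build_request("POST", URL, {"body": "test message"}, sig_method)
    return provider_verify("POST", URL, body, header, stored_secret)


def body_affects_signature(sig_method):
    h1, _ = build_request("POST", URL, {"body": "test message"}, sig_method)
    h2, _ = build_request("POST", URL, {"body": "another message"}, sig_method)
    return parse_header(h1)["oauth_signature"] != parse_header(h2)["oauth_signature"]


if __name__ == "__main__":
    for m in ("HMAC-SHA1", "PLAINTEXT"):
        print(m, "| full secret verifies:", verifies_with_stored_secret(m, CONSUMER_SECRET),
              "| secret cut to 16 verifies:", verifies_with_stored_secret(m, CONSUMER_SECRET[:SECRET_SIZE_OLD]),
              "| body covered:", body_affects_signature(m))
```

The truncation failure is the quiet kind: MySQL only raised a warning, and django-oauth stored a consumer row that looks valid but can never verify a signature, so the first symptom is a 401 from the provider rather than an error at registration. The last column of the output is why the Yammer docs call PLAINTEXT easier to debug: the signature is just the two encoded secrets, so it is only acceptable when TLS protects the whole request.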

Filed under  //   OAuth   PLAINTEXT   Yammer  


OpenID: Now more powerful and easier to use! | OpenID

Plaxo is one of the earliest adopters of OpenID, allowing their users to sign into Plaxo using an OpenID enabled account with just a couple mouse clicks. Instead of requiring first-time Plaxo users to manually verify their email address by sending a verification email, Plaxo uses OpenID Attribute Exchange to verify Yahoo! and GMail email addresses without forcing users to wait at their mailbox for the verification email to arrive. Building on their successful experience with OpenID, Plaxo is experimenting with the Hybrid Protocol: A portion of new users who sign up for Plaxo using either a GMail or Yahoo account can now sign into Plaxo with their OpenID and authorize two-way data sharing of their Contacts and Activities via the Hybrid Protocol. You can read more about how this works on the Plaxo blog.

Filed under  //   AX   OAuth   OpenID  


OAuth Authorization Header

7.1. Authorization Header

Protocol parameters can be transmitted using the HTTP "Authorization" header as defined by [RFC2617] with the auth-scheme name set to "OAuth" (case-insensitive). For example:

    Authorization: OAuth realm="http://server.example.com/", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0

Filed under  //   OAuth  


Hueniverse: Explaining the OAuth Session Fixation Attack

Filed under  //   Fixation   OAuth   Security   Session  


Vulnerability in OAuth: Twitter and Yahoo! suspend their APIs - @IT

The vulnerability discovered this time is as follows. The attacker first logs into the service in question as an ordinary user. Next, the attacker goes through OAuth authorization, but unlike the normal flow, saves the URI issued for the request token and induces the target user to click it. A target user who clicks the URI for whatever reason is redirected to the legitimate service and asked to grant access to their data. If the target user presses the OK button there, the attacker can complete the OAuth authorization process using that request token.

Filed under  //   Fixation   OAuth   Security   Session  


On the OAuth Session Fixation Attack (translation) - ものがたり

The only element tying these three steps together is the request token in the authorization URI and in the callback URI. In neither case is the call signed, and it is easily guessed. The problem is that neither the Consumer nor the Provider has any guarantee that these three steps are performed by the same user. An application can confirm, through cookies or other session-management tools, that the first and last steps are performed by the same user, but it cannot confirm whether the middle step was performed by the same user as the first or the last.

Filed under  //   Fixation   OAuth   Security   Session  


OAuth Authorization Flow - YDN

Filed under  //   OAuth  


.Nat Zone : Relationship between OAuth and CX, and OAuth vulnerability by Nat - =nat

Summary

So, to summarize:

  1. OAuth and CX are almost identical in the protocol flow.
  2. OAuth requires a manual step to establish the Consumer's identifier, called the Consumer Key, while CX leverages metadata including its identifier in XRD.
  3. OAuth does not require an identity framework such as OpenID, while CX does.
  4. OAuth uses Token Secrets. In CX, there is no need for them.
  5. CX leverages public key cryptography for security while OAuth depends on a shared secret. In other words, in CX there is no shared secret.
  6. The Authorized Request Token (cx:ContractID) and Access Token (cx:Contract) are generated at different points in the sequence in OAuth, while they are generated simultaneously in CX.
  7. OAuth implicitly assumes that the User at the Consumer and at the Service is the same guy and binds a local user at the Consumer to another local user at the Service Provider by Request Token, while CX does not and leverages the User's global Identifier to distinguish them.
  8. OAuth implicitly assumes that the User at the different points in the sequence is the same guy, while CX does not and leverages the User's global Identifier to distinguish them.
  9. In CX, the authorization fails if the identifier in the cx:Offer/cx:Contract does not match the User's Identifier.
  10. CX is not vulnerable to the OAuth Fixation Attack, though on the surface the protocol flow seems almost identical.

Filed under  //   =Nat   identity   OAuth  


OAuth / OAuth for Payment flow

While this hasn't been done yet (as far as I know), I thought it would be worth documenting a flow that could well be accomplished with OAuth for executing payments. The example in this case is associating a Paypal account with an iTunes account. It's worth pointing out that iTunes is a desktop application and uses browser-based authentication to connect to Paypal.

Filed under  //   OAuth   Payment  
