OAuth wins award at European Identity Conference

Eve Maler accepts award on behalf of the OAuth community

Last week, on behalf of the OAuth community, Eve Maler accepted an award for Best new or improved standard at the European Identity Conference 2009 (EIC), in Munich:

The European Identity Award for the category “Best new or improved standard” went to the Aristotle Project for ArisID, an important enhancement of IGF (Identity Governance Frameworks) and CARML, which enhances user-friendliness of these important standards for IAM and GRC. This particular innovation had been promoted and supported by Oracle. The standardization initiative OAuth (Open Authentication) receives an award for their streamlined approach for authentication standardization, which finds a lot of market interest. The last award in this category goes to the Information Card Foundation (ICF) for standardizing the important approach of Information Cards for future identity management.

As Eve happened to be at the conference, she received authorization on behalf of the community to accept the award. We haven’t quite figured out what we’ll do with it (being that we’re a virtual, placeless entity!) but we appreciate being recognized all the same!

An update on the OAuth session fixation vulnerability

While the merits of several proposed fixes for the OAuth session fixation vulnerability are still being hashed out on the wiki, I wanted to share the latest episode of theSocialWeb.tv, captured yesterday on location at Google’s headquarters in Mountain View. It provides some background and technical details about the problem, as told by Eran Hammer-Lahav, who has been coordinating the community’s response.

Marshall Kirkpatrick of ReadWriteWeb also has a great write-up of the timeline of events that led to the discovery of the issue, shedding more light on how quickly the community mobilized to confront this threat.

Acknowledgement of the OAuth security issue

I wanted to acknowledge that we are aware of a security threat, first reported by CNET, that affects the OAuth protocol.

There have been no known exploits so far, and for the past several days the OAuth community has been coordinating a response with as many known providers as possible to help them understand the threat and deploy whatever mitigations they can.

We’d like to publicly show our appreciation for Twitter’s role in helping to minimize premature publicity of this threat, even at its own expense: it took the heat as if the issue were its own in order to allow other companies time to address it.

We ask that people refrain from speculating about or publicly discussing the actual details of this or other threats before we release an official statement tonight at midnight PST on the OAuth website.

If you have any immediate concerns, please contact the vendors or Eran Hammer-Lahav directly at 408 596 1974 or eran@hueniverse.com (he is the community coordinator for this threat).

TripIt announces API, secured with OAuth

Travel itinerary and planning site TripIt announced the availability of their new developer API today with support for OAuth. TripIt developer Andy Denmark tweeted to confirm:

whooohooo, @tripit API lau ...

From their press release:

Online travel itinerary and trip planning service TripIt (www.tripit.com) today announced the availability of a new API (Application Programming Interface) for developers to create software applications that integrate with TripIt travel itineraries. The TripIt API is the travel industry’s first open API for sharing travel itinerary information between travel websites, travel suppliers, travel agents and related travel services. TripIt is an open travel platform that already supports bookings from more than 350 travel-related sites and works with partners including LinkedIn, Microsoft Windows Live and Sabre VirtuallyThere. With the new TripIt API, any developer can now build an application that integrates with TripIt, including the first ones from Expens’d, FlightTrack and Where I’ve Been. Developers can access the TripIt API at www.tripit.com/developer.

This first version of the TripIt API enables applications to read, add or delete trip plans in TripIt, while allowing TripIt travelers to control how applications access and use their data. More details at www.tripit.com/developer.

OAuth Ruby Gem 0.3 released

Update: Pelle reports that version 0.3.1 of the gem has been released to fix a bug discovered by Michael Wood.

Pelle Braendgaard posted to the OAuth Ruby list today announcing that the 0.3 version of the OAuth Ruby Gem has been released:

This is the community barn fixing release of the OAuth Gem. The primary purpose of this release is to fix all the little issues people have discovered while actually using OAuth in the real world.

A concerted effort has also been made to create much better testing of all the low level operations, such as encoding, normalization etc. There are much improved tests that follow the spec closely.

There is also a new oauth command line utility, which makes it easy to test oauth requests from your shell.

The official home page of the ruby library is:

http://oauth.rubyforge.org/

The main git repository is:

http://github.com/pelle/oauth/tree/master

Many people have been involved in this release, here are the primary contributors and the changelog:

  • Support ActionController::Request from Edge Rails (László Bácsi)
  • Correctly handle multi-valued parameters (Seth)
  • Added #normalized_parameters to OAuth::RequestProxy::Base (Pelle)
  • OAuth::Signature.sign and friends now yield the RequestProxy instead of the token when the passed block’s arity is 1. (Seth)
  • Token requests are made to the configured URL rather than generating a potentially incorrect one. (Kellan Elliott-McCrea)
  • Command-line app for generating signatures. (Seth)
  • Improved test-cases and compatibility for encoding issues. (Pelle)
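The "low level operations, such as encoding, normalization" that the release notes say are now tested against the spec are exactly where OAuth 1.0 implementations tend to disagree: which characters get percent-encoded, how repeated keys are ordered, and how the signature base string is assembled. The following is an added example, written for this page on Ruby's standard library only; it is not the oauth gem's code or API, and the `OAuthSig` module and its method names are this example's own. It builds the parameter normalization and HMAC-SHA1 signature from OAuth Core 1.0 section 9, signs the request-signing example from OAuth Core 1.0 Appendix A (consumer key `dpf43f3p2l4k3l03`, whose published signature is `tR3+Ty81lMeYAr/Fid0kMTYa/WM=`), and checks the normalization edge cases (duplicate keys, empty values, already-encoded values) with the worked example from RFC 5849 section 3.4.1.1.

```ruby
# Added example: a minimal OAuth 1.0 HMAC-SHA1 signer/verifier on the Ruby
# standard library. This is NOT the oauth gem's implementation; names are ours.
require 'openssl'

module OAuthSig
  # RFC 3986 unreserved bytes: ALPHA / DIGIT / "-" / "." / "_" / "~"
  UNRESERVED = ((?A..?Z).to_a + (?a..?z).to_a + (?0..?9).to_a + %w[- . _ ~])
               .map(&:ord).freeze

  # OAuth percent-encoding: every byte outside the unreserved set becomes an
  # uppercase %XX escape ("*" and " " are escaped, "~" is not, "+" is not space).
  def self.encode(str)
    str.to_s.encode('UTF-8').bytes.map do |b|
      UNRESERVED.include?(b) ? b.chr : format('%%%02X', b)
    end.join
  end

  # Parameter normalization (OAuth Core 1.0 section 9.1.1): encode each key and
  # value, sort by encoded key and then by encoded value (so repeated keys keep a
  # defined order), and join as k=v pairs with "&". oauth_signature is excluded.
  def self.normalize(params)
    params.reject { |k, _| k.to_s == 'oauth_signature' }
          .map { |k, v| [encode(k), encode(v)] }
          .sort
          .map { |k, v| "#{k}=#{v}" }
          .join('&')
  end

  # Signature base string: METHOD & enc(base URL) & enc(normalized params).
  # base_url is the scheme/host/path only; query parameters belong in params.
  def self.base_string(method, base_url, params)
    [method.upcase, encode(base_url), encode(normalize(params))].join('&')
  end

  # HMAC-SHA1 key is enc(consumer_secret) & enc(token_secret). The "&" is kept
  # even when there is no token secret yet (the request-token step).
  def self.sign(method, base_url, params, consumer_secret, token_secret = '')
    key = "#{encode(consumer_secret)}&#{encode(token_secret)}"
    digest = OpenSSL::HMAC.digest('sha1', key, base_string(method, base_url, params))
    [digest].pack('m0') # strict base64, no trailing newline
  end

  # Provider-side check: recompute the signature and compare in constant time so
  # that a byte-by-byte early exit does not leak how much of a guess matched.
  def self.valid?(method, base_url, params, consumer_secret, token_secret, signature)
    expected = sign(method, base_url, params, consumer_secret, token_secret)
    return false unless expected.bytesize == signature.to_s.bytesize
    expected.bytes.zip(signature.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end

# Test vector transcribed from OAuth Core 1.0 Appendix A (photos.example.net).
PHOTOS_URL = 'http://photos.example.net/photos'
PHOTOS_PARAMS = [
  ['file', 'vacation.jpg'], ['size', 'original'],
  ['oauth_consumer_key', 'dpf43f3p2l4k3l03'], ['oauth_token', 'nnch734d00sl2jdk'],
  ['oauth_signature_method', 'HMAC-SHA1'], ['oauth_timestamp', '1191242096'],
  ['oauth_nonce', 'kllo9940pd9333jh'], ['oauth_version', '1.0']
].freeze
PHOTOS_CONSUMER_SECRET = 'kd94hf93k423kf44'
PHOTOS_TOKEN_SECRET = 'pfkkdhi9sl3r4s00'

def photos_signature
  OAuthSig.sign('GET', PHOTOS_URL, PHOTOS_PARAMS, PHOTOS_CONSUMER_SECRET, PHOTOS_TOKEN_SECRET)
end

# Normalization edge cases transcribed from RFC 5849 section 3.4.1.1: a repeated
# key (a3), empty values (c@, c2), a value that already contains "%3D", and a
# body parameter "a3=2+q" whose "+" decodes to a space before normalization.
RFC5849_PARAMS = [
  ['b5', '=%3D'], ['a3', 'a'], ['c@', ''], ['a2', 'r b'],
  ['oauth_consumer_key', '9djdj82h48djs9d2'], ['oauth_token', 'kkk9d7dh3k39sjv7'],
  ['oauth_signature_method', 'HMAC-SHA1'], ['oauth_timestamp', '137131201'],
  ['oauth_nonce', '7d8f3e4a'], ['c2', ''], ['a3', '2 q']
].freeze

def rfc5849_base_string
  OAuthSig.base_string('POST', 'http://example.com/request', RFC5849_PARAMS)
end

if __FILE__ == $PROGRAM_NAME
  puts rfc5849_base_string
  puts photos_signature
  puts OAuthSig.valid?('GET', PHOTOS_URL, PHOTOS_PARAMS, PHOTOS_CONSUMER_SECRET,
                       PHOTOS_TOKEN_SECRET, photos_signature)
end
```

Two points worth keeping in mind when reading the output: the base string percent-encodes the already-encoded parameter string a second time (so `r b` shows up as `r%2520b`), and the sort happens on the encoded keys, which is why `c%40` (`c@`) sorts before `c2`. Both are places where a hand-rolled client and a provider can silently diverge and produce "invalid signature" errors that look like bad secrets.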