Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

Ethan Jewett <esjewett@gmail.com> Fri, 19 March 2010 21:16 UTC

In-Reply-To: <daf5b9571003191144j74ea597cgf06ef3ba449cecef@mail.gmail.com>
References: <fd6741651003161112y2eceb494ue28db2644ba1d32a@mail.gmail.com> <68f4a0e81003191052m7ab778d6n330e58bd58b9f924@mail.gmail.com> <daf5b9571003191144j74ea597cgf06ef3ba449cecef@mail.gmail.com>
Date: Fri, 19 Mar 2010 17:16:19 -0400
Message-ID: <68f4a0e81003191416k70099a49o10fe5ba41bedfb83@mail.gmail.com>
From: Ethan Jewett <esjewett@gmail.com>
To: Brian Eaton <beaton@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Understanding how OpenSocial uses OAuth 1.0a

Accidentally sent the following directly to Brian instead of the list.
I'll try again ....

On Fri, Mar 19, 2010 at 2:44 PM, Brian Eaton <beaton@google.com> wrote:
> Plaintext doesn't work in this context, because it sends long-lived
> secrets in clear-text to servers that are under the control of the
> application author, or, in the case of gadgets, everyone viewing the
> gadget.

That's not what I read. In the OpenSocial case the gadget does not
hold the secret as that would be insecure in the manner you describe.
The container holds the secret. The gadget only tells the container
what signing method to use, not what secret to use. How the container
manages to get the secret or keep track of which secret works with
which provider is a mystery to me.

There is no need to send the secret in the clear. OAuth 1.0a says
that the PLAINTEXT method should be used only over a secure channel.

Ethan
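The two points in this exchange, that the container rather than the gadget holds the consumer secret and that PLAINTEXT puts the secret itself on the wire while HMAC-SHA1 sends only a MAC over the request, can be seen directly in the RFC 5849 signing rules. The following is an added example written for this archive page, not code from the thread, OpenSocial or Shindig: the `Container` class, the provider host `api.example.net`, the secret `constructed-consumer-secret` and the nonce/timestamp are constructed for illustration, while the base-string check uses the request from RFC 5849 section 3.4.1.1 (the expected value follows the encoding rules of section 3.4.1.3.2; the string printed in the RFC has a known erratum at the `c%40` parameter).

```python
"""OAuth 1.0a (RFC 5849) request signing: PLAINTEXT vs HMAC-SHA1.

Models the split described in the thread: a container keeps the consumer
secret and signs on a gadget's behalf; the gadget only names the signature
method. With PLAINTEXT the signing key *is* the oauth_signature value, so
that method is only safe over TLS; HMAC-SHA1 reveals nothing about the key.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """Section 3.6 percent-encoding: only ALPHA / DIGIT / - . _ ~ pass through."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme/host, drop default port and query."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port and p.port != {"http": 80, "https": 443}.get(p.scheme.lower()):
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Section 3.4.1: METHOD & enc(uri) & enc(normalized parameters).

    oauth_params must not contain oauth_signature. body is only consulted
    when it is application/x-www-form-urlencoded (section 3.4.1.3.1).
    """
    params = list(oauth_params.items())
    params += parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    # Encode name and value first, then sort by name and (for duplicates) value.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2/3.4.4: enc(consumer secret) & enc(token secret)."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(base: str, sig_method: str, consumer_secret: str, token_secret: str = "") -> str:
    key = signing_key(consumer_secret, token_secret)
    if sig_method == "PLAINTEXT":
        return key  # section 3.4.4: the key itself is transmitted as the signature
    if sig_method == "HMAC-SHA1":
        mac = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
        return base64.b64encode(mac).decode()
    raise ValueError(f"unsupported oauth_signature_method {sig_method!r}")


class Container:
    """Hypothetical container: owns per-provider consumer credentials.

    The gadget supplies the request and the signature method name only; the
    secret never leaves this object.
    """

    def __init__(self, creds: dict):
        self._creds = creds  # {provider_host: (consumer_key, consumer_secret)}

    def sign_for_gadget(self, method, url, body, sig_method, nonce, timestamp) -> dict:
        key, secret = self._creds[urlsplit(url).hostname]
        oauth = {"oauth_consumer_key": key, "oauth_signature_method": sig_method,
                 "oauth_timestamp": str(timestamp), "oauth_nonce": nonce,
                 "oauth_version": "1.0"}
        base = signature_base_string(method, url, oauth, body)
        return {**oauth, "oauth_signature": sign(base, sig_method, secret)}


def provider_verify(method, url, body, received: dict, consumer_secret: str) -> bool:
    """Service-provider side: recompute the signature and compare in constant time."""
    unsigned = {k: v for k, v in received.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, unsigned, body)
    expected = sign(base, received["oauth_signature_method"], consumer_secret)
    return hmac.compare_digest(expected, received["oauth_signature"])


# Request from RFC 5849 section 3.4.1.1, used as a check on the base-string rules.
RFC5849_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC5849_BODY = "c2&a3=2+q"
RFC5849_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
                 "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
                 "oauth_nonce": "7d8f3e4a"}
RFC5849_BASE = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
                "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
                "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
                "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7")


def rfc5849_example_base_string() -> str:
    return signature_base_string("POST", RFC5849_URL, RFC5849_OAUTH, RFC5849_BODY)


def demo() -> dict:
    """Constructed sample: one container credential for provider api.example.net."""
    secret = "constructed-consumer-secret"
    container = Container({"api.example.net": ("dpf43f3p2l4k3l03", secret)})
    url, body = "https://api.example.net/people/@me?fields=name", ""
    out = {}
    for m in ("PLAINTEXT", "HMAC-SHA1"):
        p = container.sign_for_gadget("GET", url, body, m, nonce="n0nce1", timestamp=1269033379)
        out[m] = {"signature": p["oauth_signature"],
                  "leaks_secret": secret in p["oauth_signature"],
                  "verifies": provider_verify("GET", url, body, p, secret),
                  "verifies_with_wrong_secret": provider_verify("GET", url, body, p, "other")}
    return out


if __name__ == "__main__":
    assert rfc5849_example_base_string() == RFC5849_BASE
    for method, r in demo().items():
        print(method, r)
```

Running it prints the PLAINTEXT signature as the literal `constructed-consumer-secret&`, which is exactly why that method is limited to a confidential channel, and a 28-character base64 MAC for HMAC-SHA1; both verify at the provider with the right secret and fail with a wrong one.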