off-topic: I see you made a commit two hours ago but when I try to click on the commiter the link is not enabled, try this guide to set your name and github username so all your commits are linked to your github user account: https://help.github.com/articles/setting-your-username-in-gi...
The place I work for deals with about 20 different site's oauth processes and it's amazing how widely varied they are. Some of them let you restrict the redirect_uri while others don't, some of them still need you to send a login/password pair for the first request rather than do an oauth flow, but then still use oauth-style tokens all over the place. A couple of them require that the token be passed as a query string parameter instead of as a header for all requests. Being responsibly secure with all of them is quite difficult. It doesn't help that it's very difficult to have a development environment work properly with them, so doing active work against them is often painful.
OAuth is basically a complete mess, implementation-wise, and that's really sad since it's such a promising and useful premise.
That's really unfortunate. I read through the RFC, and IIRC it is pretty consistent on those details. Can't stop people from badly implementing a spec :(
i've heard great stuff about oauth.io . they try to provide an abstractionlayer that handles the various different implementations (often buggy or not to spec) of oauth.
15 comments
[ 6.2 ms ] story [ 38.6 ms ] threadbtw, linkedin has implemented a number of the counter measures listed in:
* static redirects
* checking that the redirect listed is the same for all calls.
* fast expiration of code.
OAuth is basically a complete mess, implementation-wise, and that's really sad since it's such a promising and useful premise.
[1]https://github.com/oauth-io/oauthd
And paranoid part of my brain suggests that using OAuth1.0a is still preferred even if over TLS