Implementing Python-OAuth2

Mark Hammond skippy.hammond at gmail.com
Tue Oct 11 21:06:59 EDT 2011 

On 11/10/2011 7:16 PM, Kayode Odeyemi wrote:
> On Thu, Oct 6, 2011 at 5:15 PM, Jeff Gaynor <jgaynor at ncsa.illinois.edu
> <mailto:jgaynor at ncsa.illinois.edu>> wrote:
>
>     On 10/06/2011 08:34 AM, Kayode Odeyemi wrote:
>
>         Hello friends,
>
>         I'm working on a pretty large application that I will like to
>         use oauth2 on as an authentication and authorization mechanism.
>
>         I understand fairly the technology and I have written my own
>         implementation before I stumbled on python-oauth2.
>
>         I need advise on leveraging python-oauth2 api for creating
>         consumer key, creating consumer secret, access token and token
>         secret.
>
>     This works well, but be advised that the original python oauth
>     library had some serious issues, so was redone as python-oauth2.
>     What is confusing is that it refers to OAuth version 1.0a, not the
>     upcoming OAuth version 2.0, so make sure you read the right spec
>     before using it, since they are very different indeed.
>
>     There are *no* usable OAuth version 2..0 implementation in any
>     language (usually Java comes first) that I know of, so you will get
>     to role your own, which is hard. There are a few beta-level versions
>     E.g. Twitter) but these are special cased to the author's needs. The
>     spec itself is not quite ready either and since it has changed quite
>     substantially in the last year, I suspect that everyone is waiting
>     to see it settle to a steady state.
>
> Jeff, I'm in the middle of a big confusion here and will need your help.
>
> I will like to know, can the request be signed just once and for all
> subsequent request made, I can use the stored nonce, signature method
> and token? My kind of setup is such that, I want the client app to be
> registered once, such that for every request to a resource, as long as
> the required parameters are available in the header (which would have
> been gotten at the initial request), access is granted.
>
> Is this a correct interpretation of Oauth?

I believe every request must be resigned with a new nonce and new 
timestamp using the tokens it initially fetched during the auth step so 
"replay" attacks can be prevented.  It might be true that some server 
implementations don't check the timestamp or nonce, so it *might* work 
for some servers if the exact same request parameters are used, but such 
servers are simply insecure and broken.

Mark

More information about the Python-list mailing list