Oauth in Livecode?

Andre Garzia andre at andregarzia.com
Mon May 5 20:41:07 EDT 2014


Howard,

As far as I can tell this article is a complete FUD.

What it is saying is that someone could use the redirect URL part of the
OAuth 2.0 cycle to redirect you to some place else. This is the same thing
as opening any phishing site. If you open a website, click for example
"Login with Facebook" and click OK for all the permission requests, you're
giving away that information to the site. There is no real limit to what it
can do with that info.

If the "Login with Facebook" (or any other OAuth 2.0 button) has been
tampered or fiddled with by someone with bad intentions so that it
redirects to some evil site and steal if your info this is not a flaw in
OAuth 2.0, this is how the web works. The thing is that people will give
their access to their personal information freely without thinking about
the consequences. Next time some site is asking for access to all your
profile information, plus your friends, plus your contacts, plus
everything, you should think why does this site needs this information?!
People often just click "Allow" without thinking.

This was all solved by Mozilla with Persona Login system that shared no
information besides attesting that someone was really someone.
Unfortunately and probably because it would not allow profile information
to go thru and was minimal and federated, it never saw strong adoption to
the point where its on community maintenance mode. I still use it everyday
to log into Mozilla properties such as our Bugzilla.

Cheers


On Mon, May 5, 2014 at 8:49 PM, Howard Bornstein <bornstein at designeq.com>wrote:

> And of course, there's this:
>
>
> http://lifehacker.com/security-flaw-found-in-oauth-and-openid-heres-what-it-1570872265
>
>
> On Mon, May 5, 2014 at 2:00 PM, Dar Scott <dsc at swcp.com> wrote:
>
> > I’ve created an OAuth 1 in the past for Evernote all in LiveCode plus the
> > favorite browser.  So, it can be done, but I won’t say it is not hard.
> >
> > I did run into some OAuth 2 problems with a kiosk that connected to
> > ConstantContact and used an alternate security.  Those problems were
> > related to the kiosk environment and the management console.  In that
> one,
> > I ended up using an alternative scheme.
> >
> > Dar Scott
> > Controls, Libraries and Externals
> >
> >
> >
> >
> > On May 5, 2014, at 9:21 AM, Andre Garzia <andre at andregarzia.com> wrote:
> >
> > > OAuth 1.0 and 1.0a sucks! Horrible specs and hard to implement. On the
> > > other hand OAuth 2.0 is quite easy to implement. I've did that for
> > Facebook
> > > Lib. Does the API you need has an OAuth 2.0 endpoint?
> > >
> > >
> > > On Mon, May 5, 2014 at 9:36 AM, Monk in Exile <david.bovill at gmail.com
> > >wrote:
> > >
> > >> Any updates on this - I've got a bunch of stuff that needs oAuth in
> > various
> > >> flavours.
> > >>
> > >>
> > >> On 1 February 2014 04:36, Phil Davis <revdev at pdslabs.net> wrote:
> > >>
> > >>> Hi Geoff,
> > >>>
> > >>> I'm currently working on a Vimeo code lib that includes Vimeo's OAuth
> > >> 1.0a
> > >>> implementation to the extent it's needed for logging in and using
> parts
> > >> of
> > >>> their Advanced API. ( https://developer.vimeo.com/apis/advanced )
> > >>>
> > >>> I know Andre had hopes of creating a more generalized OAuth lib in
> the
> > >>> past, but I don't know if he plans to finish it. That's everything I
> > know
> > >>> about the subject.
> > >>>
> > >>> Phil Davis
> > >>>
> > >>>
> > >>>
> > >>> On 1/31/14, 7:14 PM, Geoff Canyon wrote:
> > >>>
> > >>>> I see references online to various efforts toward this, but I don't
> > >>>> see any actual working code. Am I missing it?
> > >>>>
> > >>>> _______________________________________________
> > >>>> use-livecode mailing list
> > >>>> use-livecode at lists.runrev.com
> > >>>> Please visit this url to subscribe, unsubscribe and manage your
> > >>>> subscription preferences:
> > >>>> http://lists.runrev.com/mailman/listinfo/use-livecode
> > >>>>
> > >>>>
> > >>> --
> > >>> Phil Davis
> > >>>
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> use-livecode mailing list
> > >>> use-livecode at lists.runrev.com
> > >>> Please visit this url to subscribe, unsubscribe and manage your
> > >>> subscription preferences:
> > >>> http://lists.runrev.com/mailman/listinfo/use-livecode
> > >>>
> > >> _______________________________________________
> > >> use-livecode mailing list
> > >> use-livecode at lists.runrev.com
> > >> Please visit this url to subscribe, unsubscribe and manage your
> > >> subscription preferences:
> > >> http://lists.runrev.com/mailman/listinfo/use-livecode
> > >>
> > >
> > >
> > >
> > > --
> > > http://www.andregarzia.com -- All We Do Is Code.
> > > http://fon.nu -- minimalist url shortening service.
> > > _______________________________________________
> > > use-livecode mailing list
> > > use-livecode at lists.runrev.com
> > > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
> >
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
>
>
>
> --
> Regards,
>
> Howard Bornstein
> -----------------------
> www.designeq.com
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



-- 
http://www.andregarzia.com -- All We Do Is Code.
http://fon.nu -- minimalist url shortening service.



More information about the Use-livecode mailing list