Comments on: OAuth Beginning to Rock the World http://www.diversity.net.nz/oauth-beginning-to-rock-the-world/2009/10/21/ Commentary and Analysis for User-Centered Technology Fri, 10 Feb 2012 03:02:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: wasabhi http://www.diversity.net.nz/oauth-beginning-to-rock-the-world/2009/10/21/comment-page-1/#comment-42998 wasabhi Fri, 23 Oct 2009 10:02:59 +0000 http://www.cloudave.com/link/oauth-beginning-to-rock-the-world#comment-42998 Owen thanks for your prompt response. I'm really impressed to see that you're actively engaged and listening to constructive feedback given to the developer preview release. My point of view is based on frustrations caused by working with your current implementation ... looking forward to seeing the introduction of structures that are clearly defined in the current oauth spec - in the interests of both user security and user experience. I have made suggestions in the uservoice forum to specify a root callback domain during the creation of consumer credentials - subsequently all callback URLs specified during each authentication event need to originate from subdomains of this root domain. The use case here is of course for consumers originating from multi-tennant architectures where callback URLs vary. This could achieve a higher level of security whilst accommodating a use case that is likely to be more common in the future. For the record Owen - my comment was not questioning your motivation to provide the very best level of user security and privacy... Great to hear from you ... Wasabhi Owen thanks for your prompt response. I’m really impressed to see that you’re actively engaged and listening to constructive feedback given to the developer preview release. My point of view is based on frustrations caused by working with your current implementation … looking forward to seeing the introduction of structures that are clearly defined in the current oauth spec – in the interests of both user security and user experience. I have made suggestions in the uservoice forum to specify a root callback domain during the creation of consumer credentials – subsequently all callback URLs specified during each authentication event need to originate from subdomains of this root domain. The use case here is of course for consumers originating from multi-tennant architectures where callback URLs vary. This could achieve a higher level of security whilst accommodating a use case that is likely to be more common in the future. For the record Owen – my comment was not questioning your motivation to provide the very best level of user security and privacy…

Great to hear from you …
Wasabhi

]]> By: Owen Evans http://www.diversity.net.nz/oauth-beginning-to-rock-the-world/2009/10/21/comment-page-1/#comment-42911 Owen Evans Thu, 22 Oct 2009 21:52:46 +0000 http://www.cloudave.com/link/oauth-beginning-to-rock-the-world#comment-42911 Hi Wasabhi, We're aware of the piece of the OAuth jigsaw missing from the Xero implementation at this time. As the lead developer on the project I can assure you that we had a few discussions as to if we would do the developer preview as we knew our primary response would be noticing the lack of permanent access tokens. First we want to assure that the permanent access via the API is coming, bus as I hope you can recognise we treat customer privacy as our number one concern so we wanted to make sure that adequate safeguards are in place before releasing such support. Also the lack of modifiable callback urls was an oversight and I have to admit that was just a mistake that we'll be rectifying soon. We do listen to uservoice and use that as a primary means of prioritising. OAuth is a great protocol and with an increase in use the libraries are going to only get better. OAuth is currently going through ratification at the Internet Engineering Task Force, which will make the protocol more an integral part of internet security. OAuth is still young so we thought it important to get the developer preview version of the API out so that people can get used to the workflow and security mechanisms behind OAuth. Many thanks Owen Evans Hi Wasabhi,
We’re aware of the piece of the OAuth jigsaw missing from the Xero implementation at this time. As the lead developer on the project I can assure you that we had a few discussions as to if we would do the developer preview as we knew our primary response would be noticing the lack of permanent access tokens.

First we want to assure that the permanent access via the API is coming, bus as I hope you can recognise we treat customer privacy as our number one concern so we wanted to make sure that adequate safeguards are in place before releasing such support.

Also the lack of modifiable callback urls was an oversight and I have to admit that was just a mistake that we’ll be rectifying soon.

We do listen to uservoice and use that as a primary means of prioritising.

OAuth is a great protocol and with an increase in use the libraries are going to only get better. OAuth is currently going through ratification at the Internet Engineering Task Force, which will make the protocol more an integral part of internet security.

OAuth is still young so we thought it important to get the developer preview version of the API out so that people can get used to the workflow and security mechanisms behind OAuth.

Many thanks
Owen Evans

]]> By: wasabhi http://www.diversity.net.nz/oauth-beginning-to-rock-the-world/2009/10/21/comment-page-1/#comment-42720 wasabhi Wed, 21 Oct 2009 18:45:25 +0000 http://www.cloudave.com/link/oauth-beginning-to-rock-the-world#comment-42720 Indeed it is a very clean and tight protocol for authentication workflow to establish delegated access. Xero's implementation however seems to be lacking on anunber of fronts. They don't make it easy for multi-tennant platform developers to build closed loop auth using a callback, and their 30 minute access token expiry creates a bizarre user experience. Hoping that Xero are listening to their "uservoice"! Indeed it is a very clean and tight protocol for authentication workflow to establish delegated access. Xero’s implementation however seems to be lacking on anunber of fronts. They don’t make it easy for multi-tennant platform developers to build closed loop auth using a callback, and their 30 minute access token expiry creates a bizarre user experience. Hoping that Xero are listening to their “uservoice”!

]]>