jsOAuth in the browser, my response to OAuth in web browsers
- Developer:
- We are on the lookout for a JavaScript OAuth library that works in browsers.
- Rob Griffiths:
- There are some things you need to consider when trying to get OAuth working in the browser using JavaScript.
- Firstly, JavaScript source is viewable by anyone with the inclination to look, which means that your OAuth key and secret are publicly accessible. An attacker could therefore use your credentials to sign requests and gain access tokens, in theory at least. In my opinion the attacker would have to fool a user into thinking they were your site, which isn't too hard; users are stupid and can be fooled easily.
- Secondly, if your site contacts a third-party web service, you'll be bound by built-in browser security, as you are making a cross-domain request: the same-origin policy stops an XHR from talking to any domain other than the one the page was loaded from.
- That is, unless you use CORS (Cross-Origin Resource Sharing); however, most web services don't support it, which is a shame, as it would make the web a better place by allowing sites to interact at the client level and create interesting application mashups.
- So I'd ask this:
- - Does the webservice you're planning to use support CORS?
- - Do you have a plan to hide your secret in plain sight?
- Most people solve these issues by building a server-side script to proxy their XHR.
jsOAuth turns 1 in April
On April 2nd, jsOAuth, the JavaScript OAuth library, will finally have its first stable release, bringing the library out of perpetual beta and into the realms of the big boys.
jsOAuth works with Appcelerator Titanium, node.js, CommonJS, Samsung Smart TVs and many other platforms that use JavaScript.
One library and one API to use everywhere your app is designed to run.
With a stable API you’ll now be able to build applications without worry that API changes will break your code.
I’m committed to making a great library, and getting to this stable release has been a long time in the making. The project started in early November 2009, saw renewed interest in late October 2010, and has had a couple of key contributions from Steffen Schröder and Max Ogden and several from Łukasz Korecki. All these people saw potential in jsOAuth’s simplicity and have helped shape JavaScript OAuth for the future.
What if you spot something is missing? Let me know and I’ll get it in and tested as quickly as I can.
https://github.com/bytespider/jsOAuth