Hi Ryan,
I hear you about the language support bro; hence why I was considering writing a port.
I have read that OAuth 1.0 is not as secure as OAuth 2.0.
I would say the opposite is true. OAuth 2.0 is LESS secure than OAuth 1.0. In 1.0, you effectively have two layers of encryption. When you build the token in 1.0, you encrypt the token itself as part of the process, then when you send it over SSL, you encrypt it again. With 2.0, you don’t encrypt the token at all, and rely exclusively on SSL to provide the encryption. As a server administrator, I can see why large companies would want this. Encryption requires CPU overhead to encrypt and decrypt. If you have two layers of encryption, you’re requiring double the amount of CPU to process a request. If you’re Facebook, Twitter, or Google, the OAuth 2.0 spec would be far more appealing because it requires half the amount of CPU to process the millions of requests you receive every minute. This results in far less hardware, heat, and facilities required to serve the same number of visitors. That is almost certainly why the large companies involved in OAuth pushed for relaxed security in the 2.0 spec.
If you haven’t yet, I’d recommend reading this:
http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
“When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure.”
If nothing else, it’s some history that explains why things are the way they are with OAuth 2.0.
-Jordan
----- Original Message -----
From: “Ryan Hinton” <@Ryan_Hinton>
To: lucee@googlegroups.com
Sent: Friday, June 12, 2015 6:25:38 AM
Subject: Re: [Lucee] OAuth 2.0 Provider
Thank you for your feedback, Jordan.
It’s slightly upsetting to see so many providers in what looks like almost
every language but ours. lol I will look into Harry Klein’s OAuth 1.0
version to see how much it would take to convert. I have a time constraint
on this, so it may not be doable, I hope it might be easy and quick enough
to do.
I have read that OAuth 1.0 is not as secure as OAuth 2.0. Is this really
true, especially if we are passing information via SSL? What would truly
be the downside of using the OAuth 1.0 version of Harry Klein’s versus
using OAuth 2.0?
Thank you for any feedback.
Ryan Hinton
On Thursday, June 11, 2015 at 6:58:49 PM UTC-4, Jordan Michaels wrote:
A while back when looking at oauth implementations for a project I
invested in, I briefly considered writing a CFML port of Apache OLTU (
https://oltu.apache.org/) to create an OAuth2 server. However, if you
look deeply at OAuth 2, there’s really very very little in the way of
specifics when it comes to actually implementing an OAuth 2 API. (And it’s
not just me who says this). If you look at specific OAuth2 services
available out there, they’re all pretty unique in their implementations.
OAuth2 is less of a specification, and more of a loose set of guidelines
IMHO.
Even though Harry Klein’s OAuth library was designed for Oauth 1.0, the
guidelines for OAuth 2 are so loose I believe it’s possible to create an
OAuth 2 compatible server using it as well:
http://oauth.riaforge.org/
Some interesting drama with regards to the OAuth 2 specification:
http://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/
For OAuth 2.0 clients, I found the Scribe project, written in Java, to be
pretty flexible:
GitHub - scribejava/scribejava: Simple OAuth library for Java
Again, I considered porting it to CFML, but I found that Joel Hill had
already started to create a port, so I teamed up with him and fleshed out a
fully realized Twitter API using scribe:
GitHub - joelhill/cfScribe: cfScribe is a ColdFusion oAuth library that works with fernandezpablo85 / scribe-java library
That was pretty fun to play with for a bit. =) I intended to create
Facebook and Google APIs using scribe as well, but I ran out of time
playing with the Twitter API, so the Google and Facebook implementations
have been moved to the “some day” folder…
Anyway… hope this helps.
-Jordan
----- Original Message -----
From: “Ryan Hinton” <ry...@hintonco.com>
To: lu...@googlegroups.com
Sent: Thursday, June 11, 2015 3:23:46 PM
Subject: [Lucee] OAuth 2.0 Provider
Hello,
This is a general inquiry for CFML Developers. I figured I would ask here
since this is one of the only main groups I know for CFML Developers. My
apologies if this might be too off topic.
Lately, I have been reading about OAuth 2.0 in an effort to create the
OAuth 2.0 Provider side. However, I am either not looking in the right
places on the internet or there is simply not much out there for CFML
developers to implement the OAuth 2.0 Provider portion. Everything I am
finding related to OAuth 2.0 and CFML is designed for the Client side and I
find one Provider in CFML written for OAuth 1.0 in RIAForge.
Would any of you happen to have or can refer to shareable code or
references to lead me in the right direction for creating the OAuth 2.0 to
implement as a Provider? Essentially, I need to create the OAuth server
for Clients to connect to us.
Thank you for any assistance!
Ryan Hinton
--
You received this message because you are subscribed to the Google Groups
“Lucee” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to lucee+un...@googlegroups.com.
To post to this group, send email to lu...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/lucee/5240e878-6298-4c72-b3d1-37ad686b0cf4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
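Jordan's comparison of OAuth 1.0 and 2.0 turns on what OAuth 1.0 adds on top of SSL. The Python below is an added example, not code from this thread or from the libraries it mentions: it builds the OAuth 1.0 signature base string, computes the HMAC-SHA1 signature, and shows the provider-side verification (constant-time compare, timestamp window, nonce replay check). The request values are the public test vector from OAuth Core 1.0 Appendix A; the 300-second window and the in-memory nonce store are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# OAuth Core 1.0 Appendix A test vector (public spec values, not from the thread)
BASE_URL = "http://photos.example.net/photos"
CONSUMER_SECRET, TOKEN_SECRET = "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"
PARAMS = {
    "file": "vacation.jpg", "size": "original",
    "oauth_consumer_key": "dpf43f3p2l4k3l03", "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh", "oauth_version": "1.0",
}

def pct(s):
    # OAuth 1.0 percent-encoding: only the RFC 3986 unreserved set is left as-is
    return quote(str(s), safe="-._~")

def signature_base_string(method, base_url, params):
    # Encode every key/value, sort by key then value, join as k=v&k=v, then
    # join METHOD & base URL & normalized params, each percent-encoded again
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def verify_request(method, base_url, params, consumer_secret, token_secret,
                   seen_nonces, now, window=300):
    # Provider side: recompute the signature over the request as received, compare
    # in constant time, then reject stale timestamps and replayed (key, ts, nonce)
    expected = hmac_sha1_signature(method, base_url, params, consumer_secret, token_secret)
    if not hmac.compare_digest(params.get("oauth_signature", ""), expected):
        return False, "bad signature"
    ts = int(params["oauth_timestamp"])
    if abs(now - ts) > window:
        return False, "stale timestamp"
    nonce_key = (params["oauth_consumer_key"], ts, params["oauth_nonce"])
    if nonce_key in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce_key)
    return True, "ok"

def signed_request():
    # What a client would send: the request parameters plus the signature over them
    signed = dict(PARAMS)
    signed["oauth_signature"] = hmac_sha1_signature("GET", BASE_URL, PARAMS,
                                                    CONSUMER_SECRET, TOKEN_SECRET)
    return signed
```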