OAuth C# (very) Basic Library

I know it took me a while (sorry) but I had a couple things on my plate.

At first I wanted to release a more complete integration of OAuth within ASP.NET, but that will have to wait until the next time frame I can allocate to work on this.

In the meantime, there is some basic C# code in the OAuth code repository which generates the OAuth signature, which is the most complicated thing to implement in the spec (not that it’s that difficult to implement :-) It’s actually quite easy).

To use the C# code, simply do this (based on the samples in the spec):

using OAuth;

OAuthBase oauth = new OAuthBase();

// Protected resource URL, including its query parameters
Uri url = new Uri("http://photos.example.net/photos?file=vacation.jpg&size=original");

// Arguments: URL, consumer key, consumer secret, token, token secret, HTTP method, timestamp, nonce, signature type
string signature = oauth.GenerateSignature(url, "dpf43f3p2l4k3l03", "kd94hf93k423kf44", "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", "GET", oauth.GenerateTimeStamp(), oauth.GenerateNonce(), OAuthBase.SignatureTypes.HMACSHA1);

After that you can concatenate the relevant query parameters as well as the signature value to the URL and use it.

If you have a different timestamp and/or nonce generation method, you can inherit and override these methods.

If you require a hashing algorithm other than the default HMAC-SHA1 or PLAINTEXT (which MUST be used with a secure communication channel such as HTTPS), you can use the “GenerateSignatureBase” method to generate the signature base string and then call “GenerateSignatureUsingHash”, passing the signature base and the hash algorithm you are using.
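To make visible what goes into the signature and how it ends up on the URL, here is a stand-alone sketch of the OAuth 1.0 HMAC-SHA1 steps. It is an added example, not the code of OAuthBase; the names OAuthSignatureDemo, Encode and Sign are hypothetical, and the timestamp and nonce are fixed sample values chosen so the run is reproducible.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OAuthSignatureDemo
{
    // Only RFC 3986 unreserved characters stay literal; all other bytes become %XX (uppercase hex).
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    static string Encode(string value)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(value))
            if (Unreserved.IndexOf((char)b) >= 0) sb.Append((char)b);
            else sb.Append('%').Append(b.ToString("X2"));
        return sb.ToString();
    }

    static string Sign(string method, string baseUrl, IEnumerable<(string Name, string Value)> parameters,
                       string consumerSecret, string tokenSecret)
    {
        // Normalize: encode each pair, sort by name then value (byte order), join with '&'.
        string normalized = string.Join("&", parameters
            .Select(p => (Name: Encode(p.Name), Value: Encode(p.Value)))
            .OrderBy(p => p.Name, StringComparer.Ordinal)
            .ThenBy(p => p.Value, StringComparer.Ordinal)
            .Select(p => p.Name + "=" + p.Value));
        // Signature base string: METHOD & encoded URL (without query) & encoded parameter string.
        string signatureBase = method.ToUpperInvariant() + "&" + Encode(baseUrl) + "&" + Encode(normalized);
        // HMAC key: encoded consumer secret, '&', encoded token secret (the '&' is always present).
        string key = Encode(consumerSecret) + "&" + Encode(tokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(signatureBase)));
    }

    static void Main()
    {
        // Constructed input: the page's sample keys; real requests need a fresh timestamp and a unique nonce.
        var p = new List<(string Name, string Value)> {
            ("file", "vacation.jpg"), ("size", "original"),
            ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
            ("oauth_signature_method", "HMAC-SHA1"), ("oauth_version", "1.0"),
            ("oauth_timestamp", "1191242096"), ("oauth_nonce", "kllo9940pd9333jh") };
        string signature = Sign("GET", "http://photos.example.net/photos", p, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00");
        // The signature travels as one more parameter; its '+', '/' and '=' must be encoded too.
        p.Add(("oauth_signature", signature));
        Console.WriteLine("http://photos.example.net/photos?" +
            string.Join("&", p.Select(x => Encode(x.Name) + "=" + Encode(x.Value))));
    }
}
```

The secrets only ever enter the HMAC key and never appear in the request, which is why the signed URL can be sent without exposing them.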

That’s about it. I’ll update when I have some more integrative code.

OAuth Core 1.0 Final Draft – Implement it while it’s hot

After Chris blogged about it and Eran Hammer-Lahav wrote a Beginner’s Guide to OAuth, I have little to add.

I will add though that my C# library, which I’ve been promising for quite some time, will get out very soon :-) (Sorry for the delay, it’s been hectic around here).

OAuth 1.0 Public Draft – Another brick in the wall

Others have written such great explanations of what OAuth is and what it does, like Eran Hammer-Lahav’s post, that I won’t repeat them.

I will say that OAuth should make the Internet a little bit safer by giving the technical means to remove the need for one service to ask the user for his/her username and password in order to access another service that the user is also using.

OAuth is to credentials delegation what OpenID is to authentication. An open standard for delegating a user’s credentials between services, the same way OpenID is an open standard for authentication.

It is important to note, however, that OAuth is not limited to use with OpenID. It CAN be used with ANY authentication scheme, both open and proprietary.

After all, some of the main mantras of OAuth were that we don’t want to reinvent the wheel(s) and we want OAuth to play nicely with everyone.

I’m contributing to the working group of OAuth and we just released the first public draft for OAuth 1.0. Take a look, read the spec and share your thoughts and comments with us!

OAuth – another brick in the open standards wall of authentication, credentials delegations and ultimately identity.

Ubuntu Feisty Fawn (7.04), VMware Server and Authentication problems

If you are going to install VMware Server (a great and free server virtualization product from VMware) on Ubuntu Feisty Fawn (7.04) and you’ve followed this post showing how to do it using Canonical’s commercial repository, make sure to read this post at the Ubuntu Community Docs.

Basically, if you encounter authentication problems at the Server’s Console after installing VMware Server, then until this bug is fixed you need to edit /etc/pam.d/vmware-authd to contain:

#%PAM-1.0
auth required pam_unix_auth.so shadow nullok
account required pam_unix_acct.so

Afterwards, restart the VMware service and try to authenticate using the server’s console again.

I’m just being the Good SEO Samaritan and bumping this article’s SEO so everyone will see it first (instead of it being buried down somewhere in the search results) :-) .

Own your authentication!

After Passport Windows Live ID and the Liberty Alliance Project now comes Google Account Authentication, which opens up the ability to use anyone’s Google Account to perform authentication to a system.

What surprises me in this whole deal is that it seems we are going backwards, back to a “one authentication to rule them all” idea that Microsoft tried to introduce with Passport (errr) Windows Live ID which, as you know, didn’t go quite where they wanted it to be.

After the whole Web 2.0 buzz and “User Generated Content”, A.K.A the forbidden word, where users are now the masters of their own content, why can’t they be the masters of their own identity/authentication?

OpenID

I’ve lately been tracking the OpenID initiative which tries to create a REAL distributed identity system which actually fits into the Web 2.0 world.
While OpenID’s spec is still a bit rough around the edges (the loop for verifying which authentication servers are authorized, live and not spoofed is not closed), it does seem to provide the right thinking in the right direction.

The benefits of owning your own identity

Owning your own identity has a number of interesting effects.

The first and foremost is that it is yours and you can store it wherever YOU think is safe and good for you. This can be a server you own/rent. This can be a general repository, but one that you want to use and not one being forced down your throat (the centralized authorities that are usually controlled by large software corporations).

The second effect is that your identity is persistent. Since you control where it is stored and how it looks (according to the OpenID specs, of course) it is persistent across services (providing they support OpenID) and across identity providers (remember, you choose where to store your identity).

Hoping for a better authentication future

I would really like to see (perhaps I can even contribute) OpenID’s spec closing the loop on authenticating OpenID servers (or at least preparing a procedure for that) and starting to get adopted more rapidly across sites cause I’m really tired of having multiple identities just because various sites don’t talk to each other.

Even if the big players – Windows Live ID, Liberty Alliance Project and Google Account Authentication would support the OpenID specification, the world of authentication would get a step closer to actually becoming useful.

Some more interesting speculation about Google’s future plans

I’ve just stumbled upon this, which seems to contain some very interesting speculations as to Google’s future plans.

They all strengthen my point in my previous post that Gmail IDs are a Passport-like system for authentication and they will be used throughout current and future services. They are already being used in most of Google’s personalization sites.

Another thing the link I started with talks about is the fact that Google Talk is also more about managing your contacts, and you can see that the integration of Gmail and its Contacts into Google Talk also adds to the fact that it is heading to a more centralized authentication system.

I will not be surprised if they will join Project Liberty, or even worse, start their own initiative.

I don’t mind having a single authentication system but I don’t want it centralized in one place. I would rather have it decentralized like the DNS system or like Jabber and the XMPP specs are. Heck, even the fact that Linux is not controlled by a single vendor is one of the things that make it very compelling to a lot of organizations and people. The fact that you can switch between two distributions is very important to businesses, as is the fact that it generates positive competitive conditions that are all good for the customer.

Don’t forget that one of the few things that killed Microsoft’s Passport true vision and Microsoft’s Hailstorm project was the fact that no one wants to have all of its information stored in one vendor’s system and if Google are indeed going in that direction they will stumble upon the same issues that killed Microsoft’s projects.