OAuth C# (very) Basic Library

I know it took me a while (sorry) but I had a couple things on my plate.

At first I wanted to release a more complete integration of OAuth within ASP.NET, but that will have to wait until the next time frame I can allocate to work on this.

In the meantime, there is some basic C# code in the OAuth code repository which generates the OAuth signature, which is the most complicated thing to implement in the spec (not that it’s that difficult to implement :-) It’s actually quite easy).

To use the C# code, simply do this (based on the samples in the spec):

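using OAuth;

OAuthBase oauth = new OAuthBase();

// Request URL from the spec's sample, including its query parameters
Uri url = new Uri("http://photos.example.net/photos?file=vacation.jpg&size=original");

// Arguments in order: URL, consumer key, consumer secret, token, token secret,
// HTTP method, timestamp, nonce, signature type
string signature = oauth.GenerateSignature(url, "dpf43f3p2l4k3l03", "kd94hf93k423kf44", "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00", "GET", oauth.GenerateTimeStamp(), oauth.GenerateNonce(), OAuthBase.SignatureTypes.HMACSHA1);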

After that you can concatenate the relevant query parameters as well as the signature value to the URL and use it.
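To show what goes into the signature and how the signed URL is assembled afterwards, here is an added stand-alone example; it is not the code from the OAuth repository and does not use OAuthBase. The class name OAuthSignatureExample is hypothetical, and the timestamp and nonce are fixed sample values so the run is repeatable.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OAuthSignatureExample // hypothetical name, not part of the OAuth library
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~";

    // OAuth percent-encoding: UTF-8 bytes, everything but unreserved characters as %XX (upper-case hex).
    static string Encode(string s)
    {
        var sb = new StringBuilder();
        foreach (byte b in Encoding.UTF8.GetBytes(s))
            sb.Append(Unreserved.IndexOf((char)b) >= 0 ? ((char)b).ToString() : "%" + b.ToString("X2"));
        return sb.ToString();
    }

    // Encode names and values, sort by name then value (byte order), join as name=value&...
    static string Normalize(IEnumerable<(string Name, string Value)> p) =>
        string.Join("&", p.Select(t => (N: Encode(t.Name), V: Encode(t.Value)))
            .OrderBy(t => t.N, StringComparer.Ordinal).ThenBy(t => t.V, StringComparer.Ordinal)
            .Select(t => t.N + "=" + t.V));

    static void Main()
    {
        // Keys, secrets and URL are the sample values used above; timestamp and nonce are fixed samples.
        string baseUrl = "http://photos.example.net/photos"; // scheme, host and path only
        var parameters = new List<(string Name, string Value)> {
            ("file", "vacation.jpg"), ("size", "original"),
            ("oauth_consumer_key", "dpf43f3p2l4k3l03"), ("oauth_token", "nnch734d00sl2jdk"),
            ("oauth_signature_method", "HMAC-SHA1"), ("oauth_version", "1.0"),
            ("oauth_timestamp", "1191242096"), ("oauth_nonce", "kllo9940pd9333jh"),
        };
        // Signature base string: METHOD & encoded URL & encoded normalized parameters.
        string baseString = "GET&" + Encode(baseUrl) + "&" + Encode(Normalize(parameters));
        // HMAC key: encoded consumer secret and encoded token secret joined by '&'.
        string key = Encode("kd94hf93k423kf44") + "&" + Encode("pfkkdhi9sl3r4s00");
        string signature;
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
        // The signature is base64, so '+', '/' and '=' get percent-encoded when appended to the URL.
        parameters.Add(("oauth_signature", signature));
        string signedUrl = baseUrl + "?" + Normalize(parameters);
        Console.WriteLine(baseString + Environment.NewLine + signedUrl);
    }
}
```

The secrets only ever enter the HMAC key and never appear in the URL, which is why a server that logs request URLs does not learn them.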

If you have a different timestamp and/or nonce generation method, you can inherit and override these methods.

If you require a different hashing algorithm other than the default HMAC-SHA1 or the PLAINTEXT (which MUST be used with a secure communication channel such as HTTPS) you can use the “GenerateSignatureBase” method to generate the signature base string and then call “GenerateSignatureUsingHash” passing the signature base and the hash algorithm you are using.

That’s about it. I’ll update when I have some more integrative code.

OAuth Core 1.0 Final Draft – Implement it while it’s hot

After Chris blogged about it and Eran Hammer-Lahav wrote a Beginner’s Guide to OAuth, I have little to add.

I will add, though, that my C# library, which I’ve been promising for quite some time, will be out very soon :-) (Sorry for the delay, it’s been hectic around here).

OAuth 1.0 Public Draft – Another brick in the wall

Others have written such great explanations of what OAuth is and what it does, like Eran Hammer-Lahav’s post, that I won’t repeat them.

I will say that OAuth should make the Internet a little bit safer by giving the technical means to remove the need of a certain service asking the user to give his/her username and password to access another service that that user is also using.

OAuth is to credentials delegation what OpenID is to authentication. An open standard for delegating a user’s credentials between services, the same way OpenID is an open standard for authentication.

It is important to note, however, that OAuth is not limited to being used with OpenID only. It CAN be used with ANY authentication scheme, both open and proprietary.

After all, some of the main mantras of OAuth were that we don’t want to reinvent the wheel(s) and we want OAuth to play nicely with everyone.

I’m contributing to the working group of OAuth and we just released the first public draft for OAuth 1.0. Take a look, read the spec and share your thoughts and comments with us!

OAuth – another brick in the open standards wall of authentication, credentials delegations and ultimately identity.

OpenID Delegate Plugin for WordPress

Continuing my WordPress plugin frenzy, and after releasing the MicroID WordPress plugin, I’m releasing another plugin, this time for OpenID delegation.

The plugin is named “OpenID Delegate” and you can read all the details and download it from here.

Q: So what’s this OpenID I’ve been hearing about?
A: According to OpenID.net:

OpenID is an open, decentralized, free framework for user-centric digital identity.

OpenID starts with the concept that anyone can identify themselves on the Internet the same way websites do-with a URI (also called a URL or web address). Since URIs are at the very core of Web architecture, they provide a solid foundation for user-centric identity.

What does it mean? Well, basically it means that if you have an OpenID account on an OpenID server and you are accessing an OpenID supported site (see the list of them here) you can use a special URI that your OpenID provider provides you and the password you have chosen to sign-up (and afterwards sign-in) to these sites.
That’s right. You’ll use the same URI and password to sign-in and up for all OpenID supported sites. This is also referred to in the enterprise (and the rest of the world) as Single Sign On or SSO for short.

Q: “So, what’s your OpenID Delegate plugin got to do with it?”
A: It’s quite simple. Assuming you run your own WordPress blog, wouldn’t it be cool to use your blog’s URL and the password provided by your OpenID provider as your URI of choice for signing in and up to OpenID supported sites? Yes it would!

Q: “But you could have just modified your theme and added the necessary meta tags…”

A: Yep, I know I could, but it’s much easier having it as a plugin, allowing me to replace themes without remembering that I’ve added these values to the head tag.

Q: “Where do I get an OpenID account?”

A: Well… you have a couple of ways. First, you might already have an OpenID account if you have an account at either WikiTravel, LiveJournal, DeadJournal, Zooomr, Technorati, etc (see the rest of the list here. Not all of these sites are OpenID providers though).
If you don’t have an account you can open a free one at myOpenID – a free OpenID provider.

The 3rd option you’ve got is to run your own server (not for the faint hearted).

It’s time to own your identity, but if you can’t really own it (i.e. run your own server) at least delegate it and make others think you do!