In the last days I had a closer look at the oauth rails plugin which requires some methods from the restful_authentification module. As the obs frontend doesn’t use this module we need to provide our own implementations of these methods. Fortunately it only uses a handful of methods (like authorized?, login_required, logged_in?, current_user etc.) so it shouldn’t be too hard to get it working without the restful_authentication module.
Another thing on my todo list was to look for possible workarounds for the session fixation attack. According to this thread it’ll be fixed in a new revision of the oauth spec. So after the user grants access to a specific application the oauth provider redirects the user to a callback url (if it’s specified by the consumer). Additionally it adds a parameter to this url (called oauth_verifier) which has an unpredictable value – so an attacker has no chance to “take over the session” (this is just a short summary – for more details have a look at the spec).
Last but not least I finished the test application and played around with it.
- start integrating oauth into the frontend
- play around with the python library
Btw. my mentor pointed me to an interesting railscast about authlogic – it gives a great overview about this module.
Both comments and pings are currently closed.