Setting Authorization Header of HttpClient

I have a HttpClient that I am using to use a REST API. However I am having trouble setting up the Authorization header. I need to set the header to the token I received from doing my OAuth request. I saw some code for .NET that suggests the following,

httpClient.DefaultRequestHeaders.Authorization = new Credential(OAuth.token);

However the Credential class does that not exist in WinRT. Anyone have any ideas how to set the Authorization header?

Do Facebook Oauth 2.0 Access Tokens Expire?

I am playing around with the Oauth 2.0 authorization in Facebook and was wondering if the access tokens Facebook passes out ever expire. If so, is there a way to request a long-life access token?

What's the difference between OpenID and OAuth?

I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?

How is OAuth 2 different from OAuth 1?

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1?

Is OAuth 1 obsolete now? Should be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2 is ready to use. Is it?

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token:

http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.2

Why have both? Why not just make the access_token last as long as the refresh_token and not have a refresh_token?

Creating an API for mobile applications - Authentication and Authorization

Overview

I'm looking to create a (REST) API for my application. The initial/primary purpose will be for consumption by mobile apps (iPhone, Android, Symbian, etc). I've been looking into different mechanisms for authentication and authorization for web-based APIs (by studying other implementations). I've got my head wrapped around most of the fundamental concepts but am still looking for guidance in a few areas. The last thing I want to do is reinvent the wheel, but I'm not finding any standard solutions that fits my criteria (however my criteria my be misguided so feel free to critique that as well). Additionally, I want the API to be the same for all platforms/applications consuming it.

oAuth

I'll go ahead and throw out my objection to oAuth since I know that will likely be the first solution offered. For mobile applications (or more specifically non-web applications), it just seems wrong to leave the application (to go to a web-browser) for the authentication. Additionally, there is no way (I am aware of) for the browser to return the callback to the application (especially cross-platform). I know a couple of apps that do that, but it just feels wrong and gives a break in the application UX.

Requirements

1. User enters username/password into application.
2. Every API call is identified by the calling application.
3. Overhead is kept to a minimum and the auth aspect is intuitive for developers.
4. The mechanism is secure for both the end user (their login credentials are not exposed) as well as the developer (their application credentials are not exposed).
5. If possible, not require https (by no means a hard requirement).

My Current Thoughts on Implementation

An external developer will request an API account. They will receive an apikey and apisecret. Every request will require at minimum three parameters.

• apikey - given to developer at regisration
• timestamp - doubles as a unique identifier for each message for a given apikey
• hash - a hash of the timestamp + the apisecret

The apikey is required to identify the application issuing the request. The timestamp acts similarly to the oauth_nonce and avoids/mitigates replay attacks. The hash ensures that request was actually issued from the owner of the given apikey.

For authenticated requests (ones done on the behalf of a user), I'm still undecided between going with an access_token route or a username and password hash combo. Either way, at some point a username/password combo will be required. So when it does, a hash of several pieces of information (apikey, apisecret, timestamp) + the password would be used. I'd love feedback on this aspect. FYI, they would have to hash the password first, since I don't store the passwords in my system without hashing.

Conclusion

FYI, this isn't a request for how to build/structure the API in general only how to handle the authentication and authorization from solely within an application.

Random Thoughts/Bonus Questions

For APIs that only require an apikey as part of the request, how do you prevent someone other than the apikey owner from being able to see the apikey (since sent in the clear) and make excessive requests to push them over usage limits? Maybe I'm just over thinking this, but shouldn't there be something to authenticate that a request was verified to the apikey owner? In my case, that was the purpose of the apisecret, it is never shown/transmitted without being hashed.

Speaking of hashes, what about md5 vs hmac-sha1? Does it really matter when all of the values are hashed with with sufficiently long data (ie. apisecret)?

I had been previously considering adding a per user/row salt to my users password hash. If I were to do that, how could the application be able to create a matching hash without knowing the salt used?

Security of REST authentication schemes

Background:

I'm designing the authentication scheme for a REST web service. This doesn't "really" need to be secure (it's more of a personal project) but I want to make it as secure as possible as an exercise/learning experience. I don't want to use SSL since I don't want the hassle and, mostly, the expense of setting it up.

These SO questions were especially useful to get me started:

• RESTful Authentication
• Best Practices for securing a REST API / web service
• Examples of the best SOAP/REST/RPC web APIs? And why do you like them? And what’s wrong with them?

I'm thinking of using a simplified version of Amazon S3's authentication (I like OAuth but it seems too complicated for my needs). I'm adding a randomly generated nonce, supplied by the server, to the request, to prevent replay attacks.

To get to the question:

Both S3 and OAuth rely on signing the request URL along with a few selected headers. Neither of them sign the request body for POST or PUT requests. Isn't this vulnerable to a man-in-the-middle attack, which keeps the url and headers and replaces the request body with any data the attacker wants?

It seems like I can guard against this by including a hash of the request body in the string that gets signed. Is this secure?

How to secure an ASP.NET Web API

I want to build a RESTful web service using ASP.NET Web API that third-party developers will use to access my application's data.

I've read quite a lot about OAuth and it seems to be the standard, but finding a good sample with documentation explaining how it works (and that actually does work!) seems to be incredibly difficult (especially for a newbie to OAuth).

Is there a sample that actually builds and works and shows how to implement this?

I've downloaded numerous samples:

• DotNetOAuth - documentation is hopeless from a newbie perspective
• Thinktecture - can't get it to build

I've also looked at blogs suggesting a simple token-based scheme (like this) - this seems like re-inventing the wheel but it does have the advantage of being conceptually fairly simple.

It seems there are many questions like this on SO but no good answers.

What is everybody doing in this space?

Twitter oAuth callbackUrl - localhost development

Is anyone else having a difficult time getting Twitters oAuth's callback URL to hit their localhost development environment. Apparently it has been disabled recently. http://code.google.com/p/twitter-api/issues/detail?id=534#c1

Does anyone have a workaround. I don't really want to stop my development

OAuth v2 communication between authentication and resource server

I'm having some troubles understanding how OAUTH-v2 works.

The OAuth version 2 spec reads:

1. Accessing Protected Resources

   The client accesses protected resources by presenting the access
   token to the resource server. The resource server MUST validate the
   access token and ensure it has not expired and that its scope covers
   the requested resource. The methods used by the resource server to
   validate the access token (as well as any error responses) are beyond the scope of this specification, but generally involve an interaction or coordination between the resource server and the authorization
   server.

How does this interaction between resource server and authorization server work in practice?

• How does the resource server determine that an access token it received is valid?
• How does the resource server extract the allowed scope from the token to see if access should be granted to a particular resource? Is the Scope encoded in the access token, or does the resource server first have to contact the authorization server?
• How is trust between the resource server and the authorization server established?

Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.

Can someone give examples for token attributes?

Make Android WebView not store cookies or passwords

I use an Android WebView for Twitter OAuth: Twitter asks the user to log in and authorize the application, I retrieve the access token and persist it in my application.

I have no need (and do not) store the user password, but the WebView keeps Twitter's cookies around, and it also asks the user if he wants it to remember the password. As a result of this, even after the de-authorizes the application via his Twitter account page, and my application destroys the access tokens, the next time the WebView is opened, it is probably still logged in, and even if not, it has the password box already filled.

How can I force WebView to not ask to remember passwords, and to not persist session cookies? If that is not possible, can I delete all its stored state (except maybe the image cache)?

Facebook Oauth Logout

I have an application that integrates with Facebook using Oauth 2.

I can authorize with FB and query their REST and Graph APIs perfectly well, but when I authorize an active browser session is created with FB. I can then log-out of my application just fine, but the session with FB persists, so if anyone else uses the browser they will see the previous users FB account (unless the previous user manually logs out of FB also).

The steps I take to authorize are:

1. Call [LINK: graph.facebook.com/oauth/authorize?client_id...]

This step opens a Facebook login/connect window if the user's browser doesn't already have an active FB session. Once they log-in to facebook they redirect to my site with a code I can exchange for an oauth token.

1. Call [LINK: graph.facebook.com/oauth/access_token?client_id..] with the code from (1)

Now I have an Oauth Token, and the user's browser is logged into my site, and into FB.

1. I call a bunch of APIs to do stuff: i.e. [LINK: graph.facebook.com/me?access_token=..]

Lets say my user wants to log out of my site. The FB terms and conditions demand that I perform Single Sign Off, so when the user logs out of my site, they also are logged out of Facebook. There are arguments that this is a bit daft, but I'm happy to comply if there is any way of actually achieving that.

I have seen suggestions that:

A. I use the Javascript API to logout: FB.Connect.logout(). Well I tried using that, but it didn't work, and I'm not sure exactly how it could, as I don't use the Javascript API in any way on my site. The session isn't maintained or created by the Javascript API so I'm not sure how it's supposed to expire it either.

B. Use [LINK: facebook.com/logout.php]. This was suggested by an admin in the Facebook forums some time ago. The example given related to the old way of getting FB sessions (non-oauth) so I don't think I can apply it in my case.

C. Use the old REST api expireSession or revokeAuthorization. I tried both of these and while they do expire the Oauth token they don't invalidate the session that the browser is currently using so it has no effect, the user is not logged out of Facebook.

I'm really at a bit of a loose end, the Facebook documentation is patchy, ambiguous and pretty poor. The support on the forums is non-existant, at the moment I can't even log in to the facebook forum, and aside from that, their own FB Connect integration doesn't even work on the forum itself. Doesn't inspire much confidence.

Ta for any help you can offer. Derek

ps. Had to change HTTPS to LINK, not enough karma to post links which is probably fair enough.

How to keep the OAuth consumer secret safe, and how to react when it's compromised?

This question is about trying to understand the security risks involved in implementing oauth on a mobile platform like Android. Assumption here is that we have an Android application that has the consumer key/secret embedded in the code.

Assuming a consumer secret has been compromised, and a hacker has gotten a hold of it, what are the consequences of this ?

Compromised Consumer Secret assumptions
Am I correct in stating that a compromised consumer secret as such has no effect on the user's security, or any data stored at the OAuth enabled provider that the user was interacting with. The data itself is not compromised and cannot be retrieved by the hacker.

The hacker would need to get a hold of a valid user access token, and that's a lot harder to get.

What could a hacker do with a compromised consumer secret ?
Am I also correct in stating the following :

• The hacker can setup/publish an application that imitates my app.
• The hacker can attract users that will go through the OAuth flow, retrieving an access token via the hackers OAuth dance (using the compromised consumer key/secret).
• The user might think he's dealing with my app, as he will see a familiar name (consumer key) during the authorization process.
• When a consumer issues a request via the hacker, the hacker can easily intercept the access token, and combined with the consumer secret can now sign requests on my behalf to gain access to my resources.

End-user impact
In the assumption that

• a hacker has setup an application / site using my consumer secret
• one of my users was tricked into authorizing access to that application / site

The following might happen :

• the end-user may being noticing that something fishy is going on, and inform the service provider (ex: Google) about the malicious app
• the service provider can then revoke the consumer key/secret

OAuth consumer (my application) impact :
My app (containing the consumer secret) would need to be updated, as otherwise all my clients would not be able to authorize my application do to requests on their behalf anymore (as my consumer secret would no longer be valid).

Delegating all OAuth traffic
Although it would be possible to delegate a lot of the OAuth interactions via an intermediate webserver (doing the OAuth dance and sending the access token to the user), one would have to proxy all service interactions also, as the consumer key/secret is required for signing each request. Is this the only way to keep the consumer key/secret outside of the mobile app, and stored in a more secure place on the intermediate webserver ?

Alternatives
Are there alternatives for this proxy-ing ? Is it possible to store the consumer secret at the intermediate webserver, and have some kind of mechanism that the Android application (published in the market and properly signed), can do a secure request to the intermediate webserver to fetch the consumer secret and store it internally in the app ? Can a mechanism be implemented that the intermediate webserver "knows" that this is an official android app that is requesting to fetch the consumer secret, and that the intermediate webserver will only handout the consumer secret to that particular android app ?

google oauth2 redirect_uri with several parameters

How to add a parameters to the google oauth2 redirect_uri?

Just like this redirect_uri=http://www.example.com/redirect.html?a=b.

The b of a=b is random.

Anyone can help ?

Facebook Access Token for Pages

I have a Facebook Page that I want to get some things from it. First thing are feeds and from what I read they are public (no need for access_token). But I want to also get the events... and they aren't public and need the access_token.

I don't want the user to login in Facebook or anything like that. I just want to push all the data I can from this only page. That's why I already discarded many examples I found here and the one at https://developers.facebook.com/blog/post/500/ , because they want the user to login or require some user action I'm not interessed.

What I want is that my Facebook Application have full authorization and access_token to push the data from this one Facebook Page that I own (admin). Is this possible? I already tried many things but nothing seems to work.

I tried clicking at this: https://www.facebook.com/dialog/oauth?client_id=150635421702954&redirect_uri=http://MY_URL/&scope=manage_pages&response_type=token&fields=access_token - changing MY_URL to my site's and it requests authorization to edit every page I own. Even not being what I want I clicked but had no access_token in return...

Could someone please help me?

Greatly appreciated, thank you :)