Notices tagged with oauth
-
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Wednesday, 05-May-2021 01:59:15 UTC ![Nobody [LinuxWalt (@lnxw48a1)]](https://nu.federati.net/avatar/2-48-20170112021558.png)
Nobody [LinuxWalt (@lnxw48a1)]
I see an update for #AndStatus. Yuri, have you been keeping track of the changes in #GNUsocial ? Are you ready to support the new API (and updated #OAuth) on upgraded instances? -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Friday, 23-Oct-2020 17:39:52 UTC
Nobody [LinuxWalt (@lnxw48a1)]
@mangeurdenuage Something else to share with @x@neckbeard.xyz ...
It is possible that #Discord uses #OAuth. In that case, there should be something in account settings that lists the clients the person has authorized. De-authorizing clients could stop the problem if a client is automatically waking up and logging in (or if it is controlled by a malicious actor that is surreptitiously logging in to collect data). Naturally, this assumes that there are Discord clients and that the person has used at least one. Not being a user of their chat, I cannot tell you whether they even allow clients besides a browser.
In any case, the person should change their password using a password manager to generate and store the new randomish password. It should be as long as the service allows (and never fewer than 16 characters). -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Sunday, 04-Oct-2020 06:04:30 UTC
Nobody [LinuxWalt (@lnxw48a1)]
@mangeurdenuage It was more than one person that left the #OAuth 2.0 project, claiming the design was too complex to be reliably secure. Implementing it was notoriously difficult to get right. But now, we rely on premade libraries that we assume to be "secure enough". -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Tuesday, 14-Apr-2020 15:44:54 UTC
Nobody [LinuxWalt (@lnxw48a1)]
#Mustard is old and unmaintained, but it works with GS #OAuth and I have it on my phone. For a few years now, posting has not worked (error message said “unauthorized”), so I’ve used #AndStatus to post (despite its own issues). I don’t know if the server migration or the version bump fixed things, but I’m glad that I can now use Mustard for posting again. -
N-5-O-body (n5admin@n5.federati.net)'s status on Thursday, 09-Jan-2020 18:12:00 UTC 
N-5-O-body
@clacke It's been a few years since I looked, but #OAuth 2.0 was known to be insecure almost from the time it was finalized, and known to be too difficult for most implementers to get correct before then.
If 2.1 simplifies the protocol and makes it more secure, that's a big plus. -
André E. Veltstra (aeveltstra@mastodon.social)'s status on Tuesday, 29-Jan-2019 22:52:56 UTC 
André E. Veltstra
2 Years ago when I first had to implement #OAuth into a #java-based #APIClient, I knew little about OAuth. So I searched for and found a library. It is named #ScribeJava.
And I learned that the #APIServer with which I communicated had implemented OAuth wrong, causing me to override half of what ScribeJava could do out of the box. Grrr.
The other week I implemented the simple client-necessary request for an #OAuth2 #BearerToken, specific to a different APIServer. Half an hour: it works! -
Strypey (strypey@mastodon.nzoss.nz)'s status on Friday, 16-Nov-2018 03:28:47 UTC 
Strypey
@js ah, ok. Thanks for the clarification. I wonder if Drew if planning to use #OAuth is sr.ht though? He seems to be opposed to using any of the protocols used in #ActivityPub for federating code forges, even though he seems to have no alternative to OAuth, #WebFinger for @mentions etc. My take is that sr.ht and #ForgeFed are addressing different aspects of the problem, and I've been trying to convince them to join forces. It's an uphill struggle so far ;)
-
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Tuesday, 04-Sep-2018 20:08:37 UTC
Nobody [LinuxWalt (@lnxw48a1)]
@wakest Apps should see/store nothing related to your password. #OAuth replaces storing username/password with long, random, opaque codes that grant that one app limited access. -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Saturday, 11-Aug-2018 09:58:39 UTC
Nobody [LinuxWalt (@lnxw48a1)]
@notclacke @dwmatiz There's an #OAuth bug in #GNU_Social (introduced in the last 2-3 years) that make #Mustard "unauthorized" to post. Since #AndStatus only connects by username password, it isn't affected. That's the primary reason I use AS. I should conect Mustard by username / password and use it as my main client again. Faster, more responsive, shows posts that AS never does. -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Sunday, 29-Jul-2018 12:26:19 UTC
Nobody [LinuxWalt (@lnxw48a1)]
I remember when a site called "Write To My Blog" provided a better rich-text editor for creating blog posts. The bad thing is that it was before #OpenID and #OAuth got popular, so you had to enter your full login credentials to post. That site (writetomyblog\.com) is gone. The current occupant of that domain is probably not what you'd expect. -
Ed Summers (edsu@social.coop)'s status on Sunday, 08-Jul-2018 13:30:05 UTC 
Ed Summers
Bookmark: [toread] OAuth for the Open Web • Aaron Parecki https://aaronparecki.com/2018/07/07/7/oauth-for-the-open-web #oauth #identity #protocol #web
-
☠️ Grumpy Oldman (grmpyoldman@quitter.se)'s status on Thursday, 12-Apr-2018 12:08:40 UTC 
☠️ Grumpy Oldman
Nachdem sich ja alle über das deutsche Projekt #Verimi mit #OAuth aufregen… nehmt doch #WebAuthN aus den USA https://is.gd/ikEMZb -
jjg (jjg@social.coop)'s status on Monday, 22-Jan-2018 15:49:01 UTC 
jjg
Working on a more thought-out post on this but I thought I'd get some feedback before diving too deep.
How about an Identity #coop ? A simple but solid #oauth identity provider that also advocates for it's inclusion as an idp to the services used by its members.
Convenience of single sign-on with the smallest possible security risk surface area and, being a co-op, members (users) decide what data is collected, shared, etc.
I have more but I'll stop here for now :)
-
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Tuesday, 25-Jul-2017 20:12:40 UTC
Nobody [LinuxWalt (@lnxw48a1)]
@stitchxd @hikerus Theoretically (since that isn't the way you implemented it) XMPP could use #OpenID or #OAuth to log in using account info from GS. I'm not even sure any #XMPP servers implement this yet, but it would help with similar integrations. -
Nicole (funbreaker@mstdn.io)'s status on Monday, 03-Jul-2017 15:56:42 UTC 
Nicole
why are you being like this, #thunderbird ? You were okay with #OAuth yesterday
-
Danyl Strype (strypey@quitter.se)'s status on Tuesday, 06-Jun-2017 11:23:36 UTC 
Danyl Strype
@bob the ideal solution would be some kind of federated identity system, like #OpenID or #OAuth but fully independent and more secure? -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Wednesday, 17-May-2017 02:03:24 UTC
Nobody [LinuxWalt (@lnxw48a1)]
#Thunderbird upgraded to latest, which promptly forgot my password. Why aren't we using #OAuth for setting up clients anyway? -
Danyl Strype (strypey@quitter.se)'s status on Monday, 01-May-2017 04:32:12 UTC
Danyl Strype
@deadsuperhero @cwebber Each app could have a plug-in for #OpenID, one for #BrowserID, one for #OAuth, one for #Zot, one for #AP -
Nobody [LinuxWalt (@lnxw48a1)] (lnxw48a1@nu.federati.net)'s status on Monday, 01-May-2017 01:19:41 UTC
Nobody [LinuxWalt (@lnxw48a1)]
@strypey If you can choose your own decentralized #OAuth provider, that might not be a bad thing. -
MMN-o ✅⃠ (mmn@social.umeahackerspace.se)'s status on Tuesday, 18-Apr-2017 20:55:51 UTC 
MMN-o ✅⃠
@HerraBRE #Mastodon works with !GNUsocial as it is pretty well. There were some issues that @gargron raised with me, some of which I believe I fixed and some that I couldn't really figure out (some profile avatar update thing for example?)
Regarding RFC7033 (#WebFinger) it - since standardisation - only _requires_ a JRD (application/jrd+json). application/xrd+xml is just a bonus from !GNUsocial (voluntary according to spec).
The host-meta XRD is XML that because it was standardised before people who reinvent everything (JSON fanpeeps) started developing standards: https://tools.ietf.org/html/rfc6415
But since JRD and XRD are easily translatable between each other it doesn't really matter. And while #Mastodon doesn't use it, the /.well-known/host-meta endpoint is good for discovery unrelated to profiles, such as #OAuth endpoints etc. (so clients can auto-configure them).
All Federati Nu: Federated N-series GNU Social content and data are available under the