Skip to main content

Posts

Showing posts from June, 2012

OAuth and Java

Some time ago I was looking for a Java OAuth library in order to help me to develop an OAuth aware server application. The natural place where to look for those information was the OAuth website that lists about 4 different Java libraries. The only one I am familiar with is Scribe . Indeed it is a really light, well documented and universally used library to build OAuth clients. It also contains out of the box integration for many well known websites that use OAuth (e.g. Facebook, Twitter, and many more). Unlikely though Scribe did/does not have any support for OAuth server side (that was my original problem). After a while a colleague of mine point me out an Apache project called Apache Amber and it turned out it was what I needed :) (Still wonder why Apache Amber is not listed in the OAuth website though). So the lesson learned is that if you are looking for a simple way to build your OAuth server do not hesitate to use Apache Amber. Here you can see how easy is to build the...

Facebook Logout, CSRF and OAuth 2

According to http://developers.facebook.com/docs/authentication/ in order to programmatically log the user out of Facebook from an OAuth 2 client (single sign-off) is enough to redirect the user to https://www.facebook.com/logout.php?     next=YOUR_REDIRECT_URL    &access_token=USER_ACCESS_TOKEN This would require a valid access token and a valid redirect url. Alternatively this can be achieved client side by calling FB.logout() . In practice though there is a third (obviously not documented) unofficial way to achieve the same. It is the case indeed that the standard log out form of Facebook suffer from CSRF. Indeed while posting to http://www. facebook .com/ logout .php the related form uses a field,  fb_dtsg , that is supposed to be an anti-CSRF token, however it is not verified properly/at all. Removing this field still resulted in successful logout ! According to Facebook (I have been in touch with them about this) this is not a sec...