6

i have several questions...

  1. Does yahoo and microsoft api support oAuth 2.0?
  2. If yes then what are the main security measures those should be taken care of while shifting from oAuth 1.0 to oAuth 2.0.
  3. Google API supports oAuth 2.0. But they have still marked it as an experimental. Is it good to start shifting even though it is experimental?

  4. I see while registering an application on google (for oAuth 2.0), they ask for callback url. If a single application uses a condition dependent callback url such as -

    if($myVar == NULL) $callbackUrl = 'http://www.mydomain.com/test.php?m=f&params=null' else $callbackUrl = 'http://www.mydomain.com/test.php?m=x&params=1'

How can i implement above when the callback url is already specified? The above conditional mainly handles fallback model of an application or if browser supports java then java based model of an application. Kindly suggest

  1. May i know how many of email providing websites and social networks supports oAuth 2.0?
Vinay Jeurkar
  • 3,054
  • 9
  • 37
  • 56

1 Answers1

9

  1. Yahoo does not support OAuth2 yet, only Oauth 1.
    Microsoft does support OAuth2. http://msdn.microsoft.com/en-us/library/hh243647.aspx

  2. Oauth 2 is simpler since it uses SSL (HTTPS) to provide transport security, so the signatures and token-secrets are not needed. When you switch you will need to re-implement your OAuth flow. I can't think of any specific security measures specifically applicable to upgrading from OAuth1 to OAuth2, but the spec details some security considerations in section 10 (The parts applicable to clients are 10.3, 10.4, 10.5, 10.6, 10.8 and 10.9).

  3. The OAuth2 specification is still not finalized, and may change. You could begin to implement your OAuth2 flow with Google, but bear in mind that it is possible that names or requirements of parameters, endpoints etc. could change and your application will break / you will need to make changes in future. [Experimental Features] could change (or even be removed) at any time. It is probably a bad idea to use experimental (or beta) software in a critical production environment.
    Also, not all Google services support OAuth2 at the moment. eg. If you want to use OAuth for IMAP access to Gmail you will have to use OAuth1 for now.

  4. In the API Console, you can specify multiple callback URLs for your OAuth2 application, one per line. An alternative would be to store your 'm' and 'params' parameters in a browser session / cookie and do the redirect to the correct page once authorization is complete.

Support (some revision of) OAuth2: Facebook, Microsoft/Live, Google (with exceptions described above), Foursquare, GitHub, Gowalla, GeoLoqi, Salesforce.
Support OAuth1 Only: Yahoo, Flickr, Twitter.
Source.

Community
  • 1
  • 1
Crashthatch
  • 1,283
  • 2
  • 13
  • 20
  • (Came via Google)Logged in to add that twitter got 2.0 after this post – Joe Plante Apr 22 '13 at 19:48
  • twitter oauth 2.0 support is limited to only application only authentication. for user authentication still oauth 1.a. since I was looking for twitter 2.0 support few days back, I got curious. for details - refer [here](https://dev.twitter.com/docs/auth/application-only-auth) – Sushil May 17 '13 at 10:18