Can I use the request token given by the OAuth provider and use it forever? I am looking to build a service which interacts with the Delicious API and looks for updated bookmarks every fortnight. I was just wondering if I could use the same request token instead of asking the user to authenticate again and again. If I cannot, which is what I guess the answer will be, what would be a best practice for such an action?

My last option would be to expect users to give up their Delicious username and password to me, in which case my job becomes extremely easy.

A: 

This is implementation-specific - you'll have to see what the Delicious docs say about the token. It may expire, have limited uses, or have side effects when used.

Most OAuth implementations will probably expire their tokens at some point to reduce the number of valid tokens they have to keep track of.

In general, user-agent help should make this less of an issue for SSO authentication systems - when the user shows up without a valid token, the browser is redirected to the authenticator, which looks at stored credentials on the browser (usually cookies) and redirects the user back with a new token, without any user interaction. This can be more complex for OAuth than for OpenID, since it might not be appropriate to issue a new token if it does more than authenticate. And since the authentication/authorization process is implementation specific, you need to be able to enter new credentials unless you know that the token will be valid.

Karl Anderson
True, I agree with the logic that OAuth tokens should expire after a certain time. But since OAuth was thought of as a secure mechanism to access data from a third party, there should be some modifications to make it more sensible. Given that there are a lot of third party integration/aggregation/value added services, there must be a mechanism to get a permanent handle to a person's account (of course this could be validated on a particular domain - like an application id - verified by publishing a file on your server).
Ritesh M Nayak
... That way, the user can always control who uses his/her data, and can block it at an individual level or at a domain level. Asking the user to enter credentials every time the OAuth token expires is really painful in terms of user experience.
Ritesh M Nayak
The point is that this is outside the scope of OAuth. If you want this, you need to work with an OAuth system that provides it. OAuth doesn't prevent permanent tokens from being issued, it just doesn't require it. OAuth and OpenID can be used to do exactly what you want when a user-agent is involved. For example, I've only had to enter credentials for StackOverflow once, even though the token has probably expired since I first logged in.
Karl Anderson
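The pattern the answer above describes, as an added example that is not part of the original thread and does not use the Delicious API: a constructed OAuth 1.0a-style provider in which the request token is exchanged exactly once for an access token (which is the token a service actually keeps), access tokens expire, and a fortnightly polling job stores only the access token and flags that the user must re-authorize through the browser flow when the provider rejects it, instead of falling back to stored passwords. `FakeOAuthProvider`, `BookmarkPoller` and the sample bookmark URL are all constructed here.

```python
import secrets

class FakeOAuthProvider:
    """Constructed OAuth 1.0a-style provider (not the Delicious API): request
    tokens are single-use, access tokens expire after `ttl` seconds."""
    def __init__(self, ttl):
        self.ttl = ttl
        self.request_tokens = set()
        self.access_tokens = {}  # access token -> expiry time (seconds)
    def issue_request_token(self):
        tok = secrets.token_hex(8)
        self.request_tokens.add(tok)
        return tok

    def exchange(self, request_token, now):
        # The request token is consumed here; exchanging it again fails.
        if request_token not in self.request_tokens:
            raise PermissionError("request token invalid or already used")
        self.request_tokens.discard(request_token)
        tok = secrets.token_hex(8)
        self.access_tokens[tok] = now + self.ttl
        return tok

    def fetch_bookmarks(self, access_token, now):
        expiry = self.access_tokens.get(access_token)
        if expiry is None or now > expiry:
            raise PermissionError("access token expired or revoked")
        return ["https://example.invalid/bookmark"]  # constructed sample

class BookmarkPoller:
    """Stores only the access token, never the user's password; a rejected
    token means the user must re-authorize, not that we retry with credentials."""
    def __init__(self, provider):
        self.provider = provider
        self.access_token = None

    def authorize(self, now):
        # Real flow: the user approves the request token in the browser between
        # these two calls; the simulated provider skips that step.
        req = self.provider.issue_request_token()
        self.access_token = self.provider.exchange(req, now)
        return req

    def poll(self, now):
        if self.access_token is None:
            return ("reauthorize", [])
        try:
            return ("ok", self.provider.fetch_bookmarks(self.access_token, now))
        except PermissionError:
            self.access_token = None  # drop it; next poll asks for re-authorization
            return ("reauthorize", [])
```

Run with `now` as seconds: with a 30-day token lifetime, the first fortnightly poll succeeds and the one after expiry comes back as `("reauthorize", [])`, which is the signal to send the user through the authorization flow again.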
A: 

Probably not answering your question directly, but Twitter OAuth allows you to have a permanent request token.

James Lin