jbrave
Channel Surfer
11-08-2010
12:58 AM
Oauth 2.0
Has anyone implemented Oauth 2.0 in a Roku app? Or 1.0a?
- Joel
Screenshades: The first Screensaver for Roku2!
Musiclouds: The best free internet music, on your Roku!
Ouroborialis: Psychedelic Screensaver for Roku!
8 REPLIES
hoffmcs
Visitor
11-08-2010
03:34 AM
Re: Oauth 2.0
1.0a exists in the twitter example from the SDK. Also, I have it implemented in the Picasa and SmugMug channels. Picasa is based on the twitter example while SmugMug was done by me before that was out. http://bitbucket.org/chrishoffman/
jbrave
Channel Surfer
11-08-2010
01:07 PM
Re: Oauth 2.0
Hi, thanks for responding. In the Twitter app in the SDK it says 1.0, not 1.0a:
Function InitOauth(appname As String, consumerkey As String, sharedsecret As String, version="1.0" As String) As Object
I also have a question about the authorization screen in the Twitter app - it essentially requests the user to type in a ridiculously long string on their browser and suggests that the developer use a URL shortening service to handle this, but I don't think I've encountered anything like that with Pandora or other services when I linked them to my Roku. Is there some simpler way around this? Does the user _have_ to go to a web browser to link, or is there some way to link an account to an oauth based service directly from the Roku screen?
- Joel
hoffmcs
Visitor
11-08-2010
01:20 PM
Re: Oauth 2.0
1.0a is only relevant for three-legged oauth, which most things here are not, due to a security issue identified in the first version. There is no real difference between the two that you need to worry about.
I got around the long string issue (as have Pandora, Netflix, etc) by developing a simple linking page. Mine is built on Google App Engine and it handled all the long strings and simplified the workflow to a standard web app. What is nice is you get very generous free limits on GAE (which I have not gotten even close to). All the code for this is also available at http://bitbucket.org/chrishoffman/appengine-rokulink. This also uses the recommended rendezvous linking method of the Roku.
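A generic sketch of the rendezvous-style linking described in the post above, added here as an example (it is not the appengine-rokulink code and not a Roku API): the device shows a short code, the user completes OAuth in a browser, and the device polls for the resulting token. The class name, code length, alphabet and lifetime are assumptions.

```python
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes
CODE_LEN = 6
CODE_TTL = 300  # seconds a code stays valid (assumed value)


class LinkService:
    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # code -> {"device", "expires", "token"}

    def start(self, device_id):
        """Device asks for a short code to display on the TV."""
        while True:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            if code not in self._pending:
                break
        self._pending[code] = {"device": device_id,
                               "expires": self._now() + CODE_TTL,
                               "token": None}
        return code

    def _live(self, code):
        entry = self._pending.get(code)
        if entry and entry["expires"] < self._now():
            del self._pending[code]  # expired codes are dropped on touch
            return None
        return entry

    def complete(self, code, access_token):
        """Linking page calls this after the browser-side OAuth flow."""
        entry = self._live(code.strip().upper())
        if entry is None or entry["token"] is not None:
            return False
        entry["token"] = access_token
        return True

    def poll(self, device_id, code):
        """Device polls; the token is released once, to the starting device."""
        entry = self._live(code)
        if entry is None or entry["device"] != device_id or entry["token"] is None:
            return None
        del self._pending[code]
        return entry["token"]
```

The short code is drawn from a CSPRNG, expires, and is single-use, so the long OAuth strings never have to be typed by the user.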
jbrave
Channel Surfer
11-08-2010
01:51 PM
Re: Oauth 2.0
Chris, do you mind explaining that last post in a bit more detail?
As I understand it, 1.0 has a serious vulnerability, so anyone who uses it can get their account hacked, thus 1.0a. Are you saying that the example uses 1.0a but says 1.0, or are you saying that 1.0 is what the example uses and that we shouldn't worry about the security issue?
Also, is the twitter example not using "three legged auth"?
Thanks for the link to the auth-engine system, I'm actually trying to wrap my head around Google AppEngine myself right now (for another project) so any examples that use it are helpful.
- Joel
hoffmcs
Visitor
11-08-2010
05:17 PM
Re: Oauth 2.0
Forget what I said about the leggedness and how it relates to security. I did all this oauth stuff awhile ago now and did not remember it correctly. I believe the twitter example is 1.0a since it uses the oauth_verifier token. It looks like from the twitter docs, you provide 1.0 for the version no matter what you use. It is more about the flow you use in the 1.0a spec instead of the version you use.
More about the exploit:
http://hueniverse.com/2009/04/explainin ... on-attack/
And twitter's implementation of 1.0a.
http://dev.twitter.com/pages/auth
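The point in the post above, that a 1.0a request still sends oauth_version "1.0" and differs by carrying oauth_verifier, shown as an added example (not from the thread or the Roku SDK): signing the access-token request per RFC 5849 with HMAC-SHA1, plus the provider-side check. The endpoint URL, keys, tokens and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")


def base_string(method, url, params):
    # Assumes url is already normalized and carries no query string.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def access_token_params(consumer_key, request_token, verifier, nonce, timestamp):
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_verifier": verifier,          # the 1.0a addition
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_nonce": nonce,
        "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",              # still "1.0" in the 1.0a flow
    }


def provider_accepts(method, url, params, signature, consumer_secret,
                     token_secret, issued_verifier):
    # The verifier must match the one issued when the user approved this
    # request token; a request without it is refused.
    if not hmac.compare_digest(params.get("oauth_verifier", ""), issued_verifier):
        return False
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)


# Constructed sample values, not real credentials.
URL = "https://provider.example/oauth/access_token"
PARAMS = access_token_params("ck-demo", "rt-demo", "v-482913", "n-1", 1289260000)
SIGNATURE = sign("POST", URL, PARAMS, "cs-demo", "rts-demo")
```

Because the verifier is part of the signed parameters and is checked against the value issued at approval time, a client that holds only the request token cannot complete the exchange.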
jbrave
Channel Surfer
11-09-2010
05:46 PM
Re: Oauth 2.0
Hi Chris,
one last question: where does one get the Consumer Secret and Consumer Key for authenticating with Google Apps? Do they have a reg page the way Twitter does where you register your app and get your key? I can't find one.
- Joel
TheEndless
Channel Surfer
11-09-2010
05:50 PM
Re: Oauth 2.0
Not sure, but this looks like it might be the place: http://code.google.com/apis/accounts/do ... sAuto.html
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
hoffmcs
Visitor
11-09-2010
06:32 PM
Re: Oauth 2.0
Yup, TheEndless is right, that page explains the whole process. You can directly manage your domains at this page https://www.google.com/accounts/ManageDomains.