Roku Developer Program

jbrave
Channel Surfer

Oauth 2.0

Has anyone implemented Oauth 2.0 in a Roku app? Or 1.0a?

- Joel
Screenshades: The first Screensaver for Roku2!
Musiclouds: The best free internet music, on your Roku!
Ouroborialis: Psychedelic Screensaver for Roku!
0 Kudos
hoffmcs
Visitor

Re: Oauth 2.0

1.0a exists in the Twitter example from the SDK. Also, I have it implemented in the Picasa and SmugMug channels. Picasa is based on the Twitter example while SmugMug was done by me before that was out. http://bitbucket.org/chrishoffman/
0 Kudos
jbrave
Channel Surfer

Re: Oauth 2.0

Hi, thanks for responding. In the Twitter app in the SDK it says 1.0, not 1.0a:

Function InitOauth(appname As String, consumerkey As String, sharedsecret As String, version="1.0" As String) As Object

I also have a question about the authorization screen in the Twitter app - it essentially requests the user to type in a ridiculously long string on their browser and suggests that the developer use a URL shortening service to handle this, but I don't think I've encountered anything like that with Pandora or other services when I linked them to my Roku. Is there some simpler way around this? Does the user _have_ to go to a web browser to link, or is there some way to link an account to an oauth based service directly from the Roku screen?

- Joel
0 Kudos
hoffmcs
Visitor

Re: Oauth 2.0

1.0a is only relevant for three-legged oauth, which most things here are not, due to a security issue identified in the first version. There is no real difference between the two that you need to worry about.

I got around the long string issue (as have Pandora, Netflix, etc) by developing a simple linking page. Mine is built on Google App Engine and it handled all the long strings and simplified the workflow to a standard web app. What is nice is you get very generous free limits on GAE (which I have not gotten even close to). All the code for this is also available at http://bitbucket.org/chrishoffman/appengine-rokulink. This also uses the recommended rendezvous linking method of the Roku.
0 Kudos
jbrave
Channel Surfer

Re: Oauth 2.0

Chris, do you mind explaining that last post in a bit more detail?

As I understand it, 1.0 has a serious vulnerability, so anyone who uses it can get their account hacked, thus 1.0a. Are you saying that the example uses 1.0a but says 1.0, or are you saying that 1.0 is what the example uses and that we shouldn't worry about the security issue?

Also, is the Twitter example not using "three legged auth"?

Thanks for the link to the auth-engine system, I'm actually trying to wrap my head around Google AppEngine myself right now (for another project) so any examples that use it are helpful.

- Joel
0 Kudos
hoffmcs
Visitor

Re: Oauth 2.0

Forget what I said about the leggedness and how it relates to security. I did all this oauth stuff a while ago now and did not remember it correctly. I believe the Twitter example is 1.0a since it uses the oauth_verifier token. It looks like, from the Twitter docs, you provide 1.0 for the version no matter what you use. It is more about the flow you use in the 1.0a spec instead of the version you use.

More about the exploit:
http://hueniverse.com/2009/04/explainin ... on-attack/

And Twitter's implementation of 1.0a:
http://dev.twitter.com/pages/auth
0 Kudos
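
The point made in the post above, that 1.0a is a change in the flow (the oauth_verifier) while oauth_version stays "1.0", shown as an added Python example that is not part of the thread or the Roku SDK. It follows RFC 5849 with HMAC-SHA1; the endpoint, keys and secrets are constructed, and the URL is assumed to be already normalized with no query string.

```python
# Added illustration: signing the access-token request of the OAuth 1.0a
# flow as described in RFC 5849 (HMAC-SHA1).
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay literal."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Method, URL and sorted, encoded parameters joined with '&' (section 3.4.1).
    Assumes the URL is already normalized and carries no query string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """HMAC-SHA1 keyed with both secrets (section 3.4.2), base64 encoded."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def access_token_params(consumer_key, request_token, verifier, timestamp, nonce):
    """Parameters for the final leg of the 1.0a flow."""
    if not verifier:
        # 1.0a: the request token is only exchanged together with the
        # verifier that was handed to the user who approved it.
        raise ValueError("oauth_verifier is required in the 1.0a flow")
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": request_token,
        "oauth_verifier": verifier,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",  # stays "1.0" even in the 1.0a flow
    }


# Constructed sample values; the endpoint URL is a placeholder.
URL = "https://api.example.com/oauth/access_token"
PARAMS = access_token_params("ck-sample", "rt-sample", "1234567", "1300000000", "n0nce")
BASE = signature_base_string("POST", URL, PARAMS)
SIGNATURE = sign(BASE, "cs-sample", "rts-sample")
```

Because oauth_verifier is part of the signed base string, a request carrying a different verifier produces a different signature and fails verification at the service.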
jbrave
Channel Surfer

Re: Oauth 2.0

Hi Chris,

One last question: where does one get the Consumer Secret and Consumer Key for authenticating with Google Apps? Do they have a reg page the way Twitter does where you register your app and get your key? I can't find one.

- Joel
0 Kudos
TheEndless
Channel Surfer

Re: Oauth 2.0

Not sure, but this looks like it might be the place: http://code.google.com/apis/accounts/do ... sAuto.html
My Channels: http://roku.permanence.com - Twitter: @TheEndlessDev
Instant Watch Browser (NetflixIWB), Aquarium Screensaver (AQUARIUM), Clever Clocks Screensaver (CLEVERCLOCKS), iTunes Podcasts (ITPC), My Channels (MYCHANNELS)
0 Kudos
hoffmcs
Visitor

Re: Oauth 2.0

Yup, TheEndless is right, that page explains the whole process. You can directly manage your domains at this page https://www.google.com/accounts/ManageDomains.
0 Kudos