Sunday, November 8, 2009

Google's OAuth doesn't seem to support wave as a scope yet?

After releasing Unofficial Google Wave Notifier, many people have claimed it may steal Google passwords.
They are right. You should not trust me or the app. I knew about the issue from the beginning. I'm sorry, but I neglected the security concern as I hastened to release the app.
(A poor excuse to prove my innocence: I have opened the source. Suspicious users should review the source and build a binary from the reviewed source.)

The current version (0.4) of the app uses ClientLogin for Installed Applications for authentication. In that process, the app handles passwords directly.

By contrast with ClientLogin, apps that use OAuth for Installed Applications handle OAuth tokens instead of precious passwords.

It is obvious that I should choose OAuth. However, I can't get it to work so far. At the OAuth Playground, I tried to get an oauth_token. The parameters I specified are:
scope: https://wave.google.com/wave/
oauth_signature_method: HMAC-SHA1
oauth_consumer_key: anonymous
consumer secret: anonymous
And the response is:
Invalid scope: https://wave.google.com/wave/


By choosing another scope, I can get an oauth_token.... Did I miss something? Or does Google not support wave as an OAuth scope (yet)?
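
The request-token call described above, as an added example (not the notifier's code): it shows how an OAuth 1.0 request carrying the post's scope is signed with HMAC-SHA1 using the consumer key and secret `anonymous`, with no user password involved. The endpoint URL, timestamp and nonce are assumptions or constructed values that do not appear in the post.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Assumption: Google's OAuth 1.0 request-token endpoint of that era (not named in the post).
REQUEST_TOKEN_URL = "https://www.google.com/accounts/OAuthGetRequestToken"


def pct(value):
    """OAuth 1.0 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded, sorted 'key=value' pairs."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Key is 'consumer_secret&token_secret'; the token secret is empty on the first leg."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request_token_params(scope, consumer_key, consumer_secret, timestamp, nonce):
    """Return the signed parameter set and the base string it was signed over."""
    params = {
        "scope": scope,  # Google-specific parameter, signed like any other
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": timestamp,
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string("GET", REQUEST_TOKEN_URL, params)
    params["oauth_signature"] = sign_hmac_sha1(base, consumer_secret)
    return params, base


if __name__ == "__main__":
    # Constructed timestamp and nonce; scope and consumer values are the ones from the post.
    signed, base = build_request_token_params(
        "https://wave.google.com/wave/", "anonymous", "anonymous", "1257638400", "c0ffee1234")
    print(base)
    print(signed["oauth_signature"])
```

The scope is part of the signed base string, so the server's "Invalid scope" reply is a rejection of the scope value itself, not a signing failure.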

3 comments:

Micah Young said...
This comment has been removed by the author.
infowish said...

I'm looking for this too!

I've made a google wave notifier for facebook and I have to save people's email and password, which is ugly.

No one should trust my application either, so I guess no one will use it until I can use oauth too.

hiroshi said...

Hi infowish,
So I pray to Google for giving us an oauth token for wave...