Search - "oauth"
The GET /users endpoint will return a page of the first 13 users by default.
To request other pages, add |-separated querystring with the limit and offset, as roman numerals enclosed in double quotation marks. Response status is always equal to 200, plus the total count of the resource, or zero when there's an error.
You can include an array of friends of the user in the result by setting the request header "friends" to the base64-encoded value of the single white pixel png.
Other metadata is not included by default in responses, but can be requested by appending ?meta.json to any endpoint, which will return an xml response.
If you want to update the user's profile picture, you can request an OAuth token per fax machine, followed by a pigeon POST capsule containing a filename and a rolled up Polaroid picture. The status code attached to the return postal dove will be the decimal ASCII code for a happy smiley on success, and a sad smiley if any field fails form validation.
-- Every single external REST API I've ever worked with.
Dear Google OAuth,
You might hate me since I spammed you the whole day with access token requests.
But this is all your fault. Because you never gave me ONE SINGLE SHITTY TOKEN!!
WHAT THE FUCK IS THIS "BAD REQUEST" ERROR MESSAGE?!
You're a rich as shit company with thousands and thousands of employees.
OAuth is one of your essentials because it handles the access to all your services.
So why the hell can't I get some smart error message to debug my shit?
You are like my gf, when she is mad at me and does not tell me why. But even she is a lot easier to debug!
Just found out the backend developer I’m always complaining about. The one who:
- Can’t implement OAuth, and we have to have app users login every 24 hours because we have no way to generate new refresh tokens.
- Who used the phrase “your time zone is not my concern” to avoid building something that would let us inject test data.
- Who’s been debugging a critical bug affecting many users since December.
- Who can’t conduct API tests from external internet (you know, like the way the app will be in the wild) because it takes too much time.
- Who replies to Jira tickets only on a blue moon.
- Who has been 90% of the reason for my blood pressure situation
... is a fucking principal engineer in this company. In pecking order, his opinion should be considered more valuable than mine and everyone on my team.
I’ve just lost the will to live. How are big organizations THIS bad? Seriously, what promotion discussion did he go into?
“So, you are a complete and utter bastard, nobody can stand to speak to you and you’ve yet to deliver anything of worth that actually works, over the course of several years ... ... ... interested in having your pay doubled??”
Me: *Installs travis*
Dev: oh what's travis?
Me: it's a continuous integration tool I wanna setup.
Dev: ... contin.... ?
Me: continuous integration, a tool that performs builds.
Dev: Ah! Is it the new version of that deprecated tool we were using, "client access"?
Me: ... no ... that's an authentication service that generates and stores oauth tokens. This is the continuous integration tool I told you about yesterday (and last week and the week before).
Dev: ... contin....
Me: ... con ........ continuous integration. It listens to branches on GitHub, downloads, builds, tests and then deploys the code.
Dev: ah ok ok, cool.
I would bet my monthly fucking salary he cannot repeat what I said, tell me what OAuth is, or explain what he's working on at the minute.
Jesus, at this rate I'd bet my salary he can't tell me my name.
First rant, please take pity on the noob! 😐
Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫
Since I was in the mood, I tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I thought to myself...
... Bad. Very bad. Turns out not only do I use lots of OAuth-based services, I also wasn't able to authenticate back to Google without my password.
So when you get home today, try simulating what would happen if someone got into your Google or Facebook account.
Makes you consider the amount of control these big companies have over your life 😶
Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: "You know, the current standard for REST API authentication and authorisation"
Client: "What's REST?"
UX brought to you by the glue sniffers of Microsoft's OAuth console for your webapp. "I tried to SAVE, but accidentally nuked my account instead" oops!
Made a simple college project using Node.js, MongoDB, React... Wrote everything from scratch, starting from HTML to CSS and routes, even OAuth. No template was used.. Guess what the teacher said...
She said "I love the second project made using a WordPress template because it looks amazing and beautiful."
One of the reasons why I hate college...
I have been strongly considering writing a small fb app today named something along the lines of "Hack your fb friends - for realz". Then add basic OAuth (you have to log in to pick the friend to hack, duh), retrieve their friends list and then publicly post to their own timeline and the friends they chose, humorously stating they attempted to hack the person's account "for realz". You know, just enough to alert people that the "hacker" is an idiot with bad intentions, but with just enough humour to fall under "satire" so fb doesn't remove it.
If you're bored please feel free to steal and implement my idea, it's hereby open sourced and I will even fund this shit on Kickstarter 😂
If your site asks me to log in and doesn't implement OAuth with Google or at the very least Facebook then go fuck yourself.
I have enough usernames and passwords in my head, I don't want more.
I fucking hate my boss so much
He looks down on me like I’m some idiot who doesn’t know his shit.
The other day he was trying to explain OAuth2.0 to me in the most dumbed down way ever, even after telling him I do already know how OAuth 2.0 works. He just said “oh well just making sure” and continued explaining it to me the exact same way. Felt shitty having something explained to you which you already know in such a way in front of all of your coworkers
Whenever I give my thoughts on something he answers with an argument that’s essentially true but pretty stupid:
B: “We don’t need to bundle our JS files” (see my other rant)
M: “Our load time is around 15 seconds though and it takes forever to update our script tags”
B: “Yes but it’s only 15 seconds once and the tags are already there so it’s fine”
How do you reply to something like that??
On top of that, his code is absolutely awful, always looks hacked together, lacks documentation and I don’t think he has written a unit test in his life.
Facebook's "graph" or APIs in general fucking stink donkey dick.
Their implementation of OAuth is horrible.. 3 different tokens, which can be either short or long lived, for fetching a Facebook page feed (the client's own Facebook page).
To that you add a clientID and a ClientSecret.
Great... after painstakingly reading confusing documentation and scratching your head... you get it to work.
Then they, without notice, make a breaking change or deprecate an endpoint you were using.. Jesus..
And all the support you can get comes from a "community group" which may or may not reply with a generic link to their documentation...
When you're a hardcore web developer, the only 'action' you .get() is when you're writing a login form scraper for your three-legged OAuth flow in Python
Currently working on my first real REST API and I've arrived at the authentication part.
I'm not sure how to do this one, the client will have to log in using username/password but then, what's the most conventional way of authenticating logged-in users through a REST API? (no OAuth (yet))
This should be usable for anything from AJAX requests to calls from the backend to curl requests.
Looking forward to ideas!
I get very annoyed by sites that ask for too many privileges. If I want to comment on some post why would I give write access to all my source code repositories?
The Dev.to app asks me to type my GitHub username and password into the GitHub login page opened in their app. Is there no better way to do OAuth on Android apps?
Skip away if you have zero interest in CurseMeSlowly's personal craps.
These days I am either slacking or working on things I like. Hence the lack of ranting.
So one of those "working-on-things-I-like" activities is my slow and snaily collab project. 😅 Today I am aiming to accomplish like 0.1% of it 😆 by finishing the GitHub login feature. I have done the OAuth part. Just left with designing table structures and storing user data.
I plan to save login credentials into the *users* table and other app-related data into the *profiles* table. That's what we usually do with users and profiles anyway. But I'm still having a little bit of doubt regarding the proper way to store the game statistics like the user's health, the user's experience level etc.
If I am just showing the current statistics in the app, then those 2 tables are enough. But what if we want to see the progress of a user? hmm 🤔
I guess I will just leave it to decide later. 😬
If you don't know about it please check here https://cursemeslowly.github.io/dev... Any form of contribution is warmly welcome 🤗
Hey guys! I need help!
I started to write a blog about the stuff I'm currently investigating: how to combine React, OAuth and Node.js.🤯
However, my penmanship isn’t that good.
So I’m looking for some nice stock images for good memes and funny pictures to support my writing.
Does anybody know where I could download a nice bundle instead of googling them one by one?🤔
That's it, where do I send the bill, to Microsoft? Orange highlight in image is my own. As in ownly way to see that something wasn't right. Oh but - Wait, I am on Linux, so I guess I will assume that I need to be on internet explorer to use anything on microsoft.com - is that on the site somewhere maybe? Cause it looks like hell when rendered from Chrome on Ubuntu. Yes I use Ubuntu while developing, eat it haters. FUCK.
This is ridiculous - I actually WANT to use Bing Web Search API. I actually TRIED giving up my email address and phone number to MS. If you fail the I'm not a robot, or if you pass it, who knows, it disappears and says something about being human. I'm human. Give me free API Key. Or shit, I'll pay. Client wants to use Bing so I am using BING GODDAMN YOU.
Why am I so mad? BECAUSE THIS. Oauth through github, great alternative since apparently I am not human according to microsoft. Common theme w them, amiright?
So yeah. Let them see all my githubs. Whatever. Just GO so I can RELAX. Rate limit fuck shit workaround dumb client requirements google can eat me. What's this, I need to show my email publicly? Verification? Sure, just go. But really MS, this looks terrible. If I boot up IE will it look any better? I doubt it but who knows, I am not looking at MS CSS. I am going into my GitHub, making it public. Then trying again. Then waiting. Then verifying my email is shown. Great, it is, hello everyone. COME ON MS. Send me an email. Do something.
I am trying to be patient, but after a few minutes, I revoke access. Must have been a glitch. Go through it again, with public email. Same ugly almost invisible message. Approaching a billable hour in which I made 0 progress. So, let's just see, NO EMAIL from MS. Yes, it appears in my GitHub, but I have no way to log into MS. Email doesn't work. OAuth isn't picking it up I guess, I don't even care to think this through.
The whole point is, the error message was hard to discover, seems to be inaccurate, and I can't believe the IRONY or the STUPIDITY (me, me stupid. Me stupid thinking I could get it working doing the same dumb thing over and over like caveman and rock).
Longer rant made shorter, I can't come up with a single fucking way to get a free BING API Key. So forget it MS. Maybe you'll email me tomorrow. Maybe GitHub was pretending to be GitLab for a few minutes.
Maybe I will send this image to my client and tell him "If we use Bing, get used to seeing hard to read error messages like this one". I mean that's why this is so frustrating anyhow - I thought the Google CSE worked FINE for us :/
Sorry guys but I have to vent!
I made such a stupid mistake I want to kill myself right now. In short you can call it ignorance..........
I spent so many hours trying to find a solution to a problem of invalid signatures being reported by an OAuth provider I'm making, just to find that Chrome was blocking requests to http.
So it was not a problem to begin with. Aaaaarrh........ I'm so mad at myself.
Wanna know about hacks? I'll tell you. There is a piece of software called SugarCRM. It has an OAuth2 provider implementation. I was assigned to write an OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on the standard Authorization header. They use a custom one.
* Hack on "scope". They send null, which is a standard violation. So it is replaced with an empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store the user's credentials in memory to be able to reauthenticate the user transparently.
I'm new on GitHub, and Google didn't give me an answer simple enough for me to understand, so here I go.
How do I commit to GitHub and keep my files up to date, but without committing my password/OAuth tokens?
Does one remove the line before committing, or what are you supposed to do?
I'm using IntelliJ, dark theme
My manager gave me a project about integration & deployment to another internal product which involves consuming OAuth credentials which were already available in Amazon S3. The worst part of this is I won't have any access to any AWS resources and no sandbox environment.
And I'm like, how the fuck should I do this? Should I just conceptualize and pray to the machine spirits and hope that this won't have any fucking issues?
Last year, for the company I work for, I made an OAuth server + SSO discriminated by business unit in PHP. Well, it was quite a complex project and security sensitive, so I wrote tests for every piece of code. Then I made a client for it with abstractions to be easily extendable, but was too lazy to write tests for it.
Anyway, today I needed to add a new grant auth strategy. Thought I could also write tests for the client this time. That was the mistake...
I installed Codeception (testing framework), tested every class, and then left the main client class for the end, where all HTTP communication and other magic happens.
So it turns out I can’t capture function parameters with Codeception (at least it's not documented), so I can’t assert if the data in the end is correct. I mean it’s a fucking abstraction on top of PHPUnit, which can do that, so what the fuck? But ok, I probably could just use PHPUnit, but anyway why the fuck would you create a mock abstraction with only 20% of the functionality of the original implementation? It doesn’t make fucking sense...
In addition, I was testing code written with Guzzle HTTP (HTTP client), and that is some pile of shit. Just why the fuck do I need to write 20 lines of code just to get a fucking JSON response...
Fuck this shit, I am not going to test it anymore, it just makes me hate PHP, I can barely deal with all that anger inside me.
I recently finished high school and got a job in PHP development. My employer told me to make a simple app which OAuths you to your Discogs account and receives your library list. I got hired afterwards and now I work on a huge project which launches in less than 2 weeks. The day I got my job I hadn't worked with Laravel but ~3 days.
When you need to learn something due to the pressure, you'll learn faster. It's the same as learning a new language - I'd rather go to live in a country where that language is mainly spoken and learn it out of necessity than buy courses online.
I really wanna get into making Reddit bots but man, OAuth2 is really turning my head into a pretzel :(
Anyone know a good tutorial?
Basic REST server authentication: pass a valid username in the URL of your request and you can publish trade and market data that's used by other systems.
I think they're moving to oAuth now but... These developers are slow and only do things when a gun (Sr. Management) is held to their heads.
Wrote a whole HTTP request script to do direct calls to Google with the whole OAuth, which were successful, and after all this work the request responds with a "fuck you, the account does not exist" response. Apparently it does not give authorization for service accounts and I will be forced to use the Google API request to make this fucking thing work. Fuck Google.
Cure for Imposter Syndrome:
Go try to find a freelancer for a project, for something like "adding OAuth to an existing .NET Web API 2 and angular.js project" and many, many developers respond. You will be shocked at how little they know; they say they understand the job but are clearly incompetent.
Best job security ever. Also, just suck it up and do it yourself 😆
I'm thinking about creating a central login system for all my websites, where you get redirected to and then log in/sign up and then get redirected back. A bit like OAuth.
I have a few websites (and more in development) that use a login system, so that could be really useful to have... Especially because all of them are built from scratch and have their pros and cons. And security-wise it's easier to concentrate on one system instead of all of them.
Another benefit is that you save some DB space, if you have lots of users!
And of course the users benefit from it as they'll be able to use all my websites with a single account.
What do you think about it?
I'll still need to do a bit of research on security but other than that, I only see benefits!
Who in their right mind would do this / think of this....
Salesforce has the option to use their API, either via SOAP or REST. At my work we currently use SOAP and I wanted to rewrite that to REST. Fine, you would say.
Their REST API uses OAuth, nothing fancy you would think. But those motherfuckers, by default, have the option enabled that the refresh tokens you get via the necessary API calls are marked expired the moment the API gives them to you... Then why the hell give them in the first place?
It took me 2 hours of my life to figure out why in god's name all my refresh tokens were marked as expired. Fuck you Salesforce, I want those 2 hours back! God fucking damn it... I'm really fed up with this type of bullshit!!
I've got a bit of a funny situation.
I wanted to make a small application to speed up my dad's job; the app is about duplicating models on X website (I don't want to say directly which website).
So I started by checking if it has an API. Yup, it has, but you need an OAuth ID, and to get it you need to write to support.
So I did it; my mail was something like that: "Hello, can I get access to your API, I want to make an app to duplicate models with the same settings, Thanks"
I got an answer like that: "Hello, our website doesn't have a duplicating feature."
My reaction was: Wtf? I know it doesn't have that feature, that's why I want to make it. How did he get hired as technical support?
Maybe it's not the most exciting story, but I thought it could be interesting :)
#OAuth logic: Lets make OAuth1.0 simpler for clients.. TADA.. OAuth2.0.. OAuth1.0 looks simpler now??!!
When the security team decides they want to reinvent the wheel instead of accepting standards like OAuth.
“Not a security guy” no more😼
I already completed 10/16 chapters of this book, including formatting and updating every code example in the GitHub repo.
There are lots of fillers in the book.
😑Lots of repeated samples.
The NoSQL part in Node.js is completely broken.🤯
The code mixes spaces and tabs, so I have to format it before starting the exercise. 🙀
The git repo has about 150 forks; it makes me wonder how many copies they actually sold, since the entire book is closely tied to the code samples.🤔
I have a question. Let's say I have a website and an app both using OAuth Facebook login. Should I save the access token provided by Facebook in my database, and if I should, what will happen to the access token when the user logs in with Facebook on the website and then logs in again with the app? Does that mean the access token is going to be overwritten by the new login? And do you have any other suggestions for OAuth integration?
Doing the Full Stack Nanodegree from Udacity
Using Google's OAuth sign-in in my Flask app, I realized that no matter what browser I used, I was unable to log out; Google always threw an error my way. I figured something must be wrong with my code..
Searched on Google, couldn't find anything relevant, gave up on the first 4 results (not pages, yeah I'm that lazy!)
Spent 3 hours debugging at different points, removing all the abstraction I'd put in using various libraries (bad move)
Finally it dawned on me to check the Udacity forum as well. It's a frickin cache/cookie thing. Tried the app in an incognito window, worked like a charm. Reverted code back with all the libraries, worked like a charm again!
FUCK YOU GOOGLE! In your attempts to track users, you're even making our work difficult!
(in hindsight, I should probably be better at asking/looking for help)
Hey, I want to make a chat application for a production workload with more than 100000 simultaneous connections and more than 1000000 daily active users, which will scale 100 times in the coming 1 to 2 years, for Android. I have OAuth-based user authentication. This chat should be able to authenticate and verify the auth token generated using the OAuth. What should I use? XMPP, MQTT or something else? Can anyone who has worked on a chat application help me?
Having so much fun with pug, and nodejs last week,
Building a demo OAuth 2.0 authentication server to simulate GitHub OAuth’s behaviour.
In the next step, I will deploy it on aws for more testing.
Blog on the way...🤞
BTW, they actually built a package for rendering pug to React components🙄
What's the point of the Gmail API if you can do all of its functions with IMAP or POP3 and not have to have user login OAuth, just account and password?
I wanted to read a company email account for certain emails related to our tickets. No one actually accesses this account, and the tool is without a GUI. As such, I can't use the Gmail API. I just remembered there must be a more ordinary way to do this because how do Outlook and other email software work? So python import imaplib and I was done in a few minutes.
Need some assistance with Drupal and Dreamfactory.
Dreamfactory is an amazing piece of software that basically turns any database into a REST API. I mean any DB from SQL Server to MySQL and all kinds of others. For a connection to the API it uses JWT (JSON Web Tokens) which expire momentarily.
On Drupal, there are the wsdata and restclient modules. Restclient is a module where you configure a connection via OAuth or HybridAuth to a REST server. The problem is that the REST server for Dreamfactory uses JWT and I'm not sure how to get Drupal and restclient to connect that way.
DAMN IT TO HELL
six. SIX videos I've seen. read docs. and tutorials. and still don't know how to even start
you want oauth for facebook and spotify sureee I can
but for default?
and an api mock online?
This week's a joke, right 😂, the recent day 0 Microsoft bug that allows anyone to get hacked, and allows someone to do whatever the hell they want (as you can pretend to be any program on the computer).
Or the super user hack on Linux recently patched... Day 0....
The fact 80% of devs implement OAuth incorrectly... so their user accounts are hackable...
Need I go on?
*Triggers OAuth request through browser
Returns : success and valid tokens.
*Another project triggers the same process and code.
Returns : well shit nigga, I know I use the same logic as above but fuck you.
Why there has to be So Many legs to the OAuth....
3 Legs... Wtf...
Make it a fkin...Octopus OAuth
Why so many legs to a Dumb API ??!
Anyone here implemented an oauth2 server in python?
I've been researching it for a fair bit, and it just seems like a giant swamp that I'd rather stay away from (ex: https://hueniverse.com/oauth-2-0-an...)
It also feels needlessly work intensive and (at least on the server side), underdocumented.
I'll probably be making my own custom solution.
Was working on OAuth2 in unity (first time oauth attempt)
Could not get my token for like a month... Then a friend was line per lining my code, ; =\= :
It worked after that :'(
Anyone knows how to hash the OAuth 1.0 signature with RSA-SHA1 using PHP? Using only the value to be hashed and a key?
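Added example, not from this post and not from any OAuth library (the poster asked for PHP; this is a Python version of the same steps). It builds the OAuth 1.0 signature base string per RFC 5849 §3.4.1 from the query, form body and oauth_* parameters, signs it with HMAC-SHA1 from the standard library and verifies it in constant time; RSA-SHA1 signs the identical base string with an RSA private key, shown via the third-party `cryptography` package, which is assumed installed only when that function is called. The sample request is the one from RFC 5849 §3.4.1.1, re-typed here as constructed input.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s):
    """RFC 5849 §3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(str(s), safe="-._~")


def base_string_uri(url):
    """Lowercase scheme/host, drop default ports, drop query and fragment."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path or '/'}"


def normalize_params(pairs):
    """Encode every name and value, sort by name then value, join with & and =."""
    enc = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in enc)


def signature_base_string(method, url, oauth_params, body=""):
    """METHOD & enc(base URI) & enc(normalized parameters).
    Parameters come from the query string, the form body and the
    oauth_* header fields; realm and oauth_signature itself are excluded."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True)  # '+' and %xx are decoded
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("oauth_signature", "realm")]
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalize_params(pairs))])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 key is enc(consumer secret) & enc(token secret), output base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def verify_hmac_sha1(base, presented, consumer_secret, token_secret=""):
    """Server side: recompute and compare without leaking timing."""
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def rsa_sha1_signature(base, private_key_pem):
    """RSA-SHA1 = RSASSA-PKCS1-v1_5 with SHA-1 over the same base string.
    Requires the third-party 'cryptography' package (assumption: installed)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    sig = key.sign(base.encode(), padding.PKCS1v15(), hashes.SHA1())
    return base64.b64encode(sig).decode()


# Constructed sample: the request from RFC 5849 §3.4.1.1.
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_BODY = "c2&a3=2+q"
SAMPLE_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}


def sample_base_string():
    return signature_base_string("POST", SAMPLE_URL, SAMPLE_OAUTH, SAMPLE_BODY)


if __name__ == "__main__":
    base = sample_base_string()
    print(base)
    print(hmac_sha1_signature(base, "j49sk3j29djd", "dh893hdasih9"))
```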
Apparently, Spotify requires auth on all of their endpoints. So now, if I want to write a simple CRUD app I have to deal with fucking OAuth.
Hey guys. Anyone subscribed to Symfonycasts? It is like Laracasts. Can I download all videos there as well while I'm subscribed to them?
How are the tutorials there? I want to download and watch the OAuth 2 tutorial there. Thanks!
Can anyone help me with NativeScript social Oauth login with Vue.js ? I've been trying to figure out how to implement it. Thanks in advance.
I have seen references to API keys in several places. I have set up a few for various web services. However, I don't have a firm understanding of how they are protected (or not protected) from being copied and used by apps other than my own. I read a quick blurb from Google that said to use regular authentication over API keys due to them being able to be copied.
So my questions are: Are API keys just a bad way to subscribe to services? Is there a way to protect them from being discovered? Maybe the app logs into an auth point for your services and is served the key to use with other services? But this key could still be gleaned from memory. Are API keys going to go away, maybe in deference to things like OAuth?
Any grails dev here? I needed some help urgent but can't seem to get any answers from the internet or even the question I posted on SO. Here's the question:
MRW I deploy to the production server and forget to add the server domain in "OAuth redirect domains" in Firebase.
Before that I was debugging for 6 hours without success.