Issue #66 on hold
Anonymous created an issue

As far as I can tell, django-piston only supports version 1.0 of the OAuth spec, which has a major security vulnerability. Changes in 1.0a are quite small, and well-explained here:

The main change is proper handling of the new oauth_verifier.

One thing to pay attention to is that I'm not sure whether piston currently conserves pre-existing query parameters sent with the callback URL correctly (this is now especially important to many consumers).

Comments (14)

  1. Jesper Noehr repo owner

    After debating this on IRC for a bit, David and I have agreed that django-openid would fit nicely as an oauth dependency for piston. After dj-oauth has been synced with the changes from piston, David will be in charge of the changes needed to make the collaboration happen.

  2. Sandy Armstrong

    We really need OAuth 1.0a support in Snowy, so we'll probably be working on a patch for our local copy of Piston.

    I'm a little confused about Jesper's last comment, though. Is it a typo that you said "django-openid would fit nicely as an oauth dependency for piston"? Did you mean "django-oauth"? If not, what does django-openid buy you in this case?

    I'd hate to work on a patch that won't be accepted by upstream. Can you provide any more details on the implementation you'd prefer?

  3. Sandy Armstrong

    Looking at in django-piston tip, it seems that the 1.0a stuff from has already been merged, as Jesper said he would.

    And I'm understanding better the relationship between and django-piston (and django-oauth). I haven't looked yet to see how much refactoring would be required to make django-piston depend on django-oauth, but it seems that with the changes merged in, patching in 1.0a support should not be that difficult. I'll try to get to this within the next week or two.
