Documentation on setting/generating oauth_verifier missing

[Dynalon]

There is no documentation that tells one how to set or generate an oauth_verifier, but creating a random verifier and validating it is crucial to security. Additionally, in the Provider example on GoogleCode, there is no OAuth10AInspector added, which is UTMOST important to include, else the whole service can be compromised (as only the OAuth10AInspector verifies that the Verifier is actually the one in the token store). Without this Inspector, a client could just invent a verifier and would get (falsely) authenticated.

I've went through the code and I can't find any place where the IToken.Verifier field is generated/set (except when it is retrived to the POST data/Headers). I thus use the following in my code to store a Verifier (in the authorize step):

var context =  new OAuthContextBuilder ().FromUri (Request.HttpMethod, Request.Url);
var token = OAuthHandler.RequestTokens.GetToken (context.Token);
token.Verifier = Guid.NewGuid ().ToString ();

Please provide a better documentation regarding
a) Incldue a note that provider implementation must ALWAYS have OAuth10AInspector present
b) How to generate a oauth_verifier and storing it in the request token store

[bittercoder]

The googlecode site is old and should not be used as a reference.

The latest provider example is on github here:

https://github.com/bittercoder/DevDefined.OAuth-Examples/tree/master/src/ExampleProviderSite

And does demonstrate using the class DevDefined.OAuth.Utility.UnguessableGenerator to generate a verifier value.

The DevDefined.OAuth library is quite old - so was written originally prior to OAuth 1.0a against this standard:

http://oauth.net/core/1.0/

When OAuth 1.0a was introduced, support for 1.0a was implemented via additional inspectors, allowing people to still build 1.0 compatible clients/providers at the time.

Since then (and after I stopped actively developing DevDefined.OAuth for my own needs) the RFC5849 OAuth 1.0 standard came out, which again supersedes OAuth 1.0a.

Currently there are no new inspectors introduced for this RFC (so the DevDefined.OAuth codebase did not change from 1.0a to the release ofRFC5849).

Sorry about the lack of documentation - I'm not actively developing this project any longer, as it currently scratches my itches, and for future projects would generally favor OAuth 2.0 over 1.0 when implementing a new provider, unless having to support a technology such as open social gadgets.

Cheers,

Alex