OAuth Plans
ToddWats
Apr-28-2009, 02:55 PM
As mentioned on the OAuth site (http://oauth.net/advisories/2009-1) and here on the forum (http://dgrin.com/showthread.php?t=128568), due to a security advisory the OAuth APIs for SmugMug have been disabled. Since the post on the forum was not directly related to the OAuth issue, I thought I would start the topic here and find out any updates or plans for the direction of OAuth and SmugMug at this point? If it's going to be in the months' time frame before there is a workable solution, then we will want to implement traditional login authentication in our application as the app just appears broken right now. If SmugMug is working on or has a solution you are going to go forward with, then it would be good to know so that we aren't wasting time moving away from the OAuth spec in our application. Anyway, thanks for any more info you can provide.
darryl
Apr-28-2009, 03:08 PM
Nooo! And just when I finally got around to using OAuth for several projects (thanks to the wonderful phpSmug, which allows me to know nearly nothing about OAuth.)
This sucks. :-{
devbobo
Apr-28-2009, 07:24 PM
Hey Guys,
We temporarily disabled OAuth, as a precaution while we added additional logging to look for abuse outlined in the exploit.
My changes are committed and waiting to go live...so hopefully it will be back in action soonish.
Cheers,
David
> Hey Guys,
> We temporarily disabled OAuth, as a precaution while we added additional logging to look for abuse outlined in the exploit.
> My changes are committed and waiting to go live...so hopefully it will be back in action soonish.
> Cheers,
> David
Great - glad to hear a fix is in the works.
Will we need to make any changes to the phpSmug OAuth procedures?
devbobo
Apr-30-2009, 04:23 AM
OAuth is live again, at this point no changes are required.
However, I'm currently reviewing the OAuth 1.0 Rev A (Draft 1) spec (http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/1/oauth-core-1_0a.html). I'll most probably start implementing this new version with a view to release it once it's been signed off on by the community. After that, I will most probably run both specs in parallel for a period of time, then OAuth 1.0 will be deprecated.
Hope this helps, cheers...
David
darryl
May-02-2009, 10:23 AM
> OAuth is live again, at this point changes are required.
Um, can you detail what these changes are? I use phpSmug, so I guess I'll have to wait until that developer makes the appropriate changes on his end.
But if I'm feeling ambitious maybe I could take a look at the code.
Assuming I knew what to change.
devbobo
May-02-2009, 03:09 PM
My bad, that was meant to be no changes are required. Fixed my original post :)