Fellowship One REST API - OAuth Security Update

FTProductDev — Thu, 23 Apr 2009 07:43:00 GMT

NOTE: THIS UPDATE ONLY CONCERNS THE FELLOWSHIP ONE RESTFUL API BETA OAUTH IMPLEMENTATION

Yesterday a minor security threat was discovered in the OAuth protocol.

The OAuth community is aggressively working on the issue and have released an advisory update on this on 4.23.2009 at 12:00 am PST. We have been in contact with them on the details of this issue. After a close look at the threat and considering the risks involved, we have determined that we will not suspend the use of OAuth in our API. Instead, we will immediately implement additional mechanisms to further protect against potential attack:

Shorten the request token life time
Require any 3rd Party application to have a registered callback
Require additional warnings and details on the token authorization pages to clearly explain the intent of the Consumer application

We take all security-related issues seriously. Although the REST API OAuth implementation is only available in a beta environment right now, we want to take mitigating actions.These changes to our OAuth Service Provider implementation will be deployed soon.

We purposely chose OAuth as our primary authentication mechanism because of the security and iron-clad structure it provides. We are even more encouraged by our choice in light of the quick response and reaction from the OAuth community. Since there are thousands of developers and applications behind this protocol, there are thousands of people behind our implementation.

We would like to thank Chris Messina, Eran Hammer-Lahav, and the rest of the OAuth community for being so transparent and quick to respond and collaborate to solve this issue.

Please do not hesitate to contact us directly with any concerns or questions that you may have: api [at] fellowshiptech.com

More information: see OAuth advisories updates

Nick Floyd
Integration Architect

Intelligent Design : Protocols

Fellowship One REST API - OAuth Security Update