Simon Willison's Weblog: oauth

Quoting Kenton Varda

2025-11-08T22:04:45+00:00

The big advantage of MCP over OpenAPI is that it is very clear about auth. [...]

Maybe an agent could read the docs and write code to auth. But we don't actually want that, because it implies the agent gets access to the API token! We want the agent's harness to handle that and never reveal the key to the agent. [...]

OAuth has always assumed that the client knows what API it's talking to, and so the client's developer can register the client with that API in advance to get a client_id/client_secret pair. Agents, though, don't know what MCPs they'll talk to in advance.

So MCP requires OAuth dynamic client registration (RFC 7591), which practically nobody actually implemented prior to MCP. DCR might as well have been introduced by MCP, and may actually be the most important unlock in the whole spec.

— Kenton Varda

Tags: kenton-varda, security, oauth, model-context-protocol, generative-ai, ai, llms

Claude 3.7 Sonnet and Claude Code

2025-02-24T20:25:39+00:00

Claude 3.7 Sonnet and Claude Code

Anthropic released Claude 3.7 Sonnet today - skipping the name "Claude 3.6" because the Anthropic user community had already started using that as the unofficial name for their October update to 3.5 Sonnet.

As you may expect, 3.7 Sonnet is an improvement over 3.5 Sonnet - and is priced the same, at $3/million tokens for input and $15/m output.

The big difference is that this is Anthropic's first "reasoning" model - applying the same trick that we've now seen from OpenAI o1 and o3, Grok 3, Google Gemini 2.0 Thinking, DeepSeek R1 and Qwen's QwQ and QvQ. The only big model families without an official reasoning model now are Mistral and Meta's Llama.

I'm still working on adding support to my llm-anthropic plugin but I've got enough working code that I was able to get it to draw me a pelican riding a bicycle. Here's the non-reasoning model:

And here's that same prompt but with "thinking mode" enabled:

Here's the transcript for that second one, which mixes together the thinking and the output tokens. I'm still working through how best to differentiate between those two types of token.

Claude 3.7 Sonnet has a training cut-off date of Oct 2024 - an improvement on 3.5 Haiku's July 2024 - and can output up to 64,000 tokens in thinking mode (some of which are used for thinking tokens) and up to 128,000 if you enable a special header:

Claude 3.7 Sonnet can produce substantially longer responses than previous models with support for up to 128K output tokens (beta)---more than 15x longer than other Claude models. This expanded capability is particularly effective for extended thinking use cases involving complex reasoning, rich code generation, and comprehensive content creation.

This feature can be enabled by passing an anthropic-beta header of output-128k-2025-02-19.

Anthropic's other big release today is a preview of Claude Code - a CLI tool for interacting with Claude that includes the ability to prompt Claude in terminal chat and have it read and modify files and execute commands. This means it can both iterate on code and execute tests, making it an extremely powerful "agent" for coding assistance.

Here's Anthropic's documentation on getting started with Claude Code, which uses OAuth (a first for Anthropic's API) to authenticate against your API account, so you'll need to configure billing.

Short version:

npm install -g @anthropic-ai/claude-code
claude

It can burn a lot of tokens so don't be surprised if a lengthy session with it adds up to single digit dollars of API spend.

Tags: cli, oauth, ai, generative-ai, llms, ai-assisted-programming, llm, anthropic, claude, ai-agents, pelican-riding-a-bicycle, llm-reasoning, llm-release, coding-agents, claude-code

GitHub OAuth for a static site using Cloudflare Workers

2024-11-29T18:13:18+00:00

GitHub OAuth for a static site using Cloudflare Workers

Here's a TIL covering a Thanksgiving AI-assisted programming project. I wanted to add OAuth against GitHub to some of the projects on my tools.simonwillison.net site in order to implement "Save to Gist".

That site is entirely statically hosted by GitHub Pages, but OAuth has a required server-side component: there's a client_secret involved that should never be included in client-side code.

Since I serve the site from behind Cloudflare I realized that a minimal Cloudflare Workers script may be enough to plug the gap. I got Claude on my phone to build me a prototype and then pasted that (still on my phone) into a new Cloudflare Worker and it worked!

... almost. On later closer inspection of the code it was missing error handling... and then someone pointed out it was vulnerable to a login CSRF attack thanks to failure to check the state= parameter. I worked with Claude to fix those too.

Useful reminder here that pasting code AI-generated code around on a mobile phone isn't necessarily the best environment to encourage a thorough code review!

Tags: csrf, github, oauth, projects, security, tools, ai, cloudflare, generative-ai, llms, ai-assisted-programming

Grant Negotiation and Authorization Protocol (GNAP)

2024-10-14T05:22:15+00:00

Grant Negotiation and Authorization Protocol (GNAP)

RFC 9635 was published a few days ago. GNAP is effectively OAuth 3 - it's a newly standardized design for a protocol for delegating authorization so an application can access data on your behalf.

The most interesting difference between GNAP and OAuth 2 is that GNAP no longer requires clients to be registered in advance. With OAuth the client_id and client_secret need to be configured for each application, which means applications need to register with their targets - creating a new application on GitHub or Twitter before implementing the authorization flow, for example.

With GNAP that's no longer necessary. The protocol allows a client to provide a key as part of the first request to the server which is then used in later stages of the interaction.

GNAP has been brewing for a long time. The IETF working group was chartered in 2020, and two of the example implementations (gnap-client-js and oauth-xyz-nodejs) last saw commits more than four years ago.

Via lobste.rs

Tags: oauth, rfc, security

OAuth from First Principles

2024-09-05T22:43:40+00:00

OAuth from First Principles

Rare example of an OAuth explainer that breaks down why each of the steps are designed the way they are, by showing an illustrative example of how an attack against OAuth could work in absence of each measure.

Ever wondered why OAuth returns you an authorization code which you then need to exchange for an access token, rather than returning the access token directly? It's for an added layer of protection against eavesdropping attacks:

If Endframe eavesdrops the authorization code in real-time, they can exchange it for an access token very quickly, before Big Head's browser does. [...] Currently, anyone with the authorization code can exchange it for an access token. We need to ensure that only the person who initiated the request can do the exchange.

Via Hacker News

Tags: oauth, security

Musing about OAuth and LLMs on Mastodon

2024-08-24T00:29:47+00:00

Musing about OAuth and LLMs on Mastodon

Lots of people are asking why Anthropic and OpenAI don't support OAuth, so you can bounce users through those providers to get a token that uses their API budget for your app.

My guess: they're worried malicious app developers would use it to trick people and obtain valid API keys.

Imagine a version of my dumb little write a haiku about a photo you take page which used OAuth, harvested API keys and then racked up hundreds of dollar bills against everyone who tried it out running illicit election interference campaigns or whatever.

I'm trying to think of an OAuth API that dishes out tokens which effectively let you spend money on behalf of your users and I can't think of any - OAuth is great for "grant this app access to data that I want to share", but "spend money on my behalf" is a whole other ball game.

I guess there's a version of this that could work: it's OAuth but users get to set a spending limit of e.g. $1 (maybe with the authenticating app suggesting what that limit should be).

Here's a counter-example from Mike Taylor of a category of applications that do use OAuth to authorize spend on behalf of users:

I used to work in advertising and plenty of applications use OAuth to connect your Facebook and Google ads accounts, and they could do things like spend all your budget on disinformation ads, but in practice I haven't heard of a single case. When you create a dev application there are stages of approval so you can only invite a handful of beta users directly until the organization and app gets approved.

In which case maybe the cost for providers here is in review and moderation: if you’re going to run an OAuth API that lets apps spend money on behalf of their users you need to actively monitor your developer community and review and approve their apps.

Tags: oauth, openai, llms, anthropic

Oh-Auth - Abusing OAuth to take over millions of accounts

2023-10-26T15:51:20+00:00

Oh-Auth - Abusing OAuth to take over millions of accounts

Describes an attack against vulnerable implementations of OAuth.

Let’s say your application uses OAuth against Facebook, and then takes the returned Facebook token and gives it access to the user account with the matching email address passed in the token from Facebook.

It’s critical that you also confirm the token was generated for your own application, not something else. Otherwise any secretly malicious app online that uses Facebook login could take on of their stored tokens and use it to hijack an account of your site belonging to that user’s email address.

Via Hacker News

Tags: oauth, security

Weeknotes: datasette-auth0

2022-03-28T04:40:42+00:00

Datasette 0.61, a Twitter Space and a new Datasette plugin for authenticating against Auth0.

datasette-auth0

I've been figuring out how best to integrate with Auth0 for account management and sign-in, for a project I'm working on with Natalie.

I used Auth0 for VIAL with Vaccinate CA last year, following the Auth0 Django tutorial using Python Social Auth.

This time I decided to try and do it from first principles rather than use a library, for reasons I discussed in this Twitter thread.

It turns out Auth0 is using regular OAuth 2, which can be implemented from scratch in just three steps:

Generate a URL to a page on Auth0 that will display the login screen
Implement a page that handles the redirect back from Auth0, which needs to exchange the code from the ?code= parameter for an access token by POSTing it to an authenticated API endpoint
Use that access token to retrieve the authenticated user's profile

I wrote up the steps in this TIL: Simplest possible OAuth authentication with Auth0

Since it turned out to be pretty straight-forward, I turned it into a new authentication plugin for Datasette: datasette-auth0.

You can try that out with the live demo at datasette-auth0-demo.datasette.io - click on the top right menu icon and select "Sign in with Auth0".

The live demo is deployed automatically any time a push to the main branch passes its tests. I've implemented this pattern a few times now, so I wrote it up in another TIL: Deploying a live Datasette demo when the tests pass.

Datasette 0.61.0 (and 0.61.1)

I wrote about these in the annotated weeknotes. They were pretty significant releases, representing 86 commits since 0.60.2 released back in January.

New features as documentation

Some of my favourite feature requests for my projects are ones that can be solved by documentation. I had a great example of that this week.

In #420: Transform command with shared context Mehmet Sukan wanted a way to speed up the following operation using sqlite-utils insert --convert - described in What’s new in sqlite-utils 3.20 and 3.21:

cat items.json | jq '.data' | sqlite-utils insert listings.db listings - --convert '
d = enchant.Dict("en_US")
row["is_dictionary_word"] = d.check(row["name"])
' --import=enchant --ignore

The --convert option lets you specify Python code that will be executed against each inserted item. Mehmet's problem was that the enchant.Dict("en_US") operation is quite expensive, and it was being run every time around the loop.

I started looking into ways to speed this up... and realized that there was already a mechanism for doing this, but it was undocumented and I hadn't previously realized it was even possible!

The recipe that works looks like this:

echo '[
  {"name": "notaword"},
  {"name": "word"}
]' | python3 -m sqlite_utils insert listings.db listings - --convert '
import enchant
d = enchant.Dict("en_US")

def convert(row):
    global d
    row["is_dictionary_word"] = d.check(row["name"])
'

The result:

% sqlite-utils rows listings.db listings        
[{"name": "notaword", "is_dictionary_word": 0},
 {"name": "word", "is_dictionary_word": 1}]

This takes advantage of a feature of the sqlite-utils Python snippet mechanism, which is implemented here. It first attempts exec() against the provided code to see if it defined a convert(value) function - if that fails, it composes a function body (to cover simple expressions like row["ok"] = True).

So I got to close the issue by adding some documentation showing how to do this!

Another, smaller example this week: when I figured out Extracting web page content using Readability.js and shot-scraper I learned that Playwright can accept and execute async () => {...} functions, enabling this pattern:

shot-scraper javascript https://simonwillison.net/2022/Mar/24/datasette-061/ "
async () => {
  const readability = await import('https://cdn.skypack.dev/@mozilla/readability');
  return (new readability.Readability(document)).parse();
}"

So I added that pattern to the shot-scraper documentation.

SQLite Happy Hour Twitter Space

I hosted my first Twitter Space. The recording and notes can be found in SQLite Happy Hour—a Twitter Spaces conversation about three interesting projects building on SQLite.

I also learned how to download the audio of a Twitter Spaces in two different ways, as documented in my TIL on Exporting and editing a Twitter Spaces recording.

Releases this week

datasette-auth0: 0.1 - 2022-03-27
Datasette plugin that authenticates users using Auth0
datasette-packages: 0.1.1 - (2 releases total) - 2022-03-25
Show a list of currently installed Python packages
datasette-hashed-urls: 0.4 - (5 releases total) - 2022-03-24
Optimize Datasette performance behind a caching proxy
datasette: 0.61.1 - (110 releases total) - 2022-03-23
An open source multi-tool for exploring and publishing data
datasette-publish-vercel: 0.13 - (20 releases total) - 2022-03-20
Datasette plugin for publishing data using Vercel

TIL this Weeknotes

Tags: oauth, datasette, weeknotes, sqlite-utils

Get your own Pocket OAuth token

2019-10-05T21:56:38+00:00

Get your own Pocket OAuth token

I hate it when APIs make you jump through extensive hoops just to get an access token for pulling data directly from your own personal account. I’ve been playing with the Pocket API today and it has a pretty complex OAuth flow, so I built a tiny Flask app on Glitch which helps go through the steps to get an API token for your own personal Pocket account.

Via Source code for your-pocket-oauth-token.glitch.me

Tags: glitch, mozilla, oauth

datasette-auth-github

2019-07-08T04:28:17+00:00

datasette-auth-github

My first big ASGI plugin for Datasette: datasette-auth-github adds the ability to require users to authenticate against the GitHub OAuth API. You can whitelist specific users, or you can restrict access to members of specific GitHub organizations or teams. While it’s structured as a Datasette plugin it also includes ASGI middleware which can be applied to any ASGI application.

Via @simonw

Tags: github, oauth, projects, datasette, asgi

python-twitter/get_access_token.py

2018-10-28T17:25:46+00:00

python-twitter/get_access_token.py

Creating an OAuth token for accessing a specific Twitter account is way harder than it needs to be. I was about to write my own command-line script for doing this using PIN-based authentication (where you pop open a browser showing the Twitter login flow, then get a PIN number at the end which you paste back into your script) when I discovered that the python-twitter library already ships with a script to do exactly that. Just run “python get_access_token.py”, paste in your app’s consumer key and secret, follow a link, enter the resulting PIN and the script will spit out the consumer_key / consumer_secret / access_token_key / access_token_secret combo you need to start using the Twitter API.

Tags: oauth, twitter

What are some scalable OAuth and OpenID server implementations?

2010-12-05T18:34:00+00:00

My answer to What are some scalable OAuth and OpenID server implementations? on Quora

Any OAuth library should scale horizontally - I can't see how any one library would be a better choice than another.

Tags: apis, oauth, openid, servers, web-development, quora

How do you correctly send the oauth_verifier parameter using python-oauth2 and the Twitter API?

2010-12-05T17:11:00+00:00

My answer to How do you correctly send the oauth_verifier parameter using python-oauth2 and the Twitter API? on Quora

This seems relevant: http://groups.google.com/group/t...

Aha! I think I've solved it. Twitter doesn't send the oauth_verifier argument unless you specify an oauth_callback when requesting the request token.

Here's a related discussion:

https://github.com/simplegeo/pyt...

So, my solution was to use this:

resp, content = client.request(request_token_url, "POST",
body = 'oauth_callback=http://lanyrd.com/twitter/done/'
)

And then later, in my callback function:

if 'oauth_verifier' in request.GET:
token.set_verifier(request.GET['oauth_verifier'])

Tags: oauth, twitter, quora

Are there any well-known websites that use Facebook connect or Twitter OAuth as the only sign-in solution without its own sign-in password?

2010-12-05T13:27:00+00:00

My answer to Are there any well-known websites that use Facebook connect or Twitter OAuth as the only sign-in solution without its own sign-in password? on Quora

Our site http://lanyrd.com/ only accepts Twitter OAuth logins (at least for the moment).

Tags: facebook, oauth, twitter, quora

RasterWeb: Lanyrd

2010-08-31T20:49:00+00:00

RasterWeb: Lanyrd

Pete Prodoehl calls me out on Lanyrd’s integration with the Twitter auth API at the expense of OpenID. I’ve posted a comment with my justification—essentially, tying to Twitter’s ecosystem means I can actually implement the features I’ve been talking about building on top of OpenID for years, with far less engineering effort.

Tags: identity, oauth, openid, twitter, recovered, pete-prodoehl

simplegeo's python-oauth2

2010-07-18T17:22:00+00:00

simplegeo's python-oauth2

The Python OAuth library scene is frighteningly complicated at the moment. This seems to be the most actively maintained, and the readme includes working example code for talking to the Twitter API (including integration with Django auth).

Tags: django, oauth, python, twitter, recovered, simplegeo, oauth2

App Engine at Google I/O 2010

2010-05-20T15:30:00+00:00

App Engine at Google I/O 2010

OpenID and OAuth are now baked in to the AppEngine users API. They’re also demoing two very exciting new features—a mapper API for doing map/reduce style queries against the data store, and a Channel API for building comet applications.

Tags: comet, google, google-app-engine, mapreduce, oauth, openid, google-io, recovered

RFC5785: Defining Well-Known Uniform Resource Identifiers

2010-04-11T19:32:28+00:00

RFC5785: Defining Well-Known Uniform Resource Identifiers

Sounds like a very good idea to me: defining a common prefix of /.well-known/ for well-known URLs (common metadata like robots.txt) and establishing a registry for all such files. OAuth, OpenID and other decentralised identity systems can all benefit from this.

Via Mark Nottingham

Tags: oauth, openid, rfc, robots-txt, urls, wellknownurls

OpenID: Now more powerful and easier to use!

2009-09-25T21:08:21+00:00

OpenID: Now more powerful and easier to use!

The OpenID+OAuth hybrid protocol (where a user can sign in with OpenID and grant an application access to their OAuth protected resources such as a contact list at the same time) is now supported by Google, Yahoo! and MySpace—this feels like OpenID finally coming of age.

Tags: google, hybrid, identity, myspace, oauth, openid, yahoo

Exploring OAuth-Protected APIs

2009-08-23T11:06:42+00:00

Exploring OAuth-Protected APIs

One of the downsides of OAuth is that it makes debugging APIs in your browser much harder. Seth Fitzsimmons’ oauth-proxy solves this by running a Twisted-powered proxy on your local machine which OAuth-signs every request going through it using your consumer key, secret and tokens for that API. Using it with a browsers risks exposing your key and token (but not secret) to sites you accidentally browse to—it would be useful if you could pass a whitelist of API domains as a command line option to the proxy.

Tags: apis, oauth, proxies, python, seth-fitzsimmons, twisted

Why an OAuth iframe is a Great Idea

2009-07-16T20:29:18+00:00

Why an OAuth iframe is a Great Idea

Because users should a) learn to be phished and b) not even be given the option to avoid being phished if they know what they’re doing? No, no and thrice no. If you want to improve the experience, use a popup window so the user can still see the site they are signing in to in the background.

Tags: iframes, oauth, phishing, security

Teaching users to be secure is a shared responsibility

2009-07-16T20:04:45+00:00

Ryan Janssen: Why an OAuth iframe is a Great Idea.

The reason the OAuth community prefers that we open up a new window is that if you look at the URL in the window (the place you type in a site’s name), you would see that it says www.netflix.com* and know that you are giving your credentials to Netflix.

Or would you? I would! Other technologists would! But would you? Would you even notice? If you noticed would you care? The answer for the VAST majority of the world is of course, no. In fact to an average person, getting taken to an ENTIRELY other site with some weird little dialog floating in a big page is EXTREMELY suspicious. The real site you are trusting to do the right thing is SetJam (not weird pop-up window site).

I posted a reply comment on that post, but I'll replicate it in full here:

Please, please don't do this.

As web developers we have a shared responsibility to help our users stay safe on the internet. This is becoming ever more important as people move more of their lives online.

It's an almost sisyphean task. If you want to avoid online fraud, you need to understand an enormous stack of technologies: browsers, web pages, links, URLs, DNS, SSL, certificates... I know user education is never the right answer, but in the case of the Web I honestly can't see any other route.

The last thing we need is developers making the problem worse by encouraging unsafe behaviour. That was the whole POINT of OAuth - the password anti-pattern was showing up everywhere, and was causing very real problems. OAuth provides an alternative, but we still have a long way to go convincing users not to hand their password over to any site that asks for it. Still, it's a small victory in a much bigger war.

If developers start showing OAuth in an iframe, that victory was for nothing - we may as well not have bothered. OAuth isn't just a protocol, it's an ambitious attempt to help users understand the importance of protecting their credentials, and the fact that different sites should be granted different permissions with regards to accessing their stuff. This is a difficult but critical lesson for users to learn. The only real hope is if OAuth, implemented correctly, spreads far enough around the Web that people start to understand it and get a feel for how it is meant to work.

By implementing OAuth in an iframe you are completely undermining this effort - and in doing so you're contributing to a tragedy of the commons where selfish behaviour on the behalf of a few causes problems for everyone else. Even worse, if the usability DOES prove to be better (which wouldn't be surprising) you'll be actively encouraging people to implement OAuth in an insecure way - your competitors will hardly want to keep doing things the secure way if you are getting higher conversion rates than they are.

So once again, please don't do this.

I hope my argument is convincing. In case it isn't, I'd strongly suggest that any sites offering OAuth protected APIs add frame-busting JavaScript to their OAuth verification pages. Thankfully, in this case there's a technical option for protecting the commons.

Update: It turns out Netflix already use a frame-busting script on their OAuth authentication page.

Tags: education, framebusting, iframes, oauth, phishing, responsibility, security

oauth-signpost

2009-05-07T07:33:00+00:00

oauth-signpost

The Qype API uses OAuth to sign client requests with the developer’s API key, so it’s not surprising to see them release a Java OAuth signing library compatible with Google’s Android mobile platform.

Tags: android, api-keys, java, oauth, qype

django-piston

2009-04-30T19:55:15+00:00

django-piston

Promising looking Django mini-framework for creating RESTful APIs, from the bitbucket team. Ticks all of Jacob’s boxes, even including built-in pluggable authentication support with HTTP Basic, Digest and OAuth out of the box.

Tags: apis, authentication, bitbucket, digest, django, jespernoehr, oauth, piston, python, rest, restful

Sign in with Twitter

2009-04-20T04:10:33+00:00

Sign in with Twitter

Intriguing: Twitter are now an OpenID-style identity provider... using OAuth.

Tags: oauth, openid, twitter

Quoting Blaine Cook

2009-01-06T09:37:59+00:00

As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter's admin interface.

— Blaine Cook

Tags: oauth, twitter, security

Quoting Alex Payne

2009-01-05T10:47:41+00:00

The username/password key's major disadvantage is that it open all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That's a benefit, to be sure, but in Twitter's case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.

— Alex Payne

Tags: phishing, alex-payne, oauth, security, twitter

Antipatterns for sale

2009-01-02T10:48:17+00:00

Antipatterns for sale

Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder.

Tags: jeremy-keith, oauth, passwordantipattern, passwords, security, sitepoint, twitter

Now You Can Sign Into Friend Connect Sites With Your Twitter ID

2008-12-15T17:20:08+00:00

Now You Can Sign Into Friend Connect Sites With Your Twitter ID

Great. Now even Google is asking me for my Twitter password. Slow clap. How’s that Twitter OAuth beta coming along?

Tags: google, oauth, passwordantipattern, security, twitter

Skillswap goes Portable

2008-11-21T10:25:56+00:00

Skillswap goes Portable

Skillswap Brighton will be addressing OAuth and Data Portability on Wednesday. I’m annoyed to be missing it.

Tags: brighton, data-portability, events, oauth, skillswap