Using OAuth ... I don't understand. What should I do?

Ok, so I am trying to use OAuth (not my choice) and I am not quite clear.

I want to access the API as a specific user. I think I need to get a token and then send it somehow ... but this is very strange. I read the documentation, I got a great concept, but I can't see how to use it.

Here is the data I have on the website I'm trying to connect with:

Consumer Key
Consumer Secret
Request Token URL
Access Token URL
Authorize Url


I have to admit I have absolutely no idea, so any pointer would help.

+2




1 answer


To get started, read http://oauth.net/core/1.0a which has everything you need to know (at least in terms of how it all fits together; your implementation will be what you write to use the specification).

At a high level, the request flow would work something like this:

  • Make a request from your app to the provider request token url as defined by OAuth (this includes signing, generating a request signature hash, and including it as a parameter).
  • The provider sends back an unauthorized request token, which is the lifecycle nonce of the current OAuth request.
  • Your app redirects the user to the provider's authorize URL, where the provider authenticates the user directly (for example with a login form, or by validating a cookie in the user's browser for the provider's site). The provider may also ask the user to grant permission for your application to access their user account.
  • Assuming all goes well, the provider redirects the user back to the callback URL you provided when you first sent the user to the provider for authentication. They also include the original request token in the URL, as well as a new single-use verification code which confirms that the request token has been authorized.
  • Your app then sends a request to the provider's access token URL, passing the request token and the verification code, and signing the request again.
  • The provider then checks the request token you sent, making sure it was previously verified by the user, checks that the verification code matches the one it sent back, and checks that the request token hasn't already been exchanged for an access token. The provider then sends you a shiny new access token and a token secret for you to hang on to.
  • Now you can actually access the provider's data: you connect to the web services they expose and interact with them, but you need to sign each request to prove who you are and that the user has OKed your app to act on their behalf with the provider. Requests include the normal OAuth parameters (including the access token) and are signed with the consumer secret and the token secret.


To get an access token, you only need to do request / authorize / access once. Once you acquire it, you can hold on to it (even store it in your DB against the user) and reuse it for any future requests, until the provider decides that the token has expired or the user explicitly revokes your application's access to their profile from the provider's site.


(Yes, I know this is a mess, but there are libraries for most platforms that can handle most of the nagging work)

+4


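Added example (not part of the question or the answer above): the three-legged flow the answer describes, in Python, with the consumer (your app) and the provider simulated in one process so it runs offline. Signing is HMAC-SHA1 over the signature base string as defined in the spec the answer links (OAuth 1.0a / RFC 5849); the base string builder is checked against the example vector from RFC 5849 section 3.4.1.1. The endpoint URLs, the callback URL, the consumer key/secret and the user name are all constructed for the example and stand in for the Consumer Key, Consumer Secret and the three URLs the site hands you.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlparse

REQUEST_TOKEN_URL = "https://provider.example/oauth/request_token"   # hypothetical endpoints,
ACCESS_TOKEN_URL = "https://provider.example/oauth/access_token"     # standing in for the three
RESOURCE_URL = "https://provider.example/api/me"                     # URLs the site hands out
CALLBACK_URL = "https://app.example/oauth/callback"                  # where the user comes back

def pct(s):
    return quote(str(s), safe="")   # RFC 3986 encoding: only A-Za-z0-9 - . _ ~ stay literal

def base_string(method, url, params):
    """Signature base string (RFC 5849 3.4.1): METHOD & base URL & normalized parameters."""
    u = urlparse(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())      # default ports are dropped
    host = u.hostname.lower() + (f":{u.port}" if u.port and u.port != default else "")
    base_url = f"{u.scheme.lower()}://{host}{u.path}"                # no query string here
    # oauth_signature is left out; everything else is encoded, then sorted by name, then value.
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(base, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()   # token secret is "" at first
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def _check(cond, msg):
    if not cond:
        raise PermissionError(msg)

class Consumer:   # your app: holds the Consumer Key / Consumer Secret and signs every request
    def __init__(self, key, secret):
        self.key, self.secret = key, secret
    def signed_params(self, method, url, extra=(), token=None, token_secret=""):
        params = [("oauth_consumer_key", self.key), ("oauth_nonce", secrets.token_hex(8)),
                  ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", f"{int(time.time())}")]
        params += list(extra) + ([("oauth_token", token)] if token else [])
        sig = hmac_sha1(base_string(method, url, params), self.secret, token_secret)
        return dict(params, oauth_signature=sig)

class Provider:   # the site you connect to: verifies signatures, issues and exchanges tokens
    def __init__(self, consumers):
        self.consumers = consumers                       # consumer key -> consumer secret
        self.request_tokens, self.access_tokens, self.seen = {}, {}, set()
    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        secret = self.consumers.get(p.get("oauth_consumer_key"))
        _check(secret is not None, "unknown consumer")
        _check(abs(time.time() - int(p.get("oauth_timestamp", 0))) < 300, "stale timestamp")
        nonce = (p["oauth_consumer_key"], p["oauth_timestamp"], p.get("oauth_nonce"))
        _check(nonce not in self.seen, "replayed nonce")              # a signed request is one-shot
        expected = hmac_sha1(base_string(method, url, p.items()), secret, token_secret)
        _check(hmac.compare_digest(expected, p.get("oauth_signature", "")), "bad signature")
        self.seen.add(nonce)
        return p
    def request_token(self, params):
        p = self._verify("POST", REQUEST_TOKEN_URL, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": p["oauth_consumer_key"],
                                    "callback": p.get("oauth_callback", "oob"), "verifier": None}
        return tok, sec
    def authorize(self, token, user):   # user logged in at the provider and clicked "allow"
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(6)       # single-use verifier
        return f"{rt['callback']}?oauth_token={pct(token)}&oauth_verifier={rt['verifier']}"
    def access_token(self, params):
        rt = self.request_tokens.get(dict(params).get("oauth_token"))
        _check(rt is not None, "unknown or already exchanged request token")
        p = self._verify("POST", ACCESS_TOKEN_URL, params, rt["secret"])
        _check(rt["consumer"] == p["oauth_consumer_key"] and rt["verifier"] is not None
               and hmac.compare_digest(rt["verifier"], p.get("oauth_verifier", "")),
               "request token was never authorized by the user, or verifier mismatch")
        del self.request_tokens[p["oauth_token"]]                     # cannot be exchanged twice
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rt["consumer"], "user": rt["user"]}
        return tok, sec
    def resource(self, params):
        at = self.access_tokens.get(dict(params).get("oauth_token"))
        _check(at is not None, "unknown access token")
        p = self._verify("GET", RESOURCE_URL, params, at["secret"])
        _check(at["consumer"] == p["oauth_consumer_key"], "token was issued to another consumer")
        return {"user": at["user"]}

def run_flow(user="alice"):   # the answer's steps end to end; returns the token pair to persist
    creds = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}                  # constructed credentials
    provider, app = Provider(creds), Consumer(*next(iter(creds.items())))
    rt, rts = provider.request_token(
        app.signed_params("POST", REQUEST_TOKEN_URL, [("oauth_callback", CALLBACK_URL)]))
    back = dict(parse_qsl(urlparse(provider.authorize(rt, user)).query))   # the callback hit
    at, ats = provider.access_token(app.signed_params(
        "POST", ACCESS_TOKEN_URL, [("oauth_verifier", back["oauth_verifier"])], rt, rts))
    data = provider.resource(app.signed_params("GET", RESOURCE_URL, [], at, ats))
    return provider, app, at, ats, data

RFC_PARAMS = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"), ("c2", ""), ("a3", "2 q"),
              ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
              ("oauth_nonce", "7d8f3e4a")]                   # RFC 5849 3.4.1.1 known vector
RFC_BASE = ("POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D"
            "%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2%26oauth_"
            "nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D137131201"
            "%26oauth_token%3Dkkk9d7dh3k39sjv7")
```

`run_flow()` walks request token, authorize, access token and a signed API call; what your app keeps afterwards is the `(at, ats)` pair, not the request token. The provider side shows the checks a real provider makes that tend to bite when you hand-roll a client: the base string must match byte for byte (encoding, sort order, no query string in the base URL), the nonce/timestamp pair is accepted once, the verifier is compared in constant time, and a request token is deleted the moment it is exchanged. Against a real site you would send `signed_params()` as an `Authorization: OAuth ...` header or as form parameters and read the tokens out of the form-encoded response body.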

