I've been using the Facebook Graph API (uses oauth 2.0 for authentication) successfully for a while now. I now need to write my own API which allows developers to connect to it in a similar fashion. I've looked into various libraries but i'd like something a little leaner so i've decided to roll my own. Looking at the code i have to authenticate a user on facebook it looks relatively simple but please correct me if i'm going off track.
First i would need to provide a secure page which the consumer would need to redirect to. eg https://api.mydomain.com/oauth/authorize?client_id=CONSUMER_KEY&redirect_url=CALLBACK_URL. The user would verify the application then i would redirect back to the url provided in the callback url with the oauth_token in the query string. I suppose i could just generate a random unique string here for the oauth_token and store it against the user for this particular consumer (EDIT: Please see the answer below, this should be unique for each consumer application and not the user).
That's step 1 out the way. I now need to provide a second secure page which the consumer would trigger a web request to. eg https://api.mydomain.com/oauth/access_token?client_id=CONSUMER_KEY&client_secret=CONSUMER_SECRET&oauth_token=OAUTH_TOKEN_RETURNED_ABOVE. This would allow the consumer to exchange the oauth_token returned above for an access token. I would again simply generate a random unique string and store it against the user for this particular consumer.
Now my API would accept the access_token for methods which try to grab information specific to the user who is using it.
I'd like to know if i've understood things correctly. The OAuth 2.0 spec seems extremely trivial if that's the case. Also why do we have to exchange the oauth_token with an access_token? I have my own idea but i'd appreciate it if someone could help clarify this.
I'd really appreciate your feedback as i don't wish to go ahead and waste hours implenting this when it's completely wrong.
Thanks
Its really good in building API based request. For your question: If you are building just a basic API, with simple GET and POST requests, then you might want to ask yourself if the data that you are displaying or manipulating requires "security". If not then most likely, you don't need to implement OAuth.
Generating HERE OAuth Credentials To make HERE OAuth API requests, you will need to generate an “access token”. To generate access tokens, you will first need to generate HERE OAuth Credentials from the developer.here.com portal. Go to developer.here.com and login with your credentials.
OAuth is an authorization framework that enables an application or service to obtain limited access to a protected HTTP resource. To use REST APIs with OAuth in Oracle Integration, you need to register your Oracle Integration instance as a trusted application in Oracle Identity Cloud Service.
Actually protocol flow diagrams would be extremely helpful for visualizing specs like that of OAuth 2 but there are only some partials works out there. As I've just implemented a client-side only OAuth 2 library, I can verify that you're on the right track. But here is a catch:
oauth_token belongs to your client application (i.e. a desktop facebook reader) which authenticates your application (just like an ID). You submit this to get back a access_token, which is specific to your application and logged in user, which allows you to access restricted resources related to the user.
Here is a basic desktop app authentication process (taken from: http://developers.gigya.com/020_Developer_Guide/85_REST/OAuth2)
Actually a flow digram with timeline (from top to bottom, taken from: http://www.ibm.com/developerworks/web/library/wa-oauthsupport/?ca=drs-)
And finally the full procedure is: (taken from http://h2anetwork.org/ProjectDocs/DPI/DPI_Framework.html)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With