MVC based API - how to implement OAuth?

I have been trying for hours now to get OAuth working with an API that I am working on, and obviously my approach must be wrong, because I constantly hit dead ends.

What I have got:
- An API that is implemented in .NET MVC, which returns a data result as either XML or JSON.
- It requires an API Key to be able to use the API.
- A website (X) as backend for managing the API keys.
- Another website (Y) with loads of data which this API extracts data from.

What I am supposed to get:
- The ability to let the API Keys access data on users from the website (Y), if they allow it themselves via OAuth (1.0A).

What I have tried:
- So far, my approach has been to use the DotNetOpenAuth library, but it is almost all about how to implement OpenId, and some classes in the OAuth namespace even seem hardcoded towards OpenId functionality. So I have been trying to see what is going on in the examples that are using OpenId, and see if I can use parts of that to implement OAuth without OpenId.
- Various approaches include, on the server side, reading an "UnauthorizedTokenRequest" and returning it via calling ServiceProvider.Channel.PrepareResponse(unauthorizedTokenRequest).AsActionResult(), which for some reason tries to add two values of nonce and timestamp to the response, which crashes; and skipping that, it still returns a response that I am not able to read on the client end.

So I guess, my question really is:

  1. Is there a guide/documentation that tells you what parts of the DotNetOpenAuth library I should be using on the server side, and when in the process they should be used, in order to implement OAuth on a MVC server that is not hardcoded to OpenId, as neither of the websites (X nor Y) supports OpenId?
  2. Should I rather use another library if I am not going to use OpenId as DotNetOpenAuth seems to be focusing the most on?
  3. Any other approaches that would fit my need better are very welcome.

Thank you in advance!
- Johny, Denmark

Johny Skovdal asked Jun 23 '11 12:06


1 Answer

DotNetOpenAuth supports OpenID, OAuth, and InfoCard when used together and separately. It sounds like what you're building fits what the DotNetOpenAuth sample "OAuthServiceProvider" is demonstrating. True, that sample uses OpenID to log users in, but you can ignore the login.aspx page in the sample completely and thus be completely separated from OpenID. Using OAuth without OpenID is totally supported.

The couple of OpenID-related methods in the OAuth classes are merely there to support the "OpenID+OAuth" extension of OpenID, which doesn't apply to your situation, so you can ignore them.

Regarding your twice added nonce issue that you saw, sometimes it happens that the Service Provider inappropriately has two modules validating incoming OAuth requests, each validating the nonce and thus the second module always rejects every request. You might check if that is causing your problem. Otherwise see if the unchanged sample works for you, and if so, compare what it does against what you're doing to see what might be going wrong. Activating logging also frequently helps.

Andrew Arnott answered Oct 28 '22 17:10
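The double-validation failure the answer describes is easiest to see with the service-provider checks written out. The following is an added example, not code from the question, the answer or DotNetOpenAuth: a minimal OAuth 1.0a (RFC 5849) HMAC-SHA1 verifier with the timestamp window and nonce store a Service Provider needs, plus the client-side signing needed to produce a request for it. The consumer key, secret, URL, nonce and timestamp are constructed values. Running the same valid request through `verify` twice succeeds once and is then rejected as a replayed nonce, which is exactly what happens when two modules each validate incoming requests; a tampered copy fails on the signature instead. The nonce is recorded only after the signature has verified, so unsigned requests cannot fill the replay store.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 request verification with a nonce store.

Constructed example: consumer key, secret, URL, nonce and timestamp are made up.
"""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Section 3.4.1: METHOD & encoded-URL & encoded-normalized-parameters.

    Parameters are encoded first, then sorted by encoded key and value;
    oauth_signature itself is never part of the base string.
    """
    encoded = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Section 3.4.2: key is encoded consumer secret & encoded token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request_token_request(consumer_key, consumer_secret, url, nonce, timestamp, callback="oob"):
    """Client side: the parameters a consumer sends to the request-token endpoint."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
        "oauth_callback": callback,
    }
    params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string("POST", url, params), consumer_secret)
    return params


class ServiceProvider:
    """Server side: one validator that must run exactly once per request."""

    def __init__(self, consumers, max_skew=300):
        self.consumers = consumers      # consumer_key -> consumer_secret (constructed registry)
        self.max_skew = max_skew        # seconds of clock skew tolerated
        self.seen_nonces = set()        # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        """Return (accepted, reason). Replay state is updated only on success."""
        now = time.time() if now is None else now
        consumer_key = params.get("oauth_consumer_key")
        secret = self.consumers.get(consumer_key)
        if secret is None:
            return False, "unknown consumer key"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside accepted window"
        expected = hmac_sha1_signature(signature_base_string(method, url, params), secret)
        presented = params.get("oauth_signature", "")
        if not hmac.compare_digest(expected.encode(), presented.encode()):
            return False, "bad signature"
        replay_key = (consumer_key, ts, params.get("oauth_nonce", ""))
        if replay_key in self.seen_nonces:
            return False, "nonce already used"   # a second validator always lands here
        self.seen_nonces.add(replay_key)
        return True, "ok"


def demo():
    """One valid request verified twice, then a tampered copy verified once."""
    sp = ServiceProvider({"example-consumer": "example-secret"})
    url = "https://api.example.test/oauth/request_token"
    ts = 1308830760                      # fixed constructed timestamp for a reproducible run
    req = build_request_token_request("example-consumer", "example-secret", url, "nonce-1", ts)
    first = sp.verify("POST", url, req, now=ts + 5)
    second = sp.verify("POST", url, req, now=ts + 5)        # same request, second validator
    tampered = dict(req, oauth_callback="https://other.example.test/cb")
    third = sp.verify("POST", url, tampered, now=ts + 5)
    return first, second, third


if __name__ == "__main__":
    for result in demo():
        print(result)
```

If your own provider shows the second behaviour for every request, look for a second OAuth module or filter in the pipeline rather than for a fault in the consumer; as the answer notes, enabling DotNetOpenAuth's logging is the quickest way to see how many times a request is validated.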