Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Recommended database structure for OAuth Provider

I am implementing an OAuth Provider using DevDefined library.

I wonder if there is any recommended database structure for storing consumer and token data on the server side.

Any advice on this would be appreciated.

like image 349
B Faley Avatar asked Dec 26 '10 15:12

B Faley


People also ask

What is OAuth architecture?

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own ...

What is service provider in OAuth?

An OAuth service provider is defined with the oauthProvider element in the server. xml file. You can define an OAuth service provider by editing the server. xml file or by using the WebSphere® Application Server Development Tools for Liberty. This task describes how to define a minimal OAuth configuration.

What is OAuth client?

More specifically, OAuth is a standard that apps can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials.


1 Answers

NB: The answer below is applicable mostly to OAuth 1.0

I don't really know anything about the DevDefined library. But here is a non-technical description of the database design I ended up working with in my latest project, using an SQL database.

It should cover everything needed to follow the basic specification. I've tried to keep it down to an absolute minimum.

RequestTokens

  • token (I use an MD5 here, primary key)
  • consumerKey (the unique identifier for the consumer)
  • secret (SHA1)
  • createTime (timestamp)
  • callback

AccessTokens

  • token (MD5, primary key)
  • secret (SHA1)
  • consumerKey
  • userID (refers to the resource owner)
  • createTime

Consumers (registered third party applications)

  • consumerKey (MD5, primary key)
  • consumerSecret (SHA1)
  • userID (refers to the developer who registered the application, not unique)
  • description (a text to describe the application)
  • name (the name of the application)
  • callback

UsedNonces

  • nonce
  • timestamp

The handling of nonces was really the biggest design question for me. OAuth tells you to never allow the same nonce to be used with the same timestamp ever again. But that would make for an infinitely huge database. I think most providers batch away old nonces at least once in a while.

I routinely clear away nonces older than 5 minutes, based on the premise that all requests with a timestamp older than 5 minutes are rejected. I am slightly forgiving when checking timestamps, they need to be UTC and either not older than 5 minutes, and not ahead of my server time more than one minute.

like image 59
Jon Nylander Avatar answered Nov 01 '22 22:11

Jon Nylander