I am looking at using OAuth to secure web services. OAuth 2 fits nicely with the use cases we have, where a user might access his/her own data using the APIs or grant access to call the APIs on his/her behalf.
However, the initial set of API users is not technical, and they do not want to go through the effort of making API calls to generate tokens. I am thinking of implementing the following solution, but I am not sure if it is the right way.
If the user is a developer, then
- have a screen where he/she can register an application. This generates an API key/secret pair.
- to access his/her own data (for 2-legged auth), have a UI screen where the user can generate an access token for one of the registered applications. He/she can specify the scopes and duration in the form.
- if he/she is a 3rd party developer, he/she needs to pass the application's API key to the person on whose behalf he/she needs to access the API, and gets an access token in exchange.
If the user wants an application/developer to access the APIs on his/her behalf, then
- have a screen where he/she can enter the third party's API key, scopes, and duration of authorization. He/she can then pass the generated access token to the developer, who will access the APIs.
I am going to use the same OAuth libraries to generate the token that I would have used if I had gone the web service route. Further, I can develop the services whenever the current situation doesn't scale or the need arises, and the existing tokens will still work.
The problem is one of security. By design, the duration of the access token should not be set by the client. If someone else gets to know the access token and client id during that duration, the user's account is compromised. The duration is set to not be long, and a second secret value, the refresh token, is used to refresh the current access token. Token refreshing can be automated in code, but in this approach it needs to be done manually.
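As an added example, not code from the post, here is a minimal Python token issuer that demonstrates the lifetime concern raised above: the server clamps any client-requested duration to its own ceiling, stores only hashes of issued tokens, and pairs each short-lived access token with a single-use refresh token that can only be redeemed together with the application's secret. The `TokenService` API, `MAX_ACCESS_TTL` and `REFRESH_TTL` are assumptions for illustration.

```python
import hashlib
import secrets
import time

MAX_ACCESS_TTL = 3600             # assumed policy: server ceiling on access-token lifetime (seconds)
REFRESH_TTL = 30 * 24 * 3600      # assumed policy: refresh-token lifetime (seconds)


def _h(token: str) -> str:
    """Store only a hash so a leaked token table does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Hypothetical in-memory issuer; a real deployment would persist these tables."""

    def __init__(self, now=time.time):
        self.now = now                  # injectable clock so expiry can be exercised in tests
        self.apps = {}                  # api_key -> sha256(secret)
        self.access_tokens = {}         # sha256(access token) -> record
        self.refresh_tokens = {}        # sha256(refresh token) -> record

    def register_app(self):
        key, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.apps[key] = _h(secret)
        return key, secret              # the secret is shown once and never stored in clear

    def issue(self, api_key, user, scopes, requested_ttl):
        if api_key not in self.apps:
            raise PermissionError("unknown application")
        ttl = min(int(requested_ttl), MAX_ACCESS_TTL)   # never trust a client-chosen duration
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        rec = {"user": user, "app": api_key, "scopes": frozenset(scopes)}
        self.access_tokens[_h(at)] = dict(rec, exp=self.now() + ttl)
        self.refresh_tokens[_h(rt)] = dict(rec, exp=self.now() + REFRESH_TTL)
        return {"access_token": at, "refresh_token": rt, "expires_in": ttl}

    def validate(self, access_token, scope):
        rec = self.access_tokens.get(_h(access_token))
        return rec is not None and rec["exp"] > self.now() and scope in rec["scopes"]

    def refresh(self, api_key, secret, refresh_token):
        # The refresh token alone is not enough: the caller must also prove the app secret.
        if not secrets.compare_digest(self.apps.get(api_key, ""), _h(secret)):
            raise PermissionError("bad client credentials")
        rec = self.refresh_tokens.pop(_h(refresh_token), None)   # single use: rotate on every refresh
        if rec is None or rec["app"] != api_key or rec["exp"] <= self.now():
            raise PermissionError("invalid or expired refresh token")
        return self.issue(api_key, rec["user"], rec["scopes"], MAX_ACCESS_TTL)
```

A UI that issues tokens on a non-technical user's behalf can call `issue()` with the form's duration and still never exceed the server ceiling, while an automated client renews through `refresh()`.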