I have a API that is ran on multiple sites. The user can register via multiple social logins on these client sites. The one I will speak of is Twitter. How can I authenticate on the client website and api website that is the actual user? I am doing the api call via Javascript which someone can visible see what to send to the api request. Even if they do see it I want to verify they are using the access token for that username, not a fake one they are trying to send. Do both sides need to know the consumer key and consumer开发者_Go百科 secret key to verify credentials? I have looking for the best possible workflow on how to do this during registration.
Have you considered utilizing something like JanRain Engage (http://www.janrain.com/products/engage) to provide your users with a simplified social login environment?
Disclaimer: I don't work for JanRain, just a fan of their products for simplification of social authentication.
I used a third party framework that calls verify credentials with the consumer key, consumer secret key, token access, and token access secret, and compare the userid of the result with the result in the request.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论