I am writing a web app, "B", that interfaces through a REST API with another web app, "A", that I wrote and control. I would like for a user that is logged into A to be able to perform actions on B that use the API to communicate with A. My best option looks like OAuth, but I want the experience to be seamless, and OAuth requires that the user consent before an access token is granted.
- Is OAuth a good solution for this situation? Is there a better alternative?
- If I do use OAuth, can I pre-authorize consent by trusting the Consumer Key?
You can do XAuth, which is an extension on OAuth. It uses the same principles of request / access tokens and secrets, but allows you to exchange a username / password combination for an access token.
We use it like:
- User logs in onto our iPhone app
- iPhone creates OAuth request token request, plus sends username + password over HTTPS
- Validate request (secrets etc., + username / password), generate request token, and exchange request token for access token. (This step is fully on the server, so the server does the exchanging).
- Access token is returned to the user
- iPhone app uses normal OAuth protocol + access token to communicate to server
Same way Twitter is doing it for apps that don't allow for an easy OAuth authentication page.
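The five steps above, as an added example that is not part of this answer or of any real xAuth library: app A's provider side (signature check, nonce/timestamp replay check, username/password check, access-token issuance with the request token collapsed into the same server-side exchange) and the client side that signs the `x_auth_*` request and then uses the returned access token for an ordinary OAuth 1.0a HMAC-SHA1 call. The consumer key/secret, user, password, endpoint URLs and in-process "server" are all constructed assumptions; the transport is assumed to be HTTPS.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed sample data: one registered consumer (the phone app) and one user.
# The consumer secret is shared here only so client and server fit in one file;
# in a deployment it is provisioned to the app and to A separately.
CONSUMERS = {"iphone-app-key": "iphone-app-secret"}
PW_SALT = b"constructed-salt"


def _hash_pw(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), PW_SALT, 100_000)


USERS = {"alice": _hash_pw("correct horse battery")}
ACCESS_URL = "https://a.example/oauth/access_token"  # hypothetical endpoints
API_URL = "https://a.example/api/me"


def _pct(s):
    return quote(str(s), safe="~")


def base_string(method, url, params):
    """OAuth 1.0a signature base string: METHOD&url&sorted(params)."""
    norm = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _pct(url), _pct(norm)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth_params(consumer_key, token=None):
    p = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": str(int(time.time())), "oauth_version": "1.0"}
    if token:
        p["oauth_token"] = token
    return p


class ServerA:
    """Provider side (app A). Every call is assumed to arrive over HTTPS."""

    def __init__(self):
        self.access_tokens = {}  # access token -> (token_secret, username)
        self.seen_nonces = set()

    def verify(self, method, url, params, token_secret=""):
        consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            return False
        # Reject stale or replayed requests before doing any signature work.
        nonce = params.get("oauth_nonce")
        if nonce in self.seen_nonces or abs(time.time() - int(params.get("oauth_timestamp", 0))) > 300:
            return False
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen_nonces.add(nonce)
        return True

    def xauth_access_token(self, params):
        """Step 3: check consumer signature and user credentials, then mint the
        access token. The request token is generated and exchanged inside this
        call, so it never leaves the server."""
        if not self.verify("POST", ACCESS_URL, params):
            raise PermissionError("bad consumer signature")
        stored = USERS.get(params.get("x_auth_username", ""))
        given = _hash_pw(params.get("x_auth_password", ""))
        if stored is None or not hmac.compare_digest(stored, given):
            raise PermissionError("bad credentials")
        token, token_secret = secrets.token_hex(16), secrets.token_hex(16)
        self.access_tokens[token] = (token_secret, params["x_auth_username"])
        return {"oauth_token": token, "oauth_token_secret": token_secret}

    def protected_resource(self, method, url, params):
        """Step 5: an ordinary OAuth-signed call using the access token."""
        entry = self.access_tokens.get(params.get("oauth_token"))
        if entry is None or not self.verify(method, url, params, entry[0]):
            raise PermissionError("bad access token or signature")
        return {"user": entry[1]}


# Client side (the phone app): step 2 and step 5.
def xauth_login(server, consumer_key, username, password):
    params = oauth_params(consumer_key)
    params.update({"x_auth_mode": "client_auth", "x_auth_username": username,
                   "x_auth_password": password})
    params["oauth_signature"] = sign("POST", ACCESS_URL, params, CONSUMERS[consumer_key])
    return server.xauth_access_token(params)


def call_api(server, consumer_key, token, token_secret):
    params = oauth_params(consumer_key, token)
    params["oauth_signature"] = sign("GET", API_URL, params, CONSUMERS[consumer_key], token_secret)
    return server.protected_resource("GET", API_URL, params)
```

The nonce set and the 300-second timestamp window are what stop a captured `x_auth_*` request from being replayed to mint a second token; both checks run before the password is looked at, so a replay never touches the credential store.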
Eran Hammer-Lahav says,
The user should be in control of their resources, but if this is just a case of one provider spread over multiple domains, I see no harm in skipping granting access to a client which is essentially owned by the same entity.
Take a look at the oauth2 client credentials flow.
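The client credentials flow, as an added example that is neither part of this answer nor any library's code: app B authenticates as itself to app A's token endpoint with HTTP Basic credentials and receives a scoped, expiring bearer token; no user password and no consent screen are involved, which also means the token identifies B as a whole rather than one of A's users. The client registry, scopes, endpoints and in-process "server" are constructed assumptions.

```python
import base64
import hmac
import secrets
import time

# Constructed client registry: app B is a confidential client of app A.
CLIENTS = {"app-b": {"secret": "app-b-secret", "scopes": {"read", "write"}}}
TOKEN_TTL = 3600  # seconds


class TokenServer:
    """Provider side (app A): token endpoint plus a scope-checked resource."""

    def __init__(self):
        self.tokens = {}  # access_token -> {"client_id", "scope", "exp"}

    def token_endpoint(self, authorization, form, now=None):
        now = time.time() if now is None else now
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        scheme, _, cred = authorization.partition(" ")
        if scheme != "Basic":
            return {"error": "invalid_client"}
        client_id, _, client_secret = base64.b64decode(cred).decode().partition(":")
        client = CLIENTS.get(client_id)
        # Constant-time comparison so the secret cannot be probed via timing.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        requested = set(form.get("scope", "").split()) or set(client["scopes"])
        if not requested <= client["scopes"]:
            return {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": requested, "exp": now + TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL,
                "scope": " ".join(sorted(requested))}

    def resource(self, authorization, required_scope, now=None):
        now = time.time() if now is None else now
        scheme, _, token = authorization.partition(" ")
        entry = self.tokens.get(token) if scheme == "Bearer" else None
        if entry is None or entry["exp"] <= now:
            return {"error": "invalid_token"}
        if required_scope not in entry["scope"]:
            return {"error": "insufficient_scope"}
        return {"client_id": entry["client_id"]}


def basic_auth(client_id, client_secret):
    """Client side (app B): build the Authorization header for the token request."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
```

Because the token carries only B's identity, any per-user authorization on A's side still has to come from somewhere else (for instance a user identifier that B passes and A trusts because B is owned by the same entity), which is the trade-off Eran Hammer-Lahav's remark above is pointing at.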