开发者

OAuth automatic consent of trusted consumer key

开发者 https://www.devze.com 2023-03-12 06:21 出处:网络
I am writing a web app, \"B\", that interfaces through a REST API with another web app, \"A\", that I wrote and control.

I am writing a web app, "B", that interfaces through a REST API with another web app, "A", that I wrote and control. I wou开发者_高级运维ld like for a user that is logged into A to be able to perform actions on B that use the API to communicate with A. My best option looks like OAuth, but I want the experience to be seamless, and OAuth requires that the user consent before an access token is granted.

  1. Is OAuth a good solution for this situation? Is there a better alternative?
  2. If I do use OAuth, can I pre-authorize consent by trusting the Consumer Key?


You can do XAuth, which is an extension on OAuth. It uses the same principles of request / access tokens and secrets, but allows you to exchange a username / password combination for a access token.

We use it like:

  1. User logs in onto our iPhone app
  2. iPhone creates OAuth request token request, plus sends username + password over HTTPS
  3. Validate request (secrets etc., + username / password), generate request token, and exchange request token for access token. (This step is fully on the server, so the server does the exchanging).
  4. Access token is returned to the user
  5. iPhone app uses normal OAuth protocol + access token to communicate to server

Same way Twitter is doing it for apps that don't allow for an easy OAuth authentication page.


Eran Hammer-Lahav says,

The user should be in control of their resources, but if this is just a case of one provider spread over multiple domains, I see no harm in skipping granting access to a client which is essentially owned by the same entity.


Take a look at the oauth2 client credentials flow.

0

精彩评论

暂无评论...
验证码 换一张
取 消