I have a Google App Engine project and I want to make my REST API available to third parties, like the Twitter API.
Twitter requests the user and password to be sent so that they can be authorized - can I do this with Google user accounts?
I have read somewhere on this site that this is not a preferred method, as their credentials are entered into a third-party app/passed etc.
I don't want to overcomplicate things and redirect them to Google's own login/captcha and so on. I have seen an implementation of this - also with desktop/phone/widgets this may not even work.
Is a solution for third-party apps to call my service - the app calls a page on my site (which asks for login - I just add login rights), the user then logs in and my app then creates a long token that is then passed back to the third-party app, which then stores this in their own repository and passes it as a Token arg in the POST/PUT/DELETE request. My REST service then checks the token against a lookup of (token|user key) pairs and allows/rejects the method call.
I could also ask the app for their domain and store this too. I guess I can read the URL of the request on the REST service and check they match etc.?
Is this a reasonable solution or am I living in the 90's?
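The token scheme sketched in the question (user logs in on our site, a long random token goes back to the third-party app, each POST/PUT/DELETE is checked against a token|user lookup), written out as an added Python example; it is not code from the question or from any project, and the in-memory table, the 30-day lifetime and the domain field are assumptions made here.

```python
import hashlib
import secrets
import time

# In-memory stand-in for the (token | user key) lookup the question describes;
# on App Engine this would be a datastore entity. Constructed for this example.
TOKENS = {}
TOKEN_TTL = 30 * 24 * 3600  # assumed token lifetime: 30 days

def _digest(token):
    # Store only a SHA-256 of the token: a leaked table then yields no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(user_key, app_domain, now=None):
    """Called once the user has logged in on our site. Returns the long random
    token the third-party app keeps in its own repository."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    TOKENS[_digest(token)] = {"user": user_key, "domain": app_domain, "issued": now}
    return token

def check_request(token, request_domain, now=None):
    """Validate the Token argument of a POST/PUT/DELETE. Returns the user key
    the token was issued for, or None if the call must be rejected."""
    now = time.time() if now is None else now
    if not token:
        return None
    record = TOKENS.get(_digest(token))
    if record is None:
        return None
    if now - record["issued"] > TOKEN_TTL:
        del TOKENS[_digest(token)]  # expired: drop it so it cannot be reused
        return None
    # Domain pinning as the question suggests; see the note below on its limits.
    if request_domain != record["domain"]:
        return None
    return record["user"]

def revoke_token(token):
    """Let the user (or us) cut off a third-party app; returns True if removed."""
    return TOKENS.pop(_digest(token), None) is not None

if __name__ == "__main__":
    t = issue_token("user:42", "thirdparty.example")
    print(check_request(t, "thirdparty.example"))  # user:42
    print(check_request(t, "evil.example"))        # None
```

The domain check only helps when the server has a trustworthy source for the caller's domain; a Referer or Origin header is easily omitted or set by a desktop or phone client, so the token itself, sent only over HTTPS, has to carry the authorization.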
OAuth was created with this situation in mind. It's a specification for the sort of auth-token scheme you just described, and it's reasonably widespread these days.
For balance, see this recent StackOverflow thread.