
I'm interested in developing a RESTful JSON data API using Sinatra, and have an HTML5/JS app consume that data API. Obviously the data API needs some form of authentication so that user Joe can only access his own stuff via the API. It would be nice if I could not roll my own authentication, and instead rely on Google/Facebook/Twitter to be the identity provider.

I've looked into OAuth2 using Omniauth and I can wire that up easily enough for traditional web apps, but when talking about securing the JSON API using FB/Twitter/Google, my understanding breaks down because:

  • The API shouldn't really be the thing doing the redirects for the OAuth2 flow, should it?
  • When the callback data from an identity provider comes through, it'd probably hit the HTML/JS app, right?

A further kink would be if I ever wanted to provide 3rd party developers API access via non-web mechanisms; the OAuth2 redirect flow business certainly wouldn't work here.

So all told, I'd have an architecture that looks like this:

[ HTML/JS client ] --- [ JSON API  ]       [ FB/Twitter/Google ]
                            |
                            |
                       [ Developer ]

In effect, what I'm after is what's here, except this is for Rails only:

Any pointers for doing this with Sinatra? Please use some specific examples.

dreadwail
  • Write what you have done and where you stuck. Simply asking how to integrate sso-devise-omniauh-provider into Sinatra is not enough. – andih Jun 25 '13 at 06:32

1 Answer


Well you've sort of painted yourself into a corner. One premise of OAuth authentication is that there is a user who will take an action in an HTTP client (such as a web browser) to authenticate himself to the OAuth provider. If you want to provide 3rd party developers API access via non-web mechanisms then you cannot use that sort of authentication flow.

You need to follow the API Key pattern if you want to authenticate API clients that are not amenable to the interactive web-based authentication patterns. Somehow you need to generate API keys and hand them out to authorized 3rd party developers. Look at how Twitter, Facebook, and Google do it.

Old Pro
  • I don't think this is correct. OAuth has flows that do not involve users taking actions in a web browser. Look at the so called "2-legged" OAuth flows that just involve exchanging key/secret for a token. – dreadwail Jun 19 '13 at 07:13
  • @BenLakey, Yes, OAuth has flows that do not involve users taking actions, but these flows do not validate that the user making the request to the API is who they say they are. They would allow the Sinatra server to set up an account on Google and store user data in it, but the 2-legged flow would not validate that the Sinatra App's API caller is the user they are claiming to be. – Old Pro Jun 19 '13 at 09:07
  • Yes, I mean, obviously you'd have to check that the tokens you vend are for a particular user, but the question is more about the mechanical howto if you have users previously linked using Google/Facebook/Twitter via the standard 3-legged OAuth. Look at the linked solution to see what I'm getting after (It is however for Rails, and I'm interested in Sinatra). – dreadwail Jun 20 '13 at 04:14
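The API Key pattern the answer recommends, and the "check that the tokens you vend are for a particular user" point raised in the comments, are easier to see in code. The following is an added example, not code from the original question, the answer, or any Sinatra project: a key store that hands out a random key once and keeps only its SHA-256 digest, plus a Rack-style middleware that Sinatra (a Rack app) can mount with `use ApiKeyAuth, store`. Because Sinatra is not required here, a hypothetical lambda stands in for the app's routes; the names `ApiKeyStore`, `ApiKeyAuth`, the `sk_` prefix and the `api.owner` env key are this example's own choices, not a Sinatra or Rack convention.

```ruby
require 'securerandom'
require 'digest'
require 'json'

# Added example: API-key authentication for a JSON API, independent of the
# OAuth redirect flow. Keys are minted server-side (e.g. once a user has been
# linked through a 3-legged OAuth login, or for a 3rd-party developer) and
# presented on every request as "Authorization: Bearer <key>".

# Server-side key store. Only a SHA-256 digest of each key is retained, so a
# leaked database does not leak usable credentials.
class ApiKeyStore
  KEY_BYTES = 32 # 256 bits of entropy per key

  def initialize
    @keys = {} # digest(key) => { owner: ... }
  end

  # Mint a key for an owner. The plaintext is returned exactly once so it can
  # be handed to the user/developer; it is never stored.
  def issue(owner:)
    key = "sk_#{SecureRandom.urlsafe_base64(KEY_BYTES)}"
    @keys[digest(key)] = { owner: owner, created_at: Time.now }
    key
  end

  # Revoke a key; returns true if it existed.
  def revoke(key)
    !@keys.delete(digest(key)).nil?
  end

  # Look up the record for a presented key, or nil. The hash lookup compares
  # digests, not the secret itself, so a timing difference in the comparison
  # does not leak the key (an attacker would need a SHA-256 preimage).
  def lookup(key)
    return nil if key.nil? || key.empty?
    @keys[digest(key)]
  end

  private

  def digest(key)
    Digest::SHA256.hexdigest(key)
  end
end

# Rack-style middleware. In Sinatra: `use ApiKeyAuth, store`, and routes read
# the caller from `request.env['api.owner']`; unauthenticated requests never
# reach a route.
class ApiKeyAuth
  def initialize(app, store)
    @app = app
    @store = store
  end

  def call(env)
    key = extract_key(env['HTTP_AUTHORIZATION'])
    record = @store.lookup(key)
    return unauthorized('missing or invalid API key') unless record

    env['api.owner'] = record[:owner] # downstream routes scope data by this
    @app.call(env)
  end

  private

  # Accept only "Bearer <key>"; any other scheme (Basic, etc.) is rejected.
  def extract_key(header)
    return nil unless header
    scheme, value = header.split(' ', 2)
    return nil unless scheme && value && scheme.casecmp('Bearer').zero?
    value.strip
  end

  def unauthorized(msg)
    headers = { 'Content-Type' => 'application/json',
                'WWW-Authenticate' => 'Bearer realm="api"' }
    [401, headers, [JSON.generate({ 'error' => msg })]]
  end
end

# Hypothetical stand-in for the Sinatra routes, with constructed sample data:
# it returns only the records that belong to the authenticated owner.
SAMPLE_DATA = { 'joe' => ['joe-doc-1', 'joe-doc-2'], 'ann' => ['ann-doc-1'] }.freeze
OWNER_SCOPED_APP = lambda do |env|
  owner = env['api.owner']
  body = JSON.generate({ 'owner' => owner, 'items' => SAMPLE_DATA.fetch(owner, []) })
  [200, { 'Content-Type' => 'application/json' }, [body]]
end

# Assemble middleware + app, as Sinatra's `use` would.
def build_api(store)
  ApiKeyAuth.new(OWNER_SCOPED_APP, store)
end

# Convenience: issue a request carrying a key and return [status, parsed body].
def call_with_key(app, key)
  env = key ? { 'HTTP_AUTHORIZATION' => "Bearer #{key}" } : {}
  status, _headers, body = app.call(env)
  [status, JSON.parse(body.first)]
end
```

For 3rd-party developers the same store issues a key per developer (or per application) over a channel that does not involve a browser at all; for browser users, the Sinatra app mints a key for the user after the Omniauth callback has established who they are, and the HTML/JS client then sends that key on every API call. The thing that ties a request to "Joe's stuff" is the owner recorded against the key at issue time, not anything the client claims.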