0

I provide a developer API to a set of data, I want to add 2-legged oauth authentication so I can authenticate developers apps to use the api. Firstly is this the best solution, for this type of authentication?

Secondly, from an implementation/flow point of view, is my understanding correct:

  1. A random developer, goes to my site and uses a 'signup' page, which when submitted I generate them a api key and secret, that can be generated in anyway I wish.

  2. They then use an oauth library like the php one found here to sign their request with these credentials.

    $consumer = new OAuthConsumer('thegeneratedkey', 'thegeneratedsecret');

$sig_method = new OAuthSignatureMethod_HMAC_SHA1;

//use oauth lib to sign request
$req = OAuthRequest::from_consumer_and_token($consumer, null, "GET", 'http://mydonaim/api/', array('someapimethod', 'somevalue'));
$sig_method = new OAuthSignatureMethod_HMAC_SHA1();
$req->sign_request($sig_method, $consumer, null);//note: double entry of token
  1. My server then uses the oauth library to check the 'signature' of that request to authenticate the developer app.

$secret = 'secret'; // Ignore this line.

$secret = 'secret'; // Use the $_GET['oauth_consumer_key'] to find the secret in my system.
$consumer = new OAuthConsumer($_GET['oauth_consumer_key'], $secret);
$sig_method = new OAuthSignatureMethod_HMAC_SHA1;

$method = $_SERVER['REQUEST_METHOD'];
$uri = 'http://'.$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$sig = $_GET['oauth_signature'];    
$req = new OAuthRequest($method, $uri);

//token is null because we're doing 2-leg
$valid = $sig_method->check_signature( $req, $consumer, null, $sig );

Is this correct?

If so, does this authentication have to be done every time a request is made or can I generate a token of some kind to reduce the weight in each HTTP request from developer app to my api?

Gcoop
  • 3,372
  • 4
  • 26
  • 35

1 Answers1

1

Firstly is this the best solution, for this type of authentication?

OAuth is designed to allow applications to get user data from a third party service without knowing the user's credentials. As long as that's what you need to do, then OAuth is the right solution for you.

If so, does this authentication have to be done every time a request is made or can I generate a token of some kind to reduce the weight in each HTTP request from developer app to my api?

Both sets of Tokens/Secrets must be provided with every single API request and passed into your OAuth library for authentication. This is how OAuth works. You should not add yet another token into the process, as that would only make things even more complicated, and it would confuse the crap out of any poor developer that finally got OAuth.

Remember, the key sets exist so you can revoke access to an entire application, and so users can do the same, assuming you give them an interface to do so. Both sets are included with each request so your application can check them for validity.

Don't worry about the "weight" of an HTTP request unless you've performed benchmarking and profiling and have determined that the size of requests is something you need to work on. I can pretty much guarantee that it's a non-issue.

Charles
  • 50,943
  • 13
  • 104
  • 142
  • thanks for the answer when you say "OAuth is designed to allow applications to get user data from a third party service without knowing the user's credentials." are you not specifically talking about 3-legged oauth? – Gcoop Mar 13 '11 at 16:49
  • I am indeed speaking specifically about plain old normal "3-legged" OAuth. – Charles Mar 13 '11 at 16:58
  • 1
    for everyone who stumbled on this question and wondering where to find the full code. http://developer.yahoo.com/blogs/ydn/posts/2010/04/a_twolegged_oauth_serverclient_example/ – carbonr Mar 05 '12 at 06:13