Implementing OAuth 2.0 Authentication for My API

c# .net oauth-2.0 oauth-provider
16,983

Actually protocol flow diagrams would be extremely helpful for visualizing specs like that of OAuth 2 but there are only some partials works out there. As I've just implemented a client-side only OAuth 2 library, I can verify that you're on the right track. But here is a catch:

oauth_token belongs to your client application (i.e. a desktop facebook reader) which authenticates your application (just like an ID). You submit this to get back a access_token, which is specific to your application and logged in user, which allows you to access restricted resources related to the user.

Here is a basic desktop app authentication process (taken from: http://developers.gigya.com/020_Developer_Guide/85_REST/OAuth2)

REST OAuth 2.0

Actually a flow digram with timeline (from top to bottom, taken from: http://www.ibm.com/developerworks/web/library/wa-oauthsupport/?ca=drs-)

Protocol flow

And finally the full procedure is: (taken from http://h2anetwork.org/ProjectDocs/DPI/DPI_Framework.html)

OAuth protocol flow

Share:
16,983
nfplee
Author by

nfplee

Updated on June 17, 2022

Comments

  • nfplee
    nfplee almost 2 years

    I've been using the Facebook Graph API (uses oauth 2.0 for authentication) successfully for a while now. I now need to write my own API which allows developers to connect to it in a similar fashion. I've looked into various libraries but i'd like something a little leaner so i've decided to roll my own. Looking at the code i have to authenticate a user on facebook it looks relatively simple but please correct me if i'm going off track.

    First i would need to provide a secure page which the consumer would need to redirect to. eg https://api.mydomain.com/oauth/authorize?client_id=CONSUMER_KEY&redirect_url=CALLBACK_URL. The user would verify the application then i would redirect back to the url provided in the callback url with the oauth_token in the query string. I suppose i could just generate a random unique string here for the oauth_token and store it against the user for this particular consumer (EDIT: Please see the answer below, this should be unique for each consumer application and not the user).

    That's step 1 out the way. I now need to provide a second secure page which the consumer would trigger a web request to. eg https://api.mydomain.com/oauth/access_token?client_id=CONSUMER_KEY&client_secret=CONSUMER_SECRET&oauth_token=OAUTH_TOKEN_RETURNED_ABOVE. This would allow the consumer to exchange the oauth_token returned above for an access token. I would again simply generate a random unique string and store it against the user for this particular consumer.

    Now my API would accept the access_token for methods which try to grab information specific to the user who is using it.

    I'd like to know if i've understood things correctly. The OAuth 2.0 spec seems extremely trivial if that's the case. Also why do we have to exchange the oauth_token with an access_token? I have my own idea but i'd appreciate it if someone could help clarify this.

    I'd really appreciate your feedback as i don't wish to go ahead and waste hours implenting this when it's completely wrong.

    Thanks

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Return error on invalid or expired token
RestSharp OAuth2 Bearer Authentication Failing With Access Denied
How do I use a Service Account to Access the Google Analytics API V3 with .NET C#?
SMTP and OAuth 2
Using SQL Server with Dart
Visual Studio Project Backup
Copy/paste cells in Excel with C#
Cannot convert from 'string' to 'System.Net.Http.HttpRequestMessage'
Unable to load DLL: The specified module could not be found
google calendar api server application