I'm a bit confused as well.

So, does that mean the first request is made to get a request token and
secret, and that's it?

No need to do authorization and another POST to get an access token?

And that we sign every request with the first token and secret that's
given to us, but leave the access token field empty in our data source?

thx,

kelvin

On Jun 23, 11:41 am, Josh Roesslein <[email protected]> wrote:
> On Tue, Jun 23, 2009 at 10:48 AM, ngw <[email protected]> wrote:
>
> > Hi *, I'm trying to figure out how to implement OAuth for my own site,
> > and something is still not completely clear.
> > For example, I need to authenticate a certain class of users (site
> > administrators) for a management interface. These users can see every
> > kind of data and have read/write permissions on basically everything.
> > Obviously, authentication and authorization is critical.
> > This interface should basically authenticate against the main site
> > with username and password and check for a given flag.
>
> > If I understood OAuth correctly the workflow is
> > 1) The user points to foo.bar.com
> > 2) foo.bar.com contacts bar.com and asks the user to login in case the
> > user isn't
> > 3) in case the credentials are right bar.com asks the user if the
> > application foo.bar.com can use his data, in case the credentials are
> > wrong the user is redirected to a bar.com page
> > 4) foo.bar.com queries the account of the user and checks if he is an
> > administrator
>
> What you describe here is a three-legged flow. The two-legged flow does not
> perform a user authentication with the SP. Instead we are just authenticating
> the consumer with the SP. This consumer can represent a single user or many,
> but to the SP it's just one user. The consumer authenticates with the SP by
> signing each request with its shared secret. The SP detects a two-legged
> request by the missing access token. It must then verify the signature and
> identify the "user" by the consumer token. Two-legged is a good approach to
> use for instances where you don't care who the user is or if the consumer is
> just a single user (ex. desktop app).
>
> > Another question I have is what happens when the user connects after
> > some time, is he already authenticated or it's just a matter to set
> > some kind of expiration time for the token ?
>
> With two-legged the session would remain open until the SP disables the
> consumer's secret.
> With three-legged it's up to the SP when to expire the access token.
>
> I hope this helps clear things up for you. Good luck.
>
> Josh

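The two-legged versus three-legged distinction Josh describes above, written out as an added example that is not part of the original thread or of any particular OAuth library. It assumes OAuth 1.0 HMAC-SHA1 signing as in RFC 5849, a consumer key/secret table and an access-token table held by the SP (the keys, secrets and URL below are constructed sample values), and shows both sides: the consumer signs each request with its shared secret (plus the token secret when it has an access token), and the SP treats a request with no oauth_token as two-legged, recomputes the signature from the consumer secret alone, and identifies the caller by the consumer key. The SP side also rejects stale timestamps and reused nonces, which the thread does not mention but which a signed-request scheme needs, since without them a captured signed request can be replayed for as long as the consumer secret stays valid.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Constructed sample tables (hypothetical values, not real credentials).
CONSUMERS = {"foo.bar.com-admin-ui": "d3b07384d113edec49eaa6238ad5ff00"}
TOKENS = {"access-token-42": ("token-secret-42", "alice")}   # token -> (token secret, user)


def pct(s):
    """RFC 5849 percent-encoding: only unreserved characters are left alone."""
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded base URL & encoded, sorted, normalized parameters.

    Query-string parameters are folded into the parameter set; a non-default
    port would also have to be kept in the base URL (omitted here).
    """
    parts = urlsplit(url)
    base_url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))
    all_params = list(params.items()) + parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(key, text):
    return base64.b64encode(hmac.new(key.encode(), text.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token=None, token_secret="", timestamp=None, nonce=None):
    """Consumer side: build the oauth_* parameters for one request.

    With token=None this is the two-legged case kelvin asks about: no
    oauth_token is sent and the signing key is consumer_secret + "&" + "".
    """
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    if token is not None:                      # three-legged: access token present
        oauth["oauth_token"] = token
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    oauth["oauth_signature"] = hmac_sha1(key, signature_base_string(method, url, {**params, **oauth}))
    return oauth


class ServiceProvider:
    """SP side: verifies a signed request and returns who it is authenticated as."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window = consumers, tokens, window
        self.seen_nonces = set()               # (consumer key, timestamp, nonce) already accepted

    def verify(self, method, url, params, oauth, now=None):
        now = int(time.time()) if now is None else now
        consumer_key = oauth.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        if consumer_secret is None:            # disabling the secret ends the "session"
            raise PermissionError("unknown consumer")
        if oauth.get("oauth_signature_method") != "HMAC-SHA1":
            raise PermissionError("unsupported signature method")
        try:
            ts = int(oauth.get("oauth_timestamp", ""))
        except ValueError:
            raise PermissionError("bad timestamp")
        if abs(now - ts) > self.window:
            raise PermissionError("timestamp outside window")
        nonce_key = (consumer_key, ts, oauth.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            raise PermissionError("nonce replayed")
        token = oauth.get("oauth_token")
        if token is None:                      # two-legged: identity is the consumer itself
            token_secret, identity = "", f"consumer:{consumer_key}"
        else:                                  # three-legged: identity is the token's user
            if token not in self.tokens:
                raise PermissionError("unknown access token")
            token_secret, user = self.tokens[token]
            identity = f"user:{user}"
        key = f"{pct(consumer_secret)}&{pct(token_secret)}"
        unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
        expected = hmac_sha1(key, signature_base_string(method, url, {**params, **unsigned}))
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce_key)
        return identity


def attempt(sp, method, url, params, oauth, now=None):
    """Run verify and report the identity, or 'denied: <reason>' instead of raising."""
    try:
        return sp.verify(method, url, params, oauth, now=now)
    except PermissionError as e:
        return f"denied: {e}"


if __name__ == "__main__":
    sp = ServiceProvider(CONSUMERS, TOKENS)
    url = "https://bar.com/api/users?role=admin"          # constructed sample endpoint
    ck, cs = "foo.bar.com-admin-ui", CONSUMERS["foo.bar.com-admin-ui"]
    two = sign_request("GET", url, {}, ck, cs)
    print("two-legged:", attempt(sp, "GET", url, {}, two))
    print("replayed:  ", attempt(sp, "GET", url, {}, two))
    three = sign_request("GET", url, {}, ck, cs, token="access-token-42", token_secret="token-secret-42")
    print("three-legged:", attempt(sp, "GET", url, {}, three))
```

In the two-legged case the SP can only ever say "this is consumer foo.bar.com-admin-ui", which is why Josh notes it fits a consumer that is one user or where the user's identity does not matter; the admin-interface case in the original question, where per-user authorization is the whole point, needs the three-legged flow and a per-user access token the SP can expire.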