This is simply an implementation of OAuth for session based authentication for external applications.

A typical step by step example that OAuth often talks about is a photo printing site that would like access to a Service Provider. This site would make a signed OAuth request in order to obtain an unauthorized Request Token at http://api.myspace.com/request_token. It would then navigate the user to the authorization page at http://api.myspace.com/authorization. After the user authenticates and grants the app permission, they are then redirected back to the oauth_callback URL (provided in the original request to the authorization page). The consumer handles this redirect and then exchanges the Request Token for a session based Access Token at http://api.myspace.com/access_token. The consumer/external application can now use this token as the oauth_token in API requests for the user.

There is a step by step example at http://developer.myspace.com/Modules/APIs/Pages/AccessDelegationTool.aspx. You must be logged in and have created an app on MySpace in order for this to work. You can create an app with gadget xml and choose amongst your apps in order to kick off the example workflow.

~Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Eaton
Sent: Tuesday, April 01, 2008 11:01 PM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: Restful APIs: Security

On Tue, Apr 1, 2008 at 8:33 AM, Paul Walker <[EMAIL PROTECTED]> wrote:
> 3. External app server to server requests
> This context constitutes the requests that may be made by external web
> site/desktop/device applications....the use cases well outlined in the
> access delegation portion of the OAuth spec in which an external
> application requires a session based oauth_token in order to access a
> user's resources. The token contains the context of the
> user/application/timestamp/and any additional non-standard permissions
> the application may require. Some partner apps are able to skip the
> first few steps and obtain the token directly if the user is logged in,
> as we will look for the auth cookie and provide them the token
> immediately. Some applications have longer lived tokens upon request,
> and the user is able to grant a pseudo permanent token upon
> authentication if they choose "Don't ask me again", as well as manage
> the tokens given to external applications within MySpace. We have a demo
> of this context on our developer site here:
> http://developer.myspace.com/modules/apis/pages/accessdelegationtool.aspx

I've read this a few times, and I have to admit I still don't understand it. Would you be willing to break this down a little further, maybe offer a step by step example?

You received this message because you are subscribed to the Google Groups "OpenSocial and Gadgets Specification Discussion" group. For more options, visit this group at http://groups.google.com/group/opensocial-and-gadgets-spec?hl=en
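The three-legged flow described in the thread (a signed request for an unauthorized Request Token, the user authorizing at the provider, the redirect to oauth_callback, the exchange for an Access Token, and then signed API requests carrying it as oauth_token), as an added worked example that is not part of the thread and not MySpace's own code. Both the consumer and the service provider are simulated in one Python process with the HMAC-SHA1 signing and parameter encoding of OAuth Core 1.0. The request_token and access_token endpoint URLs are the ones named in the message; the resource URL, consumer key and secret, callback URL and user names are constructed. Two things here go beyond what the message describes and are assumptions: the callback is bound at the request-token step and an oauth_verifier comes back through the callback (the OAuth 1.0a shape, rather than passing the callback to the authorization page), and the provider refuses a replayed nonce, which the thread does not discuss.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Endpoint URLs are the ones named in the thread; keys, callback and user names are constructed.
REQUEST_TOKEN_URL = "http://api.myspace.com/request_token"
ACCESS_TOKEN_URL = "http://api.myspace.com/access_token"
API_URL = "http://api.myspace.com/v1/user"                        # hypothetical resource endpoint
CONSUMER_KEY, CONSUMER_SECRET = "photo-printer", "printer-secret"  # constructed
CALLBACK_URL = "http://printer.example/oauth/callback"             # constructed

def pct(s):  # RFC 3986 encoding as OAuth 1.0 requires: only -._~ stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):  # METHOD & enc(url) & enc(sorted "k=v" pairs joined by &)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 keyed with enc(consumer_secret)&enc(token_secret); there is no token secret yet in step 1
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def oauth_params(token=None, **extra):  # parameters every signed request carries; fresh nonce each time
    p = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": secrets.token_hex(8), "oauth_version": "1.0",
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **extra}
    return {**p, "oauth_token": token} if token else p

class ServiceProvider:  # in-memory stand-in for the api.myspace.com side
    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        expected = sign(method, url, p, self.consumers[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        nonce = (p["oauth_consumer_key"], p["oauth_timestamp"], p["oauth_nonce"])
        if nonce in self.seen_nonces:  # a captured request must not work a second time
            raise PermissionError("replayed nonce")
        self.seen_nonces.add(nonce)
        return p

    def request_token(self, params):  # step 1: issue an unauthorized Request Token
        p = self._verify("POST", REQUEST_TOKEN_URL, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "callback": p["oauth_callback"], "user": None}
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def authorize(self, token, user):  # step 2: the authorization page; user logs in and grants access
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return f"{rt['callback']}?{urlencode({'oauth_token': token, 'oauth_verifier': rt['verifier']})}"

    def access_token(self, params):  # step 3: swap an authorized Request Token for an Access Token
        rt = self.request_tokens[params["oauth_token"]]
        p = self._verify("POST", ACCESS_TOKEN_URL, params, rt["secret"])
        if rt["user"] is None or not hmac.compare_digest(p.get("oauth_verifier", ""), rt["verifier"]):
            raise PermissionError("request token was never authorized")
        del self.request_tokens[p["oauth_token"]]  # request tokens are single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"]}
        return {"oauth_token": tok, "oauth_token_secret": sec}

    def api(self, params):  # step 4: a signed API request made on the user's behalf
        at = self.access_tokens[params["oauth_token"]]
        self._verify("GET", API_URL, params, at["secret"])
        return {"user": at["user"]}

def signed(method, url, params, token_secret=""):  # consumer side: attach our signature
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return params

def run_flow(user="alice"):  # the consumer's side of the three-legged flow, browser hop simulated
    sp = ServiceProvider()
    # 1. signed request for an unauthorized Request Token, binding our callback to it
    r = sp.request_token(signed("POST", REQUEST_TOKEN_URL, oauth_params(oauth_callback=CALLBACK_URL)))
    rt, rt_secret = r["oauth_token"], r["oauth_token_secret"]
    # 2. user is sent to the authorization page with oauth_token=rt and comes back on our callback
    q = parse_qs(urlparse(sp.authorize(rt, user)).query)
    if q["oauth_token"][0] != rt:  # only finish a flow this consumer actually started
        raise PermissionError("unexpected request token on callback")
    # 3. exchange the authorized Request Token (plus verifier) for a session Access Token
    r = sp.access_token(signed("POST", ACCESS_TOKEN_URL,
                               oauth_params(rt, oauth_verifier=q["oauth_verifier"][0]), rt_secret))
    at, at_secret = r["oauth_token"], r["oauth_token_secret"]
    # 4. from here on, API requests carry the Access Token as oauth_token and are signed with both secrets
    return sp, signed("GET", API_URL, oauth_params(at), at_secret)

def replay_is_rejected():  # presenting the same captured, validly signed request twice fails on the nonce
    sp, req = run_flow("bob")
    sp.api(req)
    try:
        sp.api(req)
    except PermissionError:
        return True
    return False
```

On the wire the oauth_* parameters would travel in an `Authorization: OAuth ...` header or the query string rather than a Python dict, and a real provider would also reject timestamps outside an acceptable window so the nonce set can be pruned; the signing, the single-use request token, the verifier check and the callback token check are the parts that carry the security of the flow.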

