mfrachet

Reputation: 8922

Understanding OAuth2.0 and REST API Security

In my current work, I have to develop an internal REST API engine. I have read Roy Fielding's thesis, done my research, and I finally got something that works great: easy to use, with high performance, corresponding to the Fielding REST spec.

There is only one point that I don't really know how to overcome: the security problem.

Again, I did my research, and I wanted to use OAuth2.0 in my engine. The problem is that I don't understand at all how to use this protocol.

In fact, I don't understand anything at all about OAuth2.0, and I need to learn. The problem is, every piece of documentation that I try to read is like Chinese; I didn't find an easy, step-by-step one that will help me with this.

That's why I am posting here: can you help me understand OAuth2.0 and secured authentication for APIs a bit more?

I deliberately didn't mention the technologies, because I want to understand OAuth2.0 before applying it technically.

Thanks for all

Upvotes: 1

Views: 426

Answers (2)

mfrachet

Reputation: 8922

Thank you for your answer. I studied OAuth2 a bit more and tried to implement it with 3 strategies: basic, clientPassword, bearer.

I created a new thread for another problem, if you want to take part in it:

OAuth2 server creation with nodejs

Upvotes: 1

Chris Meek

Reputation: 5839

The main problem with OAuth (both versions) is that you'll see a lot of talk about the three-legged version. That is when you have a user, a data-providing service and a consuming service, let's say a service that will create physical copies of your Flickr photos. In this case the OAuth flow allows the user to tell Flickr that the third party can access their data. This is not the scenario you are after; you are interested in 2-legged OAuth (see here for a description).

Of course you could look at other methods too. I've used HAWK in a number of REST/Hypermedia APIs and found it to be great to use in both nodejs and .NET server stacks.

Upvotes: 3
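
An added example, not part of either answer or of any project mentioned above: the two-legged case sketched in Node.js as the OAuth 2.0 client credentials grant, where the consuming service authenticates as itself with HTTP Basic, receives a bearer token, and presents it to the API. The client id, secret, token lifetime and function names are constructed for illustration, and the in-memory maps stand in for real storage.

```javascript
// Added illustration of a two-legged exchange (OAuth 2.0 client credentials grant).
// Client id, secret and token lifetime below are constructed sample values.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();
// Server-side registry: keep a hash of each client secret, never the secret itself.
const clients = new Map([["print-service", sha256("constructed-sample-secret")]]);
const tokens = new Map(); // opaque access token -> { clientId, expiresAt }
const LIFETIME_S = 3600;

// Token endpoint: the client authenticates as itself; no end user is involved.
function tokenEndpoint(authorizationHeader, body, now = Date.now()) {
  const [scheme, encoded] = (authorizationHeader || "").split(" ");
  if (scheme !== "Basic" || !encoded) return { status: 401, error: "invalid_client" };
  const decoded = Buffer.from(encoded, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  const id = decoded.slice(0, sep);
  const secret = decoded.slice(sep + 1);
  const stored = clients.get(id);
  // Comparing fixed-length hashes in constant time avoids leaking the secret via timing.
  if (!stored || !crypto.timingSafeEqual(stored, sha256(secret)))
    return { status: 401, error: "invalid_client" };
  if (body.grant_type !== "client_credentials")
    return { status: 400, error: "unsupported_grant_type" };
  const accessToken = crypto.randomBytes(32).toString("hex"); // unguessable, opaque
  tokens.set(accessToken, { clientId: id, expiresAt: now + LIFETIME_S * 1000 });
  return { status: 200, access_token: accessToken, token_type: "Bearer", expires_in: LIFETIME_S };
}

// Resource server: accept a request only with a known, unexpired bearer token.
function authorizeRequest(authorizationHeader, now = Date.now()) {
  const [scheme, token] = (authorizationHeader || "").split(" ");
  const entry = scheme === "Bearer" ? tokens.get(token) : undefined;
  if (!entry || entry.expiresAt <= now) return { status: 401 };
  return { status: 200, clientId: entry.clientId };
}

// Demo helper: the Basic header a client would send to the token endpoint.
const basic = (id, secret) => "Basic " + Buffer.from(`${id}:${secret}`).toString("base64");
```

Both headers carry credentials in recoverable form, so this exchange only makes sense over TLS.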
