Adding OAuth2 security to our webservices
Hi All,
We run a few webservices (private) but want to add these to the public domain.
I've read the threads in this forum and all of them are related to the client.
Q: How can I add OAuth2 to our webservices on our server?
PS: The new functionality will be using DF19.1.
Roel
Re: Adding OAuth2 security to our webservices
Roel
Last year I built a sample OAuth2 secured API for the WebOrder sample, so this can be done.
I am not totally happy with it, but it does work.
The downside is that it is complicated if you want to go "the whole hog".
First, you have to add to your API authentication based on a "Bearer" token passed in the HTTP Authorization header.
Then you have to provide an authentication and authorization end-point which will validate the user and potentially allow them to restrict authorization to a limited sub-set of the API. That function should return a token to the calling application.
Finally, if you are going to open things up to 3rd party developers (and why else would you need OAuth2?), you need to provide a site where they can register as developers for your API, then register applications for it (each of which should be given a ClientID and SecretKey).
I could go on in detail, but you can see a sample client running at: http://test.unicorninterglobal.com/WebOrderRESTClient/Index.html. The API is nothing like as sophisticated as where I am currently at using the cJsonObjects and cWebHttpHandler (new in 19.1), but it will give you an idea.
See: https://support.dataaccess.com/Forums/showthread.php?61981-Putting-it-all-together-OAuth2-secured-DataFlex-RESTful-service for more detail.
Mike
PS - if you want more on this, don't hesitate to get in touch: here or mpeat at unicorninterglobal dot com.
Re: Adding OAuth2 security to our webservices
Hi Mike,
Just curiosity.
[QUOTE]Then you have to provide an authentication and authorization end-point which will validate the user and potentially allow them to restrict authorization to a limited sub-set of the API. That function should return a token to the calling application.
Finally, if you are going to open things up to 3rd party developers (and why else would you need OAuth2?), you need to provide a site where they can register as developers for your API, then register applications for it (each of which should be given a ClientID and SecretKey).[/QUOTE]
Has this been implemented in the same web app, or did you set up a completely different environment to accomplish this?
Re: Adding OAuth2 security to our webservices
Roel
When you say public domain, what exactly do you mean?
You wouldn't need OAuth2 or any authentication if they are open web services.
OAuth2, while not crazy complex, needs a little work.
You will need a user database of sorts for all the possible users, and possibly information on what APIs they are allowed to access.
Then you would need an authentication endpoint that shows a login, handles the authentication, returns an auth code and your state value, and redirects the user to the supplied URL.
Then you need an endpoint to exchange the auth code for an auth token that can then be used to authenticate API calls.
OAuth2 is probably overkill for what you want to do.
If you just need simple authentication, you could use simple basic HTTP authentication with a database of authentication codes and force HTTPS to ensure transport-level encryption.
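To make the three-endpoint flow described in the posts above concrete, here is an added in-process model of it (not the WebOrder sample or any DataFlex code; written in Python as a stand-in for the server handlers, with hypothetical client, user and API names): the authorization endpoint validates the login and the requested subset of APIs and redirects with a code and the caller's state; the token endpoint exchanges a single-use code plus ClientID/SecretKey for a bearer token; the API checks the Authorization header and the token's scope.

```python
import hmac, secrets, time
from urllib.parse import parse_qs, urlparse

# Constructed sample data (hypothetical names): registered apps with ClientID/SecretKey
# and their redirect URI, and users with the set of APIs each may access.
CLIENTS = {"app1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
USERS = {"roel": {"password": "pw", "apis": {"orders:read", "orders:write"}}}
_auth_codes = {}  # code -> (user, client_id, scope, expiry); each code is single-use
_tokens = {}      # bearer token -> (user, scope, expiry)

def authorize(user, password, client_id, redirect_uri, scope, state):
    """Authorization endpoint: validate login and scope, redirect with code + state."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        raise PermissionError("unknown client or redirect_uri")
    u = USERS.get(user)
    if u is None or not hmac.compare_digest(u["password"], password):
        raise PermissionError("bad credentials")
    if not set(scope) <= u["apis"]:  # user may only grant a subset of their own APIs
        raise PermissionError("requested scope exceeds the user's allowed APIs")
    code = secrets.token_urlsafe(24)
    _auth_codes[code] = (user, client_id, frozenset(scope), time.time() + 60)
    return f"{redirect_uri}?code={code}&state={state}"

def parse_redirect(url, expected_state):
    """Client side: accept the callback only if state matches what the client sent."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch")
    return qs["code"][0]

def exchange_code(code, client_id, client_secret, redirect_uri, ttl=3600):
    """Token endpoint: client credentials + one-time code -> bearer token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    entry = _auth_codes.pop(code, None)  # pop: a replayed code is rejected
    if entry is None or entry[1] != client_id or redirect_uri != client["redirect_uri"]:
        raise PermissionError("invalid or already used code")
    user, _, scope, expiry = entry
    if time.time() > expiry:
        raise PermissionError("code expired")
    token = secrets.token_urlsafe(32)
    _tokens[token] = (user, scope, time.time() + ttl)
    return token

def call_api(authorization_header, required_api):
    """API side: check 'Authorization: Bearer <token>' and the token's scope."""
    scheme, _, token = authorization_header.partition(" ")
    entry = _tokens.get(token)
    if scheme != "Bearer" or entry is None or time.time() > entry[2]:
        return 401  # missing, unknown or expired token
    return 200 if required_api in entry[1] else 403  # valid token, API not granted
```

The state check, the single-use code and the scope test are the three places where a home-grown implementation most often goes wrong, so each is a separate, explicit failure here.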