Thread: Adding oAuth2 security to our webservices

  1. #1
    Join Date
    Feb 2009
    Location
    Nuth, Netherlands
    Posts
    971

    Adding oAuth2 security to our webservices

    Hi All,

    We run a few webservices (private) but want to add these to the public domain.
    I've read the threads in this forum and all of them are related to the client.

    Q: How can I add oAuth2 to our webservices on our server?

    PS The new functionality will be using DF19.1

    Roel

  2. #2
    Join Date
    Mar 2009
    Location
    Beech Hill - a village near Reading in the UK
    Posts
    1,272

    Re: Adding oAuth2 security to our webservices

    Roel

    Last year I built a sample OAuth2 secured API for the WebOrder sample, so this can be done.

    I am not totally happy with it, but it does work.

    The downside is that it is complicated if you want to go "the whole hog".

    First you have to add in to your API authentication based on a "Bearer" token passed in the HTTP Authorization header.

    Then you have to provide an authentication and authorization end-point which will validate the user and potentially allow them to restrict authorization to a limited sub-set of the API. That function should return a token to the calling application.

    Finally, if you are going to open things up to 3rd party developers (and why else would you need OAuth2?), you need to provide a site where they can register as developers for your API, then register applications for it (each of which should be given a ClientID and SecretKey).

    I could go on in detail, but you can see a sample client running at: http://test.unicorninterglobal.com/W...ent/Index.html. The API is nothing like as sophisticated as where I am currently at using the cJsonObjects and cWebHttpHandler (new in 19.1), but it will give you an idea.

    See: https://support.dataaccess.com/Forum...ESTful-service for more detail.

    Mike

    PS - if you want more on this, don't hesitate to get in touch: here or mpeat at unicorninterglobal dot com.
    Last edited by Mike Peat; 16-Dec-2018 at 12:57 PM. Reason: PS

  3. #3
    Join Date
    Feb 2009
    Location
    Boxtel, The Netherlands
    Posts
    961

    Re: Adding oAuth2 security to our webservices

    Hi Mike,

    Just curiosity

    Then you have to provide an authentication and authorization end-point which will validate the user and potentially allow them to restrict authorization to a limited sub-set of the API. That function should return a token to the calling application.

    Finally, if you are going to open things up to 3rd party developers (and why else would you need OAuth2?), you need to provide a site where they can register as developers for your API, then register applications for it (each of which should be given a ClientID and SecretKey).

    Has this been implemented into the same web app or did you set up a completely different environment to accomplish this?

    Kind regards,

    Hans van de Laar
    www.datascore.nl
    www.vdfstructureviewer.com

    “You will only fail to learn if you do not learn from failing.” – Stella Adler

  4. #4
    Join Date
    Feb 2009
    Location
    South Florida
    Posts
    3,657

    Re: Adding oAuth2 security to our webservices

    Roel

    When you say public domain, what exactly do you mean?

    You wouldn't need oauth2 or any authentication if they are open web services.

    oauth2, while not crazy complex, needs a little work.
    You will need a user database of sorts for all the possible users and possibly information on what APIs they are allowed to access.

    Then you would need an authentication endpoint that shows a login and handles the authentication and returns an auth code and your state value and redirects the user to the supplied url.
    Then you need an endpoint to exchange the auth code for an auth token that can then be used to authenticate api calls.

    oauth2 is probably overkill for what you want to do.

    If you just need simple authentication you could use a simple basic http authentication with a database of authentication codes and force HTTPS to ensure transport level encryption.
    Michael Salzlechner
    StarZen Technologies, Inc
    http.://www.starzen.com

    Development Blog
    http://www.salzlechner.com/dev

    DataFlex Package Manager (aka Nuget for DataFlex)
    http://windowsdeveloper.com/dfPackage
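
Added example, not part of the thread and not any poster's code: the server-side pieces described in posts #2 and #4 (application registration with a ClientID and SecretKey, an authorization step that returns a code and the caller's state, the code-for-token exchange, and the Bearer check with a restricted scope), written in Python with in-memory stores. All function names, lifetimes and sample values are assumptions, and the user's login is assumed to have succeeded before `authorize` is called.

```python
# Added example: every name, lifetime and store below is an assumption, not from the thread.
import hashlib, hmac, secrets, time
from urllib.parse import urlencode

CLIENTS, CODES, TOKENS = {}, {}, {}   # in-memory stores; a real service uses a database
CODE_TTL, TOKEN_TTL = 60, 3600        # assumed lifetimes in seconds

def _h(value):
    # Store only hashes of secrets, codes and tokens, never the raw values.
    return hashlib.sha256(value.encode()).hexdigest()

def register_client(redirect_uri, scopes):
    """Developer-site step: issue a ClientID and SecretKey for one application."""
    client_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    CLIENTS[client_id] = {"secret": _h(secret), "redirect_uri": redirect_uri, "scopes": set(scopes)}
    return client_id, secret

def authorize(client_id, redirect_uri, scope, state, user):
    """Authorization endpoint, called after the user has logged in and approved `scope`."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        raise PermissionError("unknown client or unregistered redirect_uri")  # never redirect here
    granted = set(scope.split()) & client["scopes"]   # cannot exceed what the app registered for
    code = secrets.token_urlsafe(32)
    CODES[_h(code)] = (client_id, redirect_uri, user, granted, time.time() + CODE_TTL)
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def exchange_code(client_id, client_secret, code, redirect_uri):
    """Token endpoint: swap a single-use authorization code for a bearer token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], _h(client_secret)):
        raise PermissionError("invalid_client")
    grant = CODES.pop(_h(code), None)   # pop makes the code single-use, so a replay fails
    if grant is None or grant[0] != client_id or grant[1] != redirect_uri or grant[4] < time.time():
        raise PermissionError("invalid_grant")
    token = secrets.token_urlsafe(32)
    TOKENS[_h(token)] = (grant[2], grant[3], time.time() + TOKEN_TTL)
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL,
            "scope": " ".join(sorted(grant[3]))}

def check_bearer(authorization_header, required_scope):
    """API side: return the user for a valid 'Authorization: Bearer <token>' header, else None."""
    scheme, _, token = (authorization_header or "").partition(" ")
    entry = TOKENS.get(_h(token.strip())) if scheme.lower() == "bearer" else None
    if entry is None or entry[2] < time.time() or required_scope not in entry[1]:
        return None
    return entry[0]
```

The code is bound to the client and its registered redirect URI, so a code issued to one application cannot be redeemed by another or delivered to an unregistered URL.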
