oauth - Getting user information when using OAuth2 - is the following reasonable? -

-

i creating api (restlet, gae) , implemented openid authentication , oauth2 protect access api. when testing client web app built, fine. when user hits part of web app wants access api, user asked login via openid , asked grant access web app grab resources api.

however, noticed web app doesn't know user (!). web app has auth token. thus, web app can't "hello, username", since doesn't know user is.

with restlet technology, authentication essentially: // authentication code openidverifier verifier = new openidverifier(openidverifier.provider_yahoo); verifier.addrequiredattribute(attributeexchange.email);
authenticator au = new myredirectauthenticator(getcontext(), verifier, null);

while following handles both authentication , oauth2 authorization: // authentication + oauth code: oauthparameters params = new oauthparameters("2345678901", "secret2", "http://localhost:8888/v3/", roles); oauthproxy local = new oauthproxy(params, getcontext());

initially using "authentication + oauth" in web app , authentication happening "invisibly" (as mentioned above).

i figured 1 way around "problem" if web app handles authentication "visibly". added authentication code web app. flow looks exact same user, web app able capture user info (email) , fine. there doesn't seem conflict "both" code either.

another way around problem add api return user info associated authtoken (a la twitter's verify_credentials).

my question: approach have taken reasonable? should use twitter approach instead? or different? (i pretty new stuff, hard figure out if choosing solution seems work, hit brick wall later on).

the short answer when client web app gets permission access oauth resources on behalf of user, client web app isn't supposed know user (login, password, etc.). if client web app wants know user is, can provide authentication.

i have implemented above scheme restlet , google app engine, allowing user authenticate resource server via openid , adding google authentication web client app (just can give "hello" message). seems fine.


Comments

Post a Comment

Popular posts from this blog

django - How can I change user group without delete record -

-
on website user have 1 group. , user can change group. it's made user.groups.clear() and user.groups.add(new_group) but it's not efficient, because there 2 sql query: delete, insert. how can change group update query? user , group related each other using manytomanyfield . means intersection table exists relating both entities, , if don't specify model map (using through attribute) django creates 1 you. looking @ sources django.contrib.auth.models see that's case. fortunatly, can access intermediary model using through attribute of manager (in case, user.groups.through ). can use regular model. example: >>> alice = user.objects.create_user('alice', 'alice@example.com', 'alicepw') >>> employee = group.objects.create(name='employee') >>> manager = group.objects.create(name='manager') >>> alice.groups.add(employee) >>> alice.groups.all() [<group: employee...
Read more

java - Need to add SOAP security token -

-
i need set custom soap header attribute on jax-ws generated webservice client. case webservice calls must go through proxy server requiring specific token (recieved web request header) present in soap request header. e.g.: 1 carserviceservice service = null; 2 service = new carserviceservice(new url(url), new qname(qname); 3 carserviceendpoint port = service.getcarserviceport(); it seems in line 3 wsdl retrieved , call fails due missing security token. 1 point direction on how done? a detailed example has been mentioned here: creating , deploying jax-ws web service on tomcat 6 this article shows how create , use security token .
Read more

java - EclipseLink JPA Object is not a known entity type -

-
i have strange problem eclipselink , object want persist. have 1 object (keypointlistimpl) stores object keypointimpl in list. persisting keypointimpl objects works great if try persist keypointlistimpl object java.lang.illegalargumentexception says object keypointimpl isn't known entity type. here keypointimpl code: @entity @table(name="keypoints") public class keypointimpl implements keypoint { @id @generatedvalue(strategy = generationtype.identity) private int id; @enumerated(enumtype.string) private detectortype keypointtype; private float x; private float y; private float size; private float angle; private float response; private int octave; private int classid; ... } here keypointlistimpl code: @entity @table(name="keypointlists") public class keypointlistimpl implements keypointlist { @id @generatedvalue(strategy = generationtype.identity) private int id; @onetoone(cascade={ca...
Read more