views: 281

answers: 1

I have a Google App Engine project and I want to make my REST API available to third parties, like the Twitter API.

Twitter requests the user name and password to be sent so that they can be authorized. Can I do this with Google user accounts?

I have read somewhere on this site that this is not a preferred method, as their credentials are entered into a third-party app, passed around, etc.

I don't want to over-complicate things and redirect them to Google's own login/captcha and so on. I have seen an implementation of this; also, with desktop/phone/widgets this may not even work.

Is this a solution for third-party apps to call my service: the app calls a page on my site (which asks for login; I just add login rights), the user then logs in, and my app creates a long token that is passed back to the third-party app, which stores it in their own repository and passes it as a Token arg in the POST/PUT/DELETE request. My REST service then checks the token against a lookup of (token|user key) pairs and allows/rejects the method call.

I could also ask the app for their domain and store this too. I guess I can read the URL of the request on the REST service and check they match, etc.?

Is this a reasonable solution or am I living in the 90's?

+1  A: 

OAuth was created with this situation in mind. It's a specification for the sort of auth-token scheme you just described, and it's reasonably widespread these days.

For balance, see this recent StackOverflow thread.

keturn
Hmm, yes, I have considered it, though the feedback in the thread you referenced is not that positive: OAuth has to be accessed every time the client connects, which for third-party apps is a little awkward. Twitter uses a simple system, if I'm correct, of requesting the user name and password, which is very straightforward in REST. Plus any third-party app just needs to wrap this in the request GET/POST; again, simple stuff. Are my assumptions here correct?
spidee
Twitter also uses OAuth. Not sure what you mean by "has to be accessed every time the client connects"; every API request made needs to have an OAuth signature, but the token used for signing may be pretty long-lived and exist across sessions. What OAuth provides over a "send the password" scheme is some security against stolen tokens and request tampering. If you're not worried about that, then OAuth is less interesting.
keturn
I think perhaps I should re-look at opting out of using App Engine's built-in Google Accounts module. I am also going to re-look at OAuth as a means of securing my API endpoints.
spidee
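The token scheme sketched in the question (issue a long random token after the user logs in on your own page, keep a token|user lookup, check it on every POST/PUT/DELETE), written out as an added example; this is not code from the question, the answer, or App Engine. The in-memory dict standing in for a datastore table, the hashed storage, the expiry and the revocation call are all assumptions added here so that a leaked lookup table or a lost token does less damage.

```python
import hashlib
import secrets
import time

# Stand-in for the (token | user key) lookup table from the question; on
# App Engine this would be a datastore entity (assumption for the example).
# Key: sha256(token) -> record. Only the hash is stored, so a copy of the
# table cannot be replayed as live tokens.
_TOKENS = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_key: str, app_domain: str,
                ttl_seconds: int = 30 * 24 * 3600, now=None) -> str:
    """Called after the user has logged in on our own page. Returns the
    opaque token handed back to the third-party app (shown once, never stored
    in the clear on our side)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _TOKENS[_digest(token)] = {
        "user": user_key,
        "app": app_domain,          # which third party this token was issued to
        "expires": now + ttl_seconds,
    }
    return token


def user_for_token(token: str, now=None):
    """Check the Token arg of a POST/PUT/DELETE. Returns the user key the
    token was issued for, or None if it is unknown, revoked or expired."""
    now = time.time() if now is None else now
    key = _digest(token)
    record = _TOKENS.get(key)
    if record is None:
        return None
    if record["expires"] <= now:
        del _TOKENS[key]            # expired: drop it so it can never be reused
        return None
    return record["user"]


def revoke_token(token: str) -> bool:
    """Lets the user (or you) cut off a single third-party app without
    touching their Google account or any other app's token."""
    return _TOKENS.pop(_digest(token), None) is not None
```

The stored `app` field records which third party a token belongs to; the request URL or Referer mentioned in the question is supplied by the client, so it is useful for logging and rate limiting but is not itself proof of who is calling.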