I started reading on OAuth this morning; need suggestions (links et al.) that will help answer the following questions:
1. How to implement 3 legged Authentication using OAuth on Android devices? Is there a library that assists in the aforementioned?
2. What does it mean when someone says: "Site/Service ABC supports OAuth"?

Thanks!

+5  A: 

Hi Samuh,

To address your first question, you should be able to use any Java OAuth library on an Android; here's a link to a tutorial that uses the Java OAuth project library to develop a consumer app on an Android:

Specifically pay attention to the registering of a custom URI scheme (i.e. myapp://) with your application. You'll use this URI scheme when sending the oauth_callback parameter which will allow your users to go through the 3-legged workflow easily (basically you'll get a request token from the SP, direct your user to the SP via a browser to authorize the token, then the SP will redirect the user back to your app using the custom URI scheme).

Now for your second question: When somebody says that a site or service supports OAuth, it usually means that they have implemented OAuth as a Service Provider. This means that you can develop a consumer app that uses OAuth to perform delegated authorization to the protected resources hosted by the service. Be careful to note which version of the OAuth spec the service / site supports. Most should be on 1.0a, but some may still be on 1.0 which has a slightly different workflow. You can safely ignore the differences and just read the 1.0a spec if that's what they support, otherwise you'll want to dig up the 1.0 spec (links provided below).

Let me know if that helps, or if there's anything in particular you'd like me to elaborate on! Good luck with your app!

Note that 1.0 has some security issues that were addressed in 1.0a. Also note that 1.0a has been rewritten as an IETF draft. The terminology used is slightly different in the IETF draft, and some of the requirements have been dropped when using a secure transport layer (i.e. SSL) and the plaintext signature method. Most SPs will still adhere to 1.0a though. Otherwise the IETF draft is much more well written and is worth a read, if you can mind the terminology differences:

Paul Osman
This is perfect (and is getting a 25!). Many thanks for taking time to write this answer.
Samuh
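
The consumer side of the flow described in the answer above, as an added example that is not part of the original answer or of the tutorial it links to: it signs the request-token call with `oauth_callback` set to a custom-scheme URI, then checks the redirect that comes back before trusting its `oauth_verifier` (the parameter 1.0a introduced). It uses only JDK classes; the class name, the `https://sp.example/...` endpoint, the keys, secrets and tokens are constructed placeholders.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuth10aLegs {
    // OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay literal.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8").replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }
    // HMAC-SHA1 over METHOD & encoded URL & encoded, sorted parameter string.
    static String sign(String method, String url, Map<String, String> params,
                       String consumerSecret, String tokenSecret) throws Exception {
        StringBuilder norm = new StringBuilder();
        for (Map.Entry<String, String> e : new TreeMap<String, String>(params).entrySet()) {
            if (norm.length() > 0) norm.append('&');
            norm.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        String base = method + "&" + enc(url) + "&" + enc(norm.toString());
        String key = enc(consumerSecret) + "&" + enc(tokenSecret);  // token secret is empty in leg 1
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        return Base64.getEncoder().encodeToString(mac.doFinal(base.getBytes(StandardCharsets.UTF_8)));
    }
    // Callback handling: accept the redirect only if it names the request token we are waiting on.
    static String verifierFrom(URI callback, String pendingRequestToken) throws Exception {
        String raw = callback.getRawQuery() == null ? "" : callback.getRawQuery();
        Map<String, String> q = new HashMap<String, String>();
        for (String pair : raw.split("&")) {
            String[] kv = pair.split("=", 2);
            q.put(URLDecoder.decode(kv[0], "UTF-8"), kv.length > 1 ? URLDecoder.decode(kv[1], "UTF-8") : "");
        }
        if (!pendingRequestToken.equals(q.get("oauth_token")) || q.get("oauth_verifier") == null)
            throw new SecurityException("callback does not match the pending request token");
        return q.get("oauth_verifier");
    }
    public static void main(String[] args) throws Exception {
        Map<String, String> p = new TreeMap<String, String>();  // leg 1: all values are constructed
        p.put("oauth_consumer_key", "example-consumer-key");
        p.put("oauth_signature_method", "HMAC-SHA1");
        p.put("oauth_timestamp", String.valueOf(System.currentTimeMillis() / 1000));
        p.put("oauth_nonce", UUID.randomUUID().toString());
        p.put("oauth_callback", "myapp://oauth-callback");      // signed along with everything else
        p.put("oauth_signature", sign("POST", "https://sp.example/request_token", p, "example-secret", ""));
        System.out.println("request-token parameters: " + p);
        URI cb = URI.create("myapp://oauth-callback?oauth_token=reqtok123&oauth_verifier=v3r1f13r");
        System.out.println("verifier for access-token step: " + verifierFrom(cb, "reqtok123"));
    }
}
```

On Android the callback URI would arrive through the intent delivered for the registered custom scheme; the same token check applies before the verifier is sent in the access-token request.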
A: 

That example you linked for Android doesn't work and contains various mistakes. For instance the OP of that tutorial created a method that returns an object, yet inside that code there is no return statement.

There was even an object he or she creates and never uses either.

Terrible tutorial, and it doesn't work even if you copy and paste the thing.

The OAuth API is a bit shambolic as well. No guides on how to use it. Couldn't see a proper API doc for it either to explain what each object or class does.

jonney