OAuth and "Verified" User IDs

To make things easier for users and to improve security (by reducing the chances of identity poaching), IAGO is configured to act as an OAuth Consumer. We currently expect OAuth version 1.0a (see the OAuth Portal and Specs).

As a site owner, you need to give us four URLs. You can enter them on your site profile page. They are:

  • Request Token URL (where IAGO goes to retrieve a request token)
  • User Authorization URL (where IAGO redirects the user to authorize the token)
  • Access Token URL (where IAGO goes to exchange the authorized request token for an access token)
  • Resource URL (where IAGO goes to get the user's official user ID)

Here is how things work for now. Please contact Aaron if you have any questions, problems, or suggestions.

  • The site is the “Service Provider.”
  • IAGO is the “Consumer.”
  • The IAGO user initiates the verification from their profile.
  • IAGO sends a properly formed, signed POST to the site's request token URL, including the callback URL it wants the user sent back to.
  • The site returns the request token (and its secret).
  • IAGO then redirects the user (via GET) to the user authorization URL, passing a parameter “oauth_token” containing the token just received.
  • The site then does whatever it has to do to authenticate the user and obtain their approval. When it is done, it sends the user back (via GET) to the callback URL provided in the initial request, with the now-authorized request token in “oauth_token”; in 1.0a this redirect also carries an “oauth_verifier” value that IAGO must present in the next step.
  • IAGO then sends a POST to the site's access token URL, asking to trade the authorized request token (plus the verifier) for a final access token.
  • The site checks that the request token was authorized and has not already been exchanged, and returns the access token.
  • IAGO then performs a final, signed POST to the site's resource URL using the access token.
  • After verifying the signature and the access token, the site is expected to return a plain-text response consisting solely of the user's official user ID (that is, a '200 OK' response with content type 'text/plain' whose entire body is the user ID).
  • IAGO then updates the user's site association with that user ID and marks it “Verified.”

This procedure also allows the user to “discover” the user ID, not just verify it. If a brand new IAGO user, with no site associations, uses this feature, the system will create the association with the information provided by the site.

For SDG, the initial request token is good for 15 minutes. The actual access token is only good for 5. Some session storage is required on both sides, since this is a three-legged flow: IAGO has to hold the request token and its secret between the redirect out and the callback, and the site has to remember which user authorized which token. SDG doesn't use HTTPS, but IAGO doesn't care whether you do or not; both work. HTTPS is nonetheless recommended: an OAuth signature protects a request from tampering, but it does not hide the tokens, the user's login at the site, or the returned user ID from anyone on the path.
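The full exchange above, with the SDG lifetimes from the previous paragraph, as an added worked example that is not IAGO's or SDG's code: a consumer in IAGO's role and an in-process stand-in for the site's four endpoints, run offline in Python so both sides' messages are visible. The endpoint URLs, consumer credentials, callback and user names are constructed placeholders; HMAC-SHA1 is assumed as the signature method (the page does not say which one IAGO uses), and the user's login at the site is simulated by passing the user name into the authorization step.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

REQUEST_URL = "http://site.example/oauth/request_token"  # placeholder URLs (assumed); a real site supplies its own
AUTHORIZE_URL = "http://site.example/oauth/authorize"
ACCESS_URL = "http://site.example/oauth/access_token"
RESOURCE_URL = "http://site.example/oauth/userid"

def pct(s):  # OAuth 1.0 percent-encoding: only unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted, encoded params)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 of the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed(method, url, consumer_key, consumer_secret, now, token_secret="", **oauth):
    # Standard oauth_* parameters plus any extras (token, callback, verifier), with the signature attached.
    p = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
         "oauth_timestamp": str(now), "oauth_nonce": secrets.token_hex(8), **oauth}
    p["oauth_signature"] = hmac_sha1(method, url, p, consumer_secret, token_secret)
    return p

class ServiceProvider:  # stand-in for the site: four endpoints over an in-memory token store, SDG lifetimes
    REQUEST_TTL, ACCESS_TTL = 15 * 60, 5 * 60

    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret, registered out of band
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()

    def _check(self, method, url, params, token_secret=""):
        # Reject replayed nonces and bad signatures (an unknown consumer simply fails the signature).
        params = dict(params)
        sig = params.pop("oauth_signature", "")
        secret = self.consumers.get(params.get("oauth_consumer_key"), "")
        nonce = (params.get("oauth_consumer_key"), params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if nonce in self.seen_nonces:
            raise PermissionError("replayed nonce")
        self.seen_nonces.add(nonce)
        if not hmac.compare_digest(sig, hmac_sha1(method, url, params, secret, token_secret)):
            raise PermissionError("bad signature")
        return params

    def request_token(self, params, now):
        p = self._check("POST", REQUEST_URL, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "callback": p["oauth_callback"], "user": None,
                                    "verifier": None, "expires": now + self.REQUEST_TTL}
        return urlencode({"oauth_token": tok, "oauth_token_secret": sec, "oauth_callback_confirmed": "true"})

    def authorize(self, redirect_url, user, now):  # user arrives by GET, logs in (simulated) and approves
        token = dict(parse_qsl(urlsplit(redirect_url).query)).get("oauth_token")
        rt = self.request_tokens.get(token)
        if rt is None or now > rt["expires"]:
            raise PermissionError("unknown or expired request token")
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["callback"] + "?" + urlencode({"oauth_token": token, "oauth_verifier": rt["verifier"]})

    def access_token(self, params, now):
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or now > rt["expires"]:
            raise PermissionError("unknown or expired request token")
        p = self._check("POST", ACCESS_URL, params, rt["secret"])
        if rt["verifier"] is None or not hmac.compare_digest(p.get("oauth_verifier", ""), rt["verifier"]):
            raise PermissionError("request token not authorized or bad verifier")
        del self.request_tokens[p["oauth_token"]]  # request tokens are single-use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"], "expires": now + self.ACCESS_TTL}
        return urlencode({"oauth_token": tok, "oauth_token_secret": sec})

    def resource(self, params, now):  # returns (status, content type, body); body is only the user ID
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or now > at["expires"]:
            raise PermissionError("unknown or expired access token")
        self._check("POST", RESOURCE_URL, params, at["secret"])
        return 200, "text/plain", at["user"]

def verify_user(sp, consumer_key, consumer_secret, callback, site_login, times=None):
    """IAGO's side. `times` gives each of the four steps its own timestamp (to exercise the lifetimes)."""
    t1, t2, t3, t4 = times or (int(time.time()),) * 4
    # 1. POST to the request token URL, signed with the consumer secret alone; keep the result in session.
    rt = dict(parse_qsl(sp.request_token(
        signed("POST", REQUEST_URL, consumer_key, consumer_secret, t1, oauth_callback=callback), t1)))
    # 2. Redirect the user (GET) to the authorization URL; the site sends them back to the callback.
    redirect = f"{AUTHORIZE_URL}?{urlencode({'oauth_token': rt['oauth_token']})}"
    back = dict(parse_qsl(urlsplit(sp.authorize(redirect, site_login, t2)).query))
    if back.get("oauth_token") != rt["oauth_token"]:  # must match the request token kept in session
        raise PermissionError("callback token does not match the pending request token")
    # 3. POST to the access token URL, signed with consumer secret + request token secret, with the verifier.
    at = dict(parse_qsl(sp.access_token(signed("POST", ACCESS_URL, consumer_key, consumer_secret, t3,
        rt["oauth_token_secret"], oauth_token=rt["oauth_token"], oauth_verifier=back["oauth_verifier"]), t3)))
    # 4. POST to the resource URL with the access token; accept only a 200 text/plain body.
    status, ctype, body = sp.resource(signed("POST", RESOURCE_URL, consumer_key, consumer_secret, t4,
        at["oauth_token_secret"], oauth_token=at["oauth_token"]), t4)
    if status != 200 or ctype != "text/plain":
        raise ValueError(f"unexpected resource response: {status} {ctype}")
    return body.strip()
```

Calling verify_user(ServiceProvider({"iago-key": "iago-secret"}), "iago-key", "iago-secret", "https://iago.example/oauth/callback", "alice") returns "alice". Giving the fourth step a timestamp more than five minutes after the third makes the site reject the access token, a second step more than fifteen minutes after the first is refused as an expired request token, a wrong consumer secret fails the signature check, and re-sending an identical request-token POST is refused by the nonce check.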

 
/home/html/iago/HTML/wiki/data/pages/formal/tech/oauth.txt · Last modified: 2010/03/13 17:54 by aaron
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported