Hi all,
I am looking to use OAuth for some public services I'd like to offer eventually. I have read a bit about it, but wanted to see if anyone on the list has successfully got it working, and if so would mind providing a few pointers or code snippets on how you got it working.
In particular I am looking at allowing a user to sign up on my site as a consumer of my public APIs, request a token that they can then use to authenticate any number of applications that they may write that consume my APIs. I would like the use of this mechanism to provide as much security as possible.
I am also wondering if the two-legged or three-legged approach is best with regards to REST services. If I understand correctly the two-legged approach is best for making service calls, while the three legged approach would be for something like a user allowing another user to access some resource(s) of their's.. basically giving them permission to access the services. I am still reading/learning about OAuth tho, so I apologize if this is incorrect.
Lastly regarding using OAuth, can I provide my own user database, and from that use OAuth to retrieve tokens/secrets from the incoming request, look them up myself, validate it, and so forth? Or is it essential to have something like OpenSSO to validate incoming OAuth requests? I know I can use Basic Auth right now with my own tables and that works just fine. I am curious tho if Basic Auth with say MD5 hash + SSL is "as good" or similar to using OAuth... I've gotten the impression that OAuth is fast becoming the industry standard way of handling secure authentication and/or sharing resources tho, so hence why I am looking into it now.
Thank you. Appreciate any pointers/help/examples of using it.