
OAuth

OAuth is a protocol used by some third-party websites (we'll use Twitter as an example for clarity) to allow other sites (by 'site' we mean one developed on this platform) to access their system on behalf of a user, for example to post tweets.

External resources: www.oauth.net, OAuthW

Introduction

The traditional method, known as Basic Authentication, was for the user to give the site their Twitter username and password. However, whilst simple and easy, this gives the site total control over your Twitter account, which is undesirable, and it is now no longer available.

OAuth allows the user to give the site a 'token' which can be used to post tweets under their name. However, the token doesn't reveal the username and password, and it can be revoked via the Twitter site at any time. The user stays in control.

To save the user from having to worry about typing in tokens, the OAuth protocol allows the sites to work together to prompt the user for their login details, with the token being carried around behind the scenes.

Registering as an Application - Consumer keys

OAuth introduces some new terminology: before users can start creating tokens, the site has to register with Twitter as an Application, and is given some Consumer keys. These are added to the site as an entry in the 'OAuth Consumer' component. A site might hold several Consumer keys, for different services – Twitter, Facebook, and so on. The OAuth Consumer component allows these to be managed.

The User Experience

When the user would normally be prompted in the system for a username and password (for example in the Event Tree / Tweet action dialog) there is instead an OAuth Token picker.

The OAuth Token picker allows the currently-logged-on user to see and use any existing tokens they have, or to Add a new token.

When they add a new token they are asked to choose a Consumer (i.e. to select Twitter from the list) and to name their own token (the name is simply for the user's benefit, to help distinguish between multiple Twitter accounts).

Then they are shown a page provided by Twitter, in which they are asked to confirm that they want to give the site permission. If they aren't already logged into Twitter they will be asked to log in – providing their username and password to Twitter – but not to the site.

Once confirmed, they are returned to the site, where the new token is listed in the dialog and can be selected.
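The exchange described above, simulated end to end as an added example (this is constructed illustration code, not the platform's or Twitter's own): a site registers and receives Consumer keys, obtains a temporary request token, sends the user to the provider to log in and confirm, and exchanges the returned verifier for an access token it can use and the user can later revoke. The page does not say which OAuth version is in use; the three-legged flow below assumes OAuth 1.0a-style request and access tokens, and the `Provider` class, the `run_flow` helper, the callback URL and all token values are assumptions, with token secrets and request signing left out for brevity.

```python
"""Simulated OAuth 1.0a three-legged authorization between a site (the
Consumer) and a provider such as Twitter, with the user in the middle.

Constructed example: the provider is a tiny in-memory class, there is no
network, and token values are random. It follows the steps in the text and
shows that the site only ever handles tokens, never the user's password."""
import hashlib
import secrets
from urllib.parse import parse_qs, urlparse


def _hash(password):
    # Constructed stand-in; a real provider would use a slow password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class Provider:
    """Stand-in for the OAuth provider (Twitter in the text)."""

    def __init__(self):
        self.consumers = {}       # consumer_key -> consumer_secret
        self.users = {}           # username -> password hash, provider-side only
        self.request_tokens = {}  # temporary tokens awaiting user approval
        self.access_tokens = {}   # long-lived tokens the site stores and uses

    def register_application(self, app_name):
        """'Registering as an Application': the site is issued Consumer keys."""
        key, secret = f"{app_name}-{secrets.token_hex(8)}", secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def add_user(self, username, password):
        self.users[username] = _hash(password)

    def request_token(self, consumer_key, consumer_secret, callback_url):
        """Leg 1: the site obtains a temporary request token."""
        if self.consumers.get(consumer_key) != consumer_secret:
            raise PermissionError("unknown consumer key or wrong secret")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "callback": callback_url,
                                      "user": None, "verifier": None}
        return token

    def authorize(self, request_token, username, password):
        """Leg 2: the user logs in at the provider and confirms the site's access.
        Returns the callback URL the browser would be redirected to."""
        state = self.request_tokens[request_token]
        if self.users.get(username) != _hash(password):
            raise PermissionError("wrong provider credentials")
        state["user"], state["verifier"] = username, secrets.token_hex(4)
        return f"{state['callback']}?oauth_token={request_token}&oauth_verifier={state['verifier']}"

    def access_token(self, consumer_key, request_token, verifier):
        """Leg 3: the site exchanges request token + verifier for an access token."""
        state = self.request_tokens.pop(request_token, None)
        if state is None or state["consumer"] != consumer_key or state["verifier"] != verifier:
            raise PermissionError("request token not authorized for this consumer")
        token = secrets.token_hex(8)
        self.access_tokens[token] = {"consumer": consumer_key, "user": state["user"]}
        return token

    def post_status(self, access_token, text):
        """Acting on the user's behalf; fails once the token is revoked."""
        state = self.access_tokens.get(access_token)
        if state is None:
            raise PermissionError("token revoked or unknown")
        return f"@{state['user']}: {text}"

    def revoke(self, username, access_token):
        """The user revokes the token at the provider; the site's copy becomes useless."""
        if self.access_tokens.get(access_token, {}).get("user") == username:
            del self.access_tokens[access_token]


def run_flow(provider, username, password):
    """Drive the whole exchange as the site would; returns what the site ends up holding."""
    key, secret = provider.register_application("example-site")
    req = provider.request_token(key, secret, "https://site.example/oauth/callback")
    # The user is sent to the provider; their password goes there, not to the site.
    redirect = provider.authorize(req, username, password)
    params = parse_qs(urlparse(redirect).query)
    access = provider.access_token(key, params["oauth_token"][0], params["oauth_verifier"][0])
    return {"consumer_key": key, "access_token": access,
            "posted": provider.post_status(access, "Hello from the site")}


if __name__ == "__main__":
    p = Provider()
    p.add_user("alice", "correct horse battery staple")
    result = run_flow(p, "alice", "correct horse battery staple")
    print(result["posted"])
    p.revoke("alice", result["access_token"])
```

Note that `run_flow` returns only the Consumer key and the access token: the password is checked inside `Provider.authorize` and never reaches the site's side of the exchange, and after `revoke` the same token is rejected by `post_status`.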

The dialog only shows tokens created by the currently logged-in user. This keeps each user's tokens secure for their own use, which is important in multi-user systems.

The only exception is when a dialog being edited already has another user's token selected; that token can still be used. This typically applies where two site administrators are editing the same configuration dialogs.
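One way to implement that visibility rule, as an added example rather than the platform's own code: the picker offers only tokens owned by the current user, plus the one token already selected in the dialog being edited even if another user created it. The `TokenStore`, `OAuthToken` record and the sample users and tokens in `build_demo_store` are constructed for illustration.

```python
"""Visibility rule for an OAuth Token picker in a multi-user system.

Constructed example: a user sees only their own tokens, except that a
token already selected in the dialog being edited stays usable even if
another user created it, so editing the dialog does not silently drop it."""
from dataclasses import dataclass, field


@dataclass
class OAuthToken:
    token_id: int
    owner: str                       # username of the user who created it
    consumer: str                    # e.g. "Twitter"
    name: str                        # user-chosen label, for display only
    secret: str = field(repr=False)  # never displayed in the picker


class TokenStore:
    def __init__(self):
        self._tokens = {}  # token_id -> OAuthToken, in creation order

    def add(self, token):
        self._tokens[token.token_id] = token

    def picker_choices(self, current_user, selected_token_id=None):
        """Tokens to offer in the picker for current_user."""
        choices = [t for t in self._tokens.values() if t.owner == current_user]
        if selected_token_id is not None:
            selected = self._tokens.get(selected_token_id)
            if selected is not None and selected.owner != current_user:
                # Exception: the dialog already holds another user's token.
                choices.append(selected)
        return choices

    def can_use(self, current_user, token_id, selected_token_id=None):
        """Server-side check that mirrors what the picker displays."""
        return any(t.token_id == token_id
                   for t in self.picker_choices(current_user, selected_token_id))


def build_demo_store():
    """Constructed sample data: two administrators with their own tokens."""
    store = TokenStore()
    store.add(OAuthToken(1, "alice", "Twitter", "alice work account", "s1"))
    store.add(OAuthToken(2, "alice", "Facebook", "alice page", "s2"))
    store.add(OAuthToken(3, "bob", "Twitter", "bob personal", "s3"))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    # bob opens a dialog alice configured with her Twitter token (id 1)
    for t in store.picker_choices("bob", selected_token_id=1):
        print(t.token_id, t.owner, t.consumer, t.name)
```

`can_use` is there because the dialog's filtering is only a display rule; the same check should run when the dialog is saved, otherwise a crafted request could select a token id the picker never offered.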

The OAuth Token datatype

The OAuth Token datatype allows users to specify tokens in Data Entry Forms, which can then be used elsewhere.


Copyright © 2023 Enstar LLC. All rights reserved.