Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

First I’d like to emphasize the difference between authentication and authorization: A user authenticates to your web site by supplying some credential such as a username+password. OpenID allows this to be displaced by having the user authenticate to another service, which then asserts the user’s identity to your web site on the user’s behalf. Your …

OAuth Authorization vs Authentication

OAuth is a specification for authorization. OAuth 2.0 is a specification for authorization, but NOT for authentication. RFC 6749, 3.1. Authorization Endpoint explicitly says as follows: The authorization endpoint is used to interact with the resource owner and obtain an authorization grant. The authorization server MUST first verify the identity of the resource owner. The …

Netsuite OAuth Not Working

EDIT: Just published an npm module which should make things easier: https://www.npmjs.com/package/nsrestlet Was able to get some code working after hunting through GitHub code commits. Still, bknights’ response is really good. Here’s what I got working. Assuming you have Node.js and npm installed, run: npm install request npm install [email protected] It’s really important that it’s …

LinkedIn OAuth2: “Unable to verify access token”

For me the https://api.linkedin.com/v1/people/~?format=json&oauth2_access_token=[accessToken] didn’t work. Adding the request header Authorization: Bearer [accessToken] didn’t work until I went through the LinkedIn SDK and tested and found out that they also require you to add the request header x-li-src: msdk With those two headers the call https://api.linkedin.com/v1/people/~?format=json worked. Hopefully LinkedIn fixes this undocumented requirement soon…

Google API OAuth2, Service Account, “error” : “invalid_grant”

After some investigation I found that the Google API does not work as expected with your personal @gmail.com account. You should have an organization domain account in Google in the format you@your_organisation_domain Then, what is also pretty confusing, there is documentation at the Google Drive API page, with a “Delegate domain-wide authority to your service account” section not mentioned at …

Twitter API – Logout

The session with Twitter is defined by a cookie owned by Twitter — something you do not have control over. You cannot log them out of Twitter on their behalf. If you want someone to be able to use your “switch twitter account” functionality, you’ll need to pass them off to the OAuth handshake again, …