I'm going to try to explain my problem:
I'd like to allow users to connect to my API via their own accounts (login/password) or via a social network (Facebook at first).
Then, I would allow any application to use my API with the user authenticated.
My first thought was to authenticate the user via his/her login/password and return a token used as the session for the next requests.
But OAuth seems to be the better implementation, except I don't know how to do this:
- One of my applications will have to connect via login/password, like Twitter web (I have to implement a login/password auth somewhere if I want my users to log in :p)
- Will I also have to register my applications with the OAuth system (did Twitter add their web app to their OAuth?)
- How to merge the auth via other social networks? Concretely, the user will have to OAuth to my API, which will then auth to the social network.
I'm a bit lost on how to do this; if someone could help me, I would really appreciate it!
Thanks
Update 1: Flickr and Lastfm seem not to use OAuth but an alternative auth system that looks like this:
- The user is redirected to Flickr/Lastfm
- The user authenticates himself and accepts the application
- Flickr/Lastfm return to the callback URL with a temporary frob (for Flickr) or token (for Lastfm)
- The app must call the provider with the temporary frob/token (along with the api_key and the api_sig, as always) and gets in return the session token to use for the next calls.
Update 2: In fact, StackApps is the concrete case of my problem: you can log in through their login/password system OR OpenID, and you can use their API.
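The frob/token exchange listed in Update 1, played out with both sides in one script, as an added example that is not part of the original post and not Flickr's or Lastfm's own code. Both sides are simulated in-process with constructed registration data (`APP_REGISTRY`, the api_key `demo-api-key`, the user `alice`); the canonical-string signing follows the sorted name+value layout those APIs used, but HMAC-SHA256 is an assumption here in place of the MD5 they used historically. The checks a provider needs on step 4 (signature valid, frob single use, frob bound to the api_key that requested it, frob expiry) are what the example is meant to show.

```python
"""Simulated Flickr/Lastfm-style frob exchange: provider issues a one-time frob,
the app trades it (signed with api_key + api_sig) for a session token."""
import hashlib
import hmac
import secrets
import time

# Constructed registration data (assumption): api_key -> shared secret issued at app registration.
APP_REGISTRY = {"demo-api-key": "demo-shared-secret"}
FROB_TTL_SECONDS = 300  # assumed lifetime of an unexchanged frob


def api_sig(secret, params):
    """Canonicalise params (sorted by name, name+value concatenated, api_sig itself
    excluded) and sign with the app secret. HMAC-SHA256 is an assumption; the
    historical scheme was MD5 over secret + canonical string."""
    canonical = "".join(f"{k}{params[k]}" for k in sorted(params) if k != "api_sig")
    return hmac.new(secret.encode(), canonical.encode(), hashlib.sha256).hexdigest()


def signed(secret, params):
    """Return a copy of params carrying a valid api_sig."""
    out = dict(params)
    out["api_sig"] = api_sig(secret, params)
    return out


class Provider:
    """The Flickr/Lastfm side."""

    def __init__(self, registry, now=time.time):
        self.registry, self.now = registry, now
        self.frobs = {}     # frob -> (api_key, user, issued_at); single use
        self.sessions = {}  # session token -> (api_key, user)

    def _verify(self, params):
        secret = self.registry.get(params.get("api_key"))
        if secret is None:
            raise PermissionError("unknown api_key")
        if not hmac.compare_digest(api_sig(secret, params), params.get("api_sig", "")):
            raise PermissionError("bad api_sig")

    def authorize(self, api_key, user):
        """Steps 1-3: user logged in and accepted the app; the frob goes on the callback URL."""
        if api_key not in self.registry:
            raise PermissionError("unknown api_key")
        frob = secrets.token_urlsafe(24)
        self.frobs[frob] = (api_key, user, self.now())
        return frob

    def get_token(self, params):
        """Step 4: signed call carrying the frob; returns the session token."""
        self._verify(params)
        entry = self.frobs.pop(params.get("frob"), None)  # pop: a frob is exchanged once
        if entry is None:
            raise PermissionError("unknown or already used frob")
        frob_key, user, issued_at = entry
        if frob_key != params["api_key"]:
            raise PermissionError("frob was issued to a different application")
        if self.now() - issued_at > FROB_TTL_SECONDS:
            raise PermissionError("frob expired")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (frob_key, user)
        return token

    def check_token(self, params):
        """Any later call: signed, and carrying the session token; returns the user."""
        self._verify(params)
        entry = self.sessions.get(params.get("auth_token"))
        if entry is None or entry[0] != params["api_key"]:
            raise PermissionError("invalid session token")
        return entry[1]


class App:
    """The third-party application side."""

    def __init__(self, api_key, secret, provider):
        self.api_key, self.secret, self.provider = api_key, secret, provider
        self.token = None

    def handle_callback(self, frob):
        req = {"method": "auth.getToken", "api_key": self.api_key, "frob": frob}
        self.token = self.provider.get_token(signed(self.secret, req))
        return self.token

    def whoami(self):
        req = {"method": "auth.checkToken", "api_key": self.api_key, "auth_token": self.token}
        return self.provider.check_token(signed(self.secret, req))


def run_flow():
    """Drive the exchange end to end and report which abuse cases the provider rejects."""
    clock = [1_000_000.0]  # fake clock so expiry can be tested offline
    provider = Provider(APP_REGISTRY, now=lambda: clock[0])
    app = App("demo-api-key", "demo-shared-secret", provider)
    result = {}
    frob = provider.authorize("demo-api-key", "alice")   # user came back via the callback
    app.handle_callback(frob)
    result["user"] = app.whoami()
    try:                                                 # a captured frob cannot be replayed
        app.handle_callback(frob)
        result["replay_rejected"] = False
    except PermissionError:
        result["replay_rejected"] = True
    fresh = provider.authorize("demo-api-key", "alice")  # right api_key, wrong secret
    forged = signed("wrong-secret", {"method": "auth.getToken", "api_key": "demo-api-key", "frob": fresh})
    try:
        provider.get_token(forged)
        result["forged_sig_rejected"] = False
    except PermissionError:
        result["forged_sig_rejected"] = True
    old = provider.authorize("demo-api-key", "alice")    # frob left unexchanged past its TTL
    clock[0] += FROB_TTL_SECONDS + 1
    try:
        app.handle_callback(old)
        result["expired_rejected"] = False
    except PermissionError:
        result["expired_rejected"] = True
    return result


if __name__ == "__main__":
    print(run_flow())
```

The same shape (short-lived one-time code handed back on the callback, then a server-to-server exchange for the real session) is what OAuth's authorization-code flow does as well, so building this once gives a single place to plug a login/password form, Facebook, or any other provider in front of the "user has authenticated and accepted the app" step.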