<p><strong>FIRSTLY</strong>, the <strong><a href="http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-2.2" rel="nofollow noreferrer">client identifier</a></strong> can be any string that you want, but it should be unique for each client. It can even be the client's choice if you wish. The <strong>client secret</strong> should be a cryptographically strong random string. Here is how you could generate one in C#:</p>
<pre><code>using System;
using System.Security.Cryptography;
static string GenerateClientSecret(int length) // length = number of random bytes wanted, e.g. 32
{
    RandomNumberGenerator cryptoRandomDataGenerator = new RNGCryptoServiceProvider();
    byte[] buffer = new byte[length];
    cryptoRandomDataGenerator.GetBytes(buffer);
    string uniq = Convert.ToBase64String(buffer);
    return uniq;
}
</code></pre>
<p><strong>SECONDLY</strong>, the whole point of OAuth is to allow external apps to do things on your behalf without asking for your credentials. So, you need to implement an authentication server that does the logging-in part for you. The user opens the app and gets an option to <strong>Log in using <em>your website</em></strong>. You hand out access tokens and refresh tokens once the user has keyed in his credentials. The app can then simply use the tokens to perform actions on the user's behalf. I wrote an answer to <a href="https://stackoverflow.com/questions/16200528/how-would-an-efficient-oauth2-0-server-provider-work">How would an efficient OAuth2.0 server / provider work?</a> that explains how access tokens can be constructed. <br>Remember, the need for refresh tokens and the lifetime of access tokens purely depends on how you intend to use them and what your security framework looks like.</p>
<p><strong>LASTLY</strong>, the refresh token can also be an HMAC encoded string/a JSON object as I had explained in the answer to the linked question. You can have random refresh tokens and a large backend storage to keep them to verify the tokens in the incoming requests, or have HMAC encoded strings for added security/less storage requirements/latency to decrypt/encrypt tokens.</p>
<p>Also, do make sure that you go through all the flows and possibly the RFC too as mentioned by Lukos.</p>
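The "HMAC encoded string" token the answer describes, written out as an added example (this is not code from the original answer or from any OAuth library). It assumes a single server-side signing key and a payload of client id, user id and expiry; the names `TokenService`, `Issue` and `Validate` are this example's own. Because the MAC is recomputed from the payload on every request, the server needs no token store at all, only the key; the trade-off is that such a token cannot be revoked individually before it expires, which is the case where the answer's "random token plus backend storage" design is the better fit.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: self-contained "payload + HMAC" access/refresh tokens.
// Token layout: base64url(payload) "." base64url(HMAC-SHA256(payload))
// payload = clientId "|" userId "|" expiresUnixSeconds
public static class TokenService
{
    // In production this key would come from configuration or a key vault.
    // Generated here so the example runs offline (assumption for the demo).
    private static readonly byte[] SigningKey = RandomBytes(32);

    // Cryptographically strong random bytes (same purpose as RNGCryptoServiceProvider.GetBytes).
    public static byte[] RandomBytes(int length)
    {
        var buffer = new byte[length];
        RandomNumberGenerator.Fill(buffer);
        return buffer;
    }

    public static string Issue(string clientId, string userId, TimeSpan lifetime, DateTimeOffset now)
    {
        long expires = now.Add(lifetime).ToUnixTimeSeconds();
        byte[] payloadBytes = Encoding.UTF8.GetBytes($"{clientId}|{userId}|{expires}");
        byte[] mac;
        using (var hmac = new HMACSHA256(SigningKey))
            mac = hmac.ComputeHash(payloadBytes);
        return Base64Url(payloadBytes) + "." + Base64Url(mac);
    }

    // Returns (clientId, userId) when the token is authentic and not expired; null otherwise.
    public static (string ClientId, string UserId)? Validate(string token, DateTimeOffset now)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;

        byte[] payloadBytes, mac;
        try
        {
            payloadBytes = FromBase64Url(parts[0]);
            mac = FromBase64Url(parts[1]);
        }
        catch (FormatException) { return null; }

        byte[] expected;
        using (var hmac = new HMACSHA256(SigningKey))
            expected = hmac.ComputeHash(payloadBytes);

        // Constant-time comparison so a forged MAC cannot be guessed byte by byte via timing.
        if (!CryptographicOperations.FixedTimeEquals(mac, expected)) return null;

        string[] fields = Encoding.UTF8.GetString(payloadBytes).Split('|');
        if (fields.Length != 3 || !long.TryParse(fields[2], out long expires)) return null;
        if (now.ToUnixTimeSeconds() >= expires) return null;   // expired
        return (fields[0], fields[1]);
    }

    private static string Base64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);   // throws FormatException on malformed input
    }
}

public static class Program
{
    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string token = TokenService.Issue("my-client", "alice", TimeSpan.FromHours(1), now);
        Console.WriteLine("token:    " + token);

        Console.WriteLine("valid:    " + (TokenService.Validate(token, now) != null));
        Console.WriteLine("expired:  " + (TokenService.Validate(token, now.AddHours(2)) != null));

        // Flip the first character of the payload part: the MAC no longer matches.
        char c = token[0] == 'A' ? 'B' : 'A';
        string tampered = c + token.Substring(1);
        Console.WriteLine("tampered: " + (TokenService.Validate(tampered, now) != null));
    }
}
```

Rotating `SigningKey` invalidates every outstanding token at once, which is the only bulk revocation this design offers; if you need per-token revocation, keep the random-token-plus-store design from the answer for refresh tokens and use the HMAC form only for short-lived access tokens.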