StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POUsing OAuth to limit access to corporate webservices for mobile webpages and native apps
primarykey
Id
11174962
data
AcceptedAnswerId
0
AnswerCount
1
ClosedDate
CommentCount
2
CommunityOwnedDate
CreationDate
2012-06-24T04:32:14.887
FavoriteCount
0
LastActivityDate
2012-07-05T14:03:52.203
LastEditDate
2012-06-25T14:29:14.750
LastEditorUserId
67566
OwnerUserId
67566
ParentId
0
PostTypeId
1
Score
2
ViewCount
129
LastEditorDisplayName
text
Body
I am considering a design that I am not certain if OAuth is going to be a good fit, but this is the basic issue. I have corporate webservices that will require different levels of security. <ol> <li>Check grades for user - require username/password</li> <li>Change grades for user - require username/password/RSA token number</li> </ol> So, if an application wants to do (1), it will be asking for the credentials, but, I would like the OAuth server to be told which service the user is trying to get to, and the correct fields would be shown, as this is the initial login. Now, the second time, the application (browser or app) have a token, but, that token isn't sufficient, but, the application shouldn't know this, as the security requirements may change, based on what the security people decide is appropriate. So, when the token is presented to get to (2), it determines that it isn't sufficient, and so an error is returned back, so the application can go and try to get a new token. I haven't implemented any of this yet, but as a basic design I am not certain if OAuth is a good fit for what I want to do, or if I would be better off to write my own authentication system. Initially the client for the webservices will be mobile web apps, but, I want to make it flexible enough so that when we write a native phone app it will be able to use the same system. So, having the application needing to know the security I have problems with, and passing the credentials each time to the webservice I am not happy with, so I would prefer to have an encrypted token that can be used, and if you meet the requirements for (2) then you can get into (1) with the same token. So, would OAuth be a good fit for this? OAuth does have authentication aspects, it appears, based on this (<a href="https://developers.google.com/accounts/docs/OAuth2InstalledApp" rel="nofollow">https://developers.google.com/accounts/docs/OAuth2InstalledApp</a>). UPDATE: - It appears that Open Connect (<a href="http://openid.net/connect/" rel="nofollow">http://openid.net/connect/</a>) may be better than OAuth for this, but I am just learning about Open Connect now.
Tags
<javascript><design><authentication><ios5><oauth>
Title
Using OAuth to limit access to corporate webservices for mobile webpages and native apps
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USJames Black
UserOwnerUserId
1. USJames Black
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POUsing OAuth to limit access to corporate webservices for mobile webpages and native apps
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POUsing OAuth to limit access to corporate webservices for mobile webpages and native apps
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. CORemember that OAuth by itself deals with authorization and isn't concerned with authentication.
 singulars
 PostPostId
 POUsing OAuth to limit access to corporate webservices for mobile webpages and native apps
 UserUserId
 USKos
2. CO@Kos - I guess my difficulty is that I want to have the authentication part in case the authorization part doesn't meet the requirements. So, you don't have authorization for (2), but you did for (1), so you need to be redirected first to get authenticated for (2). I am leaning toward just building my own system, but would like to leverage accepted standards (or drafts) as much as possible.
 singulars
 PostPostId
 POUsing OAuth to limit access to corporate webservices for mobile webpages and native apps
 UserUserId
 USJames Black

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.