<p>Twitter addressed the external application issue in oAuth by supporting a variant they call <a href="https://dev.twitter.com/oauth/xauth" rel="nofollow">xAuth</a>. Unfortunately there's already a plethora of other schemes with this name, so it can be confusing to sort out.</p>

<p>The protocol <em>is</em> oAuth, except it skips the request token phase and simply immediately issues an access token pair upon receipt of a username and password. (Starting at <a href="http://dev.twitter.com/pages/auth#oauth" rel="nofollow">step E here</a>.) This <em>initial</em> request and response <strong>must be secured</strong>: it's sending the username and password in plaintext and receiving back the access token and secret token. Once the access token pair has been configured, whether the initial token exchange was via the oAuth model or the xAuth model is irrelevant to both the client and server for the rest of the session. This has the advantage that you can leverage existing oAuth infrastructure and have very nearly the same implementation for mobile/web/desktop applications. The main disadvantage is that the application is granted access to the client's user name and password, but it appears that your requirements mandate this approach.</p>

<p>In any case, I'd like to agree with your intuition and that of several other answerers here: don't try to build something new from scratch. Security protocols can be easy to start but are always hard to do well, and the more convoluted they become, the less likely your third-party developers are to be able to implement against them. Your hypothetical protocol is very similar to o(x)Auth (api_key/api_secret, nonce, sha1 hashing), but instead of being able to use one of the many existing libraries, your developers are going to need to roll their own.</p>
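The exchange the answer describes, as an added example that is not part of the original post or of Twitter's code: the client signs the xAuth access-token POST with only its consumer secret (the request-token step is skipped), the server checks that signature and the credentials and mints the token pair, and every later call is an ordinary OAuth 1.0a HMAC-SHA1 request signed with consumer secret plus token secret. The server side also shows the checks a practitioner wants around the nonce/timestamp: a bounded timestamp window, replay rejection, and constant-time comparison. The consumer key/secret, hostnames, endpoint path and user table are constructed for the demo; the `x_auth_mode`, `x_auth_username` and `x_auth_password` body parameter names follow Twitter's xAuth documentation. Nothing here replaces TLS: the password still crosses the wire on the first request.

```python
"""OAuth 1.0a / xAuth signing (RFC 5849, HMAC-SHA1) with a minimal server-side verifier.
Added example; keys, hostnames and users are constructed, not Twitter's."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

CONSUMER_KEY = "example-consumer-key"          # constructed api_key
CONSUMER_SECRET = "example-consumer-secret"    # constructed api_secret
ACCESS_TOKEN_URL = "https://api.example.com/oauth/access_token"  # assumed endpoint


def pct(s):
    """RFC 5849 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """METHOD&url&normalized-params; oauth_signature itself is never part of the input."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret (empty in the xAuth step)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_params(token=None, nonce=None, timestamp=None):
    """The oauth_* protocol parameters; nonce/timestamp can be pinned for deterministic tests."""
    p = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": nonce or secrets.token_hex(16),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp or int(time.time())),
         "oauth_version": "1.0"}
    if token:
        p["oauth_token"] = token
    return p


def xauth_access_token_request(username, password, nonce=None, timestamp=None):
    """Step E: no request token. The consumer-signed POST carries the user's password in the
    body, so this exchange is only safe over TLS. x_auth_* names follow Twitter's xAuth."""
    body = {"x_auth_mode": "client_auth", "x_auth_username": username, "x_auth_password": password}
    params = {**oauth_params(nonce=nonce, timestamp=timestamp), **body}
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, CONSUMER_SECRET)
    return params


def signed_api_request(method, url, query, token, token_secret, nonce=None, timestamp=None):
    """Every later call is ordinary OAuth 1.0a, identical whether the token came via OAuth or xAuth."""
    params = {**oauth_params(token=token, nonce=nonce, timestamp=timestamp), **query}
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return params


class Server:
    """Verifier: recompute the HMAC in constant time, bound the timestamp, reject nonce replays."""

    def __init__(self, consumers, users, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.users = users           # username -> password (plaintext only for this demo)
        self.tokens = {}             # oauth_token -> (token_secret, username)
        self.window = window         # accepted clock skew in seconds
        self.seen = set()            # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        ck, nonce = params.get("oauth_consumer_key"), params.get("oauth_nonce")
        ts = str(params.get("oauth_timestamp", ""))
        if ck not in self.consumers or not ts.isdigit() or abs(now - int(ts)) > self.window:
            return False
        if (ck, ts, nonce) in self.seen:
            return False                                   # replayed nonce
        token_secret = ""
        if "oauth_token" in params:
            if params["oauth_token"] not in self.tokens:
                return False
            token_secret = self.tokens[params["oauth_token"]][0]
        expected = sign(method, url, params, self.consumers[ck], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False
        self.seen.add((ck, ts, nonce))
        return True

    def xauth_exchange(self, params, now=None):
        """Check the consumer signature and the credentials, then mint the access token pair."""
        if not self.verify("POST", ACCESS_TOKEN_URL, params, now):
            return None
        user, pw = params.get("x_auth_username"), params.get("x_auth_password", "")
        if params.get("x_auth_mode") != "client_auth" or user not in self.users:
            return None
        if not hmac.compare_digest(self.users[user].encode(), pw.encode()):
            return None
        token, secret = secrets.token_hex(16), secrets.token_hex(32)
        self.tokens[token] = (secret, user)
        return token, secret
```

Once `xauth_exchange` has returned the pair, the server's `verify` path is the same for an xAuth-issued token as for one obtained through the full three-legged flow, which is the point the answer makes about reusing existing OAuth infrastructure. A real deployment would add rate limiting on the access-token endpoint (it accepts passwords) and store the nonce set with expiry rather than in memory.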