Case for OAuth


fortuner

Apr 12, 2012, 2:24:25 PM
to api-...@googlegroups.com
Hi,

  I have been trying to see if OAuth fits my requirement. Here is my case:

  1. I am an API service provider.
  2. There are 3rd party applications which register with me to make use of my APIs.
  3. There are subscribers of the 3rd party applications who will in turn consume my APIs. I have no knowledge of the 3rd party application's subscribers.

  Is there a case for me to expose an OAuth service here?

  I am a bit confused by the OAuth roles.

  1. I own the protected resources and am the resource owner.
  2. I am also the resource server and authorization server.
  3. That leaves the client, which is the 3rd party application.

  So what role does the application's subscriber play here? Am I getting confused about the resource owner part?

Thanks

  

kedar mhaswade

Apr 13, 2012, 5:43:01 AM
to api-...@googlegroups.com
I think if you don't know of subscribers of 3rd-party applications ("Client" in OAuth2 lingo) which invoke your API (you being the service provider), I am not seeing if OAuth fits your use case.

My understanding is that the resource that resides on a "resource server" should be owned by an end user (subscriber) who has identity on both "client" and "resource server/authorization server" for OAuth to be applicable.

Regards,
Kedar



sune jakobsson

Apr 13, 2012, 6:58:30 AM
to api-...@googlegroups.com

Brian Mulloy

Apr 13, 2012, 8:45:09 AM
to api-...@googlegroups.com, api-...@googlegroups.com
In case you haven't run across it already, I found this tutorial on OAuth roles helpful: http://tutorials.jenkov.com/oauth2/roles.html

The people you are describing as the subscribers of the 3rd party app are usually viewed as the resource owners. But if you have no knowledge of them then you are probably not providing the resource server for the resource they own and so wouldn't need to worry about providing an auth server.

There are other reasons for you to be a provider but I don't see it in what you have described.

-b

Sent from my iPhone
