When i create the database and change the web.config to allow
localhost requests how should i then use the oauth.ashx ?
Should i be able to connect with the WebConsumer or DesktopConsumer to
this endpoint? How do i initiate a authentication flow ?
Any concrete example code how to connect to the oauth part of the
WebFormsRelyingParty would be great, cause i cannot figure it out.
Every example that i see already defines the webconsumer key and
secret but what should these be in this example?
The database consumer tables stay empty when someone has authenticated
with openid.
Should the authentication be started true Oauth for these tables to be
filled or should i manually add these key/secrets?
I have created a project from the template and have got the openid
part of the example working.
However i cannot see how the OAuth part should be working?
When i create the database and change the web.config to allow
localhost requests how should i then use the oauth.ashx ?
Should i be able to connect with the WebConsumer or DesktopConsumer to
this endpoint?
How do i initiate a authentication flow ?
Any concrete example code how to connect to the oauth part of the
WebFormsRelyingParty would be great, cause i cannot figure it out.
Every example that i see already defines the webconsumer key and
secret but what should these be in this example?
The database consumer tables stay empty when someone has authenticated
with openid.
After the user is logged in to my site using his openid account i want
to use OAuth to authorize the Iphone app to use the users information
from my site. ( there willl be extra profile information for this user
outsite openid info)
The app will then keep using the Oauth token to login to the
application and do whatever i has to.
Is this a way OAuth could be uses or is that not what its intended
for , or even possible?
Is it possible to use this OAuth auth token to authenticate itself to
other endpoints using OAuth?
Bit difficult to explain but the point is that the app after it
received a OAuth token needs to use this user to authenticate itself
at some Web services it will use.
Can oauth token be used for this or should i initiate a new oauth flow
for every web site/Service?
On 19 feb, 15:02, Andrew Arnott <andrewarn...@gmail.com> wrote:
> Good questions... I'll answer below.
>
> entries for consumers to use, but eventually what each SP *may* want to do
Is this a way OAuth could be uses or is that not what its intended
for , or even possible?
Is it possible to use this OAuth auth token to authenticate itself to
other endpoints using OAuth?
Bit difficult to explain but the point is that the app after it
received a OAuth token needs to use this user to authenticate itself
at some Web services it will use.
Can oauth token be used for this or should i initiate a new oauth flow
for every web site/Service?
On 22 feb, 17:22, Andrew Arnott <andrewarn...@gmail.com> wrote:
> 2010/2/22 wpeters1981 <wgtm.pet...@gmail.com>
On 26 feb, 11:03, Øyvind Sean Kinsey <oyv...@kinsey.no> wrote:
> This is what the application key/secret pair is for.
>
> Øyvind Sean Kinsey
> oyv...@kinsey.nohttp://kinsey.no/blog/index.php/about/
On 26 feb, 14:36, Andrew Arnott <andrewarn...@gmail.com> wrote:
> The app key/secret is good for web apps, but a false blanket of security for
> installed client apps since the secret can be discovered. However, iphone
> apps are sufficiently locked down that perhaps the level of difficulty vs.
> the security you need balances out.
>
> But wpeters idea of keying individual apps works perfectly well too. And it
> doesn't necessarily have to be in the distribution of the app itself that
> you key it... it could be that the app on first startup requests a consumer
> token and secret from the SP and stores it. That way the SP can assign a
> unique secret to each installation of the app. Although it won't know any
> significant "who" is behind the token, but at least it can individualize the
> installations.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
> 2010/2/26 Øyvind Sean Kinsey <oyv...@kinsey.no>
>
> > This is what the application key/secret pair is for.
>
> > Øyvind Sean Kinsey
> > oyv...@kinsey.no
> >http://kinsey.no/blog/index.php/about/
>
I have got it working up to the point where i request a resource,
because i cannot find any resources that can be requested in the
example.
Should i be able to request accountinfo.aspx?
Is it normal that everytime i click begin in the oauthconsumerwpf i
have to allow the app access and use the returned verification
number.
Should it not save a auth token after this in the inmemorytokenmanager
and just use the existing authtoken from the previous flow?
The point is that users only complete the flow once...
Can i use OAuth to protect a webservice(which could be in the same
site and uses the same database) and also identify the person?
On 26 feb, 16:17, Andrew Arnott <andrewarn...@gmail.com> wrote:
> Inline...
> 2010/2/26 wpeters1981 <wgtm.pet...@gmail.com>
>
> > I have got it working up to the point where i request a resource,
> > because i cannot find any resources that can be requested in the
> > example.
> > Should i be able to request accountinfo.aspx?
>
> Yes, that's an example of a page that requires the user to be logged in, or
> for the consumer to have an access token.
>
> > Is it normal that everytime i click begin in the oauthconsumerwpf i
> > have to allow the app access and use the returned verification
> > number.
>
> Yes. Not normal in a shipping app, but normal for the sample.
>
> > Should it not save a auth token after this in the inmemorytokenmanager
> > and just use the existing authtoken from the previous flow?
>
> Yes, if it were a real app. Or maybe even a better sample. :) The
> InMemoryTokenManager is a sample-only ITokenManager anyway. Really tokens
> should be saved on disk so that even across app reloads the user can still
> use a prior authorization rather than re-authorizing.
>
> The point is that users only complete the flow once...
>
> Agreed.
>
> > Can i use OAuth to protect a webservice(which could be in the same
> > site and uses the same database) and also identify the person?
>
> Absolutely. But that's up to the service provider. While the user is
> authorizing the request token with the SP, the SP is presumably already
> associating the user with the token in order to allow the consumer to access
> *that user's* data. So when the token comes into the SP the SP should know
On 26 feb, 16:58, Andrew Arnott <andrewarn...@gmail.com> wrote:
> Just enter the full URL to the accountinfo.aspx page into the WPF consumer
> sample and it should pull the HTML for the page into the app's textbox. No
> other special steps should be necessary.
>
> Or are you expecting web service-like XML in the response instead of HTML in
> this case?
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
On 5 mrt, 14:25, Øyvind Sean Kinsey <oyv...@kinsey.no> wrote:
> Take a look at the OAuthServiceProvider sample, at
> the OAuthAuthorizationManager class.
> This is applied to the binding using
> <serviceBehaviors>
> <behavior name="DataApiBehavior">
> <serviceMetadata httpGetEnabled="true"/>
> <serviceDebug includeExceptionDetailInFaults="true"/>
> <serviceAuthorization
> serviceAuthorizationManagerType="OAuthAuthorizationManager, __code"
> principalPermissionMode="Custom" />
> </behavior>
> </serviceBehaviors>
>
> This is the class that reads the token and that converts the claims into an
> IIdentity for .net
>
> Øyvind Sean Kinsey
> oyv...@kinsey.nohttp://kinsey.no/blog/index.php/about/
excellent that fixed it, i removed OAuthAuthenticationModule and now it seems to work.
still have one bug that when i am not logged in the openid relying site when doing the oauth wcf request i first need to login using for example a google account , thats all great but after logging in i do not get redirected to the oauth page to accept the request and get the confirmation code.
This only happens when i am request oauth when i am already logged in to the site.