API
Nazar Mokrinsky, 2013-03-21 17:49:22

OAuth 2 + guest access

There is an API; access to it is granted via access_token + client_id + client_secret, according to OAuth 2.
But what if guests should also have access to the API, while you need to know that several requests come from the same guest?
Is it possible to make a method like access_guest_token? I'm interested in a solution within OAuth 2, so as not to build anything unnecessary; I can't find anything in the specification.

If I'm confused, correct me.

2 answer(s)
Alexey Zhurbitsky, 2013-03-21
@blo

In general, without a detailed description, it is difficult to offer something sensible, but offhand - why can't guests also use the access_token + reserved guest client_id?

Talyutin, 2013-03-22
@Talyutin

It seems to me that the specification does not stipulate that client_id is the type or class of the application (mobile or your server). But it is explicitly said that the client_id is issued by the server to the client. Therefore, nothing prevents you from having a client_class_id in the first request to get a client_id and, if necessary, a client_secret. client_class_id will just indicate that this is a mobile application.
In addition, the content of the paragraph tools.ietf.org/html/rfc6749#section-2.3.1 just resembles the previously known and familiar login:password scheme.
As a result, each user immediately receives his own client_id, which, by the way, will then be transmitted with all other requests according to the specification.
Example:
The client sends
POST xxx/oauth/credentials
with client_class_id=12sdfs31sdfsd23&other identifiers&any models&types and related information in the body,
and gets client_id=cid and client_secret.
Further, if the client needs to log in, then he sends
POST xxx/login?response_type=code&redirect_uri=yyy://zzz&client_id=cid
with login=vasya&password=123 in the body.
If he is a guest, then he sends something else.
He receives
HTTP/1.1 302 Found
Location: yyy://zzz?code=vasya_code
and then requests POST xxx/oauth/token with grant_type=authorization_code&code=vasya_code&redirect_uri=yyy://zzz as usual.
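
An added example, not part of either answer: a Python sketch of the server side of the per-guest credentials idea from the second answer, with client authentication as in RFC 6749 section 2.3.1. Having guests obtain their token through the client_credentials grant, the "guest" scope, the in-memory stores and all function names are assumptions of this sketch.

```python
import base64, hashlib, hmac, secrets

# client_class_id value from the answer; it marks a mobile application.
KNOWN_CLASSES = {"12sdfs31sdfsd23": "mobile"}
CLIENTS = {}  # client_id -> {"class", "secret_hash"} (in-memory, assumed)
TOKENS = {}   # access_token -> {"client_id", "scope"} (in-memory, assumed)

def _h(secret):
    return hashlib.sha256(secret.encode()).hexdigest()

def issue_credentials(client_class_id):
    """POST /oauth/credentials: one client_id/client_secret per installation."""
    if client_class_id not in KNOWN_CLASSES:
        raise PermissionError("unknown client_class_id")
    client_id = secrets.token_urlsafe(16)
    client_secret = secrets.token_urlsafe(32)
    # Store only a hash of the secret; the client sees the secret once.
    CLIENTS[client_id] = {"class": KNOWN_CLASSES[client_class_id],
                          "secret_hash": _h(client_secret)}
    return client_id, client_secret

def authenticate_client(authorization_header):
    """RFC 6749 section 2.3.1: client_id:client_secret sent via HTTP Basic."""
    scheme, _, value = authorization_header.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(value).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    record = CLIENTS.get(client_id) if scheme.lower() == "basic" else None
    # Constant-time compare; unknown clients are checked against a dummy hash.
    expected = record["secret_hash"] if record else _h("")
    ok = hmac.compare_digest(_h(secret), expected)
    return client_id if (record and ok) else None

def guest_token(authorization_header, grant_type):
    """POST /oauth/token for a guest (assumed: client_credentials grant)."""
    client_id = authenticate_client(authorization_header)
    if client_id is None:
        return {"error": "invalid_client"}
    if grant_type != "client_credentials":
        return {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "scope": "guest"}
    return {"access_token": token, "token_type": "bearer", "scope": "guest"}

def guest_identity(access_token):
    """Tokens that resolve to the same client_id belong to the same guest."""
    entry = TOKENS.get(access_token)
    return entry["client_id"] if entry else None
```

Anyone who knows a client_class_id can call the credentials endpoint, so the guest scope should cover only what an anonymous user is allowed to do.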
