API
ppa, 2013-11-11 17:10:12

Security of requests from third-party services

The title probably does not quite reflect the essence of my stupor. And the problem is this: I started making a web engine based on the API. And everything would be fine, but the moment has come when other services (unverified) need to work with the API. The problem is that, having authorized on a third-party service, the user will be in danger, because the third-party service will be able to perform any action on behalf of the user. I know that there is OAuth and the like, but I would like to make such a system myself. Can you tell me where to read?


4 answer(s)
mayorovp, 2013-11-11
@mayorovp

The service must make a request like api .****.su/?token=***&method=***&data=***; authorization is by token. The other service gets only the token; the login and password are entered on your site's side.
Everything is written in more detail in the OAuth protocol - it solves exactly this problem.

betal, 2013-11-11
@betal

Let him authorize with you, and either sign the data to a third-party server or transfer it through a closed channel.

rozhik, 2013-11-12
@rozhik

Take 2-legged OAuth. A very simple solution based on a pre-shared key (shared password). There are libraries for both the client and the server. My pure-PHP code (without using any libraries) did not weigh even 10 kilobytes.
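
An added example, not part of any answer in this thread and not taken from an OAuth library: a sketch of the pre-shared-key request signing that the answers above describe, using plain HMAC-SHA256 instead of the OAuth signature format. The consumer ID, the secret, the `consumer`/`ts`/`nonce` parameter names, the 300-second window and the timestamp and nonce replay checks are assumptions made for this example.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

# Constructed sample: consumer id -> pre-shared secret (hypothetical values).
CONSUMER_KEYS = {"svc-demo": b"constructed-shared-secret"}
MAX_SKEW = 300          # assumed freshness window, in seconds
_seen_nonces = set()    # in-memory replay cache; a real service needs a shared store with expiry


def canonical(method, path, params):
    """Build the byte string both sides sign: method, path, sorted query."""
    query = urlencode(sorted(params.items()))
    return f"{method.upper()}\n{path}\n{query}".encode()


def sign(secret, method, path, params):
    """Client side: HMAC-SHA256 over the canonical request; the secret is never sent."""
    return hmac.new(secret, canonical(method, path, params), hashlib.sha256).hexdigest()


def verify(method, path, params, signature, now=None):
    """Server side: return (ok, reason) for a signed request."""
    now = time.time() if now is None else now
    secret = CONSUMER_KEYS.get(params.get("consumer", ""))
    if secret is None:
        return False, "unknown consumer"
    try:
        ts = int(params["ts"])
        nonce = params["nonce"]
    except (KeyError, ValueError):
        return False, "missing ts/nonce"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = sign(secret, method, path, params)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # Record the nonce only after the signature checks out, so unsigned
    # requests cannot fill the cache or burn a legitimate nonce.
    key = (params["consumer"], nonce)
    if key in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces.add(key)
    return True, "ok"
```

The signature covers integrity and origin only, so the request still has to travel over HTTPS to keep its contents private.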

SkiF_TLT, 2013-11-12
@SkiF_TLT

api .****.su/?method=login.login&data={"email":"****","password":"******"}&sid=SID12345

HTTP and a plaintext password in GET? What kind of security can we talk about here?
But in general, my advice is to listen to people, use ready-made solutions and do not reinvent the wheel. Especially when its invention requires knowledge in the field of secure interaction between different services.
