1

I need to connect to another web application using a web service. That web application uses the OAuth protocol to connect to their API. I am new to OAuth, but I did read the documentation :D. My question is, to connect my web application with theirs, what data do I need from them? I basically need to get all data of resource owners.

I think I need:

  1. consumer key and consumer secret key from that web application company
  2. token credential from the resource owner

I need this info right?

Can I save the resource owner token credential to get data in the future without resource owner login?

In their web application, it says I can get the following info from them:

  • OAuth access tokens and secrets -> are these the token credential of the resource owner?
  • OAuth Service key and secret -> what are these?
user510783

3 Answers

1

I followed this Tutorial and it is simple to understand.

David
1

I need this info right?

Yes. You need the resource owner to authorize your application through the OAuth flow. This is signified by token credentials (this used to be called access token).

Can I save the resource owner token credential to get data in the future without resource owner login?

Yes. Token credentials may have limitations on them in regards to expiration time, type of resources you can access etc. But if token credentials are expired (or invalidated by the resource owner him/herself) - your requests will not be accepted and you will have to ask the resource owner for new authorization.

OAuth access tokens and secrets -> are these the token credentials of the resource owner?

Yes. Until recently token credentials were called access tokens in the specification; information about the name changes can be found here: https://www.rfc-editor.org/rfc/rfc5849#section-1.1

OAuth Service key and secret -> what are these?

These are most likely the consumer key and secret.

Jon Nylander
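
How the two credential pairs named in the answer above combine when a stored token credential is reused later, shown as an added example that is not part of the original answer. It assumes the provider uses the HMAC-SHA1 method of RFC 5849; every key, secret, nonce and URL below is constructed.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlsplit, parse_qsl

def pct(s):
    # RFC 5849 section 3.6: only unreserved characters stay unencoded
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params):
    parts = urlsplit(url)
    # Base string URI: no query part (default-port stripping omitted here)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True) + list(oauth_params.items())
    # Encode each name and value, then sort (section 3.4.1.3.2)
    encoded = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret):
    # Signing key = consumer (client) secret + "&" + token secret.
    # Both are needed; the resource owner's password is never involved.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, oauth_params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify(method, url, oauth_params, signature, consumer_secret, token_secret):
    # Provider side: recompute and compare in constant time
    expected = sign(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

# Constructed sample values (not real credentials)
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer-key", "example-consumer-secret"
TOKEN, TOKEN_SECRET = "stored-token", "stored-token-secret"  # saved after authorization
URL = "https://api.example.com/v1/profile?fields=name"
PARAMS = {
    "oauth_consumer_key": CONSUMER_KEY,
    "oauth_token": TOKEN,
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "constructed-nonce-1",
}
SIGNATURE = sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
```

Because the stored token secret is half of the signing key, it needs the same protection at rest as the consumer secret.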
0

Here is the sequence of flow to get it all working.

  1. Get registered on the API Provider (the web application in your case). This will generate client id and client secret for you.

  2. Exchange client id, client secret, end user id/password (in base64 encoded format in HTTP auth header), scope, grant with the API Provider's auth service and get Authorization Code.

  3. Exchange client id, client secret, authorization code with API Provider's token service and get token.

  4. Use this token with other query parameters to proceed with the API request.

The sequence above is applicable for grant_type=code. If you are going for any other grant type, #2 is not applicable, and in #3, you provide end userid/password to get token directly.

rrshah