
My company provides services to other websites. I would like to be able to give them a simple snippet of code to embed in their site (like a widget) that will send a query to the service I'm implementing, receive a response and render the results in the page. I'd like to minimize their effort, and only give them the smallest snippet possible. This is also why I'd like to keep it all client side.

The problem is that I'd like to make sure that the call is actually made by my clients and not by anyone else who copied the code from the site. I looked into the web client OAuth2 flow, but it seems that it does not enable authenticating the client. It does say that there's a way to validate the client by comparing the callback URL to a URL that the client registered with my service.

My Questions:

  1. Is there any better approach?
  2. Is the oauth2 client side approach, including the method described to validate the client, sufficiently secure?
  3. If I go for the suggested implementation, what should I pay attention to?
davidrac
  • So basically the code snippet is going to run on a multitude of clients in various locations (random website visitors), but you want to make sure each code is executed in the context of a specific id (your customer), which should not be spoofable? Sounds like a fundamentally really difficult if not impossible task. +1 though, waiting for responses... – deceze Jun 13 '12 at 11:54

1 Answer


You could use the Client Credentials Grant Authorization as defined in OAuth 2.0. This would allow you to assign a separate Client Token and Client Secret for each separate client; they send in the tokens to get an access token and use the access token to request the data.

Or you could just skip OAuth altogether and use SOAP WS-Security with certificates assigned to each client to authorize the web service.

Mark S.
  • Thank you for your answer. I actually looked into OAuth 2. The problem I had is that in order for my clients to work with client secret and client token (the full OAuth2 flow), they will need to implement server side code. I hoped there was some way for me to let them avoid this. – davidrac Jun 15 '12 at 08:03
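The Client Credentials Grant the answer proposes, sketched as an added example (not code from the question, the answer, or any OAuth library): the server-side token endpoint checks each client's id/secret pair and issues an HMAC-signed bearer token, and the resource endpoint validates that token before serving data. The client registry, the signing key and the secrets are constructed placeholders; as the follow-up comment notes, the client secret only works if it stays on the client's own server rather than in the embedded snippet, since anything shipped in the widget is visible to every visitor.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed client registry: client_id -> sha256(client_secret). In a real
# deployment this lives in your database; the ids and secrets here are made up.
CLIENTS = {"acme-widget": hashlib.sha256(b"s3cr3t-acme").hexdigest()}
SIGNING_KEY = b"constructed-signing-key-kept-only-on-the-server"  # assumption
TOKEN_TTL = 3600  # seconds an issued access token stays valid

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, client_secret, now=None):
    """Token endpoint for the Client Credentials Grant: verify the client's
    id/secret pair and return an HMAC-signed bearer token, or None on failure."""
    expected = CLIENTS.get(client_id)
    if expected is None:
        return None
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # constant-time comparison so a wrong secret does not leak timing information
    if not hmac.compare_digest(expected, presented):
        return None
    now = time.time() if now is None else now
    claims = {"sub": client_id, "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_token(token, now=None):
    """Resource endpoint: return the client_id the token was issued to, or None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # signature checked before parsing
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims["sub"]
```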