I am in the process of building a RESTful web service using ASP.NET Web API, and I am considering using OAuth 1.0 as an authentication mechanism to secure the service. Our API would also be maintaining the credentials store and would therefore be the OAuth provider. Client applications using our API would be used by end users who would have to authenticate using a username and password, so I assume the client app is considered to be an OAuth consumer. The client application would make an API call to retrieve an unauthorized request token, then send along the user's credentials with the token to get an access token.

Ultimately, I could see other 3rd party applications wanting to access our application through my API, and they would use OAuth with the redirection with our application being the credentials provider.

Is this a viable way to use OAuth? Will something like DotNetOpenAuth support this scenario?

ekad
Rich Miller

1 Answer

We have decided to implement OAuth 2.0, which supports various workflows, one of which includes a Resource Owner Credentials flow that allows the client to pass user credentials to the authorization server in exchange for an access token. This will serve our purposes.

Rich Miller
  • This question is old, but I just want to flag that this is a bad solution to the problem. A better way would be to show a web-based login form within a web view. You definitely do not want 3rd parties to be authenticating with actual usernames/passwords. – James Billingham Sep 19 '13 at 05:21
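
The flow named in the answer is the resource owner password credentials grant (RFC 6749, section 4.3). The following is an added example, not code from the post or from DotNetOpenAuth: a protocol-level Python sketch of a token endpoint that accepts this grant only from clients registered for it, so third-party clients never handle usernames and passwords. The client ids, secrets, user store and function names are all constructed for illustration.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs

# Constructed sample data: one first-party client, one third-party client, one user.
CLIENTS = {
    "first-party-app": {"secret": "s3cr3t-1", "grants": {"password", "refresh_token"}},
    "third-party-app": {"secret": "s3cr3t-3", "grants": {"authorization_code"}},
}
SALT = b"constructed-salt"
def _hash(pw):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)
USERS = {"alice": _hash("correct horse")}

def _error(status, code):
    return status, {"error": code}

def _client_from_basic(authorization):
    """Authenticate the client from an HTTP Basic header; return its id or None."""
    try:
        scheme, value = authorization.split(" ", 1)
        client_id, secret = base64.b64decode(value).decode().split(":", 1)
    except (ValueError, AttributeError):
        return None
    client = CLIENTS.get(client_id)
    if scheme.lower() != "basic" or client is None:
        return None
    ok = hmac.compare_digest(secret.encode(), client["secret"].encode())
    return client_id if ok else None

def handle_token_request(authorization, body):
    """Process a form-encoded token request; return (HTTP status, JSON dict)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    client_id = _client_from_basic(authorization)
    if client_id is None:
        return _error(401, "invalid_client")
    if form.get("grant_type") != "password":
        return _error(400, "unsupported_grant_type")
    if "password" not in CLIENTS[client_id]["grants"]:
        return _error(400, "unauthorized_client")  # third parties never see passwords
    username, password = form.get("username"), form.get("password")
    if not username or not password:
        return _error(400, "invalid_request")
    stored = USERS.get(username, _hash("dummy"))  # hash even for unknown users
    if not hmac.compare_digest(stored, _hash(password)) or username not in USERS:
        return _error(400, "invalid_grant")
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 3600}
```

A third-party client calling this endpoint gets `unauthorized_client` and has to use a redirect-based grant instead, where the user logs in on the provider's own page.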