7

I have been trying for hours now to get OAuth working with an API that I am working on, and obviously my approach must be wrong, because I constantly hit dead ends.

What I have got:
- An API that is implemented in .NET MVC, which returns a data result as either XML or JSON.
- It requires an API Key to be able to use the API.
- A website (X) as backend for managing the API keys.
- Another website (Y) with loads of data which this API extracts data from.

What I am supposed to get:
- The ability to let the API Keys access data on users from the website (Y), if they allow it themselves via OAuth (1.0A).

What I have tried:
- So far, my approach has been to use the DotNetOpenAuth library, but it is almost all about how to implement OpenId, and some classes in the OAuth namespace even seem hardcoded towards OpenId functionality. So I have been trying to see what is going on in the examples that are using OpenId, and see if I can use parts of that to implement OAuth without OpenId.
- Various approaches include, on the server side, to read an "UnauthorizedTokenRequest" and return it via calling the ServiceProvider.Channel.PrepareResponse(unauthorizedTokenRequest).AsActionResult(), which for some reason tries to add two values of nonce and timestamp to the response which crashes, and skipping that, it still returns a response that I am not able to read on the client end.

So I guess, my question really is:

  1. Is there a guide/documentation that tells you what parts of the DotNetOpenAuth library I should be using on the server side, and when in the process they should be used, in order to implement OAuth on an MVC server that is not hardcoded to OpenId, as neither of the websites (X nor Y) supports OpenId?
  2. Should I rather use another library if I am not going to use OpenId as DotNetOpenAuth seems to be focusing the most on?
  3. Any other approaches that would fit my need better are very welcome.

Thank you in advance!
- Johny, Denmark

Johny Skovdal
  • 1
    Anyone with any good advice on this? I have a hard time believing I am the only one trying to implement OAuth without OpenID. :) – Johny Skovdal Jun 24 '11 at 12:39

1 Answer

4

DotNetOpenAuth supports OpenID, OAuth, and InfoCard when used together and separately. It sounds like what you're building fits what the DotNetOpenAuth sample "OAuthServiceProvider" is demonstrating. True, that sample uses OpenID to log users in, but you can ignore the login.aspx page in the sample completely and thus be completely separated from OpenID. Using OAuth without OpenID is totally supported.

The couple of OpenID-related methods in the OAuth classes are merely to support the "OpenID+OAuth" extension of OpenID, which doesn't apply to your situation so you can ignore them.

Regarding your twice added nonce issue that you saw, sometimes it happens that the Service Provider inappropriately has two modules validating incoming OAuth requests, each validating the nonce and thus the second module always rejects every request. You might check if that is causing your problem. Otherwise see if the unchanged sample works for you, and if so, compare what it does against what you're doing to see what might be going wrong. Activating logging also frequently helps.

Andrew Arnott
  • Thank you very much, I will have a look at it again the coming week, and let you know if it worked out. :) – Johny Skovdal Jun 26 '11 at 20:00
  • Activating logging really did the trick. I ran into issues however, where the source code was different than the binary, making it quite hard to debug, as my breakpoints were hit at odd places and not in others. Finally got it working though, but only by trial and error. Thank you for the help. :) – Johny Skovdal Jan 24 '12 at 09:05
  • Glad it worked for you @JohnySkovdal. As for debugging trials, you can get exactly matching source code by downloading the source code from https://github.com/AArnott/dotnetopenid/tags for your version. In the next version, we'll start uploading source code and symbols to http://www.symbolsource.org/ which should make this automatic. – Andrew Arnott Jan 27 '12 at 03:25
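
The double nonce validation described in the answer above, as an added example that is not part of the original thread and is not DotNetOpenAuth code. `NonceStore` and `Validate` are hypothetical names, and the request values are constructed; the sketch only shows why a second module checking the same request always sees the nonce as a replay.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for a service provider's nonce store (not a DotNetOpenAuth type).
sealed class NonceStore
{
    private readonly HashSet<string> seen = new HashSet<string>();
    private readonly TimeSpan maxAge;

    public NonceStore(TimeSpan maxAge) { this.maxAge = maxAge; }

    // Returns true only the first time a (consumer, nonce, timestamp) triple is
    // presented inside the allowed window; any later presentation is a replay.
    // A production store would also evict entries older than maxAge.
    public bool TryConsume(string consumerKey, string nonce, DateTime timestampUtc, DateTime nowUtc)
    {
        if ((nowUtc - timestampUtc).Duration() > maxAge) return false; // stale or future-dated
        return seen.Add(consumerKey + "\n" + nonce + "\n" + timestampUtc.Ticks);
    }
}

static class Demo
{
    // Represents any component that validates the nonce of an incoming OAuth request.
    static bool Validate(NonceStore store, string label, string consumer, string nonce, DateTime ts, DateTime now)
    {
        bool ok = store.TryConsume(consumer, nonce, ts, now);
        Console.WriteLine($"{label}: {(ok ? "accepted" : "rejected (nonce already used or expired)")}");
        return ok;
    }

    static void Main()
    {
        var now = DateTime.UtcNow;
        var store = new NonceStore(TimeSpan.FromMinutes(5));
        string consumer = "sample-consumer-key"; // constructed sample value

        // Misconfiguration: two modules validate the same legitimate request.
        // The second call presents a nonce that the first call already recorded.
        Validate(store, "module 1", consumer, "a1b2c3d4", now, now);
        Validate(store, "module 2", consumer, "a1b2c3d4", now, now);

        // Correct wiring: each request passes through nonce validation exactly once.
        Validate(store, "single module", consumer, "e5f6a7b8", now, now);
    }
}
```

When every request is rejected as a replay, checking whether the request pipeline invokes nonce validation more than once is a cheaper first step than relaxing the replay check.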