5

We are building a REST API using ASP.NET MVC. This API is similar in principle and usage to the Factual v3 API. They use 2-legged OAuth 1 for their API. Our design is very similar in that applications, primarily mobile, will use our API behind the scenes to provide a service. The end user of the application will not know about our API, and will therefore not have any credentials. So redirecting the user via a browser window to an auth form (like Facebook) does not make any sense. My questions are:

  • Why OAuth2 flow is the best to use in this scenario?
  • Should we even use OAuth2 or just stick with 2-legged OAuth 1?

For reference we are using C#/.NET, ASP.NET MVC 3 and plan on using DotNetOpenAuth v4.

http://developer.factual.com/display/docs/Factual+Developer+APIs+Version+3

craig.tadlock

2 Answers

4

Why OAuth2 flow is the best to use in this scenario?

It isn't, necessarily. OAuth 2 is an unfinalized spec. If you need maximum interoperability, OAuth 1.0 is the better choice (for now). OAuth 2 is simpler for the client, at the expense of significantly added complexity on the server.

Should we even use OAuth2 or just stick with 2-legged OAuth 1?

Use the pros and cons listed above to choose. Also, if you're using DotNetOpenAuth, OAuth 1.0 support has been around for years, whereas OAuth 2.0 support isn't fully baked yet, so you'd probably hit some road bumps.

Andrew Arnott
  • Since OAuth2 is new, let's go with OAuth1. I downloaded the latest version of DotNetOpenAuth 4 (rc1). I'm having a tough time sorting through all of the examples to find one that is similar to what we need. We are using ASP.NET MVC 4 Web API to build the REST API. I really just need the ability to sign a request using OAuth with an API key and secret, then on the server side have an authorization attribute that decodes this request and validates it against the key and secret in the database. Which example should I be following? – craig.tadlock Mar 21 '12 at 21:49
  • The OAuthServiceProvider and OAuthConsumer samples are most relevant. But it sounds like users are irrelevant to your scenario -- so it sounds like you're describing [0-legged OAuth](http://blog.nerdbank.net/2011/06/what-is-2-legged-oauth.html). While I don't think there's a specific sample for that, it should be pretty straightforward to port the above samples so it fits your needs. – Andrew Arnott Mar 25 '12 at 17:15
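
The key-and-secret signing and server-side validation discussed in the comments above, sketched as an added example that is not part of the original thread and is not DotNetOpenAuth code: an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) with no user token, plus the matching check with timestamp and nonce replay protection. The class and method names, the 300-second window, the in-memory nonce set and the sample key, secret and URL are all assumptions; it targets .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class ZeroLeggedOAuthDemo // hypothetical names throughout; not DotNetOpenAuth's API
{
    // RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal.
    static string Enc(string s) => string.Concat(Encoding.UTF8.GetBytes(s).Select(b =>
        (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || (b >= '0' && b <= '9') ||
        "-._~".IndexOf((char)b) >= 0 ? ((char)b).ToString() : "%" + b.ToString("X2")));

    // HMAC-SHA1 over method, URL (no query string) and the sorted, encoded parameters.
    public static string Sign(string method, string url, IDictionary<string, string> p, string secret)
    {
        var pairs = p.Where(kv => kv.Key != "oauth_signature")
            .Select(kv => (K: Enc(kv.Key), V: Enc(kv.Value)))
            .OrderBy(x => x.K, StringComparer.Ordinal).ThenBy(x => x.V, StringComparer.Ordinal)
            .Select(x => x.K + "=" + x.V);
        var baseString = method.ToUpperInvariant() + "&" + Enc(url) + "&" + Enc(string.Join("&", pairs));
        // No user token: the key is the encoded consumer secret, "&", and an empty token secret.
        using var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(Enc(secret) + "&"));
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
    }

    // Server side: find the secret for the presented key, check freshness, recompute, compare.
    public static bool Verify(string method, string url, IDictionary<string, string> p,
        Func<string, string> lookupSecret, ISet<string> seen, DateTimeOffset now)
    {
        if (!p.TryGetValue("oauth_consumer_key", out var key) || !p.TryGetValue("oauth_signature", out var sig) ||
            !p.TryGetValue("oauth_timestamp", out var ts) || !p.TryGetValue("oauth_nonce", out var nonce)) return false;
        var secret = lookupSecret(key);
        if (secret == null || !long.TryParse(ts, out var t) || Math.Abs(now.ToUnixTimeSeconds() - t) > 300) return false;
        // A valid signature is accepted once; the same key/timestamp/nonce again is a replay.
        return CryptographicOperations.FixedTimeEquals(Encoding.ASCII.GetBytes(Sign(method, url, p, secret)),
            Encoding.ASCII.GetBytes(sig)) && seen.Add(key + ":" + ts + ":" + nonce);
    }

    static void Main() // constructed sample values; 300 s window and in-memory nonce set are assumptions
    {
        var (now, url, seen) = (DateTimeOffset.UtcNow, "https://api.example.test/v1/places", new HashSet<string>());
        var p = new Dictionary<string, string> { ["q"] = "coffee shop", ["oauth_consumer_key"] = "demo-key",
            ["oauth_nonce"] = "n-1", ["oauth_timestamp"] = now.ToUnixTimeSeconds().ToString(),
            ["oauth_signature_method"] = "HMAC-SHA1" };
        p["oauth_signature"] = Sign("GET", url, p, "demo-secret");
        for (int i = 0; i < 2; i++) // the second pass replays the same nonce
            Console.WriteLine(Verify("GET", url, p, k => k == "demo-key" ? "demo-secret" : null, seen, now));
    }
}
```

In an authorization attribute, `p` would be built from the request's query, form and `Authorization` header parameters, and the nonce set would live in a shared store whose entries expire after the timestamp window.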
0

Try this: http://community.codesmithtools.com/CodeSmith_Community/b/tdupont/archive/2011/03/18/oauth-2-0-for-mvc-two-legged-implementation.aspx