6

I want to do authentication in a RESTful web service for every request. I have read about OAuth's scope on the website. What should I store in the database, or which token key or access key needs to be checked against the database? I have a REST web service and an Android app that calls the web service. So, the web service serves as the Service Provider, UserLogin is the User, and the Android application is the Consumer, as described on the OAuth site. So, if the user makes a request from Android like:

    GET /username/a.jpg HTTP/1.1
    Host: localhost:8080
    Authorization: OAuth realm="http://localhost/username/a.jpg",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="nnch734d00sl2jdk",
        oauth_nonce="kllo9940pd9333jh",
        oauth_timestamp="1191242096",
        oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0",
        oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"

But on the server side, which is the web service, how do I check with the database, or which key will be used to check? Is it the signature?

1
  • Are you thinking of doing full authentication for each request, or using OAuth to set up a session that will be used between requests (within the scope of an app, of course)? This matters because OAuth is fairly expensive and REST tends to require many requests. OTOH, auth per request makes it simpler to get clients right and removes a number of attack routes; it's a matter of balancing things… Commented May 19, 2011 at 16:38

1 Answer

4

Read up on http://oauth.net/core/1.0/, specifically Appendix A.2 through A.4. It describes the "handshake" that takes place when a service fails to get access, then redirects the user to the authentication website, then is returned back to the callback URL.

As you asked, in A.4, yes, the service then examines the signature and replies with an access token.
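What the server stores and checks on each signed request, as an added example that is not part of the question or the answer: the consumer secret and token secret are looked up by `oauth_consumer_key` and `oauth_token`, the HMAC-SHA1 signature is recomputed from them, and the timestamp and nonce are checked for replay. The header values in the question are the sample values from OAuth Core 1.0 Appendix A, so the two secrets below are that appendix's sample secrets; the dicts standing in for database tables, `verify_request`, `MAX_SKEW` and the user name are assumptions.

```python
import base64, hashlib, hmac, re
from urllib.parse import quote, unquote

# Stand-ins for database tables. Keys are the question's header values; the
# secrets are the OAuth Core 1.0 Appendix A sample secrets that go with them.
CONSUMER_SECRETS = {"dpf43f3p2l4k3l03": "kd94hf93k423kf44"}
TOKENS = {"nnch734d00sl2jdk": ("pfkkdhi9sl3r4s00", "userlogin")}  # token -> (secret, user)
SEEN_NONCES = set()  # (consumer_key, token, timestamp, nonce) already accepted
MAX_SKEW = 300       # seconds of clock skew tolerated (assumed policy)

SAMPLE_HEADER = ('OAuth realm="http://localhost/username/a.jpg", '
    'oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="nnch734d00sl2jdk", '
    'oauth_nonce="kllo9940pd9333jh", oauth_timestamp="1191242096", '
    'oauth_signature_method="HMAC-SHA1", oauth_version="1.0", '
    'oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"')

def enc(value):
    """Percent-encode as OAuth requires (only RFC 3986 unreserved chars stay)."""
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the signature base string, keyed with both secrets."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def verify_request(method, url, query, header, now):
    """Return the user the access token belongs to, or None to reject."""
    oauth = {k: unquote(v) for k, v in re.findall(r'(\w+)="([^"]*)"', header)}
    consumer_secret = CONSUMER_SECRETS.get(oauth.get("oauth_consumer_key"))
    token_secret, user = TOKENS.get(oauth.get("oauth_token"), (None, None))
    ts = oauth.get("oauth_timestamp", "")
    if consumer_secret is None or token_secret is None or not ts.isdecimal():
        return None
    if oauth.get("oauth_signature_method") != "HMAC-SHA1" or abs(now - int(ts)) > MAX_SKEW:
        return None
    replay_key = (oauth["oauth_consumer_key"], oauth["oauth_token"], ts, oauth.get("oauth_nonce"))
    if replay_key in SEEN_NONCES:
        return None
    # Everything in the header except realm and the signature itself is signed,
    # together with the query parameters (duplicate names not handled here).
    signed = {k: v for k, v in oauth.items() if k not in ("realm", "oauth_signature")}
    signed.update(query)
    expected = sign(method, url, signed, consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
        return None
    SEEN_NONCES.add(replay_key)  # remember only requests that verified
    return user
```

The question's header verifies only for the specification's own request (`GET http://photos.example.net/photos` with `file=vacation.jpg` and `size=original`), not for `/username/a.jpg`, because the method, URL and parameters are all part of the signed base string. The client therefore has to compute a fresh signature, nonce and timestamp for every request.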
