doumi7861 2013-08-02 15:57
Views 55
Accepted

OAuth for an API used by multiple services

I'm currently developing an API for phpBB as part of my Google Summer of Code project. The point of the API is to enable developers to create applications that connect to phpBB boards.

The user needs a proper way to authenticate (obviously it's a bad idea to have the user input his username and password directly into the application), and I've been considering multiple ways of doing this.

I've already done my own kind of implementation, but people I've talked to say I should rather use OAuth. I've been reading up on OAuth for a week now, but I'm not entirely sure how it should be used in this case. What I gather from three-legged OAuth is that the application developer has to register his application at the service to receive a consumer token prior to getting a client token. This isn't really possible because the developer can't really register his application on all the phpBB boards.

I've been thinking about whether the application could automatically fetch a consumer token from the server and then a client token, but to me that sounds like it defeats the point of three-legged OAuth.

I've read a bit about two-legged OAuth, but from what I gather you aren't supposed to use that for authentication, and it's more for internal applications?

The authentication system I've implemented so far is like this:

  1. Application requests an authentication token and a signing token from the phpBB board
  2. The user is prompted to visit the authentication page on the phpBB board with the tokens as parameters
  3. The application verifies with the phpBB board that the tokens are valid; the user would have to tell the application to do this after going through the authentication phase in the browser
  4. When doing a request, say /api/forums/2/topics, the application would add the authentication token and a serial to the request: /api/forums/2/topics?auth_token=token&serial=2, where the serial is an ever-increasing number to stop replay attacks. Then the application hashes the request using HMAC-SHA256 and appends it to the request as another GET parameter. The server does the same hashing to see if it's correct. This way attackers can't forge requests unless they got their hands on the signing token at the initial exchange.

I'm trying to figure out if I should rather try to implement OAuth instead of this, while trying to learn about OAuth. To be short: How would OAuth work spanning multiple services without having the developer register for each service?
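The signing scheme from step 4, worked through as an added Python example (not the poster's code and not phpBB's): the client sends auth_token and serial and signs the request with HMAC-SHA256, and the board recomputes the MAC, compares it in constant time and rejects any serial that does not increase. The canonical form being hashed (method, path, sorted query parameters without the signature), the token values and the parameter name `sig` are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode
# Constructed sample tokens standing in for those handed out at the initial exchange.
AUTH_TOKEN = "demo-auth-token"
SIGNING_TOKEN = b"demo-signing-token-keep-secret"

def canonical_string(method, path, params):
    """What both sides hash (assumed form): method, path and the query
    parameters sorted by name, with the signature parameter left out."""
    items = sorted((k, str(v)) for k, v in params.items() if k != "sig")
    return f"{method.upper()}\n{path}\n{urlencode(items)}"

def sign_request(signing_token, method, path, params):
    """Client side: append the HMAC-SHA256 of the canonical request as 'sig'."""
    msg = canonical_string(method, path, params).encode()
    signed = dict(params)
    signed["sig"] = hmac.new(signing_token, msg, hashlib.sha256).hexdigest()
    return signed

class BoardServer:
    def __init__(self, signing_tokens):
        self.signing_tokens = signing_tokens  # auth_token -> signing token
        self.last_serial = {}                 # auth_token -> highest serial accepted

    def verify_request(self, method, path, params):
        auth = params.get("auth_token")
        token = self.signing_tokens.get(auth)
        if token is None:
            return False, "unknown auth_token"
        msg = canonical_string(method, path, params).encode()
        expected = hmac.new(token, msg, hashlib.sha256).hexdigest()
        # Constant-time compare, and check the MAC before touching any state.
        if not hmac.compare_digest(expected, params.get("sig", "")):
            return False, "bad signature"
        # Replay protection: the serial must strictly increase per auth token.
        serial = int(params.get("serial", 0))
        if serial <= self.last_serial.get(auth, 0):
            return False, "replayed serial"
        self.last_serial[auth] = serial
        return True, "ok"

def demo():
    server = BoardServer({AUTH_TOKEN: SIGNING_TOKEN})
    path = "/api/forums/2/topics"
    req = sign_request(SIGNING_TOKEN, "GET", path, {"auth_token": AUTH_TOKEN, "serial": 2})
    first = server.verify_request("GET", path, req)      # valid request
    replay = server.verify_request("GET", path, req)     # same request again
    forged = server.verify_request("GET", path, dict(req, serial=3))  # bumped, not re-signed
    return first, replay, forged
```

Because the MAC covers the method and path, a captured signature for one endpoint cannot be re-pointed at another; the per-token serial store has to live server-side and advance only after the MAC verifies.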


1 answer

  • dongluobei9359 2013-08-02 19:30

    If there's no centralized service, OAuth is probably not the right choice. Even if you allowed devs to dynamically create the application entry for a given instance, they'd still need to be registered on each one themselves first so you know who to associate the OAuth application with.

    Maybe something like HTTP Signatures would suit your needs better?

