Web Connection
WWWC as an OAUTH Server
Gravatar is a globally recognized avatar based on your email address. WWWC as an OAUTH Server
  Michael B
  All
  Jan 16, 2020 @ 06:14am

Rick,

I am working on an Alexa Skill as a wrapper to my WWWC app. A developer I am working with suggested that to 'do this right' that I setup my application to be an OAUTH server (not a client). Any suggestions on how I do that, or do I need to do that in .net instead of the vfp stack?

Michael

Gravatar is a globally recognized avatar based on your email address. re: WWWC as an OAUTH Server
  Rick Strahl
  Michael B
  Jan 16, 2020 @ 11:24am

I'm not sure what that means in this context. Why would you want to run as an oAuth service? You would authenticate users?

If you really need an oAuth server, there are products that provide this as a standalone. In the .NET Space there's Identity Server which provides a federated authentication solution for user management and which includes oAuth support.

I can't imagine you'd want this though. Setting up oAuth in an application is a pain, and typically if you do use it you want use a provider that everybody is using so you get the benefit of the single sign on. For a one off oAuth is way to much hassle (on both ends) to be worth it.

+++ Rick ---

Gravatar is a globally recognized avatar based on your email address. re: WWWC as an OAUTH Server
  Michael B
  Rick Strahl
  Jan 16, 2020 @ 11:34am

In the authentication relationship I am trying to describe, the parent is my WWWC app. My app will get a call from Amazon, who is making th call on behalf of a third party. That third party has an account in my app. I need to tie the two together. Amazon's platform does not like doing this in an old fashioned way, for example 'provide your account id and user and password directly'. Amazon's OAUTH client needs to call my OAUTH server.

It was suggested to me already to use an existing open source OAUTH server and use it as a proxy. The main reason I love WWWC is because we do it all in our world, and can see exactly what is going on. I would rather not hand off security to some black box that I just trust.

Is that more clear?

Gravatar is a globally recognized avatar based on your email address. re: WWWC as an OAUTH Server
  Rick Strahl
  Michael B
  Jan 16, 2020 @ 11:59am

Can it be done with Web Connection? Pretty sure it can. Is going to be easy? No... oAuth requires a bunch of low level message semantics, token creation and security related message encryption etc. which you would likely integrate via .NET (with wwDotnetBridge).

I don't know exactly what's involved but there's a reason why there are dedicated applications that provide that sort of functionality - it's not a small job to get this right, plus the specs are confusing with all the back and forth messaging. And even then it seems each oAuth implementation tends to be slightly different in naming and integration with other tools.

Possible perhaps, but probably not worth the time and effort to get it right.

+++ Rick ---

© 1996-2020