I've researched OAuth2 the last couple of days, but there's one thing I can't wrap my head around.
I'm planning on having my API (resource server) at api.example.com and my authorization server at example.com (http://ift.tt/PdEoyW, http://ift.tt/1jxwxrh).
The plan is to have:
- a web client
- a mobile app
- and potentially allow 3rd party access to the API through the Code Grant,
with the API being the center of all this.
At the same time, I'd like to host the web client also at example.com. To my understanding, the authorization server needs to authenticate the resource owner before it authorizes by making the resource owner grant access to the client.
Now, I'm guessing I would have to do some kind of session/cookie based authentication to remember the resource owner, so that if he visited through a 3rd party client, he wouldn't need to log in if he was already logged in through the web client at example.com.
Now to the real question: how does the web client at example.com consume the API at api.example.com on the resource owner's behalf? Does the authorization server (still at example.com, same as the web client) have to juggle both some OAuth token to interact with the API and some session/cookie login, to make sure that the user doesn't have to log in again to authorize a 3rd party client if he's already logged in to the web client?
Would it be smarter to move the authorization server to a separate instance, e.g. auth.example.com? If so, how would that work out in regard to both the web client and 3rd party clients (as in, if the resource owner is logged in to the web client, the resource owner doesn't have to log in to grant access, because he's already logged in)?
I hope my question comes out clear enough for an answer. I'll be implementing it in PHP, but my question for the sake of it is not language specific.
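The layout the question describes, modelled end to end as an added example (this is not code from the question or from any OAuth2 library): an authorization server on example.com that keeps the browser session in a cookie, a first-party web client on the same host, a third-party client using the authorization code grant, and a resource server on api.example.com that only accepts bearer tokens. It is written in Python rather than PHP because the question is language-agnostic; the user, client IDs, secrets, redirect URIs and the two lifetimes are constructed values, and the `state` check, redirect_uri registration and single-use codes are standard RFC 6749 behaviour that the question itself does not mention.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL, TOKEN_TTL = 60, 3600   # seconds a code / an access token stays valid (assumed values)

@dataclass
class AuthorizationServer:
    users: dict                                    # username -> password (constructed sample data)
    clients: dict                                  # client_id -> {secret, redirect_uris, first_party}
    sessions: dict = field(default_factory=dict)   # cookie -> username (the browser session)
    codes: dict = field(default_factory=dict)      # code -> grant details, single use
    tokens: dict = field(default_factory=dict)     # access token -> {user, client_id, exp}

    def login(self, username, password):
        """Resource-owner login at example.com; returns the session cookie value."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = username
        return cookie

    def authorize(self, client_id, redirect_uri, state, session_cookie=None, consent=False):
        """Authorization endpoint: returns ("login", None), ("consent", None) or ("redirect", url)."""
        client = self.clients[client_id]
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")  # never redirect to an unknown URI
        user = self.sessions.get(session_cookie)
        if user is None:
            return ("login", None)       # no session cookie: authenticate the user first
        if not client["first_party"] and not consent:
            return ("consent", None)     # third parties need an explicit grant from the user
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "exp": time.time() + CODE_TTL}
        return ("redirect", redirect_uri + "?" + urlencode({"code": code, "state": state}))

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: exchanges a single-use code for a bearer access token."""
        if not secrets.compare_digest(self.clients[client_id]["secret"], client_secret):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "client_id": client_id,
                              "exp": time.time() + TOKEN_TTL}
        return token

    def introspect(self, token):
        """What api.example.com asks the AS on every request (or verifies in a signed token)."""
        info = self.tokens.get(token)
        return None if info is None or info["exp"] < time.time() else info

def api_profile(auth, authorization_header):
    """Resource server at api.example.com: accepts a valid bearer token, never the session cookie."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, None
    info = auth.introspect(authorization_header[len("Bearer "):])
    return (401, None) if info is None else (200, {"user": info["user"], "via_client": info["client_id"]})

def run_flow():
    """Walks both clients through the flows and returns what happened at each step."""
    auth = AuthorizationServer(
        users={"alice": "correct horse battery staple"},   # constructed sample user
        clients={"web": {"secret": "web-secret", "first_party": True,
                         "redirect_uris": ["https://example.com/callback"]},
                 "thirdparty": {"secret": "tp-secret", "first_party": False,
                                "redirect_uris": ["https://partner.invalid/cb"]}})
    out = {}
    # 1. Third party arrives before any login: the AS has no session, so login is required.
    out["no_session"] = auth.authorize("thirdparty", "https://partner.invalid/cb", "s1")[0]
    # 2. The resource owner logs in through the web client at example.com.
    cookie = auth.login("alice", "correct horse battery staple")
    # 3. First-party web client: same session, no consent screen, code grant completes silently.
    _, url = auth.authorize("web", "https://example.com/callback", "w1", cookie)
    web_code = parse_qs(urlparse(url).query)["code"][0]
    web_token = auth.token("web", "web-secret", web_code, "https://example.com/callback")
    out["web_api"] = api_profile(auth, "Bearer " + web_token)
    # 4. Third party in the same browser: no re-login, only the consent decision remains.
    out["tp_needs_consent"] = auth.authorize("thirdparty", "https://partner.invalid/cb", "s2", cookie)[0]
    _, url = auth.authorize("thirdparty", "https://partner.invalid/cb", "s2", cookie, consent=True)
    q = parse_qs(urlparse(url).query)
    out["state_ok"] = q["state"][0] == "s2"   # the client checks state before redeeming the code
    tp_token = auth.token("thirdparty", "tp-secret", q["code"][0], "https://partner.invalid/cb")
    out["tp_api"] = api_profile(auth, "Bearer " + tp_token)
    # 5. Misuse: replaying the code, and presenting the session cookie to the API instead of a token.
    try:
        auth.token("thirdparty", "tp-secret", q["code"][0], "https://partner.invalid/cb")
        out["replay"] = "accepted"
    except PermissionError:
        out["replay"] = "rejected"
    out["cookie_at_api"] = api_profile(auth, "Cookie " + cookie)[0]
    return out
```

The split the model makes is the answer to the "juggling" question: the session cookie lives only on the authorization server's host and is consulted only at the authorization endpoint, while api.example.com sees nothing but bearer tokens. The first-party web client is just another client that happens to skip the consent screen; it still goes through the code grant to get a token. Moving the authorization server to auth.example.com changes the host the cookie is scoped to, not the flow. In a real deployment the resource server would verify a signed token or call an introspection endpoint over HTTPS rather than share memory with the authorization server as this stand-in does.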