I am creating an API (Restlet, GAE) and implemented OpenId for authentication and OAuth2 to protect access to the API. When testing this from a client web app that I built, everything is fine. When the user hits a part of the web app that wants access to the API, the user is asked to login via OpenId and then is asked to grant access to the web app to grab resources from the API.
However, I noticed that the web app doesn't know who the user is (!). All the web app has is an auth token. Thus, the web app can't say "Hello, username", since it doesn't know who the user is.
With Restlet technology, the authentication is essentially:
// Authentication code
OpenIdVerifier verifier = new OpenIdVerifier(OpenIdVerifier.PROVIDER_YAHOO);
verifier.addRequiredAttribute(AttributeExchange.EMAIL);
Authenticator au = new MyRedirectAuthenticator(getContext(), verifier, null);
While the following handles both authentication and OAuth2 authorization:
// Authentication + OAuth code
OAuthParameters params = new OAuthParameters("2345678901", "secret2", "http://localhost:8888/v3/", roles);
OAuthProxy local = new OAuthProxy(params, getContext());
Initially I was only using the "Authentication + OAuth" in my web app and the authentication was happening "invisibly" (as mentioned above).
I figured that one way around the "problem" is that if the web app handles the authentication "visibly". So I added the Authentication code to the web app. The flow looks the exact same to the user, but the web app is able to capture the user info (email) and all is fine. There doesn't seem to be any conflict with the "both" code either.
Another way around the problem is to add something to the API that would return the user info associated with an authToken (a la Twitter's verify_credentials).
My question: Is the approach I have taken reasonable? Should I use the Twitter approach instead? Or something completely different? (I am pretty new to all this stuff, so it is hard to figure out if I am choosing a solution that seems to work, only to hit a brick wall later on).
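The second option mentioned in the question (a verify_credentials-style lookup on the API) comes down to the resource server keeping a record of which user each access token was issued to, and exposing only that identity to the bearer of a valid token. The example below is added here to illustrate that pattern; it is not code from the question, the answer, or the Restlet project, and it uses only the Java standard library rather than Restlet's OAuth classes. The token store, the `Grant`/`Credentials` types, the e-mail addresses and the client id are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/** Stand-in for the resource server's OAuth2 token store (constructed example, not Restlet code). */
public class VerifyCredentialsExample {

    /** What the resource server records when it issues an access token. */
    static final class Grant {
        final String subject;    // user identity learned via OpenID (the e-mail attribute)
        final String clientId;   // the web app the token was issued to
        final Instant expiresAt;
        Grant(String subject, String clientId, Instant expiresAt) {
            this.subject = subject; this.clientId = clientId; this.expiresAt = expiresAt;
        }
    }

    /** The only fields a client may learn about the token's owner: no password, no OpenID session data. */
    static final class Credentials {
        final String subject;
        final String clientId;
        Credentials(String subject, String clientId) { this.subject = subject; this.clientId = clientId; }
    }

    // Tokens are stored by SHA-256 hash so that a leaked store does not yield usable bearer tokens.
    private final Map<String, Grant> grantsByTokenHash = new HashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Issues an opaque bearer token for (subject, clientId); only the hash of the token is kept. */
    String issueToken(String subject, String clientId, Duration lifetime, Instant now) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        grantsByTokenHash.put(hash(token), new Grant(subject, clientId, now.plus(lifetime)));
        return token;
    }

    /** The verify_credentials lookup: a valid, unexpired token maps to its owner's identity, anything else to empty. */
    Optional<Credentials> verifyCredentials(String token, Instant now) {
        if (token == null || token.isEmpty()) return Optional.empty();
        Grant g = grantsByTokenHash.get(hash(token));
        if (g == null || !now.isBefore(g.expiresAt)) return Optional.empty();
        return Optional.of(new Credentials(g.subject, g.clientId));
    }

    /** Revocation removes the hash, so a later lookup of the same token fails. */
    boolean revoke(String token) {
        return grantsByTokenHash.remove(hash(token)) != null;
    }

    /** What the client web app can now say once it has asked the API who the token belongs to. */
    static String greeting(Optional<Credentials> creds) {
        return creds.map(c -> "Hello, " + c.subject).orElse("Hello, stranger");
    }

    private static String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    public static void main(String[] args) {
        VerifyCredentialsExample api = new VerifyCredentialsExample();
        Instant now = Instant.parse("2012-01-01T00:00:00Z");          // constructed clock
        // The resource server learned the user's e-mail via OpenID and issued a token to client "2345678901".
        String token = api.issueToken("alice@example.com", "2345678901", Duration.ofHours(1), now);

        System.out.println(greeting(api.verifyCredentials(token, now)));                     // Hello, alice@example.com
        System.out.println(greeting(api.verifyCredentials("not-a-real-token", now)));        // Hello, stranger
        System.out.println(greeting(api.verifyCredentials(token, now.plus(Duration.ofHours(2))))); // expired -> Hello, stranger
        api.revoke(token);
        System.out.println(greeting(api.verifyCredentials(token, now)));                     // revoked -> Hello, stranger
    }
}
```

The lookup returns only the subject and the client id; the resource server never hands the client anything it used to authenticate the user, which is the point made in the answer about the client not learning the user's login or password. Expiry and revocation are checked on every call, so a client that caches the greeting is the only thing that can go stale.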
The short answer is that when a client web app gets permission to access OAuth resources on behalf of a user, the client web app isn't supposed to know anything about the user (login, password, etc.). If the client web app wants to know who the user is, it can provide authentication.
I have implemented the above scheme with Restlet and Google App Engine, allowing the user to authenticate to the resource server via OpenId and also adding Google Authentication for the web client app (just so it can give a "hello" message). All seems fine.