Home » Developers » Shapeways API » Could we have OAuth 2.0 with generic access tokens?
Search Search  
Show: Today's Messages    Show Polls    Message Navigator
Could we have OAuth 2.0 with generic access tokens? [message #69333] Thu, 06 June 2013 20:48 UTC Go to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
It's much simpler for many cases. bit.ly's API is a good example. They use OAuth 2.0 which uses SSL to guarantee security and all that's necessary for most requests is an access_token parameter. You can jump through the hoops of getting an access token for the end-user if you need to, but for applications that will only be using the application's user (the one that owns the app) it's much easier to just store a generic access token.

For example, the specific case that I'm thinking of is as follows:

The site myawesome3dprintingsite.com allows you to design awesome 3D models with just a few clicks by their users. To make money the site publishes the users' creations to My Awesome 3D Printing Shapeways shop, where the user can be directed to order it. There shouldn't be a need for an OAuth handshake in this example. myawesome3dprintsite.com should be able to have an access token stored on their server which would be provided to any Shapeways API calls. The end-user isn't involved until they are directed to an item on Shapeways, so an OAuth handshake isn't necessary.

Anyway, I think this sort of setup would allow more people to get off the ground faster. I bring up bit.ly because when you create an application there it provides you with an access token that you can immediately use to get up and running.


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69379 is a reply to message #69333 ] Fri, 07 June 2013 11:12 UTC Go to previous messageGo to next message
avatar hans.lambermont  is currently offline hans.lambermont
Messages: 51
Registered: June 2010
Go to all my models
Member
I work here
Hi jallwine,

We can add OAuth-2, or OAuth-3 when it arrives, side-by-side with OAuth-1.

OAuth-2 may look simpeler than OAuth-1 for specific use cases but it really is a much broader and more complex framework than OAuth-1.

Only a very limited subset of OAuth-2 may be considered simpeler than OAuth-1, but then the API would not really be OAuth-2 anymore as it is
not complete.

The generic access token idea can be used in OAuth-1 as well : in your example the myawesome3dprintingsite.com has its regular OAuth-1 Consumer
Key but also requests an Access Token. This is the generic access token.
The Access Token is used by myawesome3dprintingsite.com to upload its users' creations to the "My Awesome 3D Printing Shapeways shop" at
Shapeways. There is no OAuth exposure to the myawesome3dprintingsite.com users here.
Set the model upload to Shapeways to 'private' and use the secretKey which the API returns with which the user can get access to the model to order it.

-- Hans
Re: Could we have OAuth 2.0 with generic access tokens? [message #69388 is a reply to message #69379 ] Fri, 07 June 2013 13:06 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
Well, the idea would be that you wouldn't need to request it in code. You'd be able to just copy it from the same page that you copy the app key and secret and possibly even revoke it and get another one if needed. They you wouldn't really even need to know anything about OAuth, you could just make requests with your access token to use the API.

But anyway, since that's not an option currently, how does a server request an access key from Shapeways? Doesn't it still need to jump through the same hoops that a user would have to? So the server would make a request for an access token, it would get redirected to login and then asked for permission to allow the app access and then you'd finally have an access token? Or is there an end point that can avoid the redirect loop by logging in directly?


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69395 is a reply to message #69388 ] Fri, 07 June 2013 13:42 UTC Go to previous messageGo to next message
avatar hans.lambermont  is currently offline hans.lambermont
Messages: 51
Registered: June 2010
Go to all my models
Member
I work here
Hi jallwine,

Here's a workaround for you :
- Download the API reference clients from https://github.com/Shapeways/shapeways-api
- Save the Consumer Key you got from http://developers.shapeways.com/manage-apps and save it in php-pecl/consumer_key.php
- Use php-pecl/Authorize-oauth1-pecl.php to get an Access Token

Use this Access Token as a generic Access Token together with the Consumer Key in myawesome3dprintsite.com to use the Shapeways API.
The users of myawesome3dprintsite.com do not have to deal with anything OAuth and can order the models you uploaded to Shapeways for them (from myawesome3dprintsite.com) via the secretKey feature.

-- Hans
Re: Could we have OAuth 2.0 with generic access tokens? [message #69399 is a reply to message #69395 ] Fri, 07 June 2013 14:05 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
This seems like a security hole to me. Since the API isn't over SSL the access token and key is sent in plain text so then anyone who knows how to sniff packets could gain access.


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69403 is a reply to message #69399 ] Fri, 07 June 2013 14:54 UTC Go to previous messageGo to next message
avatar hans.lambermont  is currently offline hans.lambermont
Messages: 51
Registered: June 2010
Go to all my models
Member
I work here
Hi jallwine,

That is correct. Though the private key parts of the Consumer Key and the Access Token are only transmitted once ever, and in your case only between Shapeways and myawesome3dprintsite.com . The RFC has this to say on the matter "the server MUST require the use of a transport-layer mechanisms such as TLS or Secure Socket Layer (SSL) (or a secure channel with equivalent protections)." Securing this is on my todo-list. Here's more on OAuth1 security -> http://tools.ietf.org/html/rfc5849#section-4

Btw, you might be interested to know that Oauth-2 is considered less secure than OAuth-1 by the former OAuth-2 lead author, see http://en.wikipedia.org/wiki/Oauth#Controversy

-- Hans
Re: Could we have OAuth 2.0 with generic access tokens? [message #69405 is a reply to message #69403 ] Fri, 07 June 2013 15:07 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
Hm, well I'm not all that concerned with the specifics. I've just used OAuth 2.0 in the past and it requires SSL. If you feel OAuth 1 is better, that's fine by me, but adding SSL would make me feel a lot better! Any idea when that might get rolled out?


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69409 is a reply to message #69403 ] Fri, 07 June 2013 15:38 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
Also, I understand that the private key is only transmitted once, but does the access token need to be sent every time? And the access token gives a lot of permissions to anyone with it. So ideally, that would be transmitted over SSL.


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69410 is a reply to message #69405 ] Fri, 07 June 2013 15:38 UTC Go to previous messageGo to next message
avatar hans.lambermont  is currently offline hans.lambermont
Messages: 51
Registered: June 2010
Go to all my models
Member
I work here
Hi jallwine,

We're certainly looking into improving the security as well as the user and developer experience.
Adding a subset of OAuth-2 has always been an interesting option and I hope we do get to adding it.
The OAuth-1 generic Access Token procedure I described above should allow you to proceed. Right ?

-- Hans
Re: Could we have OAuth 2.0 with generic access tokens? [message #69411 is a reply to message #69410 ] Fri, 07 June 2013 15:40 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
Yes, thanks you! This will definitely get me started.


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69413 is a reply to message #69409 ] Fri, 07 June 2013 15:46 UTC Go to previous messageGo to next message
avatar hans.lambermont  is currently offline hans.lambermont
Messages: 51
Registered: June 2010
Go to all my models
Member
I work here
jallwine wrote on Fri, 07 June 2013 15:38

Also, I understand that the private key is only transmitted once, but does the access token need to be sent every time?


The Access Token consists of a public/private keypair. Only the public key is transmitted on every API request, together with the public key part of the Consumer Key. The private key parts are used to digitally sign the API call and the Shapeways server validates the signature on every request.
This is in fact much like how SSL/TLS works.

-- Hans
Re: Could we have OAuth 2.0 with generic access tokens? [message #69414 is a reply to message #69413 ] Fri, 07 June 2013 15:52 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
I'm not sure I follow what you're saying. If I sent you the access token that I just had generated and the consumer key of my app you would have complete access to the Shapeways API using my account. Don't I need to include both those in every request I make to the API in plain text?


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69421 is a reply to message #69414 ] Fri, 07 June 2013 16:39 UTC Go to previous messageGo to next message
avatar hans.lambermont  is currently offline hans.lambermont
Messages: 51
Registered: June 2010
Go to all my models
Member
I work here
Hi jallwine,

jallwine wrote on Fri, 07 June 2013 15:52

I'm not sure I follow what you're saying. If I sent you the access token that I just had generated and the consumer key of my app you would have complete access to the Shapeways API using my account. Don't I need to include both those in every request I make to the API in plain text?


No Smile Here's why : The Consumer Key consists of a public part and a private part. Once myawesome3dprintsite.com has them it will never expose the private part to anyone. The Access Token also consist of a public part and a private part. Also for the Access Token once myawesome3dprintsite.com has them it will never expose the private part to anyone The private parts are only used to digitally sign the entire API request, that is it calculates a signature string of the API call with them and adds that signature string to the API call. So the private part of the Consumer Key and of the Access Token stay 'private' at myawesome3dprintsite.com . I hope this helps. If not feel free to ask new quesions Smile

-- Hans
Re: Could we have OAuth 2.0 with generic access tokens? [message #69422 is a reply to message #69414 ] Fri, 07 June 2013 16:41 UTC Go to previous messageGo to next message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
I think I'm just stuck in an OAuth 2.0 mindset. I'm used to just forming my own GET requests than I can easily test just by going to a given url in a browser or REST client. With OAuth 1.0 I guess I'm stuck using an OAuth client?


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com
Re: Could we have OAuth 2.0 with generic access tokens? [message #69423 is a reply to message #69422 ] Fri, 07 June 2013 17:09 UTC Go to previous message
avatar frknsweetknots  is currently offline frknsweetknots
Messages: 21
Registered: March 2011
Go to my shop
Junior Member
Alright, I found a chrome app called Postman which can do the OAuth signature calculations for quick debugging. I'm up and running! Thanks Hans Smile


Freakin' Sweet Knots - 3D printed woven jewelry http://freakinsweetapps.com

 
   
Previous Topic:Looking for experienced programmer to design app (webgl, java) for web and mobile
Next Topic:Convert Inventor Files

Logo

Hello.

We're sorry to inform you that we no longer support this browser and can't confirm that everything will work as expected. For the best Shapeways experience, please use one of the following browsers:

Click anywhere outside this window to continue.