Sweet!

http://groups.google.com/group/37signals-api/browse_thread/thread/86b0da52134c1b7e


> OAuth 2 is a standard way for third-party apps to get authorized access to
> a user's account without needing to copy/paste API keys or ask users for
> sensitive usernames and passwords.


> We've added OAuth 2 directly to 37signals ID, so your apps can authorize a
> 37signals ID once then access any of its accounts on any product.


> The typical flow for a web app:

>   1. Your app requests authorization by redirecting your user to Launchpad:

>       https://launchpad.37signals.com/authorization/new?type=web_server&cli...

>   2. We authenticate their 37signals ID and ask whether it's ok to give
>      access to your app.

>       Example of what this screen looks like:
>       https://launchpad.37signals.com/authorization/new?type=web_server&cli...

>   3. We redirect the user back to your app with a time-limited verification
>      code.

>   4. Your app makes a backchannel request to redeem the verification code
>      for an access token: POST
>      https://launchpad.37signals.com/authorization/token

>   5. We authenticate your app and issue an access token.

>   6. Your app uses the token to authorize API requests to any of the
>      37signals ID's accounts.


> To get info about the 37signals ID you authorized and the accounts you have
> access to, make an authorized request to
> https://launchpad.37signals.com/authorization.json (or
> /authorization.xml).


> OAuth 2 implementation notes:

>   * Start by reading the draft spec at
>     http://tools.ietf.org/html/draft-ietf-oauth-v2 and trying the client
>     libraries at http://wiki.oauth.net/OAuth-2

>   * We implement draft 5 and will update our implementation as the final
>     spec converges, so be prepared for changes along the way.

>   * We support the web_server and user_agent flows, not the
>     client_credentials or device flows.

>   * We issue refresh tokens. Use them to request a new access token when
>     yours expires (2 week lifetime, currently).

>   * We return more verbose errors than what's given in the spec to help with
>     client development. We'll move these to a separate parameter later.


> Register your app at https://integrate.37signals.com to get started!

-- 

Jeremy Kemper

37signals
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
