I've been using the Facebook Graph API (uses oauth 2.0 for authentication) successfully for a while now. I now need to write my own API which allows developers to connect to it in a similar fashion. I've looked into various libraries but i'd like something a little leaner so i've decided to roll my own. Looking at the code i have to authenticate a user on facebook it looks relatively simple but please correct me if i'm going off track.
First i would need to provide a secure page which the consumer would need to redirect to. eg https://api.mydomain.com/oauth/authorize?client_id=CONSUMER_KEY&redirect_url=CALLBACK_URL. The user would verify the application then i would redirect back to the url provided in the callback url with the oauth_token in the query string. I suppose i could just generate a random unique string here for the oauth_token and store it against the user for this particular consumer (EDIT: Please see the answer below, this should be unique for each consumer application and not the user).
That's step 1 out the way. I now need to provide a second secure page which the consumer would trigger a web request to. eg https://api.mydomain.com/oauth/access_token?client_id=CONSUMER_KEY&client_secret=CONSUMER_SECRET&oauth_token=OAUTH_TOKEN_RETURNED_ABOVE. This would allow the consumer to exchange the oauth_token returned above for an access token. I would again simply generate a random unique string and store it against the user for this particular consumer.
Now my API would accept the access_token for methods which try to grab information specific to the user who is using it.
I'd like to know if i've understood things correctly. The OAuth 2.0 spec seems extremely trivial if that's the case. Also why do we have to exchange the oauth_token with an access_token? I have my own idea but i'd appreciate it if someone could help clarify this.
I'd really appreciate your feedback as i don't wish to go ahead and waste hours implenting this when it's completely wrong.
Thanks
Actually protocol flow diagrams would be extremely helpful for visualizing specs like that of OAuth 2 but there are only some partials works out there. As I've just implemented a client-side only OAuth 2 library, I can verify that you're on the right track. But here is a catch:
oauth_token belongs to your client application (i.e. a desktop facebook reader) which authenticates your application (just like an ID). You submit this to get back a access_token, which is specific to your application and logged in user, which allows you to access restricted resources related to the user.
Here is a basic desktop app authentication process (taken from: http://developers.gigya.com/020_Developer_Guide/85_REST/OAuth2)
Actually a flow digram with timeline (from top to bottom, taken from: http://www.ibm.com/developerworks/web/library/wa-oauthsupport/?ca=drs-)
And finally the full procedure is: (taken from http://h2anetwork.org/ProjectDocs/DPI/DPI_Framework.html)