What OAuth protocol is this API using and is there a standard OAuth Library I can use to authenticate with it?

0
votes

I have come across this private API that authenticates using OAuth API (Not sure what version or flavor of OAuth it is). My working knowledge of OAuth isn't that great so I need some directions to sort this out.

Here's how I was able to to test it manually using Postman/Advance Rest controller Chrome extensions and make a successful query to access a protected resource.

Step 1. Made a POST request to the OAuth Service URL with specific headers. The response includes the OAuth token

Authorization:OAuth oauth_consumer_key="<<key>>",oauth_signature_method="PLAINTEXT",oauth_signature="<<secret>>%26"

Here's an example response format. The response includes the OAuth token and the Oauth token secret (Both of which I need to use to access the protected resource in the next step)

oauth_token=<<token>>&oauth_token_secret=<<secret>>&oauth_session_handle=JN-eMMx1z_Tpy3sFrgzVsssF9Y_pyJaE&oauth_expires_in=3600&oauth_authorization_expires_in=86400

Step 2. Make a POST/GET request to the protected resource after setting the Authorization header with Key, Secret and OAuth token 

Authorization:OAuth oauth_consumer_key="<consumerKey>",oauth_signature_method="PLAINTEXT",oauth_signature="<consumerSecret>%26<oauth_token_secret>",oauth_token="<oauth_token>"

Now, Here are my questions:

What version of OAuth is this API using?

Is there a standard OAuth client library that does the authentication and lets me query for protected data without me having to manually construct the POST call with headers like above, get the token (by parsing the response and extracting the token), make another POST/GET manual call with another formatted header to access the protected resource? If so how?

I tried scribe-java and extended the DefaultApi20.java but I can't get it to work. Then I wondered if I understand the API version properly. Because this private API gives me just one URL to get the token. Not sure what Authorization URL, Request Token URL & Access Token URL are in this context.

I even tried looking at the Google oauth client library for Java but I can't find an example using it that fits my context. Any help understanding this is appreciated.

1
javaauthenticationoauth
doing a google search for those parameters seems to point towards oauth 1.0...jtahlborn
@jtahlborn Thank you. Are you able to find any standard oauth client libs for java to do the auth?user6123723
there are java libs for oauth 1, yes.jtahlborn
@jtahlborn Would you mind posting an example that gets the protected resource in two steps? First call to get the token, the second to query the resource?user6123723

1 Answers

0
votes

You're using OAuth 1.0. The Scribe library is the way to go with Java: https://github.com/fernandezpablo85/scribe-java. In your case so-called 2-legged authorization is what it needs to do. Here's sample code for 2-legged OAuth 1.0 with Scribe: http://enrico.sartorello.org/blog/2013/08/2-legged-oauth-java-client-made-easy/