Development/OAuth2: Difference between revisions
(Created page with "OAuth2 is a protocol that lets external applications request authentication of the user and authorization to perform actions using the [[Development/XML_Web_Service/Version_2|...") |
No edit summary |
||
Line 5: | Line 5: | ||
=== Registering an application === |
=== Registering an application === |
||
All developers need to [ |
All developers need to [https://musicbrainz.org/account/applications register their application] before getting started. A registered OAuth application is assigned a unique Client I and Client Secret. The OAuth protocol recognizes two types of applications: |
||
# Confidential - Applications that can keep secrets. Typically web applications, running on a server. |
# Confidential - Applications that can keep secrets. Typically web applications, running on a server. |
Revision as of 20:47, 26 October 2012
OAuth2 is a protocol that lets external applications request authentication of the user and authorization to perform actions using the web service on their behalf without getting their password. It is an alternative to HTTP Digest Access Authentication that MusicBrainz currently uses.
Basic steps
Registering an application
All developers need to register their application before getting started. A registered OAuth application is assigned a unique Client I and Client Secret. The OAuth protocol recognizes two types of applications:
- Confidential - Applications that can keep secrets. Typically web applications, running on a server.
- Public - Applications that have their code exposed to the public and therefore cannot keep secrets. There are typically installed desktop applications or web applications running in the browser.
Client Secret assigned to Confidential applications should not be shared. This does not apply to Public applications, in which case the assigned Client Secret is not treated as a secret and can be embedded in the application code.
Obtaining access token
...
Using access token
After an application has obtained an access token, it may use the token in the web service to get user details or submit data to MusicBrainz on the user's behalf. There are two types of access tokens:
- Bearer - Very easy to use, but can be used only over HTTPS.
- MAC - Requires requests to be signed with a secret, but can be used over both HTTP and HTTPS.
Refreshing access token
Access tokens have a limited life-time. During the authorization process, application receives a refresh token, in addition to the first access token. This refresh token allows applications to obtain new access tokens.
Authorization
...
Access token usage
...