Before diving into the actual code, let us review what OAuth is and how version 1.0 differs from version 2.0.
OAuth stands for Open Authorization; the 1.0 specification was released in 2007. Since its release it has become a mainstay of web services and social sites. Led by giants such as Facebook and Twitter, adoption has spread like wildfire. At its core OAuth is simple for users but a headache for developers. It lets a user grant a third-party application access to their account without disclosing their password, and the user can revoke that grant at any time. Thus one application can invoke another application's API, which is mostly a RESTful web service returning XML or JSON. For the invocation to succeed, the calling application must have been registered with the service it is calling and must send the required tokens (and, in version 1.0, a digital signature computed over the request) with each call.
Debate over OAuth 2.0
The version 2.0 specification does not require a digital signature at all. This has made developers' lives much easier but, in my view, has compromised security and caused a huge controversy: the 2.0 access token is a bearer token, so anyone who captures it can replay it against the API, and nothing in the request proves that the caller holds a secret. That is why the specification requires SSL/TLS to protect tokens in transit. Personally I prefer 1.0 for its security.
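To make the difference concrete, here is an added example (mine, not code from the original post, and written in Python rather than Apex) that signs a request the OAuth 1.0 way with HMAC-SHA1 over a normalized base string, verifies it server side, and contrasts that with an OAuth 2.0 bearer header. The consumer key, token, secrets and request parameters are constructed sample values for this example. The point it shows: with 1.0 a tampered or replayed request fails verification because the signature is bound to the method, URL and parameters; with 2.0 the server can only check that it issued the token, so confidentiality of the token (hence TLS) is the whole defence.

```python
"""OAuth 1.0 signed request vs OAuth 2.0 bearer token (added illustration)."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth1_percent_encode(value: str) -> str:
    # RFC 5849 section 3.6: only ALPHA / DIGIT / "-" / "." / "_" / "~" stay unencoded
    return quote(value, safe="-._~")


def oauth1_base_string(method: str, base_url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: encode keys and values, sort, join with '&', then
    # concatenate METHOD & encoded(URL) & encoded(normalized params)
    pairs = sorted((oauth1_percent_encode(k), oauth1_percent_encode(str(v)))
                   for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(),
                     oauth1_percent_encode(base_url),
                     oauth1_percent_encode(normalized)])


def oauth1_hmac_sha1(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # The signing key is the two secrets, each percent-encoded, joined by '&'
    key = f"{oauth1_percent_encode(consumer_secret)}&{oauth1_percent_encode(token_secret)}"
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_sign_request(method: str, url: str, params: dict,
                        consumer_secret: str, token_secret: str) -> str:
    return oauth1_hmac_sha1(oauth1_base_string(method, url, params),
                            consumer_secret, token_secret)


def oauth1_verify(method: str, url: str, params: dict,
                  consumer_secret: str, token_secret: str) -> bool:
    # Server side: strip oauth_signature, recompute from everything else that was
    # received, and compare in constant time. Any change to method, URL or a
    # parameter changes the base string and therefore the expected signature.
    received = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = oauth1_sign_request(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(received.encode(), expected.encode())


def oauth2_bearer_header(access_token: str) -> dict:
    # OAuth 2.0 (RFC 6750): the token itself is the credential, sent as-is
    return {"Authorization": f"Bearer {access_token}"}


def oauth2_verify(headers: dict, issued_tokens: set) -> bool:
    # The resource server can only check that the token is one it issued; the
    # header carries nothing that ties it to this particular URL or parameters,
    # so the same header works on any request until the token is revoked.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and token in issued_tokens


# Constructed sample request for the demonstration (not real credentials)
SAMPLE_URL = "http://photos.example.net/photos"
SAMPLE_CONSUMER_SECRET = "kd94hf93k423kf44"
SAMPLE_TOKEN_SECRET = "pfkkdhi9sl3r4s00"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
    "file": "vacation.jpg",
    "size": "original",
}


def demo() -> dict:
    """Sign the sample request, then show what each protocol detects."""
    sig = oauth1_sign_request("GET", SAMPLE_URL, SAMPLE_PARAMS,
                              SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET)
    signed = dict(SAMPLE_PARAMS, oauth_signature=sig)
    tampered = dict(signed, file="someone_elses.jpg")   # attacker edits a parameter
    bearer = oauth2_bearer_header("EAAB.constructed.token")
    return {
        "oauth1_genuine_ok": oauth1_verify("GET", SAMPLE_URL, signed,
                                           SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET),
        "oauth1_tampered_ok": oauth1_verify("GET", SAMPLE_URL, tampered,
                                            SAMPLE_CONSUMER_SECRET, SAMPLE_TOKEN_SECRET),
        # The bearer header is identical on the genuine and the tampered request,
        # so the server accepts both; only TLS kept the token from being captured.
        "oauth2_replayed_ok": oauth2_verify(bearer, {"EAAB.constructed.token"}),
    }


if __name__ == "__main__":
    print(demo())
```

The base string computation is the part developers get wrong most often (encoding twice, sorting before encoding, forgetting that `:` and `/` in the URL must be encoded); asserting on it against a hand-computed value is the usual way to test a 1.0 client.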
Now let’s start developing for version 2.0.
Initial steps and housekeeping
As mentioned earlier, we must register with the service we intend to invoke. Facebook uses version 2.0 while Twitter and LinkedIn are based on version 1.0. Let us start with Facebook and register at https://developers.facebook.com/apps.
Once the app is registered, Facebook generates a unique App ID (the consumer key) and an App Secret (the consumer secret). We need to save these, along with the URLs used to authorize, authenticate and make API calls. I am going to create a custom object called OAuth_Service__c to store this information, with the following fields and values for Facebook. Treat the consumer secret like a password: restrict the field with field-level security, or keep it in a protected custom setting, so it is not readable by every user who can see the object.
Name: Facebook
AccessTokenUrl__c Text(255): https://graph.facebook.com/oauth/access_token (provided by Facebook; the server-to-server endpoint where the code is exchanged for an access token)
AuthUrl__c Text(255): left empty here; used only for version 1.0
CallBackURL__c Text(255): https://c.na2.visual.force.com/apex/Authservices (the Visualforce page Facebook redirects back to; it must match the redirect URL registered with Facebook)
ConsumerKey__c Text(255): 981657716937450 (fictitious; in real life this is the App ID Facebook provides)
ConsumerSecretKey__c Text(255): bb756kkk674s7709d50998c7 (fictitious; in real life this is the App Secret Facebook provides)
ReqTokenUrl__c Text(255): https://www.facebook.com/dialog/oauth (provided by Facebook; for version 2.0 this is the authorization dialog the user's browser is sent to)
OAuth_Version__c Text(10): 2.0
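As an added example of what each stored value is for (my own illustration, in Python rather than Apex, not code from the original post), the functions below walk the three legs of the version 2.0 flow using a dictionary that mirrors the OAuth_Service__c record above: build the redirect to ReqTokenUrl__c with a random state value, check that state when the browser comes back to CallBackURL__c, and build the request to AccessTokenUrl__c. The key and secret are the fictitious values from the record; the scope, response_type and grant_type parameters follow RFC 6749 and are assumptions about Facebook's endpoint, as is the handling of both a form-encoded and a JSON token response (Facebook answered with access_token=...&expires=... when this was written and with JSON later). Two security points it makes explicit: the secret appears only in the server-side token exchange, never in the URL the browser sees, and a callback whose state does not match the one we issued is rejected as a possible CSRF attempt.

```python
"""OAuth 2.0 authorization-code flow against the stored service record (added illustration)."""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Mirrors the OAuth_Service__c record from the post; key and secret are fictitious
OAUTH_SERVICE = {
    "Name": "Facebook",
    "ReqTokenUrl__c": "https://www.facebook.com/dialog/oauth",
    "AccessTokenUrl__c": "https://graph.facebook.com/oauth/access_token",
    "CallBackURL__c": "https://c.na2.visual.force.com/apex/Authservices",
    "ConsumerKey__c": "981657716937450",
    "ConsumerSecretKey__c": "bb756kkk674s7709d50998c7",
    "OAuth_Version__c": "2.0",
}


def new_state() -> str:
    # Unguessable per-login value; store it in the user's session before redirecting
    return secrets.token_urlsafe(32)


def build_authorization_url(cfg: dict, state: str, scope: str = "email") -> str:
    # Leg 1: browser redirect to ReqTokenUrl__c. Only the public client_id goes
    # here; the consumer secret must never appear in a URL the user can see.
    query = {
        "client_id": cfg["ConsumerKey__c"],
        "redirect_uri": cfg["CallBackURL__c"],
        "response_type": "code",   # RFC 6749; assumed for Facebook's dialog
        "state": state,
    }
    if scope:
        query["scope"] = scope     # assumed parameter name for requested permissions
    return cfg["ReqTokenUrl__c"] + "?" + urlencode(query)


def parse_callback(callback_url: str, expected_state: str) -> str:
    # Leg 2: Facebook sends the browser to CallBackURL__c?code=...&state=...
    # Reject anything whose state we did not issue (CSRF / login-forgery check),
    # and surface an error response instead of treating it as a code.
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in qs:
        raise ValueError("authorization denied: " + qs["error"][0])
    if "code" not in qs:
        raise ValueError("callback carried neither code nor error")
    return qs["code"][0]


def build_token_request(cfg: dict, code: str) -> tuple:
    # Leg 3: server-to-server POST to AccessTokenUrl__c. This is the only place
    # the consumer secret is used, and it is sent over TLS, never via the browser.
    body = {
        "client_id": cfg["ConsumerKey__c"],
        "client_secret": cfg["ConsumerSecretKey__c"],
        "redirect_uri": cfg["CallBackURL__c"],   # must equal the one used in leg 1
        "code": code,
        "grant_type": "authorization_code",      # RFC 6749; assumed for Facebook
    }
    return cfg["AccessTokenUrl__c"], body


def parse_token_response(body: str) -> tuple:
    # Accept either shape: form-encoded access_token=...&expires=... (what
    # Facebook returned at the time) or a JSON object per RFC 6749.
    body = body.strip()
    if body.startswith("{"):
        data = json.loads(body)
        if "error" in data:
            raise ValueError("token endpoint error: " + json.dumps(data["error"]))
        return data["access_token"], data.get("expires_in")
    qs = parse_qs(body)
    if "access_token" not in qs:
        raise ValueError("token endpoint returned no access_token: " + body[:80])
    expires = int(qs["expires"][0]) if "expires" in qs else None
    return qs["access_token"][0], expires


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(OAUTH_SERVICE, state))
    # Constructed callback, as the browser would hit the Visualforce page
    code = parse_callback(OAUTH_SERVICE["CallBackURL__c"] + "?code=AQDconstructed&state=" + state, state)
    print(build_token_request(OAUTH_SERVICE, code))
    print(parse_token_response("access_token=EAABconstructed&expires=5183944"))
```

In Apex the same three legs map onto the Visualforce page named in CallBackURL__c: the page action builds the redirect, the return visit reads code and state from ApexPages.currentPage().getParameters(), and an HttpRequest callout performs the token exchange.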
We will discuss the use of the callback URL and the Visualforce page in detail when we look at the authentication flow in the next blog post.
If interested, follow my tweets for alerts.