
Clarification on oAuth implementation

Open. bradwilladsen opened this issue 7 years ago • 1 comment

We are looking to implement OAuth 1.0a into our LRS and I would like for someone to verify my understanding of the spec.

  • The table outlining the various scenarios for OAuth support here seems to imply both 3-legged (Known user) and 2-legged (Unknown user) OAuth implementations. Is this correct? If so, does the LRS only need to support one of these methods to be compliant?
  • The No Application/Known user case is really just Basic auth, and has no relation to OAuth.
  • The User Unknown/Application Is Registered section is confusing with the "OAuth token steps are not invoked". Can I get more clarification on what this means?

The endpoints outlined here appear to be specific to a 3-legged implementation. Can someone clarify my interpretations of these endpoints?

  • The endpoint /OAuth/initiate provides an application token (even though it says temporary token) for a specific consumer key.
  • Once you obtain your application token, call /OAuth/authorize with your scopes as query parameters, and an authorization header outlining the user credentials to generate a new authorization token. This new token should be persisted in some fashion as it contains the relationship between this user, token and their scopes.
  • To obtain a token to access the LRS, call /OAuth/token with an authorization header to generate the token (that probably has some sort of expiration on it) with the authorization token from the previous step (/OAuth/authorize). This token also needs to be persisted for the protected resource so it can verify the signature.
  • The LRS (protected resource) verifies the signature from the request using the token information that was persisted in the previous request (/OAuth/token).

Thanks in advance!

bradwilladsen, May 23 '18 13:05
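The last bullet of the post, the protected resource verifying the request signature against persisted token data, as an added Python example that is not part of the thread or of the xAPI-Spec project. It implements the LRS-side HMAC-SHA1 check from RFC 5849 with timestamp and nonce replay checks; the token store, consumer secret, URL and query values are constructed samples, and scope enforcement against the requested resource is assumed to happen in the endpoint itself.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote, urlsplit

# Hypothetical persisted store for tokens issued by /OAuth/token: secret plus the
# scopes granted at /OAuth/authorize. All values below are constructed samples.
TOKEN_STORE = {"access-token-1": {"secret": "tokensecret", "scopes": {"statements/read"}}}
CONSUMER_SECRET = "consumersecret"  # secret registered for the consumer key (constructed)
SEEN_NONCES = set()  # (nonce, timestamp) pairs already accepted, for replay detection

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, query, oauth_params):
    # RFC 5849 section 3.4.1: METHOD&base-URL&normalised(query + oauth_* params)
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    params = list(query) + parse_qsl(parts.query, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_url), pct(norm)])

def sign(method, url, query, oauth_params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with consumer secret and token secret (RFC 5849 section 3.4.2)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, url, query, oauth_params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_request(method, url, query, oauth_params, now=None, window=300):
    """LRS-side check of a signed request; returns (ok, reason)."""
    now = time.time() if now is None else now
    token = TOKEN_STORE.get(oauth_params.get("oauth_token"))
    if token is None:
        return False, "unknown token"
    if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
        return False, "unsupported signature method"
    if abs(now - int(oauth_params.get("oauth_timestamp", 0))) > window:
        return False, "timestamp outside window"
    nonce_key = (oauth_params.get("oauth_nonce"), oauth_params.get("oauth_timestamp"))
    if nonce_key in SEEN_NONCES:
        return False, "replayed nonce"
    expected = sign(method, url, query, oauth_params, CONSUMER_SECRET, token["secret"])
    # constant-time comparison so signature mismatches do not leak timing
    if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
        return False, "bad signature"
    SEEN_NONCES.add(nonce_key)  # only record the nonce once the request is fully accepted
    return True, "ok"
```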

@bradwilladsen based on the call, it sounds like you're likely trying to integrate with a customer of ours, so it makes sense for us to take this off of GitHub and presumably set up a thread or meeting with our mutual customer to work through this. You can email me at [email protected]

bscSCORM, Jun 06 '18 18:06