Tuesday, 26 June 2012

The OAuth Administration Steps

In my last blog I summarised the point of OAuth: your application needs to get hold of an Access Token so that it can access your users' private data held by a Software as a Service (SaaS) provider such as Twitter or Facebook, without your users ever having to hand your application their credentials.

This blog looks at the setup steps your application must go through before it can take part in an OAuth flow at all. By "setup steps" I mean, at this stage, a fairly boring piece of administration that you have to complete, but don't worry, there isn't that much to it.

Before you can get hold of that prized Access Token, you have to get the SaaS provider, such as Twitter, to give your app permission to request tokens from its OAuth server. To do this you need to:
  1. Set up a user account with the SaaS provider. Most people already have their own Twitter, Facebook or Sina Weibo account, but in this case you will generally want to create one on behalf of your company or client rather than tying the app to somebody's personal account.
  2. Once you have an account, go to the provider's developer page and find the link that usually says something like "Create new App". Although it's not usually put in these terms, what you're actually doing is registering your application as a user of the SaaS provider's OAuth service, and what you get in return is something like a user name and password for your app. The application's user name is generally referred to as a key, whilst its password is referred to as a secret; different SaaS providers use slightly different names. For example, Facebook calls them the App ID (or App Key) and App Secret; Twitter calls them the Consumer Key and Consumer Secret; and Sina Weibo calls them the App Key and App Secret. Whatever it's called, the secret is exactly that: keep it out of source control and out of any client-side code, and be prepared to reset it with the provider if it ever leaks.
What do app keys and secrets look like? In reality they're just opaque strings. For example, the Facebook App ID and App Secret used by the Spring Social demos are:

Sample Facebook App ID:      669df6cc9b11c3226b2f3e31b083acb2
Sample Facebook App Secret:  516af1d8f60e8f6364fddca8f0bc46bf

The app key identifies your application to the SaaS provider's OAuth server; it travels in the browser-visible authorisation request, so it is not confidential. The app secret is what proves that a request really comes from your application: in the OAuth 2 authorization code flow, your server presents it, together with the authorization code it has just received, when it asks the provider's token endpoint to exchange that code for an Access Token. That is why the secret must only ever live on your server and never in a web page or mobile client, but more on the flow itself later.
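To make the division of labour between key and secret concrete, here is an added example, written for this post and not taken from the page or from Spring Social, that walks a client through the OAuth 2 authorization code flow against a fake in-process authorization server. The App ID and App Secret are the Spring Social demo values quoted above; the provider endpoints, the redirect URI and the `FakeAuthServer` class are assumptions made up for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values assumed for this example. The App ID / App Secret are the Spring
# Social demo values quoted on the page; the endpoints and redirect URI are
# hypothetical. In a real deployment the secret comes from configuration or
# an environment variable, never from source code.
CLIENT_ID = "669df6cc9b11c3226b2f3e31b083acb2"
CLIENT_SECRET = "516af1d8f60e8f6364fddca8f0bc46bf"
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
REDIRECT_URI = "https://myapp.example/oauth/callback"


def build_authorize_url(state, scope="read"):
    """URL the user's browser is sent to. Only the public client_id appears here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # CSRF guard: checked again when the callback arrives
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


class FakeAuthServer:
    """Minimal stand-in for the provider's OAuth 2 server (constructed for this example)."""

    def __init__(self, registered_apps):
        # client_id -> (client_secret, redirect_uri): what "Create new App" stored
        self.registered_apps = registered_apps
        self.issued_codes = {}  # code -> client_id, single use

    def authorize(self, client_id, redirect_uri, state):
        """Stands in for the user logging in and consenting; returns the callback URL."""
        app = self.registered_apps.get(client_id)
        if app is None or app[1] != redirect_uri:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = client_id
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: authenticate the app with its secret, then redeem the code."""
        app = self.registered_apps.get(client_id)
        # Constant-time comparison so a wrong secret is not distinguishable by timing.
        if app is None or not hmac.compare_digest(app[0], client_secret):
            return {"error": "invalid_client"}
        # A code is bound to the client it was issued to and can be used exactly once.
        if self.issued_codes.pop(code, None) != client_id or app[1] != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


def get_code(server):
    """Front half of the flow as seen from the app: redirect, then handle the callback."""
    state = secrets.token_urlsafe(8)
    build_authorize_url(state)  # in a real app this URL is the redirect sent to the browser
    callback = server.authorize(CLIENT_ID, REDIRECT_URI, state)
    query = parse_qs(urlparse(callback).query)
    if query.get("state", [None])[0] != state:
        raise ValueError("state mismatch: possible CSRF")
    return query["code"][0]


def exchange_code(server, code, client_secret=CLIENT_SECRET):
    """Back half: server-to-server exchange of the code for an Access Token."""
    return server.token(CLIENT_ID, client_secret, code, REDIRECT_URI)


if __name__ == "__main__":
    server = FakeAuthServer({CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})
    code = get_code(server)
    print(exchange_code(server, code))  # access_token + token_type "bearer"
    print(exchange_code(server, code))  # replay: {'error': 'invalid_grant'}
```

Two things the example is built to show: the secret never appears in the browser-visible authorisation URL, only in the server-to-server token request; and the token endpoint rejects a wrong secret (`invalid_client`) before it even looks at the code, and rejects a replayed code (`invalid_grant`). Everything your app has to hold on to after step 2 above is the pair of strings passed to `FakeAuthServer`, and in a real deployment those come from configuration, not source.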

Finally, just as a reference, you can use the links below to register your application with the following providers.


...and there's still more to come on OAuth and Spring Social...
