kypeli/kQOAuth

Example for two-legged authentication

Opened this issue · 4 comments

Some services like Yahoo YQL for example, support making OAuth authenticated queries from server to server without user interaction or any concept of opening a webpage. Does kQOAuth support this, and if so, is there an example anywhere of how to use it in this way?

kQOAuth should be generic enough to support any kind of OAuth transactions. That said, I am not directly familiar with Yahoo YQL. Do you have any docs that I could reference for more information?

But I don't then quite understand how the user authentication part would work. At some point the user should log in with his/her username and password. Normally this happens using a web browser. The whole point is that the initiating party of the OAuth authentication (kQOAuth in this case) should never know the user's real username nor password. So how would this work with Yahoo YQL?

I'm not an expert on OAuth but it is confusing to me as well. Here is the general documentation for YQL:

http://developer.yahoo.com/yql/guide/

In my case I'm using it to retrieve stocks/finance info. This page says there are two URLs you can use to retrieve the data: http://developer.yahoo.com/yql/guide/yql_url.html

The first URL is the public one that does not require OAuth, but has a small limit of 2,000 requests per hour, which is not enough to track stocks in real-time (1 request per second = 3600/hr), so they have an OAuth authenticated URL you can use that has a 20,000 req/hr limit. This is where I get confused.

I thought normally OAuth was only used with end-users in mind (e.g. logging into web services from other applications and giving it access to your information, like for example twitter posts or flickr images), however these pages seem to say that Yahoo also supports server-to-server communications without an end user:

http://developer.yahoo.com/yql/guide/authorization.html
and
http://developer.yahoo.com/yos/glossary/gloss-entries.html#two-legged-authorization

In my case there is no end-user (two-legged authorization), because my application retrieves stock info and stores it in a database without ever having any human interaction at all. In fact there is not even a username or password, I am just accessing their API from a headless server, which they want OAuth authentication for to extend the daily query limit.

Hope this helps.

Ok, I wasn't familiar with the term 2-legged OAuth, but I read this blog post which hopefully explained it to me: http://blog.nerdbank.net/2011/06/what-is-2-legged-oauth.html

As far as I understood it, it's nothing more than executing the first and the third authentication requests of the OAuth flow, leaving the second one out (which is the user logging in to the system).

You should already have your consumer key and consumer secret from Yahoo. Then, looking at the Twitter example of kQOAuth, you do

When this request finishes, you get your access token and secret as response that you will use to query for your final data. You query for the final data with a similar request as you just did when asking for the access token, but replace the token and token secret with the new access token values.

This is just a guess based on the blog post, so I haven't actually tested this :) But as the blog post explains, 2-legged OAuth is normal OAuth, and if this is the case, kQOAuth should be able to handle it.

That said, looking at the code (that I wrote several years ago), it's not the most generic, so this is not a clean solution...

I was able to get it working (albeit not using KQOAuth) by reading this page: http://developer.yahoo.com/forum/OAuth-General-Discussion-YDN-SDKs/OAuth-two-legged-documentation-omission-/1253773254000-104aac85-a511-3985-87b8-36f430730ca4

Apparently YQL wants a 'zero-legged' OAuth. I just created a signature as if I were going to request a temporary token, but the URL I used was the actual YQL request I want to make; no actual token was involved or even passed to the server.

If you know of a way this can be done with kQOAuth I would appreciate any advice you have.
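The signing scheme described in the two comments above (the maintainer's "first and third request" explanation and the zero-legged approach that worked), as an added example that is not kQOAuth's code nor anything from the Yahoo docs: an OAuth 1.0a HMAC-SHA1 request signed with only the consumer key and secret, so the token and token secret are empty and the signing key ends in a bare `&`. It is written in Python rather than Qt so it runs stand-alone, and it also shows the server-side check (constant-time compare plus a timestamp window) that makes such keyless signatures worth anything. The endpoint URL, key and secret are assumed/constructed values, not taken from the thread.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

# Constructed values for this example; the real pair comes from Yahoo's developer console.
CONSUMER_KEY = "ck-example"
CONSUMER_SECRET = "cs-example"
# Assumed (historical) OAuth YQL endpoint; the query is passed separately, not in the URL.
YQL_URL = "https://query.yahooapis.com/v1/yql"

def oauth_encode(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay unescaped."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & enc(scheme://host/path) & enc(sorted 'k=v' pairs joined with '&')."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Encode keys and values first, then sort by encoded key, then encoded value.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_url), oauth_encode(normalised)])

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer_secret)&enc(token_secret); two-legged leaves the token part empty."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def sign_two_legged(method, url, query, consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Return (Authorization header value, oauth params) for a request that carries no token."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**query, **oauth_params})
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    header = "OAuth " + ", ".join(f'{k}="{oauth_encode(v)}"' for k, v in sorted(oauth_params.items()))
    return header, oauth_params

def verify_two_legged(method, url, query, oauth_params, consumer_secret, max_skew=300, now=None):
    """Server side: recompute the signature over the received params and compare in constant time."""
    received = oauth_params.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, {**query, **unsigned}), consumer_secret)
    fresh = abs((now or int(time.time())) - int(unsigned.get("oauth_timestamp", 0))) <= max_skew
    return fresh and hmac.compare_digest(received, expected)
```

Send the header as `Authorization:` on the GET to the endpoint with the same query string; a production verifier would additionally reject a reused nonce within the skew window.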