This video tackles the authentication problem in REST APIs on behalf of users and gives an overview of OAuth, an open standard for authentication.
- [Narrator] Hello and welcome to section two consuming a RESTful API. In the previous section, we learned what a RESTful API is, and how it is implemented over HTTP. In this section we will use Twitter's API to implement a log in flow, and to access a user's Twitter data. We are going to use at authentication in REST API's, namely, we will use OAuth 1.0A to implement a sign in using Twitter functionality. We will use Twitter's REST API to retrieve a user's friends.
Finally, we will save the user's Twitter data to MongoDB using MongoDB's node.js module. Now, we move onto the first video of the section that deals with the OAuth 1.0A standard. By the end of this video, we will know the steps we need to take to allow users to use Twitter to sign into our application. In this video we are going to take a look at what OAuth is, and where it is used. We will learn about the three parties involved in OAuth, then we will look at the authentication flow that the parties must go through.
Finally, we will look at a real world example that uses a desired Twitter log in flow. What is OAuth? OAuth is an open standard for interacting with protected data. OAuth is what allows one application to access another application's data on behalf of a user, without asking for the user's password. For example, when we upload a photo on Instagram, Instagram can also post that photo to our Facebook or Twitter account. Instagram uses OAuth to access our accounts on the other applications.
OAuth is used for sharing data between services, just like Instagram can share photos on Facebook and Twitter. OAuth also enables signing in using other services, for instance, when we sign into an application using Facebook, we give that application access to our Facebook profile. This let's the application create an account for us using our personal information from Facebook. There are three parties involved in OAuth, the client, the server, and the resource owner. The client is an HTTP client that can make authenticated requests.
The application that we are building is considered the OAuth client, even though it may be an express server for the actual application. The server is an HTTP server that can accept authenticated requests. Twitter is considered the OAuth server. The resource owner is the user that has access to the protected resources on the server. The protected resources would be the user's Twitter data. Before the client is authenticated, the resource owner should be able to access the client and the server.
After the client is authenticated, the client will be able to access the protected resources on behalf of the user. In our case, our application will be able to read the user's Twitter data. Note that OAuth access acts in a single direction. In other words, the client has access to a server's data, but the server does not have access to the client's data. This diagram shows that authentication flow. It was taken from OAuth's official website. The first step toward authentication is asking for a request token.
The client asks the server for a request token, and the request, the client includes this consumer key or API key and uses the consumer secret to sign the request. The client also includes a call back URL the server will use later on. This is shown in step A. Once the server verifies the client, it sends back a request token and a secret key, as shown in Step B. The client then redirects the user or resource owner to the authentication URL on the server.
It includes the request token in the URL, so that the server can know which app it is authenticating. This is shown in step C. On a server's website, the user or resource owner is asked to log in and grant permission for the client to access the protected resources. When the client logs in, the server redirects the user to a call back URL that was sent in step A. The server includes a temporary token and a secret as shown in Step D. In step E, the client exchanges this temporary token for an access token.
Once the client gets the access token, it can use that token to access the user's protected resources. To summarize this process, there are three main steps that our client needs to perform. Ask for request token, get temporary credentials, and exchange them for an access token. To see things more clearly, let's take a look at a real world example. We will go to Disqus.com and click on sign up. Disqus offers signing up using Facebook, Twitter, Google plus, and plain old email.
Let's click on Twitter. As we can see here, Disqus has redirected us to Twitter's website. Behind the scenes, Disqus communicated with Twitter to get a request token. We can see the request token here. Let's sign in now, but before we do that, we are going to open the Chrome inspector to see the requests that are being made. Okay, let's sign in.
As we can see here, Twitter redirected us to the call back URL, passing in the temporary credentials. Behind the scenes, Disqus exchanged this key for an access token and got our name and profile picture from Twitter. In this video, we learned what OAuth is, how it works, and where it is used.
This Node.js course gives you an overview of a RESTful API and the logical steps of creating one. It explores three different APIs, focusing on their similarities and differences and how to effectively implement one. Instructor Saleh Hamadeh starts off by defining APIs, showing how they can be built on top of HTTP and listing the properties that make an API RESTful. Learn how to develop Twitter Notes, a sample web application that lets users leave notes for their Twitter friends. Use Twitter's API to implement a login flow and then design a web API. Additionally, get a closer look at several other real-world APIs, and learn some best practices to keep APIs secure, maintainable, and efficient.
- Identifying REST resources
- Setting up the development environment
- Consuming a RESTful API
- Creating an OAuth login request
- Getting an access token
- Saving data in MongoDB
- Building a RESTful API
- Testing user-perceived performance
- Looking at APIs in the real world
- Best practices for building RESTful APIs