Implementing OAuth
OAuth – retrieving an access token
OAuth uses a per-organisation shared secret/access token combination, which prevents access by unauthorised parties. The OAuth service uses version 1 of the OAuth standard (OAuth 1.0). You should choose a suitable OAuth library for your programming language.
There are three steps involved in getting an access token; your OAuth library normally handles these for you:
1. Get the request token.
2. Users manually grant access.
3. Exchange the request token for an access token.
In OAuth there can be three different end points, one for each of the above steps. We implement all three end points with the same URL: http://signin.esd.org.uk/oauth.handler
Before you can get an access token for your application, you need to set up an application key and secret (the consumer key and consumer secret in OAuth terminology). Note that you should never expose your consumer secret.
Use the instructions detailed in your chosen OAuth library, along with the application key, the secret and the end point URL above, to get the access token. Your server's clock must be within a couple of minutes of the current time, otherwise the tokens will not work.
OAuth – accessing the web services
Once you have retrieved the access token as described above, you can use it to access the web services. Your library should provide a method that creates an authorised request: it accepts the access token and automatically adds all the required OAuth parameters to your request. The web service reads these parameters to grant access and to supply any user-specific information.
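As an added example (not code from the esd.org.uk service or from any particular OAuth library), the following Python shows what the "authorised request" step does under the hood for OAuth 1.0 with HMAC-SHA1, together with the server-side check that enforces the timestamp rule above. The 120-second tolerance, the URLs, keys and secrets are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit

MAX_SKEW = 120  # seconds; assumed tolerance for the "couple of minutes" rule (not stated by the service)

def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 section 3.4.1 base string: METHOD&base-URL&normalised query, body and oauth_* params.
    oauth_signature itself is never part of the string it signs."""
    u = urlsplit(url)
    port = "" if u.port in (None, 80, 443) else f":{u.port}"
    base_url = f"{u.scheme.lower()}://{u.hostname.lower()}{port}{u.path}"
    all_params = list(parse_qsl(u.query, keep_blank_values=True)) + list(params)
    pairs = sorted((pct(k), pct(v)) for k, v in all_params if k != "oauth_signature")
    return "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # consumer secret & token secret
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret, now=None, nonce=None):
    """Client side: the oauth_* parameters a library adds for you, plus the Authorization header value."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(now if now is not None else time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1(method, url, list(body) + list(oauth.items()), consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth.items())
    return oauth, header

def verify_request(method, url, body, oauth, consumer_secret, token_secret, now=None):
    """Server side: reject stale timestamps, then recompute and compare the signature in constant time."""
    now = now if now is not None else time.time()
    try:
        if abs(now - int(oauth["oauth_timestamp"])) > MAX_SKEW:
            return False  # clock skew beyond tolerance: the token "will not work"
    except (KeyError, ValueError):
        return False
    expected = hmac_sha1(method, url, list(body) + list(oauth.items()), consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))
```

A production verifier would also record nonces seen within the skew window so that a captured request cannot be replayed before its timestamp expires.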