dev:app_authentication_example
Differences
This shows you the differences between two versions of the page.
dev:app_authentication_example [2016/04/18 15:56] – su | dev:app_authentication_example [2016/04/21 17:04] – su
Line 2: | Line 2: | ||
All Apps must authenticate through the App Store OAuth2 Authorization Server. | All Apps must authenticate through the App Store OAuth2 Authorization Server. | ||
+ | |||
+ | [https:// | ||
+ | |||
+ | OAuth is used extensively on the web already: if you have ever logged into a 3rd party web site using your Facebook, Google, or LinkedIn account, you have already used OAuth. | ||
+ | |||
+ | In addition to using LinkedIn' | ||
Below is a simple example illustrating the [[https:// | Below is a simple example illustrating the [[https:// | ||
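Review bot: the bare link on the third line of this hunk (`[https://`) and the new sentence beginning `In addition to using LinkedIn'` are cut off in this view, so neither the reference target nor the end of that sentence can be checked; confirm the full URL and sentence are present in the saved revision, and give the link a label so readers know what it points to before they click it.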
Line 8: | Line 14: | ||
- | === 1. Registering your Web App === | + | ==== 1. Registering your Web App ==== |
- | == 1.1 Redirect URIs == | + | In order to use the App Store OAuth service, an application must be registered with the App Store. |
- | When registering your App, you will be asked to provide one or more valid Redirect URIs. The Authorization Server will only respond to HTTP requests from registered URIs. This helps prevent [[man-in-the-middle attacks|https:// | + | === 1.1 Redirect URIs === |
+ | |||
+ | When registering your App, you are asked to provide one or more valid Redirect URIs. The Authorization Server will only respond to HTTP requests from registered URIs. This helps prevent [[https:// | ||
Since the HTTP request carries secure information, | Since the HTTP request carries secure information, | ||
- | == 1.2 Application Id and Secret Key == | + | === 1.2 Application Id and Secret Key === |
Upon App registration, | Upon App registration, | ||
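Review bot: the reworded sentence under 1.1 still justifies registered Redirect URIs as a defence against man-in-the-middle attacks, which is imprecise: matching the redirect URI against the registered list stops the authorization response (code or token) from being delivered to a URI the client never registered, whereas protection against interception in transit comes from requiring HTTPS on those URIs, which the truncated sentence `Since the HTTP request carries secure information,` appears to be leading into. Suggest stating the two reasons separately, e.g. "Registered Redirect URIs ensure the authorization response is only delivered to endpoints you control; use HTTPS URIs so the response cannot be read in transit." The link-syntax fix in the same line (URL before the pipe, label after) is correct for this wiki.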
Line 23: | Line 31: | ||
The Secret Key, however, **must** remain confidential. It should only be used server-side (i.e not in the web-browsing client). If a deployed app cannot keep the secret confidential, | The Secret Key, however, **must** remain confidential. It should only be used server-side (i.e not in the web-browsing client). If a deployed app cannot keep the secret confidential, | ||
- | == 1.3 Application Status == | + | === 1.3 Application Status |
Your registered App is given a status. Be sure this is not active until you are satisfied it is fully tested. Once an App is " | Your registered App is given a status. Be sure this is not active until you are satisfied it is fully tested. Once an App is " | ||
+ | |||
+ | === 1.4 Scopes === | ||
+ | |||
+ | OAuth permissions are known as scopes, and are used to control which information about a user an application can access, or restrict the actions that the application can perform on behalf of a user. | ||
+ | |||
+ | When a user is prompted to log into a web site via an OAuth service, the scopes are explained to the user so that they can decide whether or not to proceed. | ||
+ | |||
+ | The App Store' | ||
+ | |||
+ | * **UserInfo** - used to allow an application to access information about a user | ||
+ | * **AccountDebit** - used to allow an application to bill a user for usage | ||
+ | * **DataRead** - used to allow an application to access a user's App Store Connect data | ||
+ | |||
+ | Applications are not obliged to ask for access to all of the above scopes; they can pick and choose the scopes that they require. | ||
- | === 2. Authorization === | + | ==== 2. Authorization |
In your App, create a "Log In" link sending the user to: | In your App, create a "Log In" link sending the user to: | ||
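Review bot: the new 1.4 Scopes section closes with "they can pick and choose the scopes that they require", which reads as a convenience rather than a rule; since **AccountDebit** lets an application bill the user, recommend stating explicitly that an application should request only the scopes it actually needs, and that the consent screen will list every scope requested. Also, the right-hand column shows `=== 1.3 Application Status` and `==== 2. Authorization` without closing `===` / `====` markers; if that is not just display truncation, the headings will not render. Minor: `i.e not` should read `i.e. not`.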
Line 75: | Line 97: | ||
</ | </ | ||
- | === 3. Authenticated Requests === | + | ==== 3. Authenticated Requests |
Now that you have an access token, you can make requests to the App Store API. You can make an API request using cURL as follows: | Now that you have an access token, you can make requests to the App Store API. You can make an API request using cURL as follows: |
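Review bot: `==== 3. Authenticated Requests` shows the same missing closing heading marker as the two headings in the previous hunk; check it before saving. The cURL example introduced by the last line is not visible in this diff, so it cannot be confirmed here that the access token is sent in an `Authorization` header rather than in the URL, where it would be recorded in server logs and browser history; worth verifying in the full revision.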
dev/app_authentication_example.txt · Last modified: 2017/11/21 16:46 by su