I didn't quite get the idea of having different consumer keys for each user.
According to the OAuth spec, a Consumer is a site known by the Service Provider.
So it is wrong if each user has its own Consumer key, imho.

Comments

vladimir.dolgopolov

I investigated the oauth_test module and ran into this issue:

0) Set up 2 Drupal sites: Service Provider with Web Services and OAuth enabled, and Consumer with OAuth and oauth_test enabled. Don't forget to adjust settings on Consumer in 'admin/settings/oauth_test' to Service Provider's domain.
1) Create 1 user ('foo') on Consumer and 2 users on Service provider ('harry' and 'ron').
2) At Consumer 'admin/settings/oauth_test' set 'Consumer information' from 'harry'.
3) Log out from Service Provider
4) Log in as 'foo' to Consumer
5) Click "OAuth test 1 - Token Request" ('oauth_test/request') and click 'Integrate with an external service?'
6) Here enter the login/password of 'harry' (BTW here we can log in as any user, so using a Consumer key for each user is completely unclear to me)
7) We are redirected to 'OAuth test 2 - Token Access' and see keys.
8) Click 'OAuth test 3 - Web Service'. I see here user information for 'ron' instead of 'harry'.

My opinion is to remove the binding between a user and Consumer keys.
Probably I didn't get the idea, and I'll be happy if anyone explains it to me.

vladimir.dolgopolov

I suppose it's Cool-Auth related stuff.

brmassa

Status: Active » Fixed

Vladimir,

Thanks for your interest! I think you didn't get the point. Let's see if I can help.

Consumer is the SITE which will operate on behalf of a user. And the Consumer key is the "key" that site admins/owners must have in order for their site to communicate with the Provider.

But how will the PROVIDER know who might get a Consumer key for their sites? Simple, only Drupal users with a given permission might have a Consumer key and use it in their own sites.

So, "ron" can operate on the Provider site on behalf of "harry". Ron should use the Consumer key on his site, and harry should go there and click on the "Exchange information with Provider site" button or whatever, log in on the Provider site and authorize the Consumer site to operate.

Summary:
* Consumer key is related to a site, yes. BUT we can assume that we can link it to the site owner/admin.
* The site owner must be a Provider (a Drupal site with WS and OAuth modules) user.
* The final user must also be a Provider user, of course.
* The final token will identify the SUM of 4 items: final user, consumer (or Provider user that operates that Consumer site), services allowed and time.

I don't know if I'm clear. Feel free to ask again. (I'm marking it as fixed, but you can change it as you wish.)

regards,

massa
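
A minimal model of the binding summarized in the reply above, added here as an illustration; it is not part of the original thread and not the Drupal OAuth module's code. The `Provider` class, its method names and the service name in the test are hypothetical, and OAuth request signing and the request-token step are left out so that only the token's four bound items (final user, consumer, services, time) are shown.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    user: str            # final user who logged in and authorized
    consumer_key: str    # identifies the Consumer site
    services: frozenset  # services the final user allowed
    expires_at: float    # end of validity (epoch seconds)


class Provider:
    """Toy Service Provider (hypothetical model, assumptions only)."""

    def __init__(self):
        self.consumers = {}  # consumer_key -> Provider user who owns that site
        self.tokens = {}     # token key -> AccessToken

    def register_consumer(self, owner):
        key = secrets.token_hex(8)
        self.consumers[key] = owner
        return key

    def authorize(self, consumer_key, logged_in_user, services, ttl=3600, now=None):
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer key")
        now = time.time() if now is None else now
        key = secrets.token_hex(16)
        self.tokens[key] = AccessToken(logged_in_user, consumer_key,
                                       frozenset(services), now + ttl)
        return key

    def call_service(self, consumer_key, token_key, service, now=None):
        now = time.time() if now is None else now
        tok = self.tokens.get(token_key)
        if tok is None or tok.consumer_key != consumer_key:
            raise PermissionError("token not issued to this consumer")
        if now >= tok.expires_at:
            raise PermissionError("token expired")
        if service not in tok.services:
            raise PermissionError("service not authorized")
        # Act as the user who authorized, never as the consumer key's owner.
        return {"acting_as": tok.user,
                "via_site_of": self.consumers[tok.consumer_key]}
```

The consumer key only selects which site is calling; the identity a service acts as is read from the token, which is the property to check when a call returns the wrong user's data.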

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

xell

This issue seems to be quite old... but actually I have the same question here...

Thanks for brmassa's explanation, here is my opinion:

"But how will the PROVIDER know who might get a Consumer key for their sites? Simple, only Drupal users with a given permission might have a Consumer key and use it in their own sites."

I would say that using a Drupal user is of course one solution, but it does not have to be the only one.
I think the OAuth module can provide a registration interface in which any Application (or say any Application owner) can register itself and get a pair of keys.