I need to know how to handle protected resources with OAuth 1.0a.
I have read the official documentation and seen some implementations but there some points I need to clarify.
1) At this point the Consumer has an approved Access Token linked to a user and the Provider server validates it.
- What would happen if the Access Token is invalid?
- What kind of status code would the Provider server issue?
- If this happens should the Consumer server redirect the user to screen where he can authorize another Token?
2) If the validation of the Access Token is correct, the Consumer and the Provider will exchange information. For example the Consumer will ask the email address of the user and the Provider will provide it.
- What protocol should be used to exchange this information? (Json?)
- Should this information go in the body of the response or in another place?
3) Following the standard should the Access Tokens and the protected information provided be persisted by Consumer server.
Thanks
You probably should have linked the official documentation. But in any case, here are quick answers to your questions.
As per RFC 5849, a Provider should return a 401 (Unauthorized) status code in cases where any of the supplied tokens are invalid.
The term their should have been
can, and notwill. The spec does not mandate any particular information that is required to be transmitted between Provider and Requestor once authentication is complete. This determination is entirely up to the application providerOnce again, there is no requirement mandated by the specification. However it is common practice to store the access tokens retrieved from the Provider. I am not a lawyer (IANAL), but note that saving data retrieved from the Provider, into a third party system, may violate the law.