I’ve created a custom OAuth provider using oauth-plugin. I’d like to create a provider API that gives access to user data, but I’m not sure how to properly construct the API query.
I’ve noticed that several Omniauth strategies, including Twitter, Linkedin, and Vimeo, access user data from their respective APIs via access_token.get, but these calls to the API seem to be generic, rather than specific to a particular user.
Does something within the access_token.get call identify the user to the API? If not, how is the user discerned?
In 3-legged OAuth, the access token identifies and belongs to the user.
I wrote a blog post for using oauth-plugin with rails to create an OAuth provider.
If you follow my tutorial and use oauthenticate :interactive=>false to protect your API, then you will have access to the current_user method which will allow you to treat the user as if they are logged in.

You can read the formal spec at https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-23 Section 4 is related to authentication and is fairly readable.
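To make the answer concrete, here is an added example (not from the tutorial above and not oauth-plugin's own code) of the 3-legged OAuth 1.0a exchange in plain Ruby: the consumer builds the signed parameters that access_token.get sends, and the provider verifies the HMAC-SHA1 signature and resolves the token to its owner, which is how current_user gets populated. The consumer keys, tokens, user names and URL are constructed placeholders.

```ruby
require "openssl"
require "base64"
require "securerandom"

# Constructed token store standing in for oauth-plugin's tables: each access
# token belongs to exactly one user, which is how the provider knows who is calling.
CONSUMERS = { "client-key" => "client-secret" }.freeze
ACCESS_TOKENS = {
  "tok-alice" => { secret: "alice-secret", user: "alice", revoked: false },
  "tok-bob"   => { secret: "bob-secret",   user: "bob",   revoked: true }
}.freeze

# RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars pass through).
def pct(s)
  s.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Signature base string: METHOD & url & sorted, encoded params (oauth_signature excluded).
def base_string(method, url, params)
  norm = params.reject { |k, _| k == "oauth_signature" }
               .map { |k, v| [pct(k), pct(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join("&")
  "#{method.upcase}&#{pct(url)}&#{pct(norm)}"
end

# HMAC-SHA1 over the base string, keyed with consumer secret and token secret.
def sign(method, url, params, consumer_secret, token_secret)
  key = "#{pct(consumer_secret)}&#{pct(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest("sha1", key, base_string(method, url, params)))
end

# Consumer side: the parameters access_token.get attaches to a GET request.
def signed_get(url, consumer_key, consumer_secret, token, token_secret)
  params = { "oauth_consumer_key" => consumer_key, "oauth_token" => token,
             "oauth_signature_method" => "HMAC-SHA1", "oauth_version" => "1.0",
             "oauth_timestamp" => Time.now.to_i.to_s, "oauth_nonce" => SecureRandom.hex(8) }
  params.merge("oauth_signature" => sign("GET", url, params, consumer_secret, token_secret))
end

# Constant-time comparison so signature checking does not leak by timing.
def secure_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Provider side: what oauthenticate :interactive => false does before exposing current_user.
# Verifies the signature, then maps the token to its user; nil means reject the request.
# Timestamp and nonce replay checks are omitted here for brevity.
def user_for_request(method, url, params)
  consumer_secret = CONSUMERS[params["oauth_consumer_key"]]
  token = ACCESS_TOKENS[params["oauth_token"]]
  return nil unless consumer_secret && token && !token[:revoked]
  expected = sign(method, url, params, consumer_secret, token[:secret])
  secure_equal?(expected, params["oauth_signature"].to_s) ? token[:user] : nil
end
```

Note that the request carries no user id at all: the provider derives the user from the token, and a client that adds or changes a parameter after signing fails verification.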