I am interested in developing RESTful JSON data APIs with Sinatra, where an HTML5 / JS application consumes the data API. Obviously the data API needs some form of authentication so that Joe User can only access their own content through the API. It would be nice if I did not have to roll my own authentication and could instead rely on Google / Facebook / Twitter as the identity provider.
I have learned OAuth2 via OmniAuth and can easily wire it into traditional web applications, but when it comes to protecting the JSON API with FB / Twitter / Google, my understanding breaks down because:
- The API should not be the thing handling the redirects of the OAuth2 flow, right?
- When the callback from the identity provider arrives, it will presumably land in the HTML / JS application, right?
Another twist: if I ever wanted to offer third-party developers access to the API through mechanisms unrelated to the website, the OAuth2 redirect flow obviously won't work there.
So, given all of the above, I would have an architecture that looks like this:
[ HTML/JS client ] --- [ JSON API ] --- [ FB/Twitter/Google ]
                            |
                            |
                       [ Developer ]
In fact, what I need is what is described here, except that it is only for Rails:
Any pointers on doing this with Sinatra? Preferably with some specific examples.
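One way to split the two concerns the question raises (the browser completes the OmniAuth redirect flow against the web app, and the JSON API then only ever sees a token the app minted for that identity), shown as an added example that is not from the original post or from Sinatra/OmniAuth themselves. It assumes a hypothetical server secret `API_TOKEN_SECRET`; the same `issue_api_token` could mint long-lived tokens for third-party developers who never go through the redirect flow, and `verify_api_token` is what a Sinatra `before` filter on the API routes would call.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'

# Hypothetical server-side secret: load it from config in a real deployment.
API_TOKEN_SECRET = ENV.fetch('API_TOKEN_SECRET', SecureRandom.hex(32))

# Constant-time comparison so a tampered signature can't be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Called from the OmniAuth callback route (e.g. /auth/:provider/callback) once the
# identity provider has confirmed who the user is. Returns an HMAC-signed,
# time-limited bearer token the HTML/JS client attaches to every API request.
def issue_api_token(provider, uid, ttl_seconds: 3600, secret: API_TOKEN_SECRET, now: Time.now.to_i)
  payload = { 'provider' => provider, 'uid' => uid, 'exp' => now + ttl_seconds }
  body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  "#{body}.#{sig}"
end

# Used by the JSON API: reads an "Authorization: Bearer <token>" header value,
# checks the signature first, then the expiry. Returns the identity hash or nil,
# so the API never has to talk to FB/Twitter/Google or follow any redirect.
def verify_api_token(header, secret: API_TOKEN_SECRET, now: Time.now.to_i)
  return nil unless header && header.start_with?('Bearer ')
  body, sig = header.sub('Bearer ', '').split('.', 2)
  return nil if body.nil? || sig.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, body)
  return nil unless secure_equal?(sig, expected)
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return nil if payload['exp'].to_i <= now
  payload
rescue ArgumentError, JSON::ParserError
  nil
end
```

In a Sinatra app the callback route would store the token in the page the JS client loads (or return it as JSON), and a `before '/api/*'` filter would `halt 401` whenever `verify_api_token(request.env['HTTP_AUTHORIZATION'])` returns nil.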