Safety queries from third-party services

The title probably does not reflect the essence of my confusion. Here is the problem: I am writing a web engine built around an API. All would be well, but the time came when I wanted to work with the APIs of other (unverified) services. The problem is that after registering on a third-party service, the user will be in danger, because the third-party service will be able to perform any action as that user. I know what OAuth and the like are, but I would like to build such a system myself. Can you tell me where to read about it?
October 3rd 19 at 02:20
4 answers
October 3rd 19 at 02:22
The service needs to make the query api.****.su/?token=***&method=***&data=*** with authorization by token. The other service only ever receives the token; the username and password are entered on your website's side.

Read all about it in OAuth — it solves exactly this problem.
I'll dig into the OAuth source. - judge.Litt commented on October 3rd 19 at 02:25
October 3rd 19 at 02:24
Either the third-party server also authenticates with you, or you sign the data, or you send it through a private channel.
Here's the problem: I don't know how to do it, in terms of signing. Maybe you know where it is written about in sufficient detail? - judge.Litt commented on October 3rd 19 at 02:27
Here's a simple example:
The authorization form points to your domain.
Input:
username, password, where to return to (if you want: the token, the lifetime of the request, etc.)
Check the data; if everything is correct, perform the redirect.
Send the receiving side the data:
username, hash = md5(username + a salt known only to you and the receiving side)
The receiving side validates the name and checks the hash. If the hash is correct, it has verified that the user is who he claims to be; if it is invalid, it returns an error code.

I was in a similar situation: to the hash I added the client's IP, its user agent and the token lifetime, and all the data was signed together with the URL of the signer to protect against MITM attacks. - judge.Litt commented on October 3rd 19 at 02:30
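The redirect-and-hash flow described in this answer, with the additions mentioned in the comment (client IP, user agent, token lifetime), as an added example that is not from the answerer. It swaps the answer's md5(username + salt) for an HMAC-SHA256 over all fields keyed with the shared secret, and the secret, addresses and user agent are constructed values.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed demo secret; in practice the two services agree on it out of band.
SHARED_SECRET = b"constructed-demo-shared-secret"
REQUIRED = ("username", "ip", "ua", "exp")


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so issuer and verifier sign the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(username, client_ip, user_agent, ttl, secret, now=None):
    """Issuing side: build the query string that the redirect carries."""
    now = int(time.time()) if now is None else now
    fields = {"username": username, "ip": client_ip, "ua": user_agent, "exp": now + ttl}
    # Keyed hash over every field, so none of them can be changed in transit.
    fields["sig"] = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    return urlencode(fields)


def verify_assertion(query, client_ip, user_agent, secret, now=None):
    """Receiving side: return the username if the assertion checks out, else None."""
    now = int(time.time()) if now is None else now
    params = {k: v[0] for k, v in parse_qs(query).items()}
    sig = params.get("sig")
    if sig is None or any(k not in params for k in REQUIRED):
        return None
    try:
        fields = {"username": params["username"], "ip": params["ip"],
                  "ua": params["ua"], "exp": int(params["exp"])}
    except ValueError:
        return None
    expected = hmac.new(secret, _canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time compare; check the signature before trusting any field.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    if fields["exp"] <= now:          # token lifetime exceeded
        return None
    if fields["ip"] != client_ip or fields["ua"] != user_agent:
        return None                   # presented from a different client
    return fields["username"]
```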
October 3rd 19 at 02:26
Take 2-legged OAuth. It is a very simple solution based on a pre-shared key (a shared password). There are libraries for both the client and the server. My pure PHP code for it (without using any libraries) weighs no more than 10 kilobytes.
October 3rd 19 at 02:28
api.****.su/?method=login.login&data={"email":"****","password":"******"}&sid=SID12345


HTTP, and your password in a GET? What kind of security could possibly be discussed here?

But in general, my advice is to listen to people, use existing solutions and not reinvent the wheel. Especially when inventing it requires knowledge of secure interaction between the various services.
open password in GET
Data is sent in POST. It just can also be sent in GET.

http
Yes, unfortunately, not https

use ready-made solutions
I would like to reach the result not by connecting third-party libraries, but still get there and build it myself. Of course, not the best option for production, but still... - judge.Litt commented on October 3rd 19 at 02:31
