Announcements (#16) - OAuth in .tel (#237)
Hi all, this is an initial announcement for OAuth support in .tel TelHosting. More detailed documentation and samples to come later.
The TelHosting Software will support Open Authentication Web Resource Authorization Protocol (OAuth WRAP) to provide a mechanism for 3rd party client applications to manage data in .tel domains on behalf of their owners safely and securely.
OAuth is often compared to a valet key, where the .tel owner can grant access to their .tel domain for a 3rd party service. The service authorized via OAuth operates on the .tel according to the provided level of access until the permissions run out, or until the .tel owner revokes access.
From a .tel owner's perspective, OAuth is a secure way of benefiting from a 3rd party service without the need to provide their CTH credentials. The owner can review the list of currently authorized services via the Settings in the .tel control panel, and revoke access for any service at any time. If a domain is transferred to a different registrar, any 3rd party services will need to be re-authorized to operate on the domain.
For a .tel service developer to start using OAuth in .tel, they need to:
1. Apply for a client ID with Telnic.
To offer an OAuth-based service, the developer needs to apply at dev@… to be added to the list of OAuth-based client applications. Telnic will assess the functionality and reliability of the service. At the time of writing, there are no rigid requirements for successful applications, but the service obtaining OAuth access would need to be useful and beneficial for the community, stable, reliable and secure. Successful candidates will gain access to a sandbox CTH instance with corresponding user credentials, as well as a Client ID for the service.
2. Implement the OAuth authentication procedure.
Once the sandbox is set up, the developer needs to implement the OAuth WRAP authentication algorithm that requests access and obtains the tokens to be used in the operation of the service. The OAuth-based authentication procedure for .tel domains is detailed in the Guide to OAuth in .tel (coming soon) and generally follows the OAuth WRAP standard. When the implementation is complete, Telnic will need to verify the OAuth operation, at which time the service can start offering OAuth-based authentication to customers.
Any client application following OAuth-based authentication will need to configure the access level it requires when gaining access to the .tel domain. The following access levels are available at this time:
- Time-bound: 1 day or unlimited, designed for one-time offers or repetitive operations
- Profile-related only for custom profile switching operations
- Backup-related only for archiving and mass population solutions
- Contacts, keywords and location only for SEO-related or advert management operations
- Full access
When the authorization completes successfully, the system returns a token that the client uses to authenticate all subsequent operations on that .tel domain. As an additional security measure, the token also has an expiration period, which is global for all tokens issued for all services. So, when a token is requested, the system returns the access token to be used, its validity period and a refresh token for the subsequent period. This way, any malicious software obtaining an access token is limited by that token's validity period.
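The token model described above (access levels, a global access-token validity period, a refresh token, and owner revocation), as an added example that is not Telnic's code and predates the Guide to OAuth in .tel: the operation names, the grouping of operations under each access level, the one-hour TOKEN_TTL and the class/method names are all assumptions made for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple
# Operations each announced access level may perform (the grouping is assumed here).
ACCESS_LEVELS: Dict[str, Set[str]] = {
    "profile": {"profile"},
    "backup": {"backup"},
    "seo": {"contacts", "keywords", "location"},
    "full": {"profile", "backup", "contacts", "keywords", "location"},
}
TOKEN_TTL = 3600  # global validity period of every access token (assumed value, seconds)
@dataclass
class Grant:                     # what the .tel owner approved for one client
    domain: str
    level: str
    expires_at: Optional[float]  # time-bound grant; None means unlimited
    revoked: bool = False
class TokenService:
    """Hypothetical issuer plus resource-side checks for .tel OAuth tokens."""
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.grants: Dict[str, Grant] = {}              # refresh_token -> Grant
        self.access: Dict[str, Tuple[str, float]] = {}  # access_token -> (refresh_token, expiry)
    def _issue(self, rt: str) -> Tuple[str, int, str]:
        at = secrets.token_urlsafe(32)
        self.access[at] = (rt, self.now() + TOKEN_TTL)
        return at, TOKEN_TTL, rt  # access token, its validity period, refresh token
    def authorize(self, domain: str, level: str, days: Optional[int] = None):
        # Owner approves a client for a domain at one access level, optionally time-bound.
        rt = secrets.token_urlsafe(32)
        self.grants[rt] = Grant(domain, level, None if days is None else self.now() + days * 86400)
        return self._issue(rt)
    def _grant_valid(self, g: Grant) -> bool:
        return not g.revoked and (g.expires_at is None or self.now() <= g.expires_at)
    def refresh(self, rt: str) -> Tuple[str, int, str]:
        # Trade the refresh token for a new access token while the grant still stands.
        g = self.grants.get(rt)
        if g is None or not self._grant_valid(g):
            raise PermissionError("grant expired or revoked; the owner must re-authorize")
        return self._issue(rt)
    def revoke(self, rt: str) -> None:  # owner revokes the service in the control panel
        self.grants[rt].revoked = True
    def check(self, at: str, domain: str, operation: str) -> bool:
        # Resource side: a leaked access token is bounded by TOKEN_TTL, the grant and its scope.
        rt, exp = self.access.get(at, (None, 0.0))
        g = self.grants.get(rt)
        return (g is not None and self.now() <= exp and self._grant_valid(g)
                and g.domain == domain and operation in ACCESS_LEVELS.get(g.level, set()))
```

Injecting a fake clock into TokenService lets the expiry and refresh paths be exercised without waiting for real time to pass.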