One of the biggest challenges facing the WorldShare Platform is putting together a robust infrastructure to support authentication and authorization for our web services. Our initial set of web services was read-only and didn't contain sensitive data. Therefore, when we required authentication at all, we could use a fairly simple authentication model, which merely identified clients making requests to web services. This methodology, which is referred to as WSKey Lite, is probably most familiar to developers using our web services today. A client sends its WSKey as a query parameter to the services that use this method of authentication.
As we've moved forward with exposing additional types of data and functionality, we've needed to support more robust models for authentication and authorization. Some of the factors we've had to include:
In order to meet this diverse set of requirements, OCLC has adopted OAuth 2 for authentication. OAuth 2 is a set of standards and practices for how to authenticate clients to utilize web services. It supports a variety of patterns and "flows" for different types of clients.
Over the next few weeks we’ll be posting more about the different patterns and flows that we’ve chosen to support. The first post will be about the HMAC Signature pattern. The second post will discuss Access Tokens as a means for authentication and authorization. Next there will be a series of posts on OAuth flows for obtaining Access Tokens. Finally we’ll discuss the concept of Refresh Tokens and how they enable clients to maintain a user session over longer periods of time. We hope these posts will help provide a “big picture” view of our authentication infrastructure and the clients and use cases it supports.