Authentication
api.metacpan.org implements an OAuth 2.0 server and holds the user data. It helps a great deal to know the spec, in particular the authorization code grant (http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-4.1).
The user data consists of:

- A unique identifier for the user
- `identity`: the list of authentication providers the user has authorized against. Each entry consists of:
  - `name`: name of the authentication provider (twitter, pause, facebook, et al.)
  - `key`: key provided by the authentication provider that identifies the user
  - `extra`: extra information that is available from the provider
- `access_token`: the list of access tokens, one for each front-end the user is connected with
- `code`: holds the temporary OAuth code
The authentication process works as follows:

1. The user clicks on "Twitter" as authentication method on metacpan.org.
2. She is redirected to api.metacpan.org. The query string includes `client_id=metacpan.org`.
3. The `client_id` is stored in a temporary cookie on api.metacpan.org.
4. If the user is already logged in on api.metacpan.org and a Twitter account is already connected to her account (i.e. included in the `identity` property), go to X.

X. The temporary cookie from (3) is read and the user is redirected to the redirect URI deposited for the client_id metacpan.org. The query string includes a code (stored in the `code` property). metacpan.org then verifies that code by making a server-side request to api.metacpan.org. If the code matches, metacpan.org receives an access_token from the API, which is stored both on metacpan.org in the session cookie and on api.metacpan.org in the `access_token` property, along with the `client_id`.
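The exchange above, modelled end to end as an added example; this is not MetaCPAN's own code. It keeps both sides in one process: an `OAuthServer` standing in for api.metacpan.org (user records with the `identity`, `access_token` and `code` properties) and a `FrontEnd` standing in for metacpan.org (session holding the access token). The registered redirect URI, the client secret used on the server-side verification request, the `/authorize` path and the 60-second code lifetime are assumptions; the page names none of them. The checks a reviewer would look for in such a server are all present: the redirect goes only to the deposited URI, the code is bound to the `client_id` it was issued for, and it is accepted exactly once.

```python
import secrets
import time
from urllib.parse import urlparse, parse_qs

# Constructed example, not MetaCPAN's own implementation.
CODE_TTL = 60  # seconds a code stays valid; assumption, the page gives no lifetime


class OAuthServer:
    """api.metacpan.org side: holds the user data, issues codes and tokens."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"redirect_uri": ..., "secret": ...} (assumed)
        self.users = {}         # user id -> {"identity": [...], "access_token": [...], "code": ...}
        self.codes = {}         # code -> (user id, client_id, issued_at)
        self.tokens = {}        # access_token -> (user id, client_id)

    def add_user(self, uid):
        self.users[uid] = {"identity": [], "access_token": [], "code": None}

    def connect_identity(self, uid, name, key, extra=None):
        self.users[uid]["identity"].append({"name": name, "key": key, "extra": extra or {}})

    def has_identity(self, uid, name):
        return any(entry["name"] == name for entry in self.users[uid]["identity"])

    def authorize(self, uid, client_id):
        """Step X: the user is logged in and the provider is already connected.
        Issue a code and redirect to the *deposited* URI, never a caller-supplied one."""
        client = self.clients[client_id]
        code = secrets.token_urlsafe(24)
        self.codes[code] = (uid, client_id, time.time())
        self.users[uid]["code"] = code
        return f"{client['redirect_uri']}?code={code}"

    def exchange(self, client_id, client_secret, code):
        """Server-side verification of the code. Returns an access token or None."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None                      # unknown client or bad secret: code stays unused
        entry = self.codes.pop(code, None)   # single use: a replayed code is gone
        if entry is None:
            return None
        uid, bound_client, issued_at = entry
        if bound_client != client_id or time.time() - issued_at > CODE_TTL:
            return None                      # code issued for another client, or expired
        user = self.users[uid]
        user["code"] = None
        token = secrets.token_urlsafe(32)
        user["access_token"].append({"client_id": client_id, "token": token})
        self.tokens[token] = (uid, client_id)
        return token


class FrontEnd:
    """metacpan.org side: sends the user to the API and verifies the returned code."""

    def __init__(self, client_id, secret, api):
        self.client_id, self.secret, self.api = client_id, secret, api
        self.session = {}  # what would live in the session cookie

    def login_url(self):
        # the /authorize path is an assumption; the page only names the client_id parameter
        return f"https://api.metacpan.org/authorize?client_id={self.client_id}"

    def callback(self, redirect_url):
        """Handle the redirect back from the API: extract the code, verify it server-side."""
        code = parse_qs(urlparse(redirect_url).query).get("code", [None])[0]
        token = self.api.exchange(self.client_id, self.secret, code) if code else None
        if token is None:
            return False
        self.session["access_token"] = token
        return True


def run_flow():
    """Walk the exchange once, replay the code, and report what each side holds."""
    api = OAuthServer({"metacpan.org": {"redirect_uri": "https://metacpan.org/login/callback",
                                        "secret": "example-client-secret"}})
    api.add_user("user-1")
    api.connect_identity("user-1", "twitter", "12345", {"screen_name": "example"})
    front = FrontEnd("metacpan.org", "example-client-secret", api)

    if not api.has_identity("user-1", "twitter"):
        raise RuntimeError("provider not connected; the page does not describe that branch")
    redirect = api.authorize("user-1", front.client_id)  # step X
    ok = front.callback(redirect)
    replay = front.callback(redirect)  # same code a second time must be refused
    return {"ok": ok, "replay": replay,
            "session_token": front.session.get("access_token"),
            "api_tokens": api.users["user-1"]["access_token"],
            "code_cleared": api.users["user-1"]["code"] is None}


if __name__ == "__main__":
    print(run_flow())
```

The secret check runs before the code is consumed, so a wrong-secret attempt by someone holding a stolen code does not burn the legitimate client's code; the replay protection and the client binding are what make an intercepted code worthless on its own.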