Questions to ask your OAuth provider

1. Do you accept multiple Redirect URIs per client?

  • MobileSmith will provide you with two Redirect URIs, one for use in the platform and one for use in the app. The OAuth provider will need both of these for everything to work smoothly.
  • Usually, the OAuth provider will ask you for a Redirect URI when you register your app with the provider. Some providers, such as Instagram, allow you to enter multiple Redirect URIs at the same time, so you can provide both in a single registration. Other providers, such as SoundCloud, only allow one Redirect URI at a time, so you would need to register twice.

2. What is your base Auth URL?

  • Some providers may call it the “End User Authorization URL”.
  • Example: Instagram’s base Auth URL is https://api.instagram.com/oauth/authorize

3. What is my Client ID?

  • You will need two if your OAuth provider only accepts one Redirect URI per client (see question #1); this is so that you can authenticate while designing the app in the platform and also authenticate when using the app on your device.

4. Is your authentication explicit or implicit?

  • Explicit
    • Sometimes called “server-side”
    • response_type=code
  • Implicit
    • Sometimes called “client-side”
    • response_type=token
  • Some OAuth providers (like Instagram) support both explicit and implicit; some only support one. If your provider supports both, they can advise you on which would work better for your app.

5. What is your Access URL?

  • Only needed for Explicit (see question #4).
  • Sometimes called “Token URL” or “Access Token URL”.

6. What is my Client Secret?

  • Only needed for Explicit (see question #4).
  • You will need two if your OAuth provider only accepts one Redirect URI per client (see question #1); this is so that you can authenticate while designing the app in the platform and also authenticate when using the app on your device.

7. What are my Scope options?

  • The Scope allows you to specify the type of access allowed, such as what data is visible and what actions are permitted.
  • Instagram, for example, by default only allows OAuth users to read data. However, you can use the Scope field to allow users to like, unlike, write comments, etc.

8. Should my app send the Token in the header or the URL?

  • When the device makes a request for a protected resource, it must include the token, and it can do so either in a request header or in the URL.

9. Should the Token be sent as “access_token”?

  • Only needed if the token is sent in the URL (see question #8).
  • “access_token” is the most common.
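The following is an added example, not MobileSmith or provider code, showing how the answers to questions 2, 4, 5, 6, 8 and 9 fit together: the `response_type` that distinguishes explicit from implicit, where each flow hands back its result, the POST to the Access URL that only the explicit flow needs, and the two ways of attaching the token to a resource request. All URLs, ids and secrets are placeholders; the `state` parameter is a standard OAuth 2.0 field the checklist does not mention, included so a callback can be tied to the request that started it.

```python
"""Added example, not MobileSmith or provider code: all URLs and ids are placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

FLOWS = {"explicit": "code", "implicit": "token"}  # response_type per question 4


def build_authorize_url(base_auth_url, client_id, redirect_uri, flow, scope=None, state=None):
    """URL the user is sent to (question 2); redirect_uri must match one registered with the provider."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": FLOWS[flow]}
    if scope:
        params["scope"] = scope  # e.g. the like/comment permissions of question 7; names are provider-specific
    # state binds the callback to this request so an unrelated callback is rejected in parse_callback
    params["state"] = state or secrets.token_urlsafe(16)
    return base_auth_url + "?" + urlencode(params)


def parse_callback(callback_url, flow, expected_state):
    """Explicit returns ?code=... in the query; implicit returns #access_token=... in the fragment."""
    parts = urlsplit(callback_url)
    fields = parse_qs(parts.query if flow == "explicit" else parts.fragment)
    if fields.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this authorization request")
    return fields["code" if flow == "explicit" else "access_token"][0]


def token_exchange_request(access_url, client_id, client_secret, redirect_uri, code):
    """Explicit only (questions 5 and 6): the POST to the Access URL that swaps the code for a token."""
    return {"method": "POST", "url": access_url, "data": {
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": client_id, "client_secret": client_secret}}


def resource_request(resource_url, token, placement, param_name="access_token"):
    """Attach the token in the header or in the URL (questions 8 and 9); returns (url, headers)."""
    if placement == "header":
        return resource_url, {"Authorization": "Bearer " + token}
    if placement == "url":
        sep = "&" if "?" in resource_url else "?"
        return resource_url + sep + urlencode({param_name: token}), {}
    raise ValueError("placement must be 'header' or 'url'")
```

Because the client secret appears only in `token_exchange_request`, the split between what the platform holds and what the app on the device holds follows directly from which flow the provider told you to use.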


Once you have answers for all of the above questions, you are ready to set up OAuth!