secure rest API for running user "apps" in an iframe

Posted by Brian Armstrong on Stack Overflow
Published on 2010-04-04T01:03:39Z Indexed on 2010/04/04 1:13 UTC


I want to let users create "apps" (like Facebook apps) for my website, and I'm trying to figure out the best way to make it secure.

  1. I have a REST API
  2. I want to run the user apps in an iframe on my own site (not a safe markup language like FBML)

I was first looking at OAuth but this seems overkill for my solution. The "apps" don't need to be run on external sites or in desktop apps or anything. The user would stay on my site at all times but see the user-submitted "app" through the iframe.

So when I call the app the first time through the iframe, I can pass it some variables so it knows which logged-in user is using it on my site. It can then use this user session in its own API calls to customize the display.

If the call is passed in the clear, I don't want someone to be able to intercept the session and impersonate the user.

Does anyone know a good way to do this or good write up on it? Thanks!
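The mechanism the question sketches (the host site hands the iframe app a value identifying the logged-in user, and the app presents that value back on its REST calls) is what a signed, app-bound, short-lived "signed request" does. The following is an added example, not code from the question or from any answer on the page: the host mints an HMAC-SHA256 token over a JSON body carrying the user id, the app id and an expiry, passes it to the iframe, and verifies it (constant-time) on every API call. The per-app secret store, the `signed_request` query parameter name and the app URL are assumptions for illustration. One caveat the question itself raises: a MAC stops an interceptor from forging or altering the token, but it does not stop them from replaying a captured one within its lifetime, so the iframe and the API must still be served over HTTPS; the short `ttl` and the app binding only limit the blast radius.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Hypothetical per-app shared secrets (assumption: in practice these live in the
# host's database and are shown to the app author once when the app is registered).
APP_SECRETS = {
    "app-1234": b"replace-with-32-random-bytes-per-app",
}


def _b64url(raw: bytes) -> str:
    """Unpadded base64url, so the token is safe in a query string."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_signed_request(user_id: str, app_id: str, ttl: int = 300,
                         now: Optional[int] = None) -> str:
    """Host side: mint the value handed to the iframe on first load.

    Format: base64url(HMAC-SHA256(app_secret, body)) "." base64url(body)
    The body binds the token to one user, one app, and a short lifetime.
    """
    now = int(time.time()) if now is None else now
    payload = {"user_id": user_id, "app_id": app_id, "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(APP_SECRETS[app_id], body.encode("ascii"), hashlib.sha256).digest()
    return f"{_b64url(sig)}.{body}"


def verify_signed_request(token: str, app_id: str,
                          now: Optional[int] = None) -> Optional[dict]:
    """Run by the app when the iframe loads (with its own secret) and by the host
    API on every call the app makes. Returns the payload, or None if anything is off."""
    now = int(time.time()) if now is None else now
    secret = APP_SECRETS.get(app_id)
    if secret is None:
        return None
    try:
        sig_b64, body = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare: the check must not leak how many bytes matched.
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        payload = json.loads(_unb64url(body))
        if not isinstance(payload, dict) or payload.get("app_id") != app_id:
            return None  # malformed, or minted for a different app
        if not (int(payload["iat"]) <= now < int(payload["exp"])):
            return None  # expired, or issued in the future
        return payload
    except (ValueError, KeyError, TypeError):
        # bad split, bad base64, bad JSON, missing fields: all treated as invalid
        return None


def iframe_src(app_base_url: str, user_id: str, app_id: str,
               now: Optional[int] = None) -> str:
    """Host builds the iframe URL; the token rides in a (hypothetical) query parameter.
    Serve this over https only: the signature stops forgery, not eavesdropping."""
    token = issue_signed_request(user_id, app_id, now=now)
    return f"{app_base_url}?{urlencode({'signed_request': token})}"


def api_current_user(token: str, app_id: str, now: Optional[int] = None):
    """Host REST endpoint the app calls, presenting the token it was handed.
    Returns (http_status, response_body)."""
    payload = verify_signed_request(token, app_id, now=now)
    if payload is None:
        return 401, {"error": "invalid or expired signed request"}
    return 200, {"user_id": payload.get("user_id"), "app_id": app_id}


if __name__ == "__main__":
    src = iframe_src("https://app.example/canvas", "user-42", "app-1234")
    print(src)
    token = src.split("signed_request=", 1)[1]
    print(api_current_user(token, "app-1234"))
```

Because the app receives the token directly from the host page, it can verify the HMAC with its own copy of the secret before trusting `user_id`, and the host API can verify the same token on each request without keeping any per-session state. Anything more than that (letting the app act on the user's behalf from a different origin, or revoking individual apps) is where OAuth-style delegated tokens start to earn their complexity.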

© Stack Overflow or respective owner
