login about faq

Is a 2-legged CkOAuth2 authorization already supported? I only found 3-legged CkOAuth2 doc and samples.

asked Sep 19 '17 at 04:43

Koos's gravatar image


2-legged OAuth2 is a name for the following general sequence of events:

  1. The app sends an HTTP request with a secret of some sort, and the server responds with an access token.
  2. The access token is used as the credential in the web API requests.

The exact specifics of these 2 steps can vary. When you want to implement 2-legged OAuth2, you don't necessarily look for a "2-legged OAuth2 implementation". You want to instead look at the specifics of the steps and then solve each of those smaller problems. In this case, it's easy.

In this case, Step 1 is this:

Authorization Request:

POST /oauth/token HTTP/1.1 Authorization: ** HTTP basic authentication with client_id and client_secret ** Content-Type: application/x-www-form-urlencoded; charset=utf-8 Host: auth.weather.mg Connection: close


Authorization Response:

HTTP/1.1 200 Cache-Control: no-store Pragma: no-cache Content-Type: application/json;charset=UTF-8 Connection: close { "access_token": "JWT_ACCESS_TOKEN", "token_type": "bearer", "expires_in": 3600, "scope": "space separated list of allowed scopes", "domain": "meteogroup", "jti": "id of JWT_ACCESS_TOKEN" }

So this is easy. It's just a matter of sending a POST with Basic Authentication with a URL encoded parameter in the body of the POST. Using Chilkat's CkHttp class, this is what you do (in pseudo-code, applicable in any supported programming language where the syntax and naming might be different)
Http http;
http.Login = "myUsername";
http.Password = "myPassword";
http.BasicAuth = true;
HttpRequest req;
HttpResponse resp = http.PostUrlEncoded("https://auth.weather.mg//oauth/token",req);
string jsonResponse = resp.BodyStr;
Now you have the JSON response and you can parse out the access token and other fields using Chilkat's JsonObject class or any other JSON API.

Step 2 is to send the access token in an Authorization header in web API requests:

GET /observation?location=53,13 HTTP/1.1
Authorization: Bearer JWT_ACCESS_TOKEN
Host: api.weather.mg
Connection: close

If using Chilkat Http, just set the http.AuthToken property equal to the JWT_ACCESS_TOKEN. This adds the "Authorization: Bearer JWT_ACCESS_TOKEN" header field to the request header. That's all..


answered Sep 19 '17 at 09:06

chilkat's gravatar image

chilkat ♦♦

edited Sep 19 '17 at 09:17

The CkAuthGoogle class (or Chilkat.AuthGoogle in C# and other languages) implements 2-legged OAuth2 for service accounts.

If you need 2-legged OAuth2 for something else, then first check and make sure you're not really needing OAuth1, which is technically "2-legged", and Chilkat provides an OAuth1 class.

If you need 2-legged OAuth2 for something else (some other web API), then let us know what it is. OAuth1 is onerous for the application developer because it requires difficult cryptographic computations and canonicalizations to be performed. OAuth2 however, does not require this sort of thing. (3-legged OAuth2 is a pain-in-the-arse for non-web apps because of the required human interaction w/ the account owner through a browser) But 2-legged OAuth2 should simply be a matter of sending the credentials in some form to the server and getting the response containing the access token. The reason for the CkAuthGoogle class is mostly to provide help in dealing with the JSON private key, or the PCKS12 (.p12 or .pfx) container holding the private key.


answered Sep 19 '17 at 08:01

chilkat's gravatar image

chilkat ♦♦

Thanks for your explanation. I need 2-legged OAuth2 for the Weather-API in a native C++/C# Windows application (see also https://github.com/MeteoGroup/weather-api/blob/master/authorization/Authentication.md).


answered Sep 19 '17 at 08:14

Koos's gravatar image


I updated the above post because I forgot to add the line "http.BasicAuth = true".

Also.. ALWAYS make sure to use SSL/TLS with any HTTP request using Basic authentication. Otherwise your login/password is out in the open for anybody to see. This means the URL you pass to PostUrlEncoded must begin as "https://" and NOT "http://".


answered Sep 19 '17 at 09:19

chilkat's gravatar image

chilkat ♦♦

Thanks for your comments. The '2-legged' basic authentication works in a jiffy.


answered Sep 21 '17 at 06:21

Koos's gravatar image


Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Sep 19 '17 at 04:43

Seen: 293 times

Last updated: Sep 21 '17 at 06:21

powered by OSQA