I read the NingApi PDF, section 2.2 on authentication; I am using the PHP classes from GitHub. However, I seem to be able to authenticate that I am me (a developer with access rights to a Ning network), but I can't authenticate that the viewer is the user he claims to be.
Similar to this user's post, I want to get the current user's email when he's viewing an external PHP file. With the API I seem to be able to get any user's email address by passing an id. The only problem is I am not able to actually know whether the user is who he claims to be.
Then I should be retrieving a userToken & id if the user is logged in to that network, or false if not. The user token is relative to my key, and I can use the API to verify with my key, secret, userid & token that the user is who he claims to be. The token expires when a user changes his password and after a given period of time.
This may still not be 100% secure, but imho more secure than just claiming to be userid 3543.
TL;DR: Basically I can't find the doc on how to verify a user is who he claims to be on a Ning network.
Here's my suggestion for the flow:
The user makes an AJAX request (JSONP) to example.ning.com/whoami?consumerKey=MYAPPSCONSUMERKEY
The network checks if the user is signed in and the key is valid, and creates a temporary token based on the consumer key; they know my consumer secret, user data and network-specific parameters/algorithms.
My server sends the consumerKey, consumerSecret & token to the Ning network.
The Ning network responds with success (the user requested a token & it matches based on key & secret) and the user id/data.
The user token expires within a short time frame, or maybe after one use.
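The token flow the poster sketches above, modelled as an added example in Python (it is not Ning's API nor the PHP classes the post mentions): the network side mints an HMAC-signed token bound to the consumer key with a short expiry and a nonce, and the verification step the app server calls checks key, secret, signature, expiry and single use. The function names, the secret registry and the in-memory nonce store are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample registry: what the network side would know about each app.
CONSUMER_SECRETS = {"MYAPPSCONSUMERKEY": "app-secret-constructed"}
USED_NONCES = set()  # single-use enforcement (a shared store in a real deployment)

def issue_token(consumer_key, user_id, now, ttl=60):
    """Steps 1-2 of the proposed flow: the network, having checked that the viewer
    is signed in and the consumer key is valid, mints a short-lived token."""
    secret = CONSUMER_SECRETS.get(consumer_key)
    if secret is None:
        return None  # unknown consumer key: no token
    payload = f"{user_id}|{consumer_key}|{now + ttl}|{secrets.token_hex(8)}"
    mac = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()

def verify_token(consumer_key, consumer_secret, token, now):
    """Steps 3-4: the app server presents key, secret and token; the network confirms
    the token was minted for that key, is unexpired and unused, then returns the user id."""
    expected_secret = CONSUMER_SECRETS.get(consumer_key)
    if expected_secret is None or not hmac.compare_digest(expected_secret, consumer_secret):
        return None  # wrong key/secret pair: caller is not the registered app
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        user_id, key_in_token, expiry, nonce, mac = raw.split("|")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    payload = f"{user_id}|{key_in_token}|{expiry}|{nonce}"
    good_mac = hmac.new(expected_secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if key_in_token != consumer_key or not hmac.compare_digest(good_mac, mac):
        return None  # token minted for another app, or tampered with
    if now > int(expiry) or nonce in USED_NONCES:
        return None  # expired, or replayed
    USED_NONCES.add(nonce)  # burn the nonce so the token is single-use
    return user_id
```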
There are two types of authentication: server-side and client-side.
The team has discussed implementing a client-side authentication scheme that non-Ning websites could embed that gives members a single-sign-on experience. As you can imagine, this is a difficult problem and will take some time to design and implement.
What I recommend you do is use server-side authentication. You will need to create an HTML form that requests the member's email address and password. Upon submission of the form, your server will verify the credentials using the Ning API's /Token endpoint. If you receive a successful response from the /Token endpoint, you can believe who the member is and set up a session (most likely using cookies). For the life of the session you can then trust that the user is who they say they are (assuming their cookies aren't stolen).
We are planning to implement 3-legged OAuth in the future to make server-side authentication more seamless for members. More seamless because members will not need to enter their password to authorize your web application if they are already signed into your Ning site.
Thank you, Devin, for your reply.
I think I understand now where Ning is at and will need to work with what is there.