Topic on Talk:OAuth/Owner-only consumers

Johnywhy (talkcontribs)

Special:OAuthConsumerRegistration/propose says:

Please provide a public RSA key (in PEM format) if possible; otherwise a (less secure) secret token will have to be used.

  • Where can I obtain a public RSA key?
  • Where do I put the private key?
Tgr (WMF) (talkcontribs)

If you are not familiar with how to use RSA keys, you are probably better off not using them (just leave the box empty); the security advantages are not that large. The description should probably be improved to say so (even better would be to have a radio box for RSA vs. hash and only show the textbox when the first option is selected).

Johnywhy (talkcontribs)

"If you are not familiar with how to use RSA keys, you are probably better off not using them"

Let's assume for the moment that I'm intelligent enough to understand it.

Can you answer the questions?

I used PuTTYgen to generate a pair -- can I use that pair?

The site I'm building requires the strongest available security, as the site may be targeted by hackers.

Tgr (WMF) (talkcontribs)

I don't think PuTTY supports PEM but it's been a long time since I last used it.

Johnywhy (talkcontribs)
Tgr (WMF) (talkcontribs)

If it's an RSA key in PEM format, it should work. You can generate other kinds of keys with PuTTY so check your settings.

Johnywhy (talkcontribs)
Tgr (WMF) (talkcontribs)

You need to sign the API requests with it. That's not something you want to do by hand; there are a bunch of OAuth 1 libraries around. The doc page has an example (using oauthclient-php); the relevant part is starting at $api_req = OAuthRequest::from_consumer_and_token.

Johnywhy (talkcontribs)

Thx, but that's server-side PHP.

I want to do the API calls in JavaScript, from the client.

Tgr (WMF) (talkcontribs)

Well, the idea is the same, you just need a different library. You could use ddo/oauth-1.0a for example.
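
An added example, not part of the thread and not code from MediaWiki or ddo/oauth-1.0a: generating an RSA pair in PEM and producing an OAuth 1.0a RSA-SHA1 signature (RFC 5849) with Node.js's built-in crypto module. It assumes the signing runs on a host you control, because the private key must not be shipped in browser-delivered code; the URL, consumer key and token are constructed placeholders, and the SPKI ("BEGIN PUBLIC KEY") PEM form is an assumption about what the registration form accepts.

```javascript
const crypto = require('node:crypto');

// Public PEM goes into the registration form; private PEM stays on the signing host.
function generateConsumerKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },   // assumed accepted form
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

// RFC 5849 section 3.6 percent-encoding (stricter than encodeURIComponent).
function pct(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// RFC 5849 section 3.4.1: METHOD & encoded URL & encoded sorted parameters.
function signatureBaseString(method, baseUrl, params) {
  const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(String(v))])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), pct(baseUrl), pct(normalized)].join('&');
}

// RSA-SHA1 (RFC 5849 section 3.4.3): the private key signs the base string.
function signRsaSha1(baseString, privateKeyPem) {
  return crypto.createSign('RSA-SHA1').update(baseString).sign(privateKeyPem, 'base64');
}

// What the server does with the registered public key.
function verifyRsaSha1(baseString, signatureB64, publicKeyPem) {
  return crypto.createVerify('RSA-SHA1').update(baseString).verify(publicKeyPem, signatureB64, 'base64');
}

function demo() {
  const { publicKey, privateKey } = generateConsumerKeyPair();
  const params = { // constructed placeholder values, not real credentials
    action: 'query', format: 'json', oauth_version: '1.0', oauth_signature_method: 'RSA-SHA1',
    oauth_consumer_key: 'CONSUMER_KEY_PLACEHOLDER', oauth_token: 'ACCESS_TOKEN_PLACEHOLDER',
    oauth_timestamp: Math.floor(Date.now() / 1000),
    oauth_nonce: crypto.randomBytes(16).toString('hex'),
  };
  const base = signatureBaseString('GET', 'https://wiki.example/w/api.php', params);
  const signature = signRsaSha1(base, privateKey);
  return { publicKey, signature, valid: verifyRsaSha1(base, signature, publicKey) };
}
```

The resulting signature is sent as the `oauth_signature` parameter alongside the other `oauth_*` values; only the public PEM is ever handed to the wiki.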

Johnywhy (talkcontribs)
Tgr (WMF) (talkcontribs)
Reply to "Obtaining RSA Key?"