3-Legged OAuth

For Software Partners

Three Legs
Service: MyJohnDeere
MyJohnDeere owns the API & houses the user's data.
Client: Your app
Your app can allow a user to access and/or process their MyJohnDeere data.
Resource owner: the user
A resource owner can be an individual user or a MyJohnDeere Organization that uses your app to access and/or process their data.
How it Works
Request Token
MyJohnDeere gives you a request token, which must be used to make all MyJohnDeere API calls.
User Authorized
The resource owner allows your app to use their data.
Access Token
You (the software partner) use your credentials to get the access token.
What to Do
1 Call the API Catalog. It will contain links to all the URLs you need to obtain your OAuth token.
Get a Request Token
2 Call the oauthRequestToken URI.
Sign the request with your app ID and secret. Pass an oauth_callback parameter in the Authorization header. If you don't have a callback URI, pass oob [1] instead.
3 MyJohnDeere will return your request token and request token secret. Look for oauth_Token and oauth_Token_secret in the response.
Get User Authorization
4 Call the oauthAuthorizeRequestToken URI. Then redirect the user to MyJohnDeere, where they will be prompted to authorize you to use their data.
The link to the URI is included in the API Catalog. Include your request token as a parameter.
5 MyJohnDeere will pass the authorized token and oauth_verifier back to the client.
Note: Do not collect the user's credentials and authorize the client on the user's behalf.
Get the Access Token
6 Call the oauthAccessToken URI.
The link to the URI is included in the API Catalog. Sign the request with your request token and secret, the verifier, and your app ID and secret as parameters.
7 MyJohnDeere will return an oauth_Token and oauth_Token_secret in the response body.
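The signing in steps 2 and 6, as an added example that is not from the original page or from MyJohnDeere. It assumes HMAC-SHA1 signing as defined in RFC 5849, the GET method, and URLs without a query string; the URLs, app ID, secrets, tokens, nonces and timestamp are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    # Encode each pair, sort, join, then encode the joined string once more.
    # Assumes url has no query string and a lowercase scheme and host.
    pairs = sorted((enc(k), enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(method, url, params, app_secret, token_secret=""):
    # Key is "<app secret>&<token secret>"; the token secret is empty in step 2
    key = f"{enc(app_secret)}&{enc(token_secret)}".encode()
    text = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def authorization_header(method, url, params, app_secret, token_secret=""):
    signed = dict(params, oauth_signature=sign(method, url, params, app_secret, token_secret))
    return "OAuth " + ", ".join(f'{enc(k)}="{enc(v)}"' for k, v in sorted(signed.items()))

# Constructed placeholders: real URLs come from the API Catalog, and a real
# client sends a fresh random nonce and the current time on every request.
REQUEST_TOKEN_URL = "https://api.example.invalid/oauth/request_token"
ACCESS_TOKEN_URL = "https://api.example.invalid/oauth/access_token"
STEP2_PARAMS = {
    "oauth_consumer_key": "example-app-id",
    "oauth_signature_method": "HMAC-SHA1",  # assumption, not stated on the page
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "oauth_callback": "oob",
}

if __name__ == "__main__":
    # Step 2: no token yet, so only the app secret keys the signature
    print(authorization_header("GET", REQUEST_TOKEN_URL, STEP2_PARAMS, "example-app-secret"))
    # Step 6: add the request token and verifier, key with both secrets
    step6 = {k: v for k, v in STEP2_PARAMS.items() if k != "oauth_callback"}
    step6.update(oauth_token="constructed-request-token",
                 oauth_verifier="constructed-verifier", oauth_nonce="constructed-nonce-2")
    print(authorization_header("GET", ACCESS_TOKEN_URL, step6,
                               "example-app-secret", "constructed-request-token-secret"))
```

The app secret and token secrets only ever enter the HMAC key; they are never sent in the header itself.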
About Access Tokens:
  • They are valid for up to one year. You will have to request another token if the one you have is invalidated.
  • One token is specific to one client and one resource owner.
  • You should store the access token and secret for each user, so that the user does not need to authorize every request made by the client.
More Resources
[1] Passing oob instead of a callback URI will make the token and verifier appear on the screen. The user will then have to copy that information into the app.