A question about authorizing user #7

Open
langker opened this issue Mar 5, 2015 · 1 comment

langker commented Mar 5, 2015

My website A has GitHub and Google OAuth; it also lets people log in with their own password.

The question is: another website B of mine now must use the accounts of website A, so I have to create a RESTful API so that website B can get the user's profile from website A.

What I find hard is how to make it work well without a password.
Can you give me an idea of how to do it, like the comment on lines 35 and 36 in https://github.com/awatson1978/rest-api/blob/master/webapp/lib/rest/entry.js?

Thank you for helping!


miurahr commented May 2, 2015

I'm just a passerby, but it is an interesting question.

You can provide an 'API token' that is published by website A.

A user who wants to register on website B should log into website A (through an OAuth/OpenID provider) and get an 'API token'. When the user proceeds to log in to website B, website B can connect to website A's REST API with the username and 'API token'.

This can be illustrated as website A publishing an application key in the same way that github.com provides an application key with an MFA setup.

You may want to implement API token authentication instead of the password check in rest-api. After authentication, website A provides a session token for the API, the same as the original implementation here.
This design may be general enough to be one of the standard authentication mechanisms in the Meteor REST API.

For a proof of concept, you can implement API token publication as automated password generation on website A, for users who don't have one, and the user uses it as the password on website B. The REST API can then authenticate the user using the username and password (pseudo API token) without rest-api code modifications.
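
The flow suggested in the comment above, as an added sketch in plain Node.js that is not part of the thread and not code from the rest-api project: website A issues an API token after a normal login, stores only its hash, and exchanges username plus token for a short-lived session token. All function names and the in-memory `Map` stores are hypothetical stand-ins for website A's database.

```javascript
const crypto = require('crypto');

// In-memory stand-ins for website A's collections (assumption for this sketch).
const users = new Map();    // username -> { tokenHash: Buffer | null }
const sessions = new Map(); // sessionToken -> { username, expiresAt }
const SESSION_TTL_MS = 15 * 60 * 1000;

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest();

// Runs on website A after the user has logged in there (password, GitHub or Google OAuth).
// The token is returned once; only its hash is kept, so a database leak does not expose it.
function issueApiToken(username) {
  const token = crypto.randomBytes(32).toString('hex');
  users.set(username, { tokenHash: sha256(token) });
  return token;
}

// Runs in website A's REST login endpoint when website B presents username + API token.
// Returns a session token for later API calls, or null if the pair is not valid.
function loginWithApiToken(username, token, now = Date.now()) {
  const user = users.get(username);
  // Unknown or revoked users are compared against a dummy hash so both paths do the same work.
  const expected = user && user.tokenHash ? user.tokenHash : sha256('');
  const match = crypto.timingSafeEqual(expected, sha256(String(token)));
  if (!user || !user.tokenHash || !match) return null;
  const sessionToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sessionToken, { username, expiresAt: now + SESSION_TTL_MS });
  return sessionToken;
}

// Resolves a session token to a username; expired sessions are dropped.
function userForSession(sessionToken, now = Date.now()) {
  const s = sessions.get(sessionToken);
  if (!s) return null;
  if (s.expiresAt <= now) { sessions.delete(sessionToken); return null; }
  return s.username;
}

// Lets the user withdraw website B's access without changing the password on website A.
function revokeApiToken(username) {
  const user = users.get(username);
  if (user) user.tokenHash = null;
  for (const [key, s] of sessions) if (s.username === username) sessions.delete(key);
}
```

The user's password on website A never reaches website B, and revoking the token cuts off website B without affecting the user's own login.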
