OAuth: Using Tokens with OAuth 1.0a

OAuth uses tokens to represent the authorization granted to the client by the resource owner. Typically, token credentials are issued by the server at the resource owner's request, after authenticating the resource owner's identity credentials (usually using a username and password).

The platform's OAuth Provider feature supports issuing request tokens and access tokens according to the OAuth 1.0a protocol.

The server can facilitate the provisioning of token credentials in many ways.

Below are details of one approach that uses HTTP redirection and the resource owner's user-agent. For each step, there is further information below, including links to documentation for specific API operations.

Provisioning OAuth 1.0a token credentials using HTTP redirection and the resource owner's user-agent

  1. The client application obtains a set of temporary credentials from the server (in the form of an identifier and shared secret). The temporary credentials are used to identify the access request throughout the authorization process. See Get Temporary Credentials below.
  2. The resource owner authorizes the server to grant the client's access request (identified by the temporary credentials).
  3. The client uses the temporary credentials to request a set of token credentials from the server. These token credentials will enable the client to access the resource owner's protected resources. See Get Token Credentials below.

Get Temporary Credentials

Operations: POST /oauth/oauth10/initiate or GET /oauth/oauth10/initiate.

The client obtains a set of temporary credentials from the server by making an authenticated HTTP (GET/POST) request to the Temporary Credential Request endpoint.

Request

Header Description
URL {oauth-provider-url}/oauth/oauth10/initiate
Action GET/POST
Request Headers

Content-Type: application/x-www-form-urlencoded (if POST)

Authorization: OAuth realm=[realm],
  oauth_consumer_key=[Client ID],
  oauth_signature_method=[Signature Method],
  oauth_callback=[Client Redirect URI],
  oauth_timestamp=[Timestamp],
  oauth_nonce=[Nonce],
  oauth_signature=[Signature]

Request Parameters

Header Description
oauth_callback An absolute URI back to which the server will redirect the resource owner when the Resource Owner Authorization is completed. If the client is unable to receive callbacks or a callback URI has been established via other means, the parameter value MUST be set to "oob" (case sensitive), to indicate an out-of-band configuration.
oauth_consumer_key The client identifier.
oauth_signature_method The signature method. For valid values, see OAuth Signature Method (1.0a) values.
realm The domain name for the OAuth provider. For more information, see http://tools.ietf.org/html/rfc2617#section-1.2.
oauth_nonce The random nonce value. The nonce value must be unique across all requests with the same timestamp, client credentials, and token combinations.
oauth_timestamp The timestamp value. Must be a positive integer. The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
oauth_signature

The signature base string: a consistent, reproducible concatenation of several of the HTTP request elements into a single string. The string is used as an input to the signature method.

The signature base string includes the following components of the HTTP request:

  • The HTTP request method (GET or POST).
  • The authority, as declared by the HTTP host field in the request header.
  • The path and query components of the request resource URI.
  • The protocol parameters, excluding the oauth_signature.

The signature base string does not cover the entire HTTP request. Most importantly, it does not include the entity-body in most requests, nor does it include most HTTP entity-headers. The server therefore cannot verify the authenticity of the excluded request components without additional protections such as SSL/TLS or other methods.

Response

oauth_token=[Temporary token identifier]&oauth_token_secret=[Temporary token secret]&oauth_callback_confirmed=true

Response Parameters

Header Description
oauth_token The temporary credentials identifier.
oauth_token_secret The temporary credentials shared secret value.
oauth_callback_confirmed Must be set to true.

Example

oauth_token=hdk48Djdsa&oauth_token_secret=xyz4992k83j47x0b&oauth_callback_confirmed=true

Get Token Credentials

Operations: POST /oauth/oauth10/token or GET /oauth/oauth10/token.

The client obtains a set of token credentials from the server by making an authenticated HTTP (GET/POST) request to the Token Request endpoint.

Request

Header Description
URL {oauth-provider-url}/oauth/oauth10/token
Action GET/POST
Request Headers

Content-Type: application/x-www-form-urlencoded (if POST)

Authorization: OAuth realm=[realm],
  oauth_consumer_key=[Client ID],
  oauth_token=[Request Token],
  oauth_signature_method=[Signature Method],
  oauth_timestamp=[Timestamp],
  oauth_nonce=[Nonce],
  oauth_verifier=[Verification Code],
  oauth_signature=[Signature]

Request Parameters

Header Description
oauth_token The temporary token (request token) received from the OAuth server.
oauth_consumer_key The client identifier.
oauth_signature_method The signature method. For valid values, see OAuth Signature Method (1.0a) values.
realm The domain name for the OAuth provider. For more information, see http://tools.ietf.org/html/rfc2617#section-1.2.
oauth_nonce The random nonce value. The nonce value must be unique across all requests with the same timestamp, client credentials, and token combinations.
oauth_timestamp The timestamp value. Must be a positive integer. The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
oauth_verifier The verification code received from the OAuth server in the authorization step.
oauth_signature

The signature base string: a consistent, reproducible concatenation of several of the HTTP request elements into a single string. The string is used as an input to the signature method.

The signature base string includes the following components of the HTTP request:

  • The HTTP request method (GET or POST).
  • The authority, as declared by the HTTP host field in the request header.
  • The path and query components of the request resource URI.
  • The protocol parameters, excluding the oauth_signature.

The signature base string does not cover the entire HTTP request. Most importantly, it does not include the entity-body in most requests, nor does it include most HTTP entity-headers. The server therefore cannot verify the authenticity of the excluded request components without additional protections such as SSL/TLS or other methods.
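The signature base string described for both the Temporary Credential Request and the Token Request, built and signed here for a token request. This is an added example, not code from the platform; it assumes the HMAC-SHA1 signature method defined in RFC 5849, and the host, client identifier, client secret, nonce and verifier values are constructed. It goes slightly beyond the text by also folding in form-encoded body fields, which RFC 5849 includes in the base string.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value: str) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(value, safe="-._~")

def base_string(method: str, url: str, oauth_params: dict, form_body: str = "") -> str:
    parts = urlsplit(url)
    # Scheme, authority and path only (default-port stripping not handled here).
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Signed parameters: URI query, form-encoded body fields (if any), and the
    # protocol parameters without realm and oauth_signature.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(form_body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]
    normalized = "&".join(
        f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join((method.upper(), pct(base_uri), pct(normalized)))

def sign_hmac_sha1(base: str, client_secret: str, token_secret: str = "") -> str:
    # Key: client secret "&" token secret. The token secret is empty when
    # requesting temporary credentials, because no token exists yet.
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify(base: str, presented: str, client_secret: str, token_secret: str = "") -> bool:
    # Server side: recompute the signature and compare in constant time.
    expected = sign_hmac_sha1(base, client_secret, token_secret)
    return hmac.compare_digest(expected, presented)

# Constructed sample values; the token strings reuse the page's response example.
URL = "https://provider.example/oauth/oauth10/token"
PARAMS = {
    "realm": "provider.example", "oauth_consumer_key": "client-abc",
    "oauth_token": "hdk48Djdsa", "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000", "oauth_nonce": "n0nce7d8f",
    "oauth_verifier": "vc-473f82",
}
BASE = base_string("POST", URL, PARAMS)
SIGNATURE = sign_hmac_sha1(BASE, "client-secret", "xyz4992k83j47x0b")
```

A JSON or other non-form body never enters `base_string`, so altering it leaves the signature valid; that is the gap the paragraph above closes with SSL/TLS.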

Response

oauth_token=[Token identifier]&oauth_token_secret=[Token shared secret]

Response Parameters

Header Description
oauth_token The token identifier.
oauth_token_secret The token shared secret value.

Example

oauth_token=j49ddk933skd9dks&oauth_token_secret=ll399dj47dskfjdk