This wiki is no longer active and is left here for historical purposes. Please visit oauth.net for up-to-date information.

Signed Callback URLs

Page history last edited by eaton.lists@... 8 years, 9 months ago
Changes to OAuth 1.0 are marked in red.

1. Consumer requests request token. Included in the request:

  1. oauth_consumer_key: the Consumer key
  2. oauth_signature_method: the signature method used
  3. oauth_signature: the signature
  4. oauth_timestamp: as defined in OAuth spec
  5. oauth_nonce: as defined in OAuth spec
  6. oauth_version: OPTIONAL. If present, MUST be 1.0. If absent, MUST be assumed to be 1.0
  7. oauth_callback: OPTIONAL. URL to which to return the user after authorization
 

2. Service Provider issues an Unauthorized Request Token. The SP MUST associate the callback URL sent in Step 1 with the request token it issues. It can do that either in local storage, or by encoding the callback URL in the request token in an unforgeable way. Response includes:

  1. oauth_token: the request token
  2. oauth_token_secret: the request token secret
  3. oauth_callback_accepted=1 
 

3. The Consumer sees that the SP supports the oauth_callback URL by checking for the oauth_callback_accepted parameter. The Consumer directs the User to the Service Provider. Parameters include:

  1. oauth_token: OPTIONAL
  2. oauth_callback: REMOVED
 

4. Service Provider Authenticates User and Obtains Consent

  1. as in OAuth spec
 

5. Service Provider Redirects the User Back to Consumer. This only happens if the Consumer sent a callback in Step 1. Included in the request:

  1. oauth_token: REQUIRED
  2. oauth_verifier: REQUIRED. The oauth_verifier MUST be associated with the OAuth consumer and OAuth request token.

6. Obtaining an Access Token. Included in the request:

  1. oauth_consumer_key: the consumer key
  2. oauth_token: the request token obtained in Step 2.
  3. oauth_signature_method: signature method
  4. oauth_signature: the signature
  5. oauth_timestamp: as in the OAuth spec
  6. oauth_nonce: as in the OAuth spec
  7. oauth_version: OPTIONAL. If present, MUST be 1.0. If absent, MUST be assumed to be 1.0
  8. oauth_verifier: REQUIRED. The verifier obtained in Step 5. The Service Provider MUST check that the OAuth verifier was originally issued for the OAuth consumer key and request token.
 

7. Service Provider Grants an Access Token. Included in the request:

  1. oauth_token: the access token
  2. oauth_token_secret: the access token secret
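A Service Provider-side sketch of the "encode the callback URL in the request token in an unforgeable way" option from Step 2, together with the verifier binding required in Steps 5 and 6. This is an added example, not code from the OAuth specification or this wiki; the HMAC-SHA256 construction, the token layout, `SP_KEY` and all function names are assumptions.

```python
import base64, hashlib, hmac, secrets

SP_KEY = secrets.token_bytes(32)  # assumed: secret known only to the Service Provider

def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def mac(*fields: str) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") never collide.
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return b64(hmac.new(SP_KEY, msg, hashlib.sha256).digest())

def issue_request_token(consumer_key: str, callback: str) -> str:
    """Step 2: request token = nonce.callback.tag, tag bound to the consumer key."""
    nonce = secrets.token_urlsafe(16)
    tag = mac("token", consumer_key, nonce, callback)
    return f"{nonce}.{b64(callback.encode())}.{tag}"

def callback_for(consumer_key: str, token: str):
    """Step 5: return the callback from Step 1, or None if the token was altered."""
    try:
        nonce, cb, tag = token.split(".")
        callback = base64.urlsafe_b64decode(cb + "=" * (-len(cb) % 4)).decode()
    except ValueError:  # wrong field count, bad base64, bad UTF-8
        return None
    expected = mac("token", consumer_key, nonce, callback)
    return callback if hmac.compare_digest(tag.encode(), expected.encode()) else None

def issue_verifier(consumer_key: str, token: str) -> str:
    """Step 5: verifier tied to this consumer key and request token."""
    # Not shown: recording that the User authorized the token, and single use.
    return mac("verifier", consumer_key, token)

def check_verifier(consumer_key: str, token: str, verifier: str) -> bool:
    """Step 6: accept only the verifier issued for this consumer key and token."""
    expected = issue_verifier(consumer_key, token)
    return hmac.compare_digest(verifier.encode(), expected.encode())

if __name__ == "__main__":
    # Constructed sample values.
    tok = issue_request_token("consumer-key-1", "https://consumer.example/cb")
    print(callback_for("consumer-key-1", tok))
    print(check_verifier("consumer-key-1", tok, issue_verifier("consumer-key-1", tok)))
```
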

 
