Old version (OAuth 1.0a)

Workflow:

  1. Register the client app with the Authorization Server (Twitter, Google, …).

  2. You get a consumer key and a consumer secret. The key identifies the app (oauth_consumer_key below); the secret never leaves your backend and is only used to compute oauth_signature.

  3. Client app sends a request to the Authorization Server to get a request token:

    POST /oauth/request_token
    Authorization: OAuth
        oauth_consumer_key="YOUR_CONSUMER_KEY",
        // where the user is sent back in step 7 (required in 1.0a; "oob" if there is none)
        oauth_callback="https://yourapp.com/callback",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="CURRENT_UNIX_TIMESTAMP",
        // random string, unique per timestamp, so the server can reject replays
        oauth_nonce="RANDOM_STRING",
        oauth_version="1.0",
        // HMAC-SHA1 over method, URL and all parameters, keyed with consumer_secret& (no token secret yet)
        oauth_signature="SIGNATURE"
    
  4. The Authorization Server returns the request token (oauth_token) together with an oauth_token_secret; keep the secret, it is needed to sign the exchange in step 9.

  5. Client app sends the user to the authorization URL:

    <https://authserver.com/oauth/authorize?oauth_token=REQUEST_TOKEN>
    
  6. The user logs in to the Authorization Server and grants the client app permission to access their data.

  7. The Authorization Server redirects the user back to the client app's callback URL:

    <https://yourapp.com/callback?oauth_token=REQUEST_TOKEN&oauth_verifier=VERIFIER>
    
  8. The oauth_verifier arrives as a query parameter. It is a one-time code that must be presented when the request token is exchanged for an access token; 1.0a added it so that an attacker who started the flow cannot finish it with another user's authorization (the session-fixation attack on the original 1.0 flow). The server must check that the verifier belongs to this request token and accept it only once.

  9. Client app sends a request to the Authorization Server to exchange the request token for an access token:

    POST /oauth/access_token
    Authorization: OAuth
        oauth_consumer_key="YOUR_CONSUMER_KEY",
        oauth_token="REQUEST_TOKEN",
        oauth_verifier="VERIFIER",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="CURRENT_UNIX_TIMESTAMP",
        oauth_nonce="RANDOM_STRING",
        oauth_version="1.0",
        // signed with consumer_secret + request_token_secret (from step 4)
        oauth_signature="SIGNATURE"
    
  10. Authorization Server returns:

    // identifies the granted access; sent on every API call
    oauth_token=ACCESS_TOKEN
    // used to sign requests (never share it, keep it in the backend)
    oauth_token_secret=ACCESS_TOKEN_SECRET
    // optional info:
    user_id=12345
    screen_name=johndoe
    
  11. Now the client app can call protected API endpoints:

    GET /api/user/profile
    Authorization: OAuth
        oauth_consumer_key="YOUR_CONSUMER_KEY",
        oauth_token="ACCESS_TOKEN",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="CURRENT_TIMESTAMP",
        oauth_nonce="RANDOM_STRING",
        oauth_version="1.0",
        // now uses consumer_secret + access_token_secret to sign
        oauth_signature="SIGNATURE"
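The signing that steps 3, 9 and 11 rely on, written out as an added example (this is not code from the original page or from any provider's SDK). It implements the RFC 5849 HMAC-SHA1 signature: percent-encoding, parameter normalization, the signature base string, the consumer_secret&token_secret key and the Authorization header itself, plus the checks a server should do on the way in: recompute the signature and compare it in constant time, reject stale timestamps, and reject a repeated consumer key/timestamp/nonce. The credentials, host and nonce in demo() are constructed placeholders, and the 300-second timestamp window is an assumed policy, not something the page specifies.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(value):
    return quote(str(value), safe="-._~")  # RFC 5849 3.6: only unreserved characters stay unescaped


def base_string_uri(url):
    """Lowercase scheme and host, drop default ports, drop the query string and fragment."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path or '/'}"


def normalize_params(params):
    """Percent-encode each (name, value) pair, then sort by encoded name, then value."""
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))


def signature_base_string(method, url, params):
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def collect_params(url, body_params, oauth_params):
    """Query string + form body + oauth_* protocol params, minus realm and oauth_signature."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    oauth = [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    return list(query) + list(body_params) + oauth


def sign_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Key is consumer_secret & token_secret; token_secret is empty for the request_token call."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret, token=None,
                               token_secret="", extra=None, body_params=(), timestamp=None, nonce=None):
    """Client side: the Authorization: OAuth header sent in steps 3, 9 and 11."""
    oauth = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
             "oauth_nonce": nonce or secrets.token_hex(16),  # fresh random value for every request
             "oauth_version": "1.0"}
    if token:
        oauth["oauth_token"] = token
    oauth.update(extra or {})  # oauth_callback in step 3, oauth_verifier in step 9
    params = collect_params(url, body_params, oauth)
    oauth["oauth_signature"] = sign_hmac_sha1(method, url, params, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_authorization_header(header):
    scheme, _, rest = header.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth Authorization header")
    pairs = (part.strip().partition("=") for part in rest.split(","))
    return {unquote(k): unquote(v.strip('"')) for k, _, v in pairs}


def verify_request(method, url, header, body_params, consumer_secret, token_secret="",
                   seen_nonces=None, now=None, window=300):
    """Server side: recompute the signature; reject stale timestamps and replayed nonces."""
    oauth = parse_authorization_header(header)
    ts = oauth.get("oauth_timestamp", "")
    now = int(time.time()) if now is None else now
    if oauth.get("oauth_signature_method") != "HMAC-SHA1" or not ts.isdigit() or abs(now - int(ts)) > window:
        return False
    replay_key = (oauth.get("oauth_consumer_key"), ts, oauth.get("oauth_nonce"))
    if seen_nonces is not None and replay_key in seen_nonces:
        return False
    expected = sign_hmac_sha1(method, url, collect_params(url, body_params, oauth), consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode()):
        return False
    if seen_nonces is not None:
        seen_nonces.add(replay_key)  # record the nonce only after the signature checked out
    return True


def demo():
    """Constructed credentials (not real ones): sign the step-11 call, then check it server-side."""
    ck, cs, at, ats = "YOUR_CONSUMER_KEY", "consumer-secret-example", "ACCESS_TOKEN", "access-secret-example"
    url, t, seen = "https://api.example.com/api/user/profile", 1700000000, set()
    hdr = build_authorization_header("GET", url, ck, cs, token=at, token_secret=ats,
                                     timestamp=t, nonce="0123456789abcdef")
    return {
        "first": verify_request("GET", url, hdr, [], cs, ats, seen_nonces=seen, now=t),
        "replay": verify_request("GET", url, hdr, [], cs, ats, seen_nonces=seen, now=t),
        "wrong_secret": verify_request("GET", url, hdr, [], cs, "other-secret", now=t),
        "tampered": verify_request("GET", url + "?admin=1", hdr, [], cs, ats, now=t),
        "stale": verify_request("GET", url, hdr, [], cs, ats, now=t + 3600),
    }
```

demo() shows a correctly signed call accepted once and then refused as a replay, and refused when the token secret, the URL or the clock is off. The same build_authorization_header call covers step 3 (token=None, extra={"oauth_callback": ...}, so the key is consumer_secret&) and step 9 (token=REQUEST_TOKEN, token_secret set to the request token secret from step 4, extra={"oauth_verifier": ...}).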