oauth 1.0 notes

oAuth 1.0 flow

A good explanation image from oauth.net:

oAuth flow

Flow description:

Consumer has Consumer Key and Consumer Secret (shared secret)
A) Consumer requests Request Token
- call get_request_token from Service Provider, send
  - oauth_consumer_key
  - oauth_signature_method
  - oauth_signature
  - …
  - here oauth_signature - is signature of the request created using Consumer Secret, simplified example:
  - $signature = md5($request_text . $consumer_secret)
  - both sides (Consumer and Service Provider) knows consumer_secret and able to perform this operation, so Service Provider can check whether signature is valid
B) Service provider returns Request Token
- oauth_token
- oauth_token_secret
C) Consumer redirects User to Service Provider
- oauth_token (request token from B)
D) User confirms access and Service Provider redirects User to Consumer
- oauth_token (request token from B)
- oauth_verifier (request token verifier)
E) Consumer requests Access Token
- call get_access_token, send
  - oauth_consumer_key
  - oauth_token (request token from B)
  - oauth_signature_method
  - oauth_signature
  - …
  - oauth_verifier
- here oauth_signature - is signature of the request created using request token secret from B
- note, that on step A Consumer uses his Consumer Secret to sign the request and here he use request token secret
F) Service provider grants Access Token
- oauth_token
- oauth_token_secret
G) Consumer Accesses Protected Resources
- request includes
  - oauth_consumer_key
  - oauth_token (request token from F)
  - oauth_signature_method
  - oauth_signature
  - …
  - here oauth_signature created using Access Token secret