Understand OAuth 1.0¶
OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end- user). It also provides a process for end-users to authorize third- party access to their server resources without sharing their credentials (typically, a username and password pair), using user- agent redirections.
This section will help developers understand the concepts in OAuth 1.0, but not in deep of OAuth 1.0. Here is an overview of an OAuth 1.0 flow:
It takes more steps to obtain an access token than OAuth 2.0.
Roles in OAuth 1.0¶
There are usually three roles in an OAuth 1.0 flow. Let’s take Twitter as an example, you are building a mobile app to send tweets:
- Client: a client is a third-party application, in this case, it is your application.
- Resource Owner: the users on Twitter are the resource owners, since they owns their tweets (resources).
- Server: authorization and resource server, in this case, it is twitter.
During the OAuth 1.0 process, there are several credentials passed from server to client, and client to server.
- client credentials
- temporary credentials
- token credentials
OAuth 1.0 Flow¶
Let’s take your mobile Twitter app as an example. When a user want to send a tweet through your application, he/she needs to authenticate at first. When the app is opened and the login button is clicked:
- Client uses its client credentials to make a request to server, asking the server for a temporary credential.
- Server responds with a temporary credential if it verified your client credential.
- Client saves temporary credential for later use, then open a view for resource owner to grant the access.
- When access is granted, Server responds with a verifier to client.
- Client uses this verifier and temporary credential to make a request to the server asking for token credentials.
- Server responds with access token if it verified every thing.
And then Client can send tweets with the token credentials.
In OAuth 1.0, every request client send to server requires a signature. The signature is calculated from:
- credentials (client, temporary, token)
- timestamp & nonce
- other HTTP information