
Privacy/BestPractices/OAuth

654 bytes added, 22:42, 23 May 2011
Overview of OAuth
* authenticating API calls: the consumer uses credentials to authenticate its API calls against the data host.
 
Let's dig into these two processes a bit, assuming the default use case of one web service (the data consumer) requesting access to a user's data held by another (the data host).
=== Establishing Credentials ===
 
There are a number of variations on the central OAuth theme, especially when it comes to establishing credentials.
* the consumer registers with the data host and obtains a <tt>consumer_key</tt>, which is considered public, and a <tt>consumer_secret</tt>, which should be kept private.
* the user is prompted to approve the request from the specified data consumer, at which point the data host redirects the user's browser to the data consumer with a confirmation code.
* the data consumer makes a direct, server-to-server API call to the data host, authenticated with its own credentials (the <tt>consumer_key</tt> and <tt>consumer_secret</tt>), exchanging the confirmation code for an <tt>access_token</tt> (and, in OAuth 1.0, an <tt>access_token_secret</tt>). Because this step is authenticated, a confirmation code that leaks through the browser redirect is of no use to anyone who does not also hold the consumer's secret.
The resulting access token is the user-specific credential that can be used to make API calls.
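The three steps above, played out between a simulated data host and a data consumer. This is an added example, not code from the wiki page or from any OAuth library: the in-memory stores, the method names (<tt>register_consumer</tt>, <tt>approve</tt>, <tt>exchange</tt>), the ten-minute code lifetime and the redirect URI are assumptions for illustration. What it shows beyond the prose is the checks the data host has to make at the exchange step for the confirmation code to be safe to pass through a browser: the consumer must authenticate, the code must be bound to that consumer, and it must be single-use and short-lived.

```python
"""Simulated confirmation-code exchange (added example, not the wiki's code).
Endpoint names, stores and lifetimes are assumptions for illustration."""
import hmac
import secrets
import time


class DataHost:
    """Registers consumers, issues confirmation codes after user approval,
    and exchanges them for user-specific access tokens."""

    CODE_LIFETIME = 600  # seconds; confirmation codes are short-lived (assumed value)

    def __init__(self):
        self.consumers = {}  # consumer_key -> (consumer_secret, redirect_uri)
        self.codes = {}      # confirmation code -> {consumer_key, user, expires}
        self.tokens = {}     # access_token -> {consumer_key, user}

    def register_consumer(self, redirect_uri):
        """Step 1: the consumer registers. The key is public; the secret is not."""
        consumer_key = secrets.token_urlsafe(12)
        consumer_secret = secrets.token_urlsafe(32)
        self.consumers[consumer_key] = (consumer_secret, redirect_uri)
        return consumer_key, consumer_secret

    def approve(self, consumer_key, user, now=None):
        """Step 2: the user approved the consumer. Returns the redirect the
        browser is sent to, carrying a single-use confirmation code bound to
        this consumer and this user."""
        if consumer_key not in self.consumers:
            raise ValueError("unknown consumer")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"consumer_key": consumer_key, "user": user,
                            "expires": (now or time.time()) + self.CODE_LIFETIME}
        return "%s?code=%s" % (self.consumers[consumer_key][1], code)

    def exchange(self, consumer_key, consumer_secret, code, now=None):
        """Step 3: direct, authenticated exchange of the code for a token.
        Each check is what keeps a code seen in a browser redirect from being
        redeemable by anyone other than the consumer it was issued to."""
        registered = self.consumers.get(consumer_key)
        if registered is None or not hmac.compare_digest(registered[0], consumer_secret):
            raise PermissionError("consumer authentication failed")
        record = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if record is None:
            raise PermissionError("unknown or already used code")
        if record["consumer_key"] != consumer_key:
            raise PermissionError("code was issued to a different consumer")
        if (now or time.time()) > record["expires"]:
            raise PermissionError("code expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"consumer_key": consumer_key, "user": record["user"]}
        return access_token

    def api_call(self, access_token):
        """A protected API call: the token alone identifies consumer and user."""
        return self.tokens.get(access_token)


def attempt_exchange(host, consumer_key, consumer_secret, code, now=None):
    """Consumer-side wrapper: the access token, or the data host's refusal."""
    try:
        return host.exchange(consumer_key, consumer_secret, code, now)
    except PermissionError as err:
        return "refused: %s" % err


def run_flow(host, user="alice"):
    """Drives all three steps from the consumer's side; returns the token."""
    consumer_key, consumer_secret = host.register_consumer("https://consumer.example/cb")
    redirect = host.approve(consumer_key, user)
    code = redirect.split("code=", 1)[1]  # what the consumer reads off the redirect
    return attempt_exchange(host, consumer_key, consumer_secret, code)


if __name__ == "__main__":
    host = DataHost()
    token = run_flow(host)
    print("token for:", host.api_call(token))
```

Replaying the same code, redeeming it with a different consumer's credentials, or redeeming it after its lifetime all come back as refusals from <tt>attempt_exchange</tt>; only the first, authenticated exchange yields a token, and that token is what the consumer then uses for API calls.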
=== Making API Calls ===
 
To make OAuth-credentialed API calls, the consumer adds authentication information to the HTTP requests it makes. What that information looks like ranges from simply presenting the access token (OAuth 2.0 bearer tokens, which should travel in an <tt>Authorization: Bearer</tt> header over TLS rather than as a GET parameter, since query strings end up in server logs and Referer headers) to canonicalizing the request and signing it with HMAC-SHA1 using a key derived from the <tt>consumer_secret</tt> and <tt>access_token_secret</tt> (OAuth 1.0 HMAC). The difference matters: a bearer token is the whole credential, so anyone who captures it can use it and the transport does all the protective work, whereas with HMAC signing the secrets never leave the consumer and a modified request fails verification at the data host.
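The OAuth 1.0 HMAC-SHA1 signing described above, worked end to end next to the OAuth 2.0 bearer form. This is an added example, not the wiki page's code and not any library's implementation: it follows RFC 5849 section 3.4 (parameter normalization, signature base string, HMAC key) and uses the request the RFC itself works in section 3.4.1.1. The two secrets are invented here because the RFC does not state them, and <tt>signed_params</tt>, <tt>verify_signature</tt> and the header helpers are names chosen for this example.

```python
"""OAuth 1.0 HMAC-SHA1 request signing (RFC 5849, section 3.4) beside the
OAuth 2.0 bearer form. Added example, not the wiki page's or any library's
code. Request values are the RFC 5849 section 3.4.1.1 example; the secrets
are invented for this example."""
import base64
import hashlib
import hmac
import string
from urllib.parse import parse_qsl, urlsplit

_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def percent_encode(value):
    """RFC 5849 section 3.6: only unreserved characters pass unencoded."""
    return "".join(ch if ch in _UNRESERVED
                   else "".join("%%%02X" % b for b in ch.encode("utf-8"))
                   for ch in value)


def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme/host, drop default port, query, fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname, parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = "%s:%d" % (host, port)
    return "%s://%s%s" % (scheme, host, parts.path or "/")


def normalized_parameters(url, body, oauth_params):
    """Section 3.4.1.3: query + form body + oauth_* params (minus
    oauth_signature), each name and value encoded, sorted, then joined."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body or "", keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in pairs)
    return "&".join("%s=%s" % kv for kv in encoded)


def signature_base_string(method, url, body, oauth_params):
    """Section 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    return "&".join([method.upper(),
                     percent_encode(base_string_uri(url)),
                     percent_encode(normalized_parameters(url, body, oauth_params))])


def hmac_sha1_signature(method, url, body, oauth_params, consumer_secret, token_secret):
    """Section 3.4.2: key = enc(consumer_secret) & enc(token_secret)."""
    key = "&".join([percent_encode(consumer_secret), percent_encode(token_secret or "")])
    base = signature_base_string(method, url, body, oauth_params)
    mac = hmac.new(key.encode("ascii"), base.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_signature(method, url, body, oauth_params, consumer_secret, token_secret):
    """Data-host side: recompute over the request as received, compare in
    constant time. Any change to method, URI, query, body or oauth_* values
    changes the base string and so the MAC."""
    expected = hmac_sha1_signature(method, url, body, oauth_params,
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def oauth_authorization_header(oauth_params, realm=None):
    """Section 3.5.1: Authorization: OAuth header carrying the parameters."""
    fields = [] if realm is None else ['realm="%s"' % realm]
    fields += ['%s="%s"' % (percent_encode(k), percent_encode(v))
               for k, v in sorted(oauth_params.items())]
    return "OAuth " + ", ".join(fields)


def bearer_authorization_header(access_token):
    """OAuth 2.0 bearer (RFC 6750 section 2.1): the token is the whole
    credential, so it goes in this header over TLS, not in a query string."""
    return "Bearer " + access_token


# Constructed input: the request from RFC 5849 section 3.4.1.1.
METHOD = "POST"
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"
OAUTH_PARAMS = {"oauth_consumer_key": "9djdj82h48djs9d2",
                "oauth_token": "kkk9d7dh3k39sjv7",
                "oauth_signature_method": "HMAC-SHA1",
                "oauth_timestamp": "137131201",
                "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET = "consumer-secret-example"  # hypothetical; not from the RFC
TOKEN_SECRET = "token-secret-example"        # hypothetical; not from the RFC
# Signature base string for the request above, as printed in the RFC.
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q"
    "%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_"
    "key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m"
    "ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk"
    "9d7dh3k39sjv7")


def signed_params():
    """Consumer side: attach oauth_signature to the oauth_* parameters."""
    params = dict(OAUTH_PARAMS)
    params["oauth_signature"] = hmac_sha1_signature(
        METHOD, URL, BODY, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params


if __name__ == "__main__":
    params = signed_params()
    print(signature_base_string(METHOD, URL, BODY, params))
    print("Authorization:", oauth_authorization_header(params, realm="Example"))
    print("valid:", verify_signature(METHOD, URL, BODY, params, CONSUMER_SECRET, TOKEN_SECRET))
    print("tampered:", verify_signature(METHOD, URL, "c2&a3=2+x", params,
                                        CONSUMER_SECRET, TOKEN_SECRET))
```

The normalization step is where most real-world interoperability and security bugs live: the data host must rebuild the base string from the request exactly as it received it (including query and body parameters the consumer never thought about), and the sorted, doubly-encoded form is what makes two differently serialized but equivalent requests sign identically while any substantive change breaks the MAC. Note also that the verifier compares with <tt>hmac.compare_digest</tt> rather than <tt>==</tt>.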
=== Differences between OAuth 1.0 and 2.0 ===