Privacy/BestPractices/OAuth: Difference between revisions

Line 8: Line 8:


* authenticating API calls: the consumer uses credentials to authenticate its API calls against the data host.
* authenticating API calls: the consumer uses credentials to authenticate its API calls against the data host.
Let's dig into these two processes a bit assuming the default use-case of one web service requesting access to another.


=== Establishing Credentials ===
=== Establishing Credentials ===
There are a number of variations on the central OAuth theme, especially when it comes to establishing credentials.


* the consumer registers with the data host and obtains a <tt>consumer_key</tt>, which is considered public, and a <tt>consumer_secret</tt>, which should be kept private.
* the consumer registers with the data host and obtains a <tt>consumer_key</tt>, which is considered public, and a <tt>consumer_secret</tt>, which should be kept private.
Line 19: Line 19:
* the user is prompted to approve the request from the specified data consumer, at which point the data host redirects the user's browser to the data consumer with a confirmation code.
* the user is prompted to approve the request from the specified data consumer, at which point the data host redirects the user's browser to the data consumer with a confirmation code.


* the data consumer makes a direct API call to  
* the data consumer makes an API call to the data host, authenticated with the consumer's credentials, exchanging the confirmation code for an <tt>access_token</tt> (and, in OAuth 1.0, an <tt>access_token_secret</tt>).


The resulting access token is the user-specific credential that can be used to make API calls.


=== Making API Calls ===
=== Making API Calls ===
To make OAuth-credentialed API calls, the consumer adds authentication information to the HTTP calls it makes. This authentication information ranges from adding the access token as a GET parameter (OAuth 2.0 bearer tokens), to canonicalizing the request and signing it with HMAC using a combination of the <tt>consumer_secret</tt> and <tt>access_token_secret</tt> (OAuth 1.0 HMAC).


=== Differences between OAuth 1.0 and 2.0 ===
=== Differences between OAuth 1.0 and 2.0 ===
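Review bot: the rewritten bullet in this hunk drops the word "direct" from the old text ("makes a direct API call to"), and that word carried the security-relevant point of the step: the confirmation code in the preceding bullet reaches the consumer through a redirect of the user's browser, whereas the code-for-token exchange is authenticated with the consumer's credentials, which include the consumer_secret the earlier bullet says must be kept private, so the text should make clear this call goes from the consumer to the data host without passing through the browser. Suggest keeping the qualifier, e.g. "the data consumer makes a direct (server-to-server) API call to the data host, authenticated with the consumer's credentials, exchanging the confirmation code for an access_token ...". The added parenthetical about OAuth 1.0 also returning an access_token_secret is consistent with the "Making API Calls" section, which signs requests with the consumer_secret and access_token_secret.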