OAuth 1.0a Authorization Header
OAuth 1.0a uses the Authorization header as a way to authenticate the client to the OAuth Provider itself. In OAuth 2.0, this header isn't used for authentication with the OAuth Provider. Instead, OAuth 2.0 uses query parameters in the payload.
Both OAuth versions use the Authorization header when sending API requests to the Resource Server.
The OAuth 1.0a specification (http://tools.ietf.org/html/rfc5849#section-3.5.1) has this to say about the Authorization header:
Protocol parameters can be transmitted using the HTTP "Authorization" header field as defined by [RFC2617] with the auth-scheme name set to "OAuth" (case insensitive). For example: Authorization: OAuth realm="Example", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"
The sections below show differences between how the Authorization header is used at different stages of the OAuth 1.0a message exchange process.
Step 1: Requesting and Receiving a Request Token
Description:
Identifies the client (oauth_consumer_key), identifies the signature method used; uniquely identifies the message with a timestamp and nonce; specifies the URL the user will be redirected back to after authentication (oauth_callback); includes a signature.
Example:
oauth_consumer_key="dpf43f3p2l4k3l03", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131200", oauth_nonce="wIjqoS", oauth_callback="http%3A%2F%2Fpaastime.example.com%2Fready", oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
Step 2: Getting the User's Authorization
The client doesn't send the Authorization Header in Step 2, which relates to the user authentication at the Resource Owner Authorization endpoint.
Step 3: Exchanging Request Token and OAuth Verifier for Access Token
Description:
Includes oauth_token, the temporary credentials, and oauth_verifier, indicating that the user has been verified.
Example:
oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="hh5s93j4hdidpola", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131201", oauth_nonce="walatlh", oauth_verifier="hfdp7dh39dks9884", oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D"
Step 4: Processing the Transaction
Description:
Includes oauth_token, the value of which is now the token credentials.
Example:
oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="nnch734d00sl2jdk", oauth_signature_method="HMAC-SHA1", oauth_timestamp="137131202", oauth_nonce="chapoH", oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D"
In some cases where certain standard OAuth activities are supported by both POST and GET operations, the key values can be sent in query parameters for GET, in the payload for POST, or in the Authorization header in both cases.
Parameter definitions
Below are the parameters that might be part of the OAuth 1.0a Authorization header, and their definitions.
- realm
- The domain name for the OAuth provider. For more information, see http://tools.ietf.org/html/rfc2617#section-1.2.
- oauth_callback
- An absolute URI back to which the server will redirect the resource owner when the Resource Owner Authorization is completed. If the client is unable to receive callbacks or a callback URI has been established via other means, the parameter value MUST be set to "oob" (case sensitive), to indicate an out-of-band configuration.
- oauth_consumer_key
- The client identifier.
- oauth_nonce
- The random nonce value. The nonce value must be unique across all requests with the same timestamp, client credentials, and token combinations.
- oauth_signature_method
- The signature method. For valid values, see OAuth Signature Method (1.0a) values.
- oauth_signature
-
The signature base string: a consistent, reproducible concatenation of several of the HTTP request elements into a single string. The string is used as an input to the signature method. The signature base string includes the following components of the HTTP request:
- The HTTP request method (GET or POST).
- The authority, as declared by the HTTP host field in the request header.
- The path and query components of the request resource URI.
- The protocol parameters, excluding the oauth_signature.
The signature base string does not cover the entire HTTP request. Most important, it does not include the entity-body in most requests, nor does it include most HTTP entity-headers. It is important to note that the server cannot verify the authenticity of the excluded request components without using additional protections such as SSL/TLS or other methods.
- oauth_timestamp
- The timestamp value. Must be a positive integer. The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
- oauth_token
- The temporary credentials identifier, if applicable. Returned in the response to Step 1; used in request and response for Step 2, and sent in the request message for Step 3.
- oauth_token_secret
- Secret value for the temporary credentials identifier, if applicable. If in use, sent whenever oauth_token is sent (see above).
- oauth_verifier
- A parameter verifying that the user has been authenticated and has granted the requested permission. Example: hfdp7dh39dks9884. Sent in the response to Step 2.
- oauth_version
- An optional parameter which, if present, must be set to 1.0.