OAuth is a simple standard for allowing an end user to authorize an application to access a third party service on behalf of said user.
Access is authorized on two levels by the third party, as the application needs to be identified, as does the user on whose behalf it is acting.
The application obtains, through an out-of-band channel (typically a web form at the third party service where the application developer submits an application for access), the following pair of credentials:
- Consumer key (a.k.a. API key, public key, application key). Transmitted to third party as
- Consumer secret (a.k.a. API secret, private key, consumer secret key, application secret)
The consumer secret is never directly transmitted to the third party, as it is only used to calculate a signature for requests.
The user typically authorizes the application to access the service using a 3-Legged OAuth process, upon whose completion the application obtains an access token consisting of:
- Token (a.k.a. access token). Transmitted to third party as
- Secret (a.k.a. access token secret, oauth token secret).
The secret is never directly transmitted to the third party, as it is only used to calculate a signature for requests.
OAuth-authorized HTTP requests to the third party add several OAuth-specific parameters, the most important of which is oauth_signature. The value of oauth_signature is an HMAC-SHA1 value computed from the consumer secret, the access token secret and all the parameters sent in the request. OAuth parameters can be sent as standard URL parameters or as the value of the Authorization HTTP header.
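As an added worked example (not code from the original text), the signing step described above in Python: the request parameters are normalized into a signature base string, the two secrets become the HMAC-SHA1 key, and the service verifies by recomputing the signature. The sample request is the one from RFC 5849 section 3.4.1.1; the secret values used when calling it are assumed sample values.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def oauth_encode(value):
    """RFC 5849 section 3.6: keep only unreserved chars, upper-case hex for the rest."""
    return quote(str(value), safe="")


def normalize_url(url):
    """Base string URI: lower-case scheme and host, no default port, no query or fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """params: decoded (key, value) pairs from query string, form body and OAuth header,
    minus oauth_signature and realm. Encode each, sort by key then value, join, encode again."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """oauth_signature = base64(HMAC-SHA1(enc(consumer_secret)&enc(token_secret), base string)).
    Neither secret travels with the request; only this signature does."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify_signature(method, url, params, presented, consumer_secret, token_secret=""):
    """Service side: recompute from the received parameters and compare in constant time,
    so a request whose parameters were altered after signing is rejected."""
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Sample request from RFC 5849 section 3.4.1.1: POST http://example.com/request with
# query b5=%3D%253D&a3=a&c%40=&a2=r%20b and form body c2&a3=2+q, already percent-decoded.
RFC_PARAMS = [("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"), ("c2", ""), ("a3", "2 q"),
              ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
              ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
              ("oauth_nonce", "7d8f3e4a")]
RFC_URL = "http://example.com/request"
```

The base string produced for RFC_PARAMS matches the one printed in the RFC, which is the quickest way to check an implementation against a known-good reference before comparing signatures.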