OAuth is a simple standard that lets an end user authorize an application to access a third-party service on that user's behalf.
The third party authorizes access on two levels: the application must be identified, and so must the user on whose behalf it is acting.
Application authorization
The application obtains, through an out-of-band channel (typically a web form at the third-party service where the application developer applies for access), the following pair of credentials:
- Consumer key (a.k.a. API key, public key, application key). Transmitted to the third party as oauth_consumer_key.
- Consumer secret (a.k.a. API secret, private key, consumer secret key, application secret).
The consumer secret is never transmitted directly to the third party; it is used only to calculate a signature for requests.
User authorization
The user typically authorizes the application to access the service through a 3-Legged OAuth process, on completion of which the application obtains an access token consisting of:
- Token (a.k.a. access token). Transmitted to the third party as oauth_token.
- Secret (a.k.a. access token secret, oauth token secret).
The secret is never transmitted directly to the third party; it is used only to calculate a signature for requests.
Access
OAuth-authorized HTTP requests to the third party carry several OAuth-specific parameters, the most important of which are oauth_consumer_key, oauth_token and oauth_signature. The value of oauth_signature is a hash (HMAC-SHA1 in the usual signature method) computed from the consumer secret, the access token secret and all the parameters sent in the request, so the third party can recompute it from its own copies of the two secrets and detect any change to the request. OAuth parameters can be sent as standard URL parameters or as the value of the Authorization HTTP header.
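The signing step described above, as an added example that is not part of the original page: the client builds the signature base string from the HTTP method, the base URL and every query, body and oauth_* parameter, keys an HMAC-SHA1 with the percent-encoded consumer secret and token secret joined by "&", and sends only the resulting oauth_signature (never the secrets). The same code, used on the server side, recomputes the signature from the received request and compares it in constant time, which is where tampering or a wrong secret is caught. The request, consumer key, token, timestamp and nonce are the sample request from RFC 5849 section 3.4.1.1; the two secrets are constructed sample values, and all function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets as _secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """Percent-encode per RFC 3986: only A-Z a-z 0-9 - . _ ~ are left as-is."""
    return quote(str(value), safe="-._~")


def normalized_params(params):
    """Encode every (name, value) pair, sort by name then value, join with & and =.
    oauth_signature itself is excluded because it is what we are computing."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string_uri(url):
    """scheme://host[:port]/path with query and fragment dropped and default ports omitted."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """METHOD & encoded(base URI) & encoded(normalized parameters)."""
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized_params(params))])


def hmac_sha1(base, consumer_secret, token_secret=""):
    """The key is the two secrets, each percent-encoded, joined by '&'; output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def request_params(url, body=""):
    """All decoded query-string and form-encoded body parameters of the request."""
    return (parse_qsl(urlsplit(url).query, keep_blank_values=True)
            + parse_qsl(body, keep_blank_values=True))


def sign_request(method, url, body, consumer_key, consumer_secret, token, token_secret,
                 timestamp=None, nonce=None):
    """Client side: produce the oauth_* parameters, including oauth_signature, for one request."""
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_token", token),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", str(timestamp if timestamp is not None else int(time.time()))),
        ("oauth_nonce", nonce or _secrets.token_hex(8)),  # fresh per request: replay protection
    ]
    base = signature_base_string(method, url, request_params(url, body) + oauth)
    oauth.append(("oauth_signature", hmac_sha1(base, consumer_secret, token_secret)))
    return dict(oauth)


def authorization_header(oauth_params, realm=None):
    """Render the oauth_* parameters as an Authorization: OAuth header value (realm is not signed)."""
    parts = [f'realm="{realm}"'] if realm else []
    parts += [f'{pct(k)}="{pct(v)}"' for k, v in oauth_params.items()]
    return "OAuth " + ", ".join(parts)


def verify_request(method, url, body, oauth_params, consumer_secret, token_secret):
    """Server side: recompute the signature with our copies of the secrets and compare."""
    received = oauth_params.get("oauth_signature", "")
    params = request_params(url, body) + [(k, v) for k, v in oauth_params.items()
                                          if k != "oauth_signature"]
    expected = hmac_sha1(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)


# Sample request from RFC 5849 section 3.4.1.1; the secrets are constructed sample values.
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_BODY = "c2&a3=2+q"
CONSUMER_KEY, CONSUMER_SECRET = "9djdj82h48djs9d2", "j49sk3j29djd"
TOKEN, TOKEN_SECRET = "kkk9d7dh3k39sjv7", "dh893hdasih9"


def rfc_example():
    """Sign the sample request with the RFC's fixed timestamp and nonce."""
    oauth = sign_request("POST", SAMPLE_URL, SAMPLE_BODY, CONSUMER_KEY, CONSUMER_SECRET,
                         TOKEN, TOKEN_SECRET, timestamp=137131201, nonce="7d8f3e4a")
    base = signature_base_string("POST", SAMPLE_URL, request_params(SAMPLE_URL, SAMPLE_BODY)
                                 + list(oauth.items()))
    return {"base_string": base, "oauth": oauth,
            "header": authorization_header(oauth, realm="Example")}


if __name__ == "__main__":
    r = rfc_example()
    print(r["base_string"])
    print("Authorization:", r["header"])
    print("verifies:", verify_request("POST", SAMPLE_URL, SAMPLE_BODY, r["oauth"],
                                      CONSUMER_SECRET, TOKEN_SECRET))
```

Two things worth noticing when running it: the base string for the sample request is byte-for-byte the one RFC 5849 prints, and the Authorization header contains the consumer key, the token and the signature but neither secret, which is exactly the property the text above relies on. Changing any signed parameter, or verifying with the wrong token secret, makes verify_request return False.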