Archived Forum Post

Index of archived forum posts


Confused about OAuth

Dec 04 '12 at 17:00

I'm kinda new to Oauth and it seems very intimidating.

Here's the page of instructions we've been given

1) Sign-up and Get a Consumer Key (API Key)
2) Get a Request Token
3) Get User Authorization
4) Exchange Request Token for an Access Token
5) Make Data API Requests
6) Exchange the Access Token


The typical OAuth environment is one where the User (Resource Owner) is interacting with a Web App to use some service where the User has an account, such as Twitter. In OAuth 1.0 terms, your web app is the "Client" and Twitter would be the "Server".

Here's what happens in the typical environment in the step-by-step list you described:
(The typical environment is where the User is interacting with your App via a browser.)

2) Your app (the Client) communicates with the Server (Twitter for example) to get a request token.

3) The user is redirected to the Server's site to provide authorization. (The information sent to the Server includes the request token.)

4) Assuming authorization is granted, the response is redirected to the Client (your Web App).

5) Your Web App then communicates with the Server to exchange the request token for an access token.

6) From that point onward, the Web App (client) can interact with the Server (such as Twitter) to do things on behalf of the User.

The big problem w/ doing OAuth in a non-browser environment involves the step where the User is redirected to the Server's site (such as Twitter) to get authorization. If there is no browser involved, then it's not possible to proceed in this way.

For non-Web apps, OAuth can be implemented in two ways:

1) The access token is pre-provided so that no back-and-forth exchange is needed. This is typical when the app is only used by the resource owner. In other words, you need to use OAuth, but you're not using it to access some other person's account, but your own account. Twitter, for example, provides the ability to interactively generate an access token that can be used in your app. An example of using a pre-computed access token is given here:

2) If the app is not run within a browser, then at the point where the browser would be redirected to the Server, your app would instead tell the User to open an independent browser, go to a specific URL, and authenticate, which results in a PIN code that the user can then cut-and-paste (or type) back into the app, which then completes the OAuth authentication. This is called PIN-based OAuth. The two steps are shown in these examples: