OAuth Core 1

7/31/2019 OAuth Core 1

1/30

OAuth Core 1.0 Abstract

The OAuth protocol enables websites or applications (Consumers) to accessProtected Resources from a web service (Service Provider) via an API, withoutrequiring Users to disclose their Service Provider credentials to the Consumers.More generally, OAuth creates a freely-implementable and generic methodologyfor API authentication.

An example use case is allowing printing service printer.example.com (theConsumer), to access private photos stored on photos.example.net (the ServiceProvider) without requiring Users to provide their photos.example.net credentialsto printer.example.com.

OAuth does not require a specific user interface or interaction pattern, nor does it

specify how Service Providers authenticate Users, making the protocol ideallysuited for cases where authentication credentials are unavailable to the Consumer,such as with OpenID.

OAuth aims to unify the experience and implementation of delegated web serviceauthentication into a single, community-driven protocol. OAuth builds on existingprotocols and best practices that have been independently implemented by variouswebsites. An open standard, supported by large and small providers alike,promotes a consistent and trusted experience for both application developers andthe users of those applications.

License

This specification is made available under the OAuth Non-Assertion Covenant and Authors Contribution License For OAuth Specification 1.0 availablea thttp://oauth.net/license/core/1.0 . Copyrights are licensed under the termsof the Creative Commons Attribution ShareAlike 3.0 license availablea thttp://creativecommons.org/licenses/by-sa/3.0 .

Table of Contents

1. Authors2. Notation and Conventions3. Definitions4. Documentation and Registration

4.1. Request URLs4.2. Service Providers4.3. Consumers

5. Parameters5.1. Parameter Encoding
http://oauth.net/license/core/1.0http://oauth.net/license/core/1.0http://oauth.net/license/core/1.0http://creativecommons.org/licenses/by-sa/3.0http://creativecommons.org/licenses/by-sa/3.0http://creativecommons.org/licenses/by-sa/3.0http://oauth.net/core/1.0/#anchor1http://oauth.net/core/1.0/#anchor1http://oauth.net/core/1.0/#anchor2http://oauth.net/core/1.0/#anchor2http://oauth.net/core/1.0/#anchor3http://oauth.net/core/1.0/#anchor3http://oauth.net/core/1.0/#anchor4http://oauth.net/core/1.0/#anchor4http://oauth.net/core/1.0/#request_urlshttp://oauth.net/core/1.0/#request_urlshttp://oauth.net/core/1.0/#anchor5http://oauth.net/core/1.0/#anchor5http://oauth.net/core/1.0/#anchor6http://oauth.net/core/1.0/#anchor6http://oauth.net/core/1.0/#anchor7http://oauth.net/core/1.0/#anchor7http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#anchor7http://oauth.net/core/1.0/#anchor6http://oauth.net/core/1.0/#anchor5http://oauth.net/core/1.0/#request_urlshttp://oauth.net/core/1.0/#anchor4http://oauth.net/core/1.0/#anchor3http://oauth.net/core/1.0/#anchor2http://oauth.net/core/1.0/#anchor1http://creativecommons.org/licenses/by-sa/3.0http://oauth.net/license/core/1.0


2/30

5.2. Consumer Request Parameters5.3. Service Provider Response Parameters5.4. OAuth HTTP Authorization Scheme

6. Authenticating with OAuth6.1. Obtaining an Unauthorized Request Token6.2. Obtaining User Authorization

6.3. Obtaining an Access Token7. Accessing Protected Resources8. Nonce and Timestamp9. Signing Requests

9.1. Signature Base String9.2. HMAC-SHA19.3. RSA-SHA19.4. PLAINTEXT

10. HTTP Response CodesAppendix A. Appendix A - Protocol ExampleAppendix A.1. Documentation and RegistrationAppendix A.2. Obtaining a Request TokenAppendix A.3. Requesting User AuthorizationAppendix A.4. Obtaining an Access TokenAppendix A.5. Accessing Protected ResourcesAppendix B. Security ConsiderationsAppendix B.1. Credentials and Token ExchangeAppendix B.2. PLAINTEXT Signature MethodAppendix B.3. Confidentiality of RequestsAppendix B.4. Spoofing by Counterfeit ServersAppendix B.5. Proxying and Caching of Authenticated ContentAppendix B.6. Plaintext Storage of CredentialsAppendix B.7. Secrecy of the Consumer SecretAppendix B.8. Phishing AttacksAppendix B.9. Scoping of Access Requests

Appendix B.10. Entropy of SecretsAppendix B.11. Denial of Service / Resource Exhaustion AttacksAppendix B.12. Cryptographic AttacksAppendix B.13. Signature Base String Compatibility11. References Authors Address

1. Authors

Mark Atwood ([email protected]) Richard M. Conlan ([email protected]) Blaine Cook ([email protected]) Leah Culver ([email protected]) Kellan Elliott-McCrea ([email protected])
http://oauth.net/core/1.0/#consumer_req_paramhttp://oauth.net/core/1.0/#consumer_req_paramhttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#anchor9http://oauth.net/core/1.0/#anchor9http://oauth.net/core/1.0/#auth_step1http://oauth.net/core/1.0/#auth_step1http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#anchor13http://oauth.net/core/1.0/#anchor13http://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#anchor14http://oauth.net/core/1.0/#anchor14http://oauth.net/core/1.0/#anchor16http://oauth.net/core/1.0/#anchor16http://oauth.net/core/1.0/#anchor19http://oauth.net/core/1.0/#anchor19http://oauth.net/core/1.0/#anchor22http://oauth.net/core/1.0/#anchor22http://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#anchor25http://oauth.net/core/1.0/#anchor25http://oauth.net/core/1.0/#anchor26http://oauth.net/core/1.0/#anchor26http://oauth.net/core/1.0/#anchor27http://oauth.net/core/1.0/#anchor27http://oauth.net/core/1.0/#anchor28http://oauth.net/core/1.0/#anchor28http://oauth.net/core/1.0/#anchor29http://oauth.net/core/1.0/#anchor29http://oauth.net/core/1.0/#anchor30http://oauth.net/core/1.0/#anchor30http://oauth.net/core/1.0/#anchor33http://oauth.net/core/1.0/#anchor33http://oauth.net/core/1.0/#anchor34http://oauth.net/core/1.0/#anchor34http://oauth.net/core/1.0/#anchor35http://oauth.net/core/1.0/#anchor35http://oauth.net/core/1.0/#anchor36http://oauth.net/core/1.0/#anchor36http://oauth.net/core/1.0/#anchor37http://oauth.net/core/1.0/#anchor37http://oauth.net/core/1.0/#anchor38http://oauth.net/core/1.0/#anchor38http://oauth.net/core/1.0/#anchor39http://oauth.net/core/1.0/#anchor39http://oauth.net/core/1.0/#anchor40http://oauth.net/core/1.0/#anchor40http://oauth.net/core/1.0/#anchor41http://oauth.net/core/1.0/#anchor41http://oauth.net/core/1.0/#anchor42http://oauth.net/core/1.0/#anchor42http://oauth.net/core/1.0/#anchor43http://oauth.net/core/1.0/#anchor43http://oauth.net/core/1.0/#anchor44http://oauth.net/core/1.0/#anchor44http://oauth.net/core/1.0/#anchor45http://oauth.net/core/1.0/#anchor45http://oauth.net/core/1.0/#anchor46http://oauth.net/core/1.0/#anchor46http://oauth.net/core/1.0/#rfc.references1http://oauth.net/core/1.0/#rfc.references1http://oauth.net/core/1.0/#rfc.authorshttp://oauth.net/core/1.0/#rfc.authorshttp://oauth.net/core/1.0/#rfc.authorshttp://oauth.net/core/1.0/#rfc.references1http://oauth.net/core/1.0/#anchor46http://oauth.net/core/1.0/#anchor45http://oauth.net/core/1.0/#anchor44http://oauth.net/core/1.0/#anchor43http://oauth.net/core/1.0/#anchor42http://oauth.net/core/1.0/#anchor41http://oauth.net/core/1.0/#anchor40http://oauth.net/core/1.0/#anchor39http://oauth.net/core/1.0/#anchor38http://oauth.net/core/1.0/#anchor37http://oauth.net/core/1.0/#anchor36http://oauth.net/core/1.0/#anchor35http://oauth.net/core/1.0/#anchor34http://oauth.net/core/1.0/#anchor33http://oauth.net/core/1.0/#anchor30http://oauth.net/core/1.0/#anchor29http://oauth.net/core/1.0/#anchor28http://oauth.net/core/1.0/#anchor27http://oauth.net/core/1.0/#anchor26http://oauth.net/core/1.0/#anchor25http://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#anchor22http://oauth.net/core/1.0/#anchor19http://oauth.net/core/1.0/#anchor16http://oauth.net/core/1.0/#anchor14http://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#anchor13http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step1http://oauth.net/core/1.0/#anchor9http://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#consumer_req_param


3/30

Larry Halff ([email protected]) Eran Hammer-Lahav ([email protected]) Ben Laurie ([email protected]) Chris Messina ([email protected]) John Panzer ([email protected]) Sam Quigley ([email protected])

David Recordon ([email protected]) Eran Sandler ([email protected]) Jonathan Sergent ([email protected]) Todd Sieling ([email protected]) Brian Slesinsky ([email protected]) Andy Smith ([email protected])

2. Notation and Conventions

The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in thisdocument are to be interpreted as described in [RFC2119] . Domain nameexamples use [RFC2606] .

3. Definitions

Service Provider:A web application that allows access via OAuth.

User:An individual who has an account with the Service Provider.

Consumer:A website or application that uses OAuth to access the Service Provider onbehalf of the User.

Protected Resource(s):Data controlled by the Service Provider, which the Consumer can accessthrough authentication.

Consumer Developer:An individual or organization that implements a Consumer.

Consumer Key:A value used by the Consumer to identify itself to the Service Provider.

Consumer Secret:A secret used by the Consumer to establish ownership of the Consumer Key.

Request Token:A value used by the Consumer to obtain authorization from the User, andexchanged for an Access Token.

Access Token:
http://oauth.net/core/1.0/#RFC2119http://oauth.net/core/1.0/#RFC2119http://oauth.net/core/1.0/#RFC2119http://oauth.net/core/1.0/#RFC2606http://oauth.net/core/1.0/#RFC2606http://oauth.net/core/1.0/#RFC2606http://oauth.net/core/1.0/#RFC2606http://oauth.net/core/1.0/#RFC2119


4/30

A value used by the Consumer to gain access to the Protected Resources onbehalf of the User, instead of using the User s Service Provider credentials.

Token Secret:A secret used by the Consumer to establish ownership of a given Token.

OAuth Protocol Parameters:Parameters with names beginning with oauth_ .

4. Documentation and Registration

OAuth includes a Consumer Key and matching Consumer Secret that togetherauthenticate the Consumer (as opposed to the User) to the Service Provider.Consumer-specific identification allows the Service Provider to vary access levelsto Consumers (such as un-throttled access to resources).

Service Providers SHOULD NOT rely on the Consumer Secret as a method to verifythe Consumer identity, unless the Consumer Secret is known to be inaccessible toanyone other than the Consumer and the Service Provider. The Consumer SecretMAY be an empty string (for example when no Consumer verification is needed, orwhen verification is achieved through other means such as RSA).

4.1. Request URLs

OAuth defines three request URLs:

Request Token URL:The URL used to obtain an unauthorized Request Token, describedin Section 6.1 .

User Authorization URL:The URL used to obtain User authorization for Consumer access, describedin Section 6.2 .

Access Token URL:The URL used to exchange the User-authorized Request Token for an AccessToken, described in Section 6.3 .

The three URLs MUST include scheme, authority, and path, and MAY include queryand fragment as defined by [RFC3986] section 3. The request URL query MUSTNOT contain any OAuth Protocol Parameters. For example:

http://sp.example.com/authorize
http://oauth.net/core/1.0/#auth_step1http://oauth.net/core/1.0/#auth_step1http://oauth.net/core/1.0/#auth_step1http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#auth_step3http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step1


5/30

4.2. Service Providers

The Service Provider s responsibility is to enable Consumer Developers to establish

a Consumer Key and Consumer Secret. The process and requirements forprovisioning these are entirely up to the Service Providers.

The Service Provider s documentation includes:

1. The URLs the Consumer will use when making OAuth requests, and the HTTPmethods (i.e. GET, POST, etc.) used in the Request Token URL and Access TokenURL.

2. Signature methods supported by the Service Provider.3. Any additional request parameters that the Service Provider requires in order to

obtain a Token. Service Provider specific parameters MUST NOT beginwith oauth_ .

4.3. Consumers

The Consumer Developer MUST establish a Consumer Key and a Consumer Secretwith the Service Provider. The Consumer Developer MAY also be required toprovide additional information to the Service Provider upon registration.

5. Parameters

OAuth Protocol Parameter names and values are case sensitive. Each OAuthProtocol Parameters MUST NOT appear more than once per request, and areREQUIRED unless otherwise noted.

5.1. Parameter Encoding

All parameter names and values are escaped using the [RFC3986] percent-encoding (%xx) mechanism. Characters not in the unreserved character set( [RFC3986] section 2.3) MUST be encoded. Characters in the unreservedcharacter set MUST NOT be encoded. Hexadecimal characters in encodings MUST
http://oauth.net/core/1.0/#request_urlshttp://oauth.net/core/1.0/#request_urlshttp://oauth.net/core/1.0/#request_urlshttp://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#request_urls


6/30

be upper case. Text names and values MUST be encoded as UTF-8 octets beforepercent-encoding them per [RFC3629] .

unreserved = ALPHA, DIGIT, '-', '.', '_', '~'

5.2. Consumer Request Parameters

OAuth Protocol Parameters are sent from the Consumer to the Service Provider inone of three methods, in order of decreasing preference:

1. In the HTTP Authorization header as defined in OAuth HTTP AuthorizationScheme .

2. As the HTTP POST request body with a content-type of application/x-www-form-urlencoded .

3. Added to the URLs in the query part (as defined by [RFC3986] section 3).

In addition to these defined methods, future extensions may describe alternatemethods for sending the OAuth Protocol Parameters. The methods for sendingother request parameters are left undefined, but SHOULD NOT use the OAuthHTTP Authorization Scheme header.

5.3. Service Provider Response Parameters

Response parameters are sent by the Service Provider to return Tokens and otherinformation to the Consumer in the HTTP response body. The parameter namesand values are first encoded as per Parameter Encoding , and concatenated withthe & character (ASCII code 38) as defined in [RFC3986] Section 2.1. Forexample:

oauth_token=ab3cd9j4ks73hf7g&oauth_token_secret=xyz4992k83j47x0b

5.4. OAuth HTTP Authorization SchemeThis section defines an [RFC2617] extension to support OAuth. It uses thestandard HTTP Authorization and WWW-Authenticate headers to passOAuth Protocol Parameters.
http://oauth.net/core/1.0/#RFC3629http://oauth.net/core/1.0/#RFC3629http://oauth.net/core/1.0/#RFC3629http://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#RFC3629


7/30

It is RECOMMENDED that Service Providers accept theHTTP Authorization header. Consumers SHOULD be able to send OAuthProtocol Parameters in the OAuth Authorization header.

The extension auth-scheme (as defined by [RFC2617] ) is OAuth and is case-insensitive.

5.4.1. Authorization Header

The OAuth Protocol Parameters are sent in the Authorization header thefollowing way:

1. Parameter names and values are encoded per Parameter Encoding . 2. For each parameter, the name is immediately followed by an = character (ASCII

code 61), a character (ASCII code 34), the parameter value (MAY be empty),and another character (ASCII code 34).

3. Parameters are separated by a comma character (ASCII code 44) and OPTIONALlinear whitespace per [RFC2617] .

4. The OPTIONAL realm parameter is added and interpreted per [RFC2617] , section 1.2.

For example:

Authorization: OAuthrealm="http://sp.example.com/",

oauth_consumer_key="0685bd9184jfhq22",oauth_token="ad180jjd733klru7",oauth_signature_method="HMAC-SHA1",

oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",oauth_timestamp="137131200",oauth_nonce="4572616e48616d6d65724c61686176",oauth_version="1.0"

5.4.2. WWW-Authenticate Header

Service Providers MAY indicate their support for the extension by returning theOAuth HTTP WWW-Authenticate header upon Consumer requests for ProtectedResources. As pe r[RFC2617] such a response MAY include additional HTTP WWW-Authenticate headers:
http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC2617


8/30

For example:

WWW-Authenticate: OAuthrealm="http://sp.example.com/"

The realm parameter defines a protection realm per [RFC2617] , section 1.2.

6. Authenticating with OAuth

OAuth authentication is the process in which Users grant access to their ProtectedResources without sharing their credentials with the Consumer. OAuth usesTokens generated by the Service Provider instead of the User s credentials inProtected Resources requests. The process uses two Token types:

Request Token:Used by the Consumer to ask the User to authorize access to the ProtectedResources. The User-authorized Request Token is exchanged for an AccessToken, MUST only be used once, and MUST NOT be used for any otherpurpose. It is RECOMMENDED that Request Tokens have a limited lifetime.

Access Token:Used by the Consumer to access the Protected Resources on behalf of theUser. Access Tokens MAY limit access to certain Protected Resources, andMAY have a limited lifetime. Service Providers SHOULD allow Users to revokeAccess Tokens. Only the Access Token SHALL be used to access the ProtectResources.

OAuth Authentication is done in three steps:

1. The Consumer obtains an unauthorized Request Token.2. The User authorizes the Request Token.3. The Consumer exchanges the Request Token for an Access Token.
http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617http://oauth.net/core/1.0/#RFC2617


9/30

6.1. Obtaining an Unauthorized Request Token

The Consumer obtains an unauthorized Request Token by asking the ServiceProvider to issue a Token. The Request T oken s sole purpose is to receive Userapproval and can only be used to obtain an Access Token. The Request Token

process goes as follows:

6.1.1. Consumer Obtains a Request Token


10/30

To obtain a Request Token, the Consumer sends an HTTP request to the ServiceProvider s Request Token URL. The Service Provider documentation specifies theHTTP method for this request, and HTTP POST is RECOMMENDED. The requestMUST be signed and contains the following parameters:

oauth_consumer_key:

The Consumer Key.oauth_signature_method:

The signature method the Consumer used to sign the request.oauth_signature:

The signature as defined in Signing Requests . oauth_timestamp:

As defined in Nonce and Timestamp . oauth_nonce:

As defined in Nonce and Timestamp . oauth_version:

OPTIONAL. If present, value MUST be 1.0 . Service Providers MUST assumethe protocol version to be 1.0 if this parameter is not present. Service

Providers response to non - 1.0 value is left undefined.Additional parameters:Any additional parameters, as defined by the Service Provider.

6.1.2. Service Provider Issues an Unauthorized Request Token

The Service Provider verifies the signature and Consumer Key. If successful, itgenerates a Request Token and Token Secret and returns them to the Consumerin the HTTP response body as defined in Service Provider ResponseParameters . The Service Provider MUST ensure the Request Token cannot beexchanged for an Access Token until the User successfully grants accessin Obtaining User Authorization .

The response contains the following parameters:

oauth_token:The Request Token.

oauth_token_secret:The Token Secret.

Additional parameters:

Any additional parameters, as defined by the Service Provider.

If the request fails verification or is rejected for other reasons, the ServiceProvider SHOULD respond with the appropriate response code as defined in HTTPResponse Codes . The Service Provider MAY include some further details aboutwhy the request was rejected in the HTTP response body as defined in ServiceProvider Response Parameters .
http://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#signing_process


11/30

6.2. Obtaining User Authorization

The Consumer cannot use the Request Token until i t has been authorized by the

User. Obtaining User authorization includes the following steps:

6.2.1. Consumer Directs the User to the Service Provider

In order for the Consumer to be able to exchange the Request Token for an AccessToken, the Consumer MUST obtain approval from the User by directing the User tothe Service Provider. The Consumer constructs an HTTP GET request to theService Provider s User Authorization URL with the following parameter:

oauth_token:OPTIONAL. The Request Token obtained in the previous step. The ServiceProvider MAY declare this parameter as REQUIRED, or accept requests to theUser Authorization URL without it, in which case it will prompt the User toenter it manually.

oauth_callback:OPTIONAL. The Consumer MAY specify a URL the Service Provider will use toredirect the User back to the Consumer when Obtaining UserAuthorization is complete.

Additional parameters:Any additional parameters, as defined by the Service Provider.

Once the request URL has been constructed the Consumer redirects the User tothe URL via the User s web browser. If the Consumer is incapable of automaticHTTP redirection, the Consumer SHALL notify the User how to manually go to theconstructed request URL.

Note: If a Service Provider knows a Consumer to be running on a mobile device orset-top box, the Service Provider SHOULD ensure that the User Authorization URLand Request Token are suitable for manual entry.

6.2.2. Service Provider Authenticates the User and Obtains Consent

The Service Provider verifies the User s identity and asks for consent as detailed.OAuth does not specify how the Service Provider authenticates the User. However,it does define a set of REQUIRED steps:
http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2http://oauth.net/core/1.0/#auth_step2


12/30


13/30

The Consumer exchanges the Request Token for an Access Token capable of accessing the Protected Resources. Obtaining an Access Token includes thefollowing steps:

6.3.1. Consumer Requests an Access Token

The Request Token and Token Secret MUST be exchanged for an Access Tokenand Token Secret.

To request an Access Token, the Consumer makes an HTTP request to the ServiceProvider s Access Token URL. The Service Provider documentation specifies theHTTP method for this request, and HTTP POST is RECOMMENDED. The requestMUST be signed per Signing Requests , and contains the following parameters:

oauth_consumer_key:The Consumer Key.

oauth_token:The Request Token obtained previously.

oauth_signature_method:The signature method the Consumer used to sign the request.

oauth_signature:The signature as defined in Signing Requests .

oauth_timestamp:As defined in Nonce and Timestamp .

oauth_nonce:As defined in Nonce and Timestamp .

oauth_version:OPTIONAL. If present, value MUST be 1.0 . Service Providers MUST assumethe protocol version to be 1.0 if this parameter is not present. ServiceProviders response to non - 1.0 value is left undefined.

No additional Service Provider specific parameters are allowed when requesting anAccess Token to ensure all Token related information is present prior to seekingUser approval.

6.3.2. Service Provider Grants an Access Token

The Service Provider MUST ensure that:

The request signature has been successfully verified. The Request Token has never been exchanged for an Access Token. The Request Token matches the Consumer Key.
http://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_process


14/30

If successful, the Service Provider generates an Access Token and Token Secretand returns them in the HTTP response body as defined in Service ProviderResponse Parameters . The Access Token and Token Secret are stored by theConsumer and used when signing Protected Resources requests. The responsecontains the following parameters:

oauth_token:The Access Token.

oauth_token_secret:The Token Secret.


If the request fails verification or is rejected for other reasons, the ServiceProvider SHOULD respond with the appropriate response code as defined in HTTPResponse Codes . The Service Provider MAY include some further details aboutwhy the request was rejected in the HTTP response body as defined in ServiceProvider Response Parameters .

7. Accessing Protected Resources

After successfully receiving the Access Token and Token Secret, the Consumer isable to access the Protected Resources on behalf of the User. The request MUSTbe signed pe rSigning Requests , and contains the following parameters:

oauth_consumer_key:The Consumer Key.

oauth_token:The Access Token.

oauth_signature_method:The signature method the Consumer used to sign the request.

oauth_signature:The signature as defined in Signing Requests .

oauth_timestamp:As defined in Nonce and Timestamp .

oauth_nonce:As defined in Nonce and Timestamp .

oauth_version:

OPTIONAL. If present, value MUST be 1.0 . Service Providers MUST assumethe protocol version to be 1.0 if this parameter is not present. ServiceProviders response to non - 1.0 value is left undefined.

http://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#noncehttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#signing_processhttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#http_codeshttp://oauth.net/core/1.0/#response_parametershttp://oauth.net/core/1.0/#response_parameters


15/30

8. Nonce and Timestamp

Unless otherwise specified by the Service Provider, the timestamp is expressed inthe number of seconds since January 1, 1970 00:00:00 GMT. The timestamp valueMUST be a positive integer and MUST be equal or greater than the timestampused in previous requests.

The Consumer SHALL then generate a Nonce value that is unique for all requestswith that timestamp. A nonce is a random string, uniquely generated for eachrequest. The nonce allows the Service Provider to verify that a request has neverbeen made before and helps prevent replay attacks when requests are made overa non-secure channel (such as HTTP).

9. Signing RequestsAll Token requests and Protected Resources requests MUST be signed by theConsumer and verified by the Service Provider. The purpose of signing requests isto prevent unauthorized parties from using the Consumer Key and Tokens whenmaking Token requests or Protected Resources requests. The signature processencodes the Consumer Secret and Token Secret into a verifiable value which isincluded with the request.

OAuth does not mandate a particular signature method, as each implementationcan have its own unique requirements. The protocol defines three signaturemethods: HMAC-SHA1, RSA-SHA1 , and PLAINTEXT , but Service Providers are

free to implement and document their own methods. Recommending anyparticular method is beyond the scope of this specification.

The Consumer declares a signature method inthe oauth_signature_method parameter, generates a signature, and storesit in the oauth_signature parameter. The Service Provider verifies thesignature as specified in each method. When verifying a Consumer signature, theService Provider SHOULD check the request nonce to ensure it has not been usedin a previous Consumer request.

The signature process MUST NOT change the request parameter names or values,with the exception of the oauth_signature parameter.

9.1. Signature Base String


16/30

The Signature Base String is a consistent reproducible concatenation of therequest elements into a single string. The string is used as an input in hashing orsigning algorithms. The HMAC-SHA1 signature method provides both a standardand an example of using the Signature Base String with a signing algorithm togenerate signatures. All the request parameters MUST be encoded as describedin Parameter Encoding prior to constructing the Signature Base String.

9.1.1. Normalize Request Parameters

The request parameters are collected, sorted and concatenated into a normalizedstring:

Parameters in the OAuth HTTP Authorization header excluding

the realm parameter. Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded ).

HTTP GET parameters added to the URLs in the query part (as definedby [RFC3986] section 3).

The oauth_signature parameter MUST be excluded.

The parameters are normalized into a single string as follows:

1. Parameters are sorted by name, using lexicographical byte value ordering. If twoor more parameters share the same name, they are sorted by their value. For

example:2. a=1, c=hi%20there, f=25, f=50,

f=a, z=p, z=t3. Parameters are concatenated in their sorted order into a single string. For each

paramete r, the name is separated from the corresponding value by an = character (ASCII code 61), even if the value is empty. Each name-value pair isseparated by an & character (ASCII code 38). For example:

4. a=1&c=hi%20there&f=25&f=50&f=a&z=p&z=t

9.1.2. Construct Request URL

The Signature Base String includes the request absolute URL, tying the signatureto a specific endpoint. The URL used in the Signature Base String MUST includethe scheme, authority, and path, and MUST exclude the query and fragment asdefined by [RFC3986] section 3.
http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#auth_header_authorizationhttp://oauth.net/core/1.0/#auth_header_authorizationhttp://oauth.net/core/1.0/#auth_header_authorizationhttp://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#RFC3986http://oauth.net/core/1.0/#auth_header_authorizationhttp://oauth.net/core/1.0/#encoding_parameters


17/30

If the absolute request URL is not available to the Service Provider (it is alwaysavailable to the Consumer), it can be constructed by combining the scheme beingused, the HTTP Host header, and the relative HTTP request URL. If the Host header is not available, the Service Provider SHOULD use the host namecommunicated to the Consumer in the documentation or other means.

The Service Provider SHOULD document the form of URL used in the SignatureBase String to avoid ambiguity due to URL normalization. Unless specified, URLscheme and authority MUST be lowercase and include the portnumber; http default port 80 and https default port 443 MUST be excluded.

For example, the request:

HTTP://Example.com:80/resource?id=123

Is included in the Signature Base String as:

http://example.com/resource

9.1.3. Concatenate Request Elements

The following items MUST be concatenated in order into a single string. Each itemis encoded and separated by an & character (ASCII code 38), even if empty.

1. The HTTP request method used to send the request. Value MUST be uppercase, forexample: HEAD, GET , POST , etc.

2. The request URL from Section 9.1.2 . 3. The normalized request parameters string from Section 9.1.1 .

See Signature Base String example in Appendix A.5.1 .

9.2. HMAC-SHA1

The HMAC-SHA1 signature method uses the HMAC-SHA1 signature algorithm asdefined in [RFC2104] where the Signature Base String is the text andthe key is the concatenated values (each first encoded per ParameterEncoding ) of the Consumer Secret and Token Secret, separated by an & character (ASCII code 38) even if empty.
http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#sig_urlhttp://oauth.net/core/1.0/#sig_urlhttp://oauth.net/core/1.0/#sig_urlhttp://oauth.net/core/1.0/#sig_norm_paramhttp://oauth.net/core/1.0/#sig_norm_paramhttp://oauth.net/core/1.0/#sig_norm_paramhttp://oauth.net/core/1.0/#sig_base_examplehttp://oauth.net/core/1.0/#sig_base_examplehttp://oauth.net/core/1.0/#sig_base_examplehttp://oauth.net/core/1.0/#RFC2104http://oauth.net/core/1.0/#RFC2104http://oauth.net/core/1.0/#RFC2104http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC2104http://oauth.net/core/1.0/#sig_base_examplehttp://oauth.net/core/1.0/#sig_norm_paramhttp://oauth.net/core/1.0/#sig_urlhttp://oauth.net/core/1.0/#encoding_parameters


18/30

9.2.1. Generating Signature

oauth_signature is set to the calculated digest octet string, first base64-

encoded per [RFC2045] section 6.8, then URL-encoded per ParameterEncoding .

9.2.2. Verifying Signature

The Service Provider verifies the request by generating a new request signatureoctet string, and comparing it to the signature provided by the Consumer, firstURL-decoded pe rParameter Encoding , then base64-decodedper [RFC2045] section 6.8. The signature is generated using the requestparameters as provided by the Consumer, and the Consumer Secret and TokenSecret as stored by the Service Provider.

9.3. RSA-SHA1

The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature

algorithm as defined in [RFC3447] section 8.2 (more simply known as PKCS#1),using SHA-1 as the hash function for EMSA-PKCS1-v1_5. It is assumed that theConsumer has provided its RSA public key in a verified way to the ServiceProvider, in a manner which is beyond the scope of this specification.


The Signature Base String is signed using the Consumer s RSA private keyper [RFC3447] section 8.2.1, where K is the Consumer s RSA private key, MtheSignature Base String, and S is the result signature octet string:

S = RSASSA-PKCS1-V1_5-SIGN (K, M)

oauth_signature is set to S , first base64-encoded per [RFC2045] section6.8, then URL-encoded per Parameter Encoding .
http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC3447http://oauth.net/core/1.0/#RFC2045http://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#encoding_parametershttp://oauth.net/core/1.0/#RFC2045


19/30


The Service Provider verifies the signature per [RFC3447] section 8.2.2,where (n, e) is the Consumer s RSA public key, Mis the Signature Base String,and S is the octet string representation of the oauth_signature value:

RSASSA-PKCS1-V1_5-VERIFY ((n, e), M, S)

9.4. PLAINTEXTThe PLAINTEXT method does not provide any security protection and SHOULDonly be used over a secure channel such as HTTPS. It does not use the SignatureBase String.


oauth_signature is set to the concatenated encoded values of the ConsumerSecret and Token Secret, separated by a & character (ASCII code 38), even i f either secret is empty. The result MUST be encoded again.

These examples show the value of oauth_signature for ConsumerSecret djr9rjt0jd78jf88 and 3 different Token Secrets:

jjd999tj88uiths3:oauth_signature = djr9rjt0jd78jf88%26jjd999tj88uiths3

jjd99$tj88uiths3:oauth_signature = djr9rjt0jd78jf88%26jjd99%2524tj88uiths

3 Empty:oauth_signature = djr9rjt0jd78jf88%26


20/30


The Service Provider verifies the request by breaking the signature value into theConsumer Secret and Token Secret, and ensures they match the secrets storedlocally.

10. HTTP Response Codes

This section applies only to the Request Token and Access Token requests. Ingeneral, the Service Provider SHOULD use the response codes definedin [RFC2616] Section 10. When the Service Provider rejects a Consumer request,it SHOULD respond with HTTP 400 Bad Request or HTTP 401 Unauthorized.

HTTP 400 Bad Requesto Unsupported parametero Unsupported signature methodo Missing required parametero Duplicated OAuth Protocol Parameter

HTTP 401 Unauthorizedo Invalid Consumer Keyo Invalid / expired Tokeno Invalid signatureo Invalid / used nonce

Appendix A. Appendix A - Protocol Example

In this example, the Service Provider photos.example.net is a photo sharingwebsite, and the Consumer printer.example.com is a photo printing website. Jane,the User, would like printer.example.com to print the privatephoto vacation.jpg stored at photos.example.net.

When Jane signs-into photos.example.net using her username and password, shecan access the photo by going to theURL http://photos.example.net/photo?file=vacation.jpg . OtherUsers cannot access that photo, and Jane does not want to share her usernameand password with printer.example.com.

The requests in this example use the URL query method when sendingparameters. This is done to simplify the example and should not be taken as anendorsement of one method over the others.


21/30

Appendix A.1. Documentation and Registration

The Service Provider documentation explains how to register for a Consumer Keyand Consumer Secret, and declares the following URLs:

Request Token URL:https://photos.example.net/request_token, using HTTP POST

User Authorization URL:http://photos.example.net/authorize, using HTTP GET

Access Token URL:https://photos.example.net/access_token, using HTTP POST

Photo (Protected Resource) URL:http://photos.example.net/photo with required parameter file and optionalparameter

size

The Service Provider declares support for the HMAC-SHA1 signature method forall requests, and PLAINTEXT only for secure (HTTPS) requests.

The Consumer printer.example.com already established a Consumer Key andConsumer Secret with photos.example.net and advertizes its printing services forphotos stored on photos.example.net. The Consumer registration is:

Consumer Key:dpf43f3p2l4k3l03

Consumer Secret:

kd94hf93k423kf44

Appendix A.2. Obtaining a Request Token

After Jane informs printer.example.com that she would like to print her vacationphoto stored at photos.example.net, the printer website tries to access the photoand receives HTTP 401 Unauthorized indicating it is private. The Service Providerincludes the following header with the response:

WWW-Authenticate: OAuthrealm="http://photos.example.net/"

The Consumer sends the following HTTP POST request to the Service Provider:

https://photos.example.net/request_token?oauth_consumer_key=dpf4


22/30

3f3p2l4k3l03&oauth_signature_method=PLAINTEXT&oauth_signature=kd94hf93k423kf44%26&oauth_timestamp=1191242090&oauth_nonce=hsu94j3884jdopsl&oauth_version=1.0

The Service Provider checks the signature and replies with an unauthorizedRequest Token in the body of the HTTP response:

oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03

Appendix A.3. Requesting User Authorization

The Consumer redirects Jane s browser to the Service Provider User AuthorizationURL to obtain Jane s approval for accessing her private photos.

http://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola&oauth_callback=http%3A%2F%2Fprinter.example.com%2Frequest_token_ready

The Service Provider asks Jane to sign-in using her username and password and, if successful, asks her if she approves granting printer.example.com access to herprivate photos. If Jane approves the request, the Service Provider redirects herback to the Consumer s callback URL:

http://printer.example.com/request_token_ready?oauth_token=hh5s93j4hdidpola

Appendix A.4. Obtaining an Access Token

Now that the Consumer knows Jane approved the Request Token, it asks theService Provider to exchange it for an Access Token:

https://photos.example.net/access_token?oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=hh5s93j4hdidpola&oauth_signature_method=PLAINTEXT&oauth_signature=kd94hf93k423kf44%26hdhd0244k9j7ao03&oauth_timestamp=1191242092&oauth_nonce=dji430splmx33448&oauth_version=1.0


23/30

The Service Provider checks the signature and replies with an Access Token in thebody of the HTTP response:

oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00

Appendix A.5. Accessing Protected Resources

The Consumer is now ready to request the private photo. Since the photo URL isnot secure (HTTP), it must use HMAC-SHA1.

Appendix A.5.1. Generating Signature Base String

To generate the signature, it first needs to generate the Signature Base String.The request contains the following parameters ( oauth_signature excluded)which are ordered and concatenated into a normalized string:

oauth_consumer_key:dpf43f3p2l4k3l03

oauth_token:

nnch734d00sl2jdk oauth_signature_method:HMAC-SHA1

oauth_timestamp:1191242096

oauth_nonce:kllo9940pd9333jh

oauth_version:1.0

file:vacation.jpg

size:

original

The following inputs are used to generate the Signature Base String:

1. GET 2. http://photos.example.net/photos 3. file=vacation.jpg&oauth_consumer_key=dpf43f3p2l4k3l03&oaut

h_nonce=kllo9940pd9333jh&oauth_signature_method=HMAC-


24/30

SHA1&oauth_timestamp=1191242096&oauth_token=nnch734d00sl2jdk&oauth_version=1.0&size=original

The Signature Base String is:

GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

Appendix A.5.2. Calculating Signature Value

HMAC-SHA1 produces the following digest value as a base64-encoded string(using the Signature Base Stringas text and kd94hf93k423kf44&pfkkdhi9sl3r4s00 as key ):

tR3+Ty81lMeYAr/Fid0kMTYa/WM=

Appendix A.5.3. Requesting Protected Resource

All together, the Consumer request for the photo is:

http://photos.example.net/photos?file=vacation.jpg&size=original

Authorization: OAuthrealm="http://photos.example.net/",

oauth_consumer_key="dpf43f3p2l4k3l03",oauth_token="nnch734d00sl2jdk",oauth_signature_method="HMAC-SHA1",

oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",oauth_timestamp="1191242096",oauth_nonce="kllo9940pd9333jh",oauth_version="1.0"

And if using query parameters:


25/30

http://photos.example.net/photos?file=vacation.jpg&size=original&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=nnch734d00sl2jdk&oauth_signature_method=HMAC-SHA1&oauth_signature=tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D&oauth_

timestamp=1191242096&oauth_nonce=kllo9940pd9333jh&oauth_version=1.0

photos.example.net checks the signature and responds with the requested photo.

Appendix B. Security Considerations

Appendix B.1. Credentials and Token Exchange

The OAuth specification does not describe any mechanism for protecting Tokensand secrets from eavesdroppers when they are transmitted from the ServiceProvider to the Consumer in Section 6.1.2 and Section 6.3.2 . Service Providersshould ensure that these transmissions are protected using transport-layermechanisms such as TLS or SSL.

Appendix B.2. PLAINTEXT Signature Method

When used with PLAINTEXT signatures, the OAuth protocol makes no attemptsto protect User credentials from eavesdroppers or man-in-the-middle attacks.The PLAINTEXT signature algorithm is only intended to be used in conjunctionwith a transport-layer security mechanism such as TLS or SSL which does providesuch protection. If transport-layer protection is unavailable,the PLAINTEXT signature method should not be used.

Appendix B.3. Confidentiality of Requests
http://oauth.net/core/1.0/#request_granthttp://oauth.net/core/1.0/#request_granthttp://oauth.net/core/1.0/#access_granthttp://oauth.net/core/1.0/#access_granthttp://oauth.net/core/1.0/#access_granthttp://oauth.net/core/1.0/#access_granthttp://oauth.net/core/1.0/#request_grant


26/30

While OAuth provides a mechanism for verifying the integrity of requests, itprovides no guarantee of request confidentiality. Unless further precautions aretaken, eavesdroppers will have full access to request content. Service Providersshould carefully consider the kinds of data likely to be sent as part of suchrequests, and should employ transport-layer security mechanisms to protectsensitive resources.

Appendix B.4. Spoofing by Counterfeit Servers

OAuth makes no attempt to verify the authenticity of the Service Provider. Ahostile party could take advantage of this by intercepting the Consumer s requestsand returning misleading or otherwise incorrect responses. Service providersshould consider such attacks when developing services based on OAuth, andshould require transport-layer security for any requests where the authenticity of the Service Provider or of request responses is an issue.

Appendix B.5. Proxying and Caching of Authenticated Content

The HTTP Authorization scheme is optional. However, [RFC2616] relies onthe Authorization and WWW-Authenticate headers to distinguishauthenticated content so that it can be protected. Proxies and caches, in

particular, may fail to adequately protect requests not using these headers.

For example, private authenticated content may be stored in (and thus retrievablefrom) publicly-accessible caches. Service Providers not using the HTTPAuthorization scheme should take care to use other mechanisms, such asthe Cache-Control header, to ensure that authenticated content is protected.

Appendix B.6. Plaintext Storage of Credentials

The Consumer Secret and Token Secret function the same way passwords do intraditional authentication systems. In order to compute the signatures used in thenon- PLAINTEXT methods, the Service Provider must have access to these secretsin plaintext form. This is in contrast, for example, to modern operating systems,which store only a one-way hash of user credentials.
http://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#RFC2616http://oauth.net/core/1.0/#RFC2616http://oauth.net/core/1.0/#RFC2616http://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#auth_headerhttp://oauth.net/core/1.0/#RFC2616http://oauth.net/core/1.0/#auth_header


27/30

If an attacker were to gain access to these secrets - or worse, to the ServiceProvider s database of a ll such secrets - he or she would be able to perform anyaction on behalf of any User. Accordingly, it is critical that Service Providersprotect these secrets from unauthorized access.

Appendix B.7. Secrecy of the Consumer Secret

In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely availabledesktop application, an attacker may be able to download a copy for analysis. Insuch cases, attackers will be able to recover the Consumer Secret used toauthenticate the Consumer to the Service Provider.

Accordingly, Service Providers should not use the Consumer Secret alone to verifythe identity of the Consumer. Where possible, other factors such as IP addressshould be used as well.

Appendix B.8. Phishing Attacks

Wide deployment of OAuth and similar protocols may cause Users to becomeinured to the practice of being redirected to websites where they are asked to

enter their passwords. If Users are not careful to verify the authenticity of thesewebsites before entering their credentials, it will be possible for attackers toexploit this practice to steal Users passwords.

Service Providers should attempt to educate Users about the risks phishing attackspose, and should provide mechanisms that make it easy for Users to confirm theauthenticity of their sites.

Appendix B.9. Scoping of Access Requests

By itself, OAuth does not provide any method for scoping the access rights grantedto a Consumer. A Consumer eith er has access to Protected Resources or it doesn t.Many applications will, however, require greater granularity of access rights. Forexample, Service Providers may wish to make it possible to grant access to someProtected Resources but not others, or to grant only limited access (such as read-only access) to those Protected Resources.


28/30

When implementing OAuth, Service Providers should consider the types of accessUsers may wish to grant Consumers, and should provide mechanisms to do so.Service Providers should also take care to ensure that Users understand theaccess they are granting, as well as any risks that may be involved.

Appendix B.10. Entropy of Secrets

Unless a transport-layer security protocol is used, eavesdroppers will have fullaccess to OAuth requests and signatures, and will thus be able to mount offlinebrute- force attacks to recover the Consumer s credentials used. Service Providersshould be careful to assign Token Secrets and Consumer Secrets which are longenough - and random enough - to resist such attacks for at least the length of time that the secrets are valid.

For example, if Token Secrets are valid for two weeks, Service Providers shouldensure that it is not possible to mount a brute force attack that recovers the TokenSecret in less than two weeks. Of course, Service Providers are urged to err on theside of caution, and use the longest secrets reasonable.

It is equally important that the pseudo-random number generator (PRNG) used togenerate these secrets be of sufficiently high quality. Many PRNG implementationsgenerate number sequences that may appear to be random, but whichnevertheless exhibit patterns or other weaknesses which make cryptanalysis orbrute force attacks easier. Implementors should be careful to use cryptographicallysecure PRNGs to avoid these problems.

Appendix B.11. Denial of Service / Resource Exhaustion Attacks

The OAuth protocol has a number of features which may make resourceexhaustion attacks against Service Providers possible. For example, if a ServiceProvider includes a nontrivial amount of entropy in Token Secrets asrecommended above, then an attacker may be able to exhaust the ServiceProvider s entropy pool very quickly by repeatedly obtaining Request Tokens fromthe Service Provider.

Similarly, OAuth requires Service Providers to track used nonces. If an attacker isable to use many nonces quickly, the resources required to track them mayexhaust available capacity. And again, OAuth can require Service Providers toperform potentially expensive computations in order to verify the signature onincoming requests. An attacker may exploit this to perform a denial of serviceattack by sending a large number of invalid requests to the Service Provider.


29/30

Resource Exhaustion attacks are by no means specific to OAuth. However, OAuthimplementors should be careful to consider the additional avenues of attack thatOAuth exposes, and design their implementations accordingly. For example,entropy starvation typically results in either a complete denial of service while thesystem waits for new entropy or else in weak (easily guessable) secrets. Whenimplementing OAuth, Service Providers should consider which of these presents a

more serious risk for their application and design accordingly.

Appendix B.12. Cryptographic Attacks

SHA-1, the hash algorithm used in HMAC-SHA1 signatures, hasbeen shown [SHA1] to have a number of cryptographic weaknesses thatsignificantly reduce its resistance to collision attacks. Practically speaking, theseweaknesses are difficult to exploit, and by themselves do not pose a significantrisk to users of OAuth. They may, however, make more efficient attacks possible,and NIST has announced [NIST] that it will phase out use of SHA-1 by 2010.Service Providers should take this into account when considering whether SHA-1provides an adequate level of security for their applications.

Appendix B.13. Signature Base String Compatibility

The Signature Base String has been designed to support the signature methodsdefined in this specification. When designing additional signature methods, theSignature Base String should be evaluated to ensure compatibility with thealgorithms used.

The Signature Base String cannot guarantee the order in which parameters aresent. If parameter ordering is important and affects the result of a request, theSignature Base String will not protect against request manipulation.

11. References

[NIST] National Institute of Standards and Technolog, NIST., NIST Brief Comments on Recent Cryptanalytic Attacks on Secure HashingFunctions and the Continued Security Provided by SHA-1 .

[RFC2045] Freed, N. and N. Borenstein, Multipurpose Internet Mail Extensions(MIME) Part One: Format of Internet Message Bodies , RFC 2045.
http://oauth.net/core/1.0/#SHA1http://oauth.net/core/1.0/#SHA1http://oauth.net/core/1.0/#SHA1http://oauth.net/core/1.0/#NISThttp://oauth.net/core/1.0/#NISThttp://oauth.net/core/1.0/#NISThttp://csrc.nist.gov/hash_standards_comments.pdfhttp://csrc.nist.gov/hash_standards_comments.pdfhttp://csrc.nist.gov/hash_standards_comments.pdfhttp://csrc.nist.gov/hash_standards_comments.pdfhttp://csrc.nist.gov/hash_standards_comments.pdfhttp://tools.ietf.org/html/rfc2045http://tools.ietf.org/html/rfc2045http://tools.ietf.org/html/rfc2045http://tools.ietf.org/html/rfc2045http://tools.ietf.org/html/rfc2045http://tools.ietf.org/html/rfc2045http://csrc.nist.gov/hash_standards_comments.pdfhttp://csrc.nist.gov/hash_standards_comments.pdfhttp://csrc.nist.gov/hash_standards_comments.pdfhttp://oauth.net/core/1.0/#NISThttp://oauth.net/core/1.0/#SHA1


30/30

[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing forMessage Authentication , RFC 2104.

[RFC2119] Bradner, B., Key words for use in RFCs to Indicate RequirementLevels , RFC 2119.

[RFC2606] Eastlake, D. and A. Panitz, Reserved Top Level DNS Names , RFC 2606.

[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T.Berners- Lee, Hypertext Transfer Protocol HTTP/1.1 , RFC 2616.[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen,

A., and L. Stewart, HTTP Authentication: Basic and Digest AccessAuthentication , RFC 2617.

[RFC3447] Jonsson, J. and B. Kaliski, Public-Key Cryptography Standards (PKCS)#1: RSA Cryptography; Specifications Version 2.1 , RFC 3447.

[RFC3629] Yergeau, F., UTF-8, a transformation format of Unicode and ISO10646 , RFC 3629.

[RFC3986] Berners- Lee, T., Uniform Resource Identifiers (URI): Generic Syntax , RFC 3986.

[SHA1] De Canniere, C. and C. Rechberger, Finding SHA-1 Characteristics:General Results and Applications .

Authors Address

OAuth Core WorkgroupEmail: [email protected]
http://tools.ietf.org/html/rfc2104http://tools.ietf.org/html/rfc2104http://tools.ietf.org/html/rfc2104http://tools.ietf.org/html/rfc2104http://tools.ietf.org/html/rfc2119http://tools.ietf.org/html/rfc2119http://tools.ietf.org/html/rfc2119http://tools.ietf.org/html/rfc2119http://tools.ietf.org/html/rfc2606http://tools.ietf.org/html/rfc2606http://tools.ietf.org/html/rfc2606http://tools.ietf.org/html/rfc2616http://tools.ietf.org/html/rfc2616http://tools.ietf.org/html/rfc2616http://tools.ietf.org/html/rfc2616http://tools.ietf.org/html/rfc2616http://tools.ietf.org/html/rfc2617http://tools.ietf.org/html/rfc2617http://tools.ietf.org/html/rfc2617http://tools.ietf.org/html/rfc2617http://tools.ietf.org/html/rfc3447http://tools.ietf.org/html/rfc3447http://tools.ietf.org/html/rfc3447http://tools.ietf.org/html/rfc3629http://tools.ietf.org/html/rfc3629http://tools.ietf.org/html/rfc3629http://tools.ietf.org/html/rfc3629http://tools.ietf.org/html/rfc3986http://tools.ietf.org/html/rfc3986http://dx.doi.org/10.1007/11935230_1http://dx.doi.org/10.1007/11935230_1http://dx.doi.org/10.1007/11935230_1mailto:[email protected]:[email protected]:[email protected]:[email protected]://dx.doi.org/10.1007/11935230_1http://dx.doi.org/10.1007/11935230_1http://tools.ietf.org/html/rfc3986http://tools.ietf.org/html/rfc3629http://tools.ietf.org/html/rfc3629http://tools.ietf.org/html/rfc3447http://tools.ietf.org/html/rfc3447http://tools.ietf.org/html/rfc2617http://tools.ietf.org/html/rfc2617http://tools.ietf.org/html/rfc2616http://tools.ietf.org/html/rfc2606http://tools.ietf.org/html/rfc2119http://tools.ietf.org/html/rfc2119http://tools.ietf.org/html/rfc2104http://tools.ietf.org/html/rfc2104

Date post:	04-Apr-2018
Category:	Documents
Upload:	hung-nguyen
View:	229 times
Download:	0 times

OAuth Core 1

Documents