
Understanding and implementing OAuth1.0A

OAuth stands for Open standard for Authorization. In layman's terms, it is a protocol that lets one website interact with another website on behalf of a user. Consider Twitter: a user has an account there, and some other website wants to access that account and post on the user's behalf. Without OAuth, the website that wants to access Twitter would need the user's password and would then use that password to access the user's Twitter account. There are two major problems with this approach:

Security: when the website passes the password in the URL, the user's credentials are vulnerable to theft.
Giving away your details to another website: the user shares their Twitter credentials with another website. This could also be a violation of Twitter's terms of service.

The OAuth protocol deals with this situation: the user authorizes the website to interact with Twitter on their behalf without giving their credentials to the third-party website. The user authenticates with Twitter itself and controls the permissions granted to the website, which means the user can revoke the website's access to their Twitter account at any time.

Before we discuss this in depth, we should be aware of the following terms:

Service Provider: a web service that allows access via OAuth, for example Twitter, Facebook or Gmail. In this post we focus on Twitter, since it uses OAuth 1.0; Gmail and many other websites use the newer OAuth 2.0 protocol.

User: the person who has an account with the Service Provider. So we, as the user, have a Twitter account that we want to access.

Consumer: the website that uses OAuth to access the Service Provider (Twitter in our case) on behalf of the User.

OAuth authentication is done in the following steps:

Step 1: The Consumer asks the Service Provider for access to its services, and the Service Provider hands the Consumer an unauthorized request token. Think of it as the third-party website signalling to Twitter that it wants to access the user's Twitter account; Twitter returns a request token to start the process.

Before we (the third-party website) begin this process, we need two things from the Service Provider: a Consumer Key and a Consumer Secret.

Consumer Key: a value used by the Consumer to identify itself to the Service Provider.
Consumer Secret: a secret used by the Consumer to establish ownership of the Consumer Key.

Usually the third-party website needs to register an application with the Service Provider to obtain the consumer key and secret. For Twitter, you can create a new application at the following link:

https://apps.twitter.com

Once the application is created, generate your consumer key and secret (DO NOT SHARE THEM WITH ANYONE).

Before we proceed, we need to follow the general guidelines outlined in the OAuth 1.0 protocol:

- OAuth protocol parameter names and values are case sensitive and must not be duplicated.
- Parameter names and values are percent-encoded and then concatenated with '&'.
- The HTTP Authorization and WWW-Authenticate headers are used to pass OAuth parameters.
- For each parameter, the name is immediately followed by '='.
- Parameters are separated by ',' and should be in sorted order.
- All token requests and protected-resource requests must be signed by the Consumer and verified by the Service Provider.
- The oauth_signature parameter itself is excluded from the parameters being signed.
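The signing rules above, worked through in code. This is an added example written for this post, not the pyoauth library's own code: it builds the RFC 5849 signature base string, signs it with HMAC-SHA1 (the token secret is empty in step 1 and becomes the access-token secret in step 4), emits the Authorization header, and shows the Service Provider side recomputing and comparing the signature. The consumer key, secrets, nonce and timestamp are constructed values.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(value):
    # RFC 5849 section 3.6: only unreserved characters (A-Z a-z 0-9 - . _ ~) stay bare
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # METHOD & enc(base URL) & enc(normalized parameters); oauth_signature is never included
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = [(k, v) for k, v in params if k != "oauth_signature"]
    pairs += parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # sort by name, then by value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # Signing key is enc(consumer secret) & enc(token secret); token secret is empty in step 1
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 form=None, nonce=None, timestamp=None):
    # Consumer side: assemble the oauth_* parameters, sign, and emit the Authorization header
    oauth = [("oauth_consumer_key", consumer_key),
             ("oauth_nonce", nonce or secrets.token_hex(16)),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", str(timestamp or int(time.time()))),
             ("oauth_version", "1.0")]
    if token:
        oauth.append(("oauth_token", token))
    base = signature_base_string(method, url, oauth + list((form or {}).items()))
    oauth.append(("oauth_signature", hmac_sha1_signature(base, consumer_secret, token_secret)))
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth))
    return base, header

def verify_header(method, url, header, consumer_secret, token_secret="", form=None):
    # Service-provider side: parse the header, recompute the signature, compare in constant time
    items = [p.strip().split("=", 1) for p in header[len("OAuth "):].split(",")]
    oauth = [(unquote(k), unquote(v.strip('"'))) for k, v in items]
    presented = dict(oauth).get("oauth_signature", "")
    base = signature_base_string(method, url, oauth + list((form or {}).items()))
    return hmac.compare_digest(presented, hmac_sha1_signature(base, consumer_secret, token_secret))
```

A real Service Provider additionally rejects stale timestamps and reused nonces, since a valid signature alone does not stop a captured request from being replayed.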

Step 2: The Consumer (third-party application) redirects the User to the Service Provider to authorize the request token obtained in step 1. After authorization, the Service Provider redirects the User back to the Consumer.

Step 3: The Consumer requests an access token from the Service Provider using the request token authorized in the previous step. The Service Provider gives the Consumer an access token, which can then be used to access resources from the Service Provider.

Step 4: Access the Service Provider using the access token received in step 3.
You can read the full details of the OAuth protocol on the official website. I have implemented this protocol in Python and the source code is available on my GitHub page.

Usage:
from pyoauth import OAuth1 as Oauth

# Get your consumer key and consumer secret from Twitter by creating a new app
CONSUMER_KEY = "your consumer key"
CONSUMER_SECRET = "your consumer secret key"

oauthInst = Oauth(consumerKey=CONSUMER_KEY, consumerSecret=CONSUMER_SECRET)

# Request Token (Step 1)
oauthInst.requestToken(url="https://api.twitter.com/oauth/request_token")

# Authorize User (Step 2)
oauthInst.authorizeUser(url="https://api.twitter.com/oauth/authorize")

# Request Access Token (Step 3)
oauthInst.accessToken(url="https://api.twitter.com/oauth/access_token")

# Access Resources (Step 4)
oauthInst.accessResource(url="https://api.twitter.com/1.1/account/settings.json")