This wiki is no longer active and is left here for historical purposes. Please visit oauth.net for up-to-date information.

Signed Approval URLs


This flow is significantly different from OAuth 1.0 and only works for consumers that can receive callback URLs.  This flow is very similar to that used for AuthSub, BBAuth, OpenID and SAML.
 
Differences from the OAuth 1.0 protocol are marked in red.
 
0. OAuth request token step is skipped.
 
1. Consumer signs approval URL using normal OAuth signature with parameters:
    oauth_consumer_key
    oauth_signature
    oauth_signature_method
    oauth_timestamp
    oauth_nonce
    oauth_version
    oauth_callback: callback URL for service provider
 
    [Signed URLs will expire in a few minutes, so most consumers will implement as follows:
    a) user clicks on "start oauth dance" link, which opens a popup window.
    b) popup window goes to http://consumer/start_oauth_dance.
    c) that signs a URL and redirects to service provider.]
 
2. Consumer redirects user to approval URL.
 
3. Service provider receives approval URL and verifies signature on approval URL.
    
    These approval URLs will expire quickly, which is likely to break the "back" button on browsers.  To avoid that, service providers will probably redirect from the approval URL to a different page immediately.
    
4.  Service provider displays approval page to user, requests user confirmation.
 
5.  After the user confirms, the service provider generates a callback token and associates the callback token with the OAuth consumer key.  The service provider then redirects the user to the oauth_callback URL with the callback token.
 
6.  OAuth consumer receives the callback URL and the callback token.
 
7.  OAuth consumer sends an access token request to the SP.  The request includes
    oauth_consumer_key
    oauth_signature
    oauth_signature_method
    oauth_timestamp
    oauth_nonce
    oauth_version
    oauth_token: the callback token
 
8.  The service checks the signature and verifies that the callback token was
    a) issued to the appropriate consumer
    b) approved by the user
 
    The service provider then returns an access token and token secret to the consumer.
 

9.  Consumer uses token and token secret per-usual.
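The steps above, carried through as one added Python example of both sides of the flow (this is illustration code written for this page, not code from the wiki or from any OAuth library). It assumes HMAC-SHA1 as the signature method, an expiry window of 5 minutes for "a few minutes", that the callback token is handed to the consumer as an oauth_token query parameter on the oauth_callback URL, that the callback token carries no secret (so the access token request is signed with "consumer_secret&"), and constructed endpoint names and credentials; all of these are assumptions, not part of the original proposal. The service provider side enforces the step 3 and step 8 checks: signature over the whole approval URL (so oauth_callback cannot be altered), timestamp expiry, nonce replay, callback token issued to this consumer and approved by the user, single use.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Constructed sample credentials and endpoints (not real services).
CONSUMER_KEY, CONSUMER_SECRET = "example-consumer", "consumer-secret-constructed"
APPROVAL_URL = "https://sp.example/oauth/approve"
ACCESS_TOKEN_URL = "https://sp.example/oauth/access_token"
CALLBACK_URL = "https://consumer.example/oauth/callback"
APPROVAL_TTL = 300  # assumption: "a few minutes" taken as 5 minutes

def pct(s):
    return urllib.parse.quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # OAuth 1.0 HMAC-SHA1: base string = METHOD & url & sorted percent-encoded params (signature excluded)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    base = "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def oauth_params(consumer_key, now, **extra):
    # Step 1 parameter set; `now` is the consumer's clock (unix seconds)
    return {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(int(now)), "oauth_nonce": secrets.token_hex(8),
            "oauth_version": "1.0", **extra}

def build_signed_approval_url(consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET, now=0):
    # Steps 1-2: consumer signs the approval URL (oauth_callback included) and redirects the user to it
    params = oauth_params(consumer_key, now, oauth_callback=CALLBACK_URL)
    params["oauth_signature"] = sign("GET", APPROVAL_URL, params, consumer_secret)
    return APPROVAL_URL + "?" + urllib.parse.urlencode(params)

def build_access_token_request(callback_token, consumer_key=CONSUMER_KEY, consumer_secret=CONSUMER_SECRET, now=0):
    # Step 7: signed access token request carrying the callback token as oauth_token.
    # Assumption: the callback token has no secret, so the signing key is "consumer_secret&".
    params = oauth_params(consumer_key, now, oauth_token=callback_token)
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, consumer_secret)
    return params

def token_from_callback(redirect_url):
    # Step 6: the consumer reads the callback token out of the callback URL it received (assumed parameter name)
    return urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)["oauth_token"][0]

class ServiceProvider:
    def __init__(self, consumer_secrets, ttl=APPROVAL_TTL):
        self.consumer_secrets, self.ttl = consumer_secrets, ttl
        self.seen_nonces = set()     # (consumer_key, nonce, timestamp) already accepted
        self.pending = {}            # approval page id -> {consumer_key, callback}
        self.callback_tokens = {}    # approved callback token -> consumer key it was issued to

    def _verify(self, method, url, params, now):
        secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        ts = params.get("oauth_timestamp", "")
        if not ts.isdigit() or abs(int(now) - int(ts)) > self.ttl:   # signed URLs expire after a few minutes
            return False
        nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
        if nonce_key in self.seen_nonces:                             # replay of an already-used signed URL
            return False
        expected = sign(method, url, params, secret).encode()
        if not hmac.compare_digest(expected, params.get("oauth_signature", "").encode()):
            return False
        self.seen_nonces.add(nonce_key)
        return True

    def receive_approval_url(self, full_url, now):
        # Step 3: verify the signature over the approval URL; return an approval page id, or None to reject
        parts = urllib.parse.urlsplit(full_url)
        params = {k: v[0] for k, v in urllib.parse.parse_qs(parts.query, keep_blank_values=True).items()}
        url = urllib.parse.urlunsplit(parts[:3] + ("", ""))
        if "oauth_callback" not in params or not self._verify("GET", url, params, now):
            return None
        page_id = secrets.token_urlsafe(8)
        self.pending[page_id] = {"consumer_key": params["oauth_consumer_key"], "callback": params["oauth_callback"]}
        return page_id

    def user_confirms(self, page_id, approved):
        # Step 5: only after the user confirms is a callback token minted, bound to the consumer key
        pending = self.pending.pop(page_id)
        if not approved:
            return None
        token = secrets.token_urlsafe(16)
        self.callback_tokens[token] = pending["consumer_key"]
        return pending["callback"] + "?" + urllib.parse.urlencode({"oauth_token": token})

    def access_token_request(self, params, now):
        # Step 8: check the signature, then that the callback token was (a) issued to this consumer
        # and (b) approved by the user; the callback token is consumed on success
        if not self._verify("POST", ACCESS_TOKEN_URL, params, now):
            return None
        token = params.get("oauth_token")
        if self.callback_tokens.get(token) != params["oauth_consumer_key"]:
            return None
        del self.callback_tokens[token]
        return secrets.token_urlsafe(16), secrets.token_urlsafe(24)   # access token, token secret
```

The point of the design is visible in what the service provider rejects: an approval URL whose oauth_callback was edited fails the signature check because the callback is covered by the signature, a URL older than the window or presented twice is refused, and a callback token presented by a consumer other than the one it was bound to (or presented a second time) yields no access token. Nothing in the flow lets the service provider know the consumer's redirect target is legitimate beyond the consumer having signed it, so a provider would still want to validate callback hosts against what was registered with the consumer key; the wiki leaves that unaddressed.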