This flow is significantly different from OAuth 1.0 and only works for consumers that can receive callback URLs. This flow is very similar to that used for AuthSub, BBAuth, OpenID and SAML.
Differences from the OAuth 1.0 protocol are marked in red.
0. OAuth request token step is skipped.
1. Consumer signs approval URL using normal OAuth signature with parameters:
oauth_consumer_key
oauth_signature
oauth_signature_method
oauth_timestamp
oauth_nonce
oauth_version
oauth_callback: the callback URL the service provider will redirect the user to
[Signed URLs will expire in a few minutes, so most consumers will implement this as follows:
a) the user clicks a "start oauth dance" link, which opens a popup window;
b) the popup window signs a URL and redirects to the service provider.]
2. Consumer redirects user to approval URL.
3. Service provider receives approval URL and verifies signature on approval URL.
These approval URLs will expire quickly, which is likely to break the browser's "back" button. To avoid that, service providers will probably redirect immediately from the approval URL to a different page.
4. Service provider displays approval page to user, requests user confirmation.
5. After the user confirms, the service provider generates a callback token and associates the callback token with the OAuth consumer key. The service provider then redirects the user to the oauth_callback URL with the callback token.
6. OAuth consumer receives the callback URL and the callback token.
7. OAuth consumer sends an access token request to the service provider. The request includes:
oauth_consumer_key
oauth_signature
oauth_signature_method
oauth_timestamp
oauth_nonce
oauth_version
oauth_token: the callback token
8. The service provider checks the signature and verifies that the callback token was
a) issued to the appropriate consumer
b) approved by the user
The service provider then returns an access token and token secret to the consumer.
9. Consumer uses the token and token secret as usual.
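The signing in step 1 and the verification in step 3 (signature, freshness and nonce replay), as an added Python example that is not part of the original page. It uses HMAC-SHA1 as the "normal OAuth signature"; the consumer registry, the secrets and the five-minute expiry window are assumptions.

```python
import hmac, hashlib, base64, time, secrets
from urllib.parse import quote, urlencode, urlsplit, parse_qsl

def _pct(s):
    # OAuth percent-encoding: everything except unreserved characters
    return quote(str(s), safe="~")

def signature_base_string(method, url, params):
    # OAuth 1.0 base string: METHOD & pct(url without query) & pct(sorted params)
    base_url = urlsplit(url)._replace(query="", fragment="").geturl()
    pairs = sorted((str(k), str(v)) for k, v in params.items() if k != "oauth_signature")
    norm = "&".join(f"{_pct(k)}={_pct(v)}" for k, v in pairs)
    return "&".join([method.upper(), _pct(base_url), _pct(norm)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # Key is consumer_secret&token_secret; no token exists yet in step 1, so it is empty
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_approval_url(approval_url, consumer_key, consumer_secret, callback, now=None, nonce=None):
    # Step 1: consumer builds the signed approval URL carrying oauth_callback
    params = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(now if now is not None else time.time())),
              "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0",
              "oauth_callback": callback}
    base = signature_base_string("GET", approval_url, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret)
    return f"{approval_url}?{urlencode(params, quote_via=quote, safe='~')}"

class ServiceProvider:
    def __init__(self, consumers, max_age=300):
        self.consumers = consumers      # constructed registry: consumer_key -> consumer_secret
        self.max_age = max_age          # assumed expiry window ("a few minutes")
        self.seen_nonces = set()        # (consumer_key, nonce, timestamp) already accepted

    def verify_approval_url(self, signed_url, now=None):
        # Step 3: check freshness, nonce and signature before showing the approval page
        params = dict(parse_qsl(urlsplit(signed_url).query, keep_blank_values=True))
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            return False, "unknown consumer"
        ts = int(params.get("oauth_timestamp", "0"))
        if abs((now if now is not None else time.time()) - ts) > self.max_age:
            return False, "expired"
        nonce_key = (params["oauth_consumer_key"], params.get("oauth_nonce", ""), ts)
        if nonce_key in self.seen_nonces:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(signature_base_string("GET", signed_url, params), secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen_nonces.add(nonce_key)
        return True, params.get("oauth_callback", "")
```

Because the signature covers oauth_callback, a tampered callback fails verification and the user is never redirected to a URL the consumer did not sign.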