OAuth 1.0a Authorization Header | Reference Material (2024)

OAuth 1.0a uses the Authorization header to authenticate the client to the OAuth provider itself. OAuth 2.0 does not use this header for authentication with the OAuth provider; instead, it sends those parameters in the query string or the request payload.

Both OAuth versions use the Authorization header when sending API requests to the Resource Server.

The OAuth 1.0a specification (http://tools.ietf.org/html/rfc5849#section-3.5.1) has this to say about the Authorization header:

Protocol parameters can be transmitted using the HTTP "Authorization" header field as defined by [RFC2617] with the auth-scheme name set to "OAuth" (case insensitive). For example:

Authorization: OAuth realm="Example", oauth_consumer_key="0685bd9184jfhq22", oauth_token="ad180jjd733klru7", oauth_signature_method="HMAC-SHA1", oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", oauth_timestamp="137131200", oauth_nonce="4572616e48616d6d65724c61686176", oauth_version="1.0"

The sections below show differences between how the Authorization header is used at different stages of the OAuth 1.0a message exchange process.

Step 1: Requesting and Receiving a Request Token

Description:

Identifies the client (oauth_consumer_key) and the signature method used; uniquely identifies the message with a timestamp and nonce; specifies the URL the user will be redirected back to after authentication (oauth_callback); and includes a signature.

Example:

oauth_consumer_key="dpf43f3p2l4k3l03",oauth_signature_method="HMAC-SHA1",oauth_timestamp="137131200",oauth_nonce="wIjqoS",oauth_callback="http%3A%2F%2Fpaastime.example.com%2Fready",oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

Step 2: Getting the User's Authorization

The client doesn't send the Authorization Header in Step 2, which relates to the user authentication at the Resource Owner Authorization endpoint.

Step 3: Exchanging Request Token and OAuth Verifier for Access Token

Description:

Includes oauth_token, the temporary credentials, and oauth_verifier, indicating that the user has been verified.

Example:

oauth_consumer_key="dpf43f3p2l4k3l03",oauth_token="hh5s93j4hdidpola",oauth_signature_method="HMAC-SHA1",oauth_timestamp="137131201",oauth_nonce="walatlh",oauth_verifier="hfdp7dh39dks9884",oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D"

Step 4: Processing the Transaction

Description:

Includes oauth_token, the value of which is now the token credentials.

Example:

oauth_consumer_key="dpf43f3p2l4k3l03",oauth_token="nnch734d00sl2jdk",oauth_signature_method="HMAC-SHA1",oauth_timestamp="137131202",oauth_nonce="chapoH",oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D"

Where a standard OAuth operation is supported by both POST and GET, the parameters can be sent as query parameters (GET), in the payload (POST), or in the Authorization header (either method).

Parameter definitions

Below are the parameters that might be part of the OAuth 1.0a Authorization header, and their definitions.

realm
The domain name for the OAuth provider. For more information, see http://tools.ietf.org/html/rfc2617#section-1.2.
oauth_callback
An absolute URI back to which the server will redirect the resource owner when the Resource Owner Authorization is completed. If the client is unable to receive callbacks or a callback URI has been established via other means, the parameter value MUST be set to "oob" (case sensitive), to indicate an out-of-band configuration.
oauth_consumer_key
The client identifier.
oauth_nonce
The random nonce value. The nonce value must be unique across all requests with the same timestamp, client credentials, and token combinations.
oauth_signature_method
The signature method. For valid values, see OAuth Signature Method (1.0a) values.
oauth_signature

The signature, computed over the signature base string: a consistent, reproducible concatenation of several of the HTTP request elements into a single string. The string is used as the input to the signature method. The signature base string includes the following components of the HTTP request:

  • The HTTP request method (GET or POST).
  • The authority, as declared by the HTTP host field in the request header.
  • The path and query components of the request resource URI.
  • The protocol parameters, excluding the oauth_signature.

The signature base string does not cover the entire HTTP request. Most importantly, it does not include the entity-body in most requests, nor does it include most HTTP entity-headers. The server therefore cannot verify the authenticity of the excluded request components without additional protections such as SSL/TLS or other methods.

oauth_timestamp
The timestamp value. Must be a positive integer. The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT.
oauth_token
The temporary credentials identifier, if applicable. Returned in the response to Step 1; used in request and response for Step 2, and sent in the request message for Step 3.
oauth_token_secret
Secret value for the temporary credentials identifier, if applicable. If in use, sent whenever oauth_token is sent (see above).
oauth_verifier
A parameter verifying that the user has been authenticated and has granted the requested permission. Example: hfdp7dh39dks9884. Sent in the response to Step 2.
oauth_version
An optional parameter which, if present, must be set to 1.0.
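The base-string construction and the HMAC-SHA1 signing key described above, together with the server-side checks the nonce and timestamp definitions imply, as an added Python example (not code from this reference page or from RFC 5849). The request and oauth_* values are the ones RFC 5849 section 3.4.1.1 uses; the consumer and token secrets, the function names and the Verifier class are assumptions made here, since the RFC does not publish the secrets.

```python
"""OAuth 1.0a (RFC 5849) HMAC-SHA1 signing and server-side verification (added example)."""
import base64, hashlib, hmac, time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(s):
    """RFC 5849 section 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unescaped."""
    return quote(s, safe="")

def base_string_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, default port dropped, no query/fragment."""
    u = urlsplit(url)
    host = u.hostname or ""
    if u.port and u.port != {"http": 80, "https": 443}.get(u.scheme):
        host = f"{host}:{u.port}"
    return f"{u.scheme}://{host}{u.path or '/'}"

def signature_base_string(method, url, oauth_params, body=None):
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters). Parameters come
    from the query string, a form-encoded body (pass None for any other content type) and
    the oauth_* parameters; realm and oauth_signature are excluded."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if body is not None:
        pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    # encode first, then sort by name and value (section 3.4.1.3.2), then join
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Section 3.4.2: key = enc(consumer secret) & enc(token secret); token secret is empty in Step 1."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def build_authorization_header(method, url, oauth_params, consumer_secret, token_secret="",
                               body=None, realm=None):
    """Client side: sign the request and render the header in the section 3.5.1 form."""
    params = dict(oauth_params)
    base = signature_base_string(method, url, params, body)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    items = [f'realm="{realm}"'] if realm else []
    return "OAuth " + ", ".join(items + [f'{k}="{pct(v)}"' for k, v in params.items()])

def parse_authorization_header(header):
    """Server side: split 'OAuth k="v", k2="v2"' back into decoded name/value pairs."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "oauth":
        raise ValueError("not an OAuth authorization header")
    params = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        params[unquote(k)] = unquote(v.strip().strip('"'))
    return params

class Verifier:
    """Recomputes the signature, bounds the timestamp and rejects replayed nonces.
    consumers: consumer key -> secret; tokens: token -> token secret. The nonce set is
    in memory here; a real server persists it and prunes entries older than the window."""

    def __init__(self, consumers, tokens, now=time.time, window=300):
        self.consumers, self.tokens, self.now, self.window = consumers, tokens, now, window
        self.seen = set()  # (consumer_key, token, timestamp, nonce) of accepted requests

    def verify(self, method, url, header, body=None):
        p = parse_authorization_header(header)
        try:
            key, ts, nonce = p["oauth_consumer_key"], int(p["oauth_timestamp"]), p["oauth_nonce"]
        except (KeyError, ValueError):
            return False, "missing or malformed protocol parameter"
        if p.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"
        if key not in self.consumers:
            return False, "unknown consumer key"
        if abs(self.now() - ts) > self.window:
            return False, "timestamp outside acceptance window"
        token = p.get("oauth_token", "")  # unknown token -> empty secret -> signature mismatch
        expected = hmac_sha1_signature(signature_base_string(method, url, p, body),
                                       self.consumers[key], self.tokens.get(token, ""))
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            return False, "signature mismatch"
        replay = (key, token, ts, nonce)  # record only correctly signed requests
        if replay in self.seen:
            return False, "nonce already used"
        self.seen.add(replay)
        return True, "ok"

# Request from RFC 5849 section 3.4.1.1. The secrets are constructed placeholders (the RFC
# does not publish them), so the resulting signature differs from the RFC's illustrative one.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_PARAMS = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
              "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET, TOKEN_SECRET = "consumer-secret-PLACEHOLDER", "token-secret-PLACEHOLDER"

if __name__ == "__main__":
    hdr = build_authorization_header("POST", RFC_URL, RFC_PARAMS, CONSUMER_SECRET, TOKEN_SECRET,
                                     RFC_BODY, realm="Example")
    v = Verifier({"9djdj82h48djs9d2": CONSUMER_SECRET}, {"kkk9d7dh3k39sjv7": TOKEN_SECRET},
                 now=lambda: 137131201 + 5)
    print(hdr)
    print(v.verify("POST", RFC_URL, hdr, RFC_BODY), v.verify("POST", RFC_URL, hdr, RFC_BODY))
```

The base string this produces for the RFC request matches the one printed in section 3.4.1.1 of the RFC, which is the quickest way to check a signing implementation against a known-good vector before testing it against a live provider. On the verifying side the signature is checked before the nonce is recorded, so an unauthenticated sender cannot fill the replay set with nonces that a legitimate client later needs; the timestamp window bounds how long that set has to be kept.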

FAQs

What is OAuth 1.0 authentication?

OAuth 1 can be used for authorization of various applications or manual user access. The general way it works is providing an application with an access token (which represents a user's permission for the client to access their data) for request authentication.

Is OAuth1 obsolete?

Effective July 1, 2021, OAuth 1.0a will no longer be certified.

What is OAuth 1.0 in Postman?

OAuth 1.0 is also called three-legged. It allows easy communication between two services and the user. To demonstrate the example we will need two services and a user. You are the user. The first service is the Postman application.

How to generate an OAuth1 signature?

The signature key for HMAC-SHA1 is created by taking the client/consumer secret and the token secret, URL-encoding each, then concatenating them with & into a string. This process is always the same, even if you don't have a token yet.

Is OAuth authentication or authorization?

OAuth is about authorization and not authentication. Authorization is asking for permission to do stuff. Authentication is about proving you are the correct person because you know things.

What is the basic authentication authorization header?

In basic HTTP authentication, a request contains a header field in the form of Authorization: Basic <credentials>, where <credentials> is the Base64 encoding of ID and password joined by a single colon (:).

What is the difference between OAuth 1 and OAuth2?

OAuth 1.0 has a consumer, service provider, and user, and it doesn't explicitly separate the roles of the resource server and authorization server. On the other hand, OAuth 2.0 has a client, authorization server, resource server, and resource owner. That's why these versions don't have backward compatibility.

What are the benefits of OAuth2 over OAuth1?

Main Benefits Gained from Using OAuth 2

Enhanced Security: OAuth 2.0 eliminates the need for shared secrets between the client and resource server, a potential vulnerability in OAuth 1.0. It relies on access tokens with limited lifespans and refresh tokens for extended access, improving overall security.

What is the authorization header in Postman?

Request authorization in Postman

Auth data can be included in the header, body, or as parameters of a request. If you enter your auth details in the Authorization tab of a request, Postman will automatically populate the relevant parts of the request for your chosen auth type.

What is the difference between OAuth and standard authentication?

Unlike Basic Auth, where you have to share your password with people who need to access your user account, OAuth doesn't share password data. Instead, OAuth uses authorization tokens to verify an identity between consumers and service providers.

What is the difference between OAuth 1.0 and OAuth 2.0 on Twitter?

Compared to OAuth 1.0a user context authentication, OAuth 2.0 Bearer Token does not involve any Twitter user(s). This authentication is typically used for read-only access to publicly available information (for example, accessing public Tweets).

What is a nonce in OAuth?

A random or pseudo-random number that is generated for a specific use, typically for cryptographic communication. The nonce is used to protect against replay attacks by ensuring that a message or data cannot be reused or retransmitted.

What is an access token secret?

Secret Access Tokens:

You must create a new secret token with secret scopes. If you choose to add any secret scopes to a new token, you will have only one chance to view the token. You should copy the token and save it in a secure location. Secret token API requests should never be exposed to the client.

How to generate an OAuth signature using HMAC-SHA1 in Postman?

In the Authorization tab for a request, select OAuth 1.0 from the Type dropdown list. Select a Signature Method from the dropdown list. This will determine which parameters to include with your request. Postman supports HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, and PLAINTEXT.

What is OAuth and how does it work?

OAuth never shares password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

Why is it a bad idea to use OAuth 2.0 for authentication?

Perhaps the most infamous OAuth-based vulnerability is when the configuration of the OAuth service itself enables attackers to steal authorization codes or access tokens associated with other users' accounts. By stealing a valid code or token, the attacker may be able to access the victim's data.

What is an example of OAuth 2.0 authentication?

OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives. This OAuth 2.0 flow is called the implicit grant flow.

Article information

Author: Arielle Torp
