Understanding OAuth : Complete Tutorial

OAuth uses specific terminology for the developer's application and for the entity that provisions authorization. In this case, both roles are played by Drupal with the OAuth module installed. The application or site that requires access to user data is known as the Consumer, whereas the Drupal website where the data is stored is known as the Service Provider.
Step 1
Cool Auth
This feature is only available in version 6.x-dev (branch 1.0) of the OAuth module and is not yet included in branch 2.0.
The Cool Auth system was first introduced with branch 1.0 of the OAuth module for Drupal. It provides a security layer over Drupal and the OAuth system in Drupal. It lets users/developers register their applications under their user accounts on Drupal-based websites and produces an application_key + application_key_secret pair for each registered application.
Specifications of COOL-AUTH system
- Provides a system for users/developers to register their websites/applications on your website in order to use its OAuth system, producing an application_key + application_key_secret pair for each registration.
- Uses a combination of application_key and application_sig (explained below) to authenticate the application that is requesting OAuth access to the website on behalf of some user's account.
- Lets administrators use these cool-auth registered applications to keep track of the data flowing out of their websites via OAuth.
How this system works with OAuth
The COOL-AUTH system on top of the OAuth module provides a powerful API for sharing a site's resources across the web on behalf of a user's account.
In the first step of the OAuth flow (the request token call), two additional parameters must be passed so that the registered application can be authenticated by the cool-auth system. The first additional parameter is "application_key", the cool-auth registered application key. The second is "application_sig", which is the md5 hash of your application_secret (the cool-auth application secret) concatenated with the "nonce" (the randomly generated string passed in every OAuth request).
Parameters to include in first call (request token call - when using cool auth):
- application_key: The cool-auth application key, passed as a parameter to authenticate the registered application.
- application_sig: A signature computed as the md5 hash of the application_secret (cool-auth app. secret) concatenated with the oauth_nonce, as in the following PHP:
// application_sig is derived from the cool-auth application secret and the per-request nonce
$application_sig = md5($application_secret . $oauth_nonce);
Please use the modified OAuth library shipped with the OAuth module to use this feature; these two parameters are supported only through that library.
Note: The rest of this tutorial follows branch 2.0 of the OAuth module, i.e. without cool-auth.
Step 2 : Get a Request Token
Request URL
http://serviceprovider.com/webservice/token_request
Supported Methods
GET , POST
https://serviceprovider.com/webservice/token_request?
oauth_nonce=ce2130523f788f313f76314ed3965ea6&
oauth_timestamp=1202956957&
oauth_consumer_key=123456891011121314151617181920&
oauth_signature_method=plaintext&
oauth_signature=abcdef&
oauth_version=1.0
(Extra parameters, e.g. an issue time for a time-bound token, language support etc., may be included but are not supported at this time.)
The key request parameters and their descriptions are shown below:
- oauth_consumer_key: Consumer Key provided to you when you signed up.
- oauth_nonce: A random string (OAuth Core 1.0 Spec, Section 8)
- oauth_signature_method: The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1.
- oauth_signature: The Consumer Secret that was issued to the application.
- oauth_timestamp: Current timestamp of the request. This value must be close to the current time.
- oauth_version: OAuth version (1.0).
The Drupal website responds to a correct request with:
oauth_token=ndfjkvni834hini8934hf98&oauth_token_secret=vndjknio38943348v3oinkernv
Step 3 : Get User Authorization (token_auth)
Authorization URL
http://serviceprovider.com/webservice/token_auth
Supported Methods:
GET, POST
After obtaining a request token from the service provider, the user is redirected to the service provider. The Service Provider then presents the user with a page asking them to give your application permission to access their data. The authorization page only asks for permission to a limited amount of user data, based on the access scopes configured by the site admins.
Example URL :
http://sb2.tut2tech.info/webservice/token_auth
?oauth_token=cPZTBtYcSPa24nfpUeiTfjWNNVNxLqEf&
oauth_callback=http://client/application.com/oauth-section
- oauth_token: The Request Token that the Service Provider returned in response to the request_token call. The Request Token is required during the user authorization process.
- oauth_callback: The Service Provider redirects the user to this URL after they authorize access to their private data.
Step 4 : Exchange a request token with an access token
URL
http://serviceprovider.com/webservice/token_access
Example of a URI request for an Access Token :
http://serviceprovider.com/webservice/token_access
?oauth_version=1.0&
oauth_nonce=f6c9bb311de06f968658c0531e337f55&
oauth_timestamp=1229417277&
oauth_consumer_key=key&
oauth_token=requestkey&
oauth_signature_method=HMAC-SHA1&
oauth_signature=ivwrVYhKNpFMxgwJuc2h%2FAmfQdE%3D&
oauth_callback=http://application.com
Parameters:
- oauth_consumer_key: Consumer Key provided to you when you signed up.
- oauth_signature_method: The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1.
- oauth_nonce: A random string (OAuth Core 1.0 Spec, Section 8)
- oauth_signature: The Consumer Secret that was issued to the application.
- oauth_timestamp: Current timestamp of the request. This value must be within a few seconds of the current time.
- oauth_version: OAuth version (1.0).
- oauth_token: The Request Token, which is required during the user authorization process and is short enough for the end user to enter easily. The Request Token is provided in the response to the get_request_token request.
A successful request will return :
oauth_token=accesskey&oauth_token_secret=accesssecret
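The signing and checking behind the token_access call above, as an added example that is not code from the OAuth module: a consumer builds the Step 4 parameters and signs them with HMAC-SHA1 (OAuth Core 1.0, Section 9), and a service-provider-side verifier recomputes the signature with the consumer and request-token secrets, rejects timestamps outside a window, and refuses a replayed nonce. Python is used because the consumer can be any application; the secrets, tokens and 300-second window are constructed values.

```python
import base64, hashlib, hmac, secrets, time, urllib.parse

def pct(value):
    # OAuth Core 1.0 percent-encoding: only unreserved characters stay literal
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # Section 9.1: METHOD & encoded URL & encoded sorted k=v pairs, signature excluded
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer_secret&token_secret; token_secret is empty for the request-token call
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_token_access(url, consumer_key, consumer_secret, request_token, request_secret,
                      callback, now=None):
    # Consumer side of Step 4: every parameter the tutorial lists, then the signature
    params = {"oauth_version": "1.0", "oauth_nonce": secrets.token_hex(16),
              "oauth_timestamp": str(int(time.time() if now is None else now)),
              "oauth_consumer_key": consumer_key, "oauth_token": request_token,
              "oauth_signature_method": "HMAC-SHA1", "oauth_callback": callback}
    params["oauth_signature"] = hmac_sha1("GET", url, params, consumer_secret, request_secret)
    return params

class Provider:
    # Service-provider side: known secrets (constructed), timestamp window, nonce replay cache
    def __init__(self, consumers, tokens, window=300):
        self.consumers, self.tokens, self.window, self.seen = consumers, tokens, window, set()
    def verify(self, method, url, params, now=None):
        now = time.time() if now is None else now
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        token_secret = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_secret is None:
            return "unknown consumer or token"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return "unsupported signature method"
        if abs(now - int(params.get("oauth_timestamp", "0"))) > self.window:
            return "timestamp outside window"
        replay_key = (params["oauth_consumer_key"], params.get("oauth_nonce"), params["oauth_timestamp"])
        if replay_key in self.seen:
            return "nonce replayed"
        expected = hmac_sha1(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return "bad signature"
        self.seen.add(replay_key)   # accepted once; an identical second request is a replay
        return "ok"
```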
Once you have an Access Token, you can use it in requests to Web services or the Services API. For more information, refer to their documentation.