mirror of
https://github.com/OpenXE-org/OpenXE.git
synced 2025-01-01 01:20:29 +01:00
2132 lines
79 KiB
Plaintext
2132 lines
79 KiB
Plaintext
|
||
|
||
|
||
|
||
|
||
|
||
Internet Engineering Task Force (IETF) E. Hammer-Lahav, Ed.
|
||
Request for Comments: 5849 April 2010
|
||
Category: Informational
|
||
ISSN: 2070-1721
|
||
|
||
|
||
The OAuth 1.0 Protocol
|
||
|
||
Abstract
|
||
|
||
OAuth provides a method for clients to access server resources on
|
||
behalf of a resource owner (such as a different client or an end-
|
||
user). It also provides a process for end-users to authorize third-
|
||
party access to their server resources without sharing their
|
||
credentials (typically, a username and password pair), using user-
|
||
agent redirections.
|
||
|
||
Status of This Memo
|
||
|
||
This document is not an Internet Standards Track specification; it is
|
||
published for informational purposes.
|
||
|
||
This document is a product of the Internet Engineering Task Force
|
||
(IETF). It represents the consensus of the IETF community. It has
|
||
received public review and has been approved for publication by the
|
||
Internet Engineering Steering Group (IESG). Not all documents
|
||
approved by the IESG are a candidate for any level of Internet
|
||
Standard; see Section 2 of RFC 5741.
|
||
|
||
Information about the current status of this document, any errata,
|
||
and how to provide feedback on it may be obtained at
|
||
http://www.rfc-editor.org/info/rfc5849.
|
||
|
||
Copyright Notice
|
||
|
||
Copyright (c) 2010 IETF Trust and the persons identified as the
|
||
document authors. All rights reserved.
|
||
|
||
This document is subject to BCP 78 and the IETF Trust's Legal
|
||
Provisions Relating to IETF Documents
|
||
(http://trustee.ietf.org/license-info) in effect on the date of
|
||
publication of this document. Please review these documents
|
||
carefully, as they describe your rights and restrictions with respect
|
||
to this document. Code Components extracted from this document must
|
||
include Simplified BSD License text as described in Section 4.e of
|
||
the Trust Legal Provisions and are provided without warranty as
|
||
described in the Simplified BSD License.
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 1]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
Table of Contents
|
||
|
||
1. Introduction ....................................................3
|
||
1.1. Terminology ................................................4
|
||
1.2. Example ....................................................5
|
||
1.3. Notational Conventions .....................................7
|
||
2. Redirection-Based Authorization .................................8
|
||
2.1. Temporary Credentials ......................................9
|
||
2.2. Resource Owner Authorization ..............................10
|
||
2.3. Token Credentials .........................................12
|
||
3. Authenticated Requests .........................................14
|
||
3.1. Making Requests ...........................................14
|
||
3.2. Verifying Requests ........................................16
|
||
3.3. Nonce and Timestamp .......................................17
|
||
3.4. Signature .................................................18
|
||
3.4.1. Signature Base String ..............................18
|
||
3.4.2. HMAC-SHA1 ..........................................25
|
||
3.4.3. RSA-SHA1 ...........................................25
|
||
3.4.4. PLAINTEXT ..........................................26
|
||
3.5. Parameter Transmission ....................................26
|
||
3.5.1. Authorization Header ...............................27
|
||
3.5.2. Form-Encoded Body ..................................28
|
||
3.5.3. Request URI Query ..................................28
|
||
3.6. Percent Encoding ..........................................29
|
||
4. Security Considerations ........................................29
|
||
4.1. RSA-SHA1 Signature Method .................................29
|
||
4.2. Confidentiality of Requests ...............................30
|
||
4.3. Spoofing by Counterfeit Servers ...........................30
|
||
4.4. Proxying and Caching of Authenticated Content .............30
|
||
4.5. Plaintext Storage of Credentials ..........................30
|
||
4.6. Secrecy of the Client Credentials .........................31
|
||
4.7. Phishing Attacks ..........................................31
|
||
4.8. Scoping of Access Requests ................................31
|
||
4.9. Entropy of Secrets ........................................32
|
||
4.10. Denial-of-Service / Resource-Exhaustion Attacks ..........32
|
||
4.11. SHA-1 Cryptographic Attacks ..............................33
|
||
4.12. Signature Base String Limitations ........................33
|
||
4.13. Cross-Site Request Forgery (CSRF) ........................33
|
||
4.14. User Interface Redress ...................................34
|
||
4.15. Automatic Processing of Repeat Authorizations ............34
|
||
5. Acknowledgments ................................................35
|
||
Appendix A. Differences from the Community Edition ...............36
|
||
6. References .....................................................37
|
||
6.1. Normative References ......................................37
|
||
6.2. Informative References ....................................38
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 2]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
1. Introduction
|
||
|
||
The OAuth protocol was originally created by a small community of web
|
||
developers from a variety of websites and other Internet services who
|
||
wanted to solve the common problem of enabling delegated access to
|
||
protected resources. The resulting OAuth protocol was stabilized at
|
||
version 1.0 in October 2007, and revised in June 2009 (Revision A) as
|
||
published at <http://oauth.net/core/1.0a>.
|
||
|
||
This specification provides an informational documentation of OAuth
|
||
Core 1.0 Revision A, addresses several errata reported since that
|
||
time, and makes numerous editorial clarifications. While this
|
||
specification is not an item of the IETF's OAuth Working Group, which
|
||
at the time of writing is working on an OAuth version that can be
|
||
appropriate for publication on the standards track, it has been
|
||
transferred to the IETF for change control by authors of the original
|
||
work.
|
||
|
||
In the traditional client-server authentication model, the client
|
||
uses its credentials to access its resources hosted by the server.
|
||
With the increasing use of distributed web services and cloud
|
||
computing, third-party applications require access to these server-
|
||
hosted resources.
|
||
|
||
OAuth introduces a third role to the traditional client-server
|
||
authentication model: the resource owner. In the OAuth model, the
|
||
client (which is not the resource owner, but is acting on its behalf)
|
||
requests access to resources controlled by the resource owner, but
|
||
hosted by the server. In addition, OAuth allows the server to verify
|
||
not only the resource owner authorization, but also the identity of
|
||
the client making the request.
|
||
|
||
OAuth provides a method for clients to access server resources on
|
||
behalf of a resource owner (such as a different client or an end-
|
||
user). It also provides a process for end-users to authorize third-
|
||
party access to their server resources without sharing their
|
||
credentials (typically, a username and password pair), using user-
|
||
agent redirections.
|
||
|
||
For example, a web user (resource owner) can grant a printing service
|
||
(client) access to her private photos stored at a photo sharing
|
||
service (server), without sharing her username and password with the
|
||
printing service. Instead, she authenticates directly with the photo
|
||
sharing service which issues the printing service delegation-specific
|
||
credentials.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 3]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
In order for the client to access resources, it first has to obtain
|
||
permission from the resource owner. This permission is expressed in
|
||
the form of a token and matching shared-secret. The purpose of the
|
||
token is to make it unnecessary for the resource owner to share its
|
||
credentials with the client. Unlike the resource owner credentials,
|
||
tokens can be issued with a restricted scope and limited lifetime,
|
||
and revoked independently.
|
||
|
||
This specification consists of two parts. The first part defines a
|
||
redirection-based user-agent process for end-users to authorize
|
||
client access to their resources, by authenticating directly with the
|
||
server and provisioning tokens to the client for use with the
|
||
authentication method. The second part defines a method for making
|
||
authenticated HTTP [RFC2616] requests using two sets of credentials,
|
||
one identifying the client making the request, and a second
|
||
identifying the resource owner on whose behalf the request is being
|
||
made.
|
||
|
||
The use of OAuth with any transport protocol other than [RFC2616] is
|
||
undefined.
|
||
|
||
1.1. Terminology
|
||
|
||
client
|
||
An HTTP client (per [RFC2616]) capable of making OAuth-
|
||
authenticated requests (Section 3).
|
||
|
||
server
|
||
An HTTP server (per [RFC2616]) capable of accepting OAuth-
|
||
authenticated requests (Section 3).
|
||
|
||
protected resource
|
||
An access-restricted resource that can be obtained from the
|
||
server using an OAuth-authenticated request (Section 3).
|
||
|
||
resource owner
|
||
An entity capable of accessing and controlling protected
|
||
resources by using credentials to authenticate with the server.
|
||
|
||
credentials
|
||
Credentials are a pair of a unique identifier and a matching
|
||
shared secret. OAuth defines three classes of credentials:
|
||
client, temporary, and token, used to identify and authenticate
|
||
the client making the request, the authorization request, and
|
||
the access grant, respectively.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 4]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
token
|
||
A unique identifier issued by the server and used by the client
|
||
to associate authenticated requests with the resource owner
|
||
whose authorization is requested or has been obtained by the
|
||
client. Tokens have a matching shared-secret that is used by
|
||
the client to establish its ownership of the token, and its
|
||
authority to represent the resource owner.
|
||
|
||
The original community specification used a somewhat different
|
||
terminology that maps to this specifications as follows (original
|
||
community terms provided on left):
|
||
|
||
Consumer: client
|
||
|
||
Service Provider: server
|
||
|
||
User: resource owner
|
||
|
||
Consumer Key and Secret: client credentials
|
||
|
||
Request Token and Secret: temporary credentials
|
||
|
||
Access Token and Secret: token credentials
|
||
|
||
1.2. Example
|
||
|
||
Jane (resource owner) has recently uploaded some private vacation
|
||
photos (protected resources) to her photo sharing site
|
||
'photos.example.net' (server). She would like to use the
|
||
'printer.example.com' website (client) to print one of these photos.
|
||
Typically, Jane signs into 'photos.example.net' using her username
|
||
and password.
|
||
|
||
However, Jane does not wish to share her username and password with
|
||
the 'printer.example.com' website, which needs to access the photo in
|
||
order to print it. In order to provide its users with better
|
||
service, 'printer.example.com' has signed up for a set of
|
||
'photos.example.net' client credentials ahead of time:
|
||
|
||
Client Identifier
|
||
dpf43f3p2l4k3l03
|
||
|
||
Client Shared-Secret:
|
||
kd94hf93k423kf44
|
||
|
||
The 'printer.example.com' website has also configured its application
|
||
to use the protocol endpoints listed in the 'photos.example.net' API
|
||
documentation, which use the "HMAC-SHA1" signature method:
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 5]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
Temporary Credential Request
|
||
https://photos.example.net/initiate
|
||
|
||
Resource Owner Authorization URI:
|
||
https://photos.example.net/authorize
|
||
|
||
Token Request URI:
|
||
https://photos.example.net/token
|
||
|
||
Before 'printer.example.com' can ask Jane to grant it access to the
|
||
photos, it must first establish a set of temporary credentials with
|
||
'photos.example.net' to identify the delegation request. To do so,
|
||
the client sends the following HTTPS [RFC2818] request to the server:
|
||
|
||
POST /initiate HTTP/1.1
|
||
Host: photos.example.net
|
||
Authorization: OAuth realm="Photos",
|
||
oauth_consumer_key="dpf43f3p2l4k3l03",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131200",
|
||
oauth_nonce="wIjqoS",
|
||
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
|
||
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
|
||
|
||
The server validates the request and replies with a set of temporary
|
||
credentials in the body of the HTTP response (line breaks are for
|
||
display purposes only):
|
||
|
||
HTTP/1.1 200 OK
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03&
|
||
oauth_callback_confirmed=true
|
||
|
||
The client redirects Jane's user-agent to the server's Resource Owner
|
||
Authorization endpoint to obtain Jane's approval for accessing her
|
||
private photos:
|
||
|
||
https://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola
|
||
|
||
The server requests Jane to sign in using her username and password
|
||
and if successful, asks her to approve granting 'printer.example.com'
|
||
access to her private photos. Jane approves the request and her
|
||
user-agent is redirected to the callback URI provided by the client
|
||
in the previous request (line breaks are for display purposes only):
|
||
|
||
http://printer.example.com/ready?
|
||
oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 6]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
The callback request informs the client that Jane completed the
|
||
authorization process. The client then requests a set of token
|
||
credentials using its temporary credentials (over a secure Transport
|
||
Layer Security (TLS) channel):
|
||
|
||
POST /token HTTP/1.1
|
||
Host: photos.example.net
|
||
Authorization: OAuth realm="Photos",
|
||
oauth_consumer_key="dpf43f3p2l4k3l03",
|
||
oauth_token="hh5s93j4hdidpola",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131201",
|
||
oauth_nonce="walatlh",
|
||
oauth_verifier="hfdp7dh39dks9884",
|
||
oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D"
|
||
|
||
The server validates the request and replies with a set of token
|
||
credentials in the body of the HTTP response:
|
||
|
||
HTTP/1.1 200 OK
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00
|
||
|
||
With a set of token credentials, the client is now ready to request
|
||
the private photo:
|
||
|
||
GET /photos?file=vacation.jpg&size=original HTTP/1.1
|
||
Host: photos.example.net
|
||
Authorization: OAuth realm="Photos",
|
||
oauth_consumer_key="dpf43f3p2l4k3l03",
|
||
oauth_token="nnch734d00sl2jdk",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131202",
|
||
oauth_nonce="chapoH",
|
||
oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D"
|
||
|
||
The 'photos.example.net' server validates the request and responds
|
||
with the requested photo. 'printer.example.com' is able to continue
|
||
accessing Jane's private photos using the same set of token
|
||
credentials for the duration of Jane's authorization, or until Jane
|
||
revokes access.
|
||
|
||
1.3. Notational Conventions
|
||
|
||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
|
||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
|
||
document are to be interpreted as described in [RFC2119].
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 7]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
2. Redirection-Based Authorization
|
||
|
||
OAuth uses tokens to represent the authorization granted to the
|
||
client by the resource owner. Typically, token credentials are
|
||
issued by the server at the resource owner's request, after
|
||
authenticating the resource owner's identity (usually using a
|
||
username and password).
|
||
|
||
There are many ways in which a server can facilitate the provisioning
|
||
of token credentials. This section defines one such way, using HTTP
|
||
redirections and the resource owner's user-agent. This redirection-
|
||
based authorization method includes three steps:
|
||
|
||
1. The client obtains a set of temporary credentials from the server
|
||
(in the form of an identifier and shared-secret). The temporary
|
||
credentials are used to identify the access request throughout
|
||
the authorization process.
|
||
|
||
2. The resource owner authorizes the server to grant the client's
|
||
access request (identified by the temporary credentials).
|
||
|
||
3. The client uses the temporary credentials to request a set of
|
||
token credentials from the server, which will enable it to access
|
||
the resource owner's protected resources.
|
||
|
||
The server MUST revoke the temporary credentials after being used
|
||
once to obtain the token credentials. It is RECOMMENDED that the
|
||
temporary credentials have a limited lifetime. Servers SHOULD enable
|
||
resource owners to revoke token credentials after they have been
|
||
issued to clients.
|
||
|
||
In order for the client to perform these steps, the server needs to
|
||
advertise the URIs of the following three endpoints:
|
||
|
||
Temporary Credential Request
|
||
The endpoint used by the client to obtain a set of temporary
|
||
credentials as described in Section 2.1.
|
||
|
||
Resource Owner Authorization
|
||
The endpoint to which the resource owner is redirected to grant
|
||
authorization as described in Section 2.2.
|
||
|
||
Token Request
|
||
The endpoint used by the client to request a set of token
|
||
credentials using the set of temporary credentials as described
|
||
in Section 2.3.
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 8]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
The three URIs advertised by the server MAY include a query component
|
||
as defined by [RFC3986], Section 3, but if present, the query MUST
|
||
NOT contain any parameters beginning with the "oauth_" prefix, to
|
||
avoid conflicts with the protocol parameters added to the URIs when
|
||
used.
|
||
|
||
The methods in which the server advertises and documents its three
|
||
endpoints are beyond the scope of this specification. Clients should
|
||
avoid making assumptions about the size of tokens and other server-
|
||
generated values, which are left undefined by this specification. In
|
||
addition, protocol parameters MAY include values that require
|
||
encoding when transmitted. Clients and servers should not make
|
||
assumptions about the possible range of their values.
|
||
|
||
2.1. Temporary Credentials
|
||
|
||
The client obtains a set of temporary credentials from the server by
|
||
making an authenticated (Section 3) HTTP "POST" request to the
|
||
Temporary Credential Request endpoint (unless the server advertises
|
||
another HTTP request method for the client to use). The client
|
||
constructs a request URI by adding the following REQUIRED parameter
|
||
to the request (in addition to the other protocol parameters, using
|
||
the same parameter transmission method):
|
||
|
||
oauth_callback: An absolute URI back to which the server will
|
||
redirect the resource owner when the Resource Owner
|
||
Authorization step (Section 2.2) is completed. If
|
||
the client is unable to receive callbacks or a
|
||
callback URI has been established via other means,
|
||
the parameter value MUST be set to "oob" (case
|
||
sensitive), to indicate an out-of-band
|
||
configuration.
|
||
|
||
Servers MAY specify additional parameters.
|
||
|
||
When making the request, the client authenticates using only the
|
||
client credentials. The client MAY omit the empty "oauth_token"
|
||
protocol parameter from the request and MUST use the empty string as
|
||
the token secret value.
|
||
|
||
Since the request results in the transmission of plain text
|
||
credentials in the HTTP response, the server MUST require the use of
|
||
a transport-layer mechanisms such as TLS or Secure Socket Layer (SSL)
|
||
(or a secure channel with equivalent protections).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 9]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
For example, the client makes the following HTTPS request:
|
||
|
||
POST /request_temp_credentials HTTP/1.1
|
||
Host: server.example.com
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="jd83jd92dhsh93js",
|
||
oauth_signature_method="PLAINTEXT",
|
||
oauth_callback="http%3A%2F%2Fclient.example.net%2Fcb%3Fx%3D1",
|
||
oauth_signature="ja893SD9%26"
|
||
|
||
The server MUST verify (Section 3.2) the request and if valid,
|
||
respond back to the client with a set of temporary credentials (in
|
||
the form of an identifier and shared-secret). The temporary
|
||
credentials are included in the HTTP response body using the
|
||
"application/x-www-form-urlencoded" content type as defined by
|
||
[W3C.REC-html40-19980424] with a 200 status code (OK).
|
||
|
||
The response contains the following REQUIRED parameters:
|
||
|
||
oauth_token
|
||
The temporary credentials identifier.
|
||
|
||
oauth_token_secret
|
||
The temporary credentials shared-secret.
|
||
|
||
oauth_callback_confirmed
|
||
MUST be present and set to "true". The parameter is used to
|
||
differentiate from previous versions of the protocol.
|
||
|
||
Note that even though the parameter names include the term 'token',
|
||
these credentials are not token credentials, but are used in the next
|
||
two steps in a similar manner to token credentials.
|
||
|
||
For example (line breaks are for display purposes only):
|
||
|
||
HTTP/1.1 200 OK
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
oauth_token=hdk48Djdsa&oauth_token_secret=xyz4992k83j47x0b&
|
||
oauth_callback_confirmed=true
|
||
|
||
2.2. Resource Owner Authorization
|
||
|
||
Before the client requests a set of token credentials from the
|
||
server, it MUST send the user to the server to authorize the request.
|
||
The client constructs a request URI by adding the following REQUIRED
|
||
query parameter to the Resource Owner Authorization endpoint URI:
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 10]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
oauth_token
|
||
The temporary credentials identifier obtained in Section 2.1 in
|
||
the "oauth_token" parameter. Servers MAY declare this
|
||
parameter as OPTIONAL, in which case they MUST provide a way
|
||
for the resource owner to indicate the identifier through other
|
||
means.
|
||
|
||
Servers MAY specify additional parameters.
|
||
|
||
The client directs the resource owner to the constructed URI using an
|
||
HTTP redirection response, or by other means available to it via the
|
||
resource owner's user-agent. The request MUST use the HTTP "GET"
|
||
method.
|
||
|
||
For example, the client redirects the resource owner's user-agent to
|
||
make the following HTTPS request:
|
||
|
||
GET /authorize_access?oauth_token=hdk48Djdsa HTTP/1.1
|
||
Host: server.example.com
|
||
|
||
The way in which the server handles the authorization request,
|
||
including whether it uses a secure channel such as TLS/SSL is beyond
|
||
the scope of this specification. However, the server MUST first
|
||
verify the identity of the resource owner.
|
||
|
||
When asking the resource owner to authorize the requested access, the
|
||
server SHOULD present to the resource owner information about the
|
||
client requesting access based on the association of the temporary
|
||
credentials with the client identity. When displaying any such
|
||
information, the server SHOULD indicate if the information has been
|
||
verified.
|
||
|
||
After receiving an authorization decision from the resource owner,
|
||
the server redirects the resource owner to the callback URI if one
|
||
was provided in the "oauth_callback" parameter or by other means.
|
||
|
||
To make sure that the resource owner granting access is the same
|
||
resource owner returning back to the client to complete the process,
|
||
the server MUST generate a verification code: an unguessable value
|
||
passed to the client via the resource owner and REQUIRED to complete
|
||
the process. The server constructs the request URI by adding the
|
||
following REQUIRED parameters to the callback URI query component:
|
||
|
||
oauth_token
|
||
The temporary credentials identifier received from the client.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 11]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
oauth_verifier
|
||
The verification code.
|
||
|
||
If the callback URI already includes a query component, the server
|
||
MUST append the OAuth parameters to the end of the existing query.
|
||
|
||
For example, the server redirects the resource owner's user-agent to
|
||
make the following HTTP request:
|
||
|
||
GET /cb?x=1&oauth_token=hdk48Djdsa&oauth_verifier=473f82d3 HTTP/1.1
|
||
Host: client.example.net
|
||
|
||
If the client did not provide a callback URI, the server SHOULD
|
||
display the value of the verification code, and instruct the resource
|
||
owner to manually inform the client that authorization is completed.
|
||
If the server knows a client to be running on a limited device, it
|
||
SHOULD ensure that the verifier value is suitable for manual entry.
|
||
|
||
2.3. Token Credentials
|
||
|
||
The client obtains a set of token credentials from the server by
|
||
making an authenticated (Section 3) HTTP "POST" request to the Token
|
||
Request endpoint (unless the server advertises another HTTP request
|
||
method for the client to use). The client constructs a request URI
|
||
by adding the following REQUIRED parameter to the request (in
|
||
addition to the other protocol parameters, using the same parameter
|
||
transmission method):
|
||
|
||
oauth_verifier
|
||
The verification code received from the server in the previous
|
||
step.
|
||
|
||
When making the request, the client authenticates using the client
|
||
credentials as well as the temporary credentials. The temporary
|
||
credentials are used as a substitute for token credentials in the
|
||
authenticated request and transmitted using the "oauth_token"
|
||
parameter.
|
||
|
||
Since the request results in the transmission of plain text
|
||
credentials in the HTTP response, the server MUST require the use of
|
||
a transport-layer mechanism such as TLS or SSL (or a secure channel
|
||
with equivalent protections).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 12]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
For example, the client makes the following HTTPS request:
|
||
|
||
POST /request_token HTTP/1.1
|
||
Host: server.example.com
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="jd83jd92dhsh93js",
|
||
oauth_token="hdk48Djdsa",
|
||
oauth_signature_method="PLAINTEXT",
|
||
oauth_verifier="473f82d3",
|
||
oauth_signature="ja893SD9%26xyz4992k83j47x0b"
|
||
|
||
The server MUST verify (Section 3.2) the validity of the request,
|
||
ensure that the resource owner has authorized the provisioning of
|
||
token credentials to the client, and ensure that the temporary
|
||
credentials have not expired or been used before. The server MUST
|
||
also verify the verification code received from the client. If the
|
||
request is valid and authorized, the token credentials are included
|
||
in the HTTP response body using the
|
||
"application/x-www-form-urlencoded" content type as defined by
|
||
[W3C.REC-html40-19980424] with a 200 status code (OK).
|
||
|
||
The response contains the following REQUIRED parameters:
|
||
|
||
oauth_token
|
||
The token identifier.
|
||
|
||
oauth_token_secret
|
||
The token shared-secret.
|
||
|
||
For example:
|
||
|
||
HTTP/1.1 200 OK
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
oauth_token=j49ddk933skd9dks&oauth_token_secret=ll399dj47dskfjdk
|
||
|
||
The server must retain the scope, duration, and other attributes
|
||
approved by the resource owner, and enforce these restrictions when
|
||
receiving a client request made with the token credentials issued.
|
||
|
||
Once the client receives and stores the token credentials, it can
|
||
proceed to access protected resources on behalf of the resource owner
|
||
by making authenticated requests (Section 3) using the client
|
||
credentials together with the token credentials received.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 13]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3. Authenticated Requests
|
||
|
||
The HTTP authentication methods defined by [RFC2617] enable clients
|
||
to make authenticated HTTP requests. Clients using these methods
|
||
gain access to protected resources by using their credentials
|
||
(typically, a username and password pair), which allow the server to
|
||
verify their authenticity. Using these methods for delegation
|
||
requires the client to assume the role of the resource owner.
|
||
|
||
OAuth provides a method designed to include two sets of credentials
|
||
with each request, one to identify the client, and another to
|
||
identify the resource owner. Before a client can make authenticated
|
||
requests on behalf of the resource owner, it must obtain a token
|
||
authorized by the resource owner. Section 2 provides one such method
|
||
through which the client can obtain a token authorized by the
|
||
resource owner.
|
||
|
||
The client credentials take the form of a unique identifier and an
|
||
associated shared-secret or RSA key pair. Prior to making
|
||
authenticated requests, the client establishes a set of credentials
|
||
with the server. The process and requirements for provisioning these
|
||
are outside the scope of this specification. Implementers are urged
|
||
to consider the security ramifications of using client credentials,
|
||
some of which are described in Section 4.6.
|
||
|
||
Making authenticated requests requires prior knowledge of the
|
||
server's configuration. OAuth includes multiple methods for
|
||
transmitting protocol parameters with requests (Section 3.5), as well
|
||
as multiple methods for the client to prove its rightful ownership of
|
||
the credentials used (Section 3.4). The way in which clients
|
||
discover the required configuration is outside the scope of this
|
||
specification.
|
||
|
||
3.1. Making Requests
|
||
|
||
An authenticated request includes several protocol parameters. Each
|
||
parameter name begins with the "oauth_" prefix, and the parameter
|
||
names and values are case sensitive. Clients make authenticated
|
||
requests by calculating the values of a set of protocol parameters
|
||
and adding them to the HTTP request as follows:
|
||
|
||
1. The client assigns value to each of these REQUIRED (unless
|
||
specified otherwise) protocol parameters:
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 14]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
oauth_consumer_key
|
||
The identifier portion of the client credentials (equivalent to
|
||
a username). The parameter name reflects a deprecated term
|
||
(Consumer Key) used in previous revisions of the specification,
|
||
and has been retained to maintain backward compatibility.
|
||
|
||
oauth_token
|
||
The token value used to associate the request with the resource
|
||
owner. If the request is not associated with a resource owner
|
||
(no token available), clients MAY omit the parameter.
|
||
|
||
oauth_signature_method
|
||
The name of the signature method used by the client to sign the
|
||
request, as defined in Section 3.4.
|
||
|
||
oauth_timestamp
|
||
The timestamp value as defined in Section 3.3. The parameter
|
||
MAY be omitted when using the "PLAINTEXT" signature method.
|
||
|
||
oauth_nonce
|
||
The nonce value as defined in Section 3.3. The parameter MAY
|
||
be omitted when using the "PLAINTEXT" signature method.
|
||
|
||
oauth_version
|
||
OPTIONAL. If present, MUST be set to "1.0". Provides the
|
||
version of the authentication process as defined in this
|
||
specification.
|
||
|
||
2. The protocol parameters are added to the request using one of the
|
||
transmission methods listed in Section 3.5. Each parameter MUST
|
||
NOT appear more than once per request.
|
||
|
||
3. The client calculates and assigns the value of the
|
||
"oauth_signature" parameter as described in Section 3.4 and adds
|
||
the parameter to the request using the same method as in the
|
||
previous step.
|
||
|
||
4. The client sends the authenticated HTTP request to the server.
|
||
|
||
For example, to make the following HTTP request authenticated (the
|
||
"c2&a3=2+q" string in the following examples is used to illustrate
|
||
the impact of a form-encoded entity-body):
|
||
|
||
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
|
||
Host: example.com
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
c2&a3=2+q
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 15]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
The client assigns values to the following protocol parameters using
|
||
its client credentials, token credentials, the current timestamp, a
|
||
uniquely generated nonce, and indicates that it will use the
|
||
"HMAC-SHA1" signature method:
|
||
|
||
oauth_consumer_key: 9djdj82h48djs9d2
|
||
oauth_token: kkk9d7dh3k39sjv7
|
||
oauth_signature_method: HMAC-SHA1
|
||
oauth_timestamp: 137131201
|
||
oauth_nonce: 7d8f3e4a
|
||
|
||
The client adds the protocol parameters to the request using the
|
||
OAuth HTTP "Authorization" header field:
|
||
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="9djdj82h48djs9d2",
|
||
oauth_token="kkk9d7dh3k39sjv7",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131201",
|
||
oauth_nonce="7d8f3e4a"
|
||
|
||
Then, it calculates the value of the "oauth_signature" parameter
|
||
(using client secret "j49sk3j29djd" and token secret "dh893hdasih9"),
|
||
adds it to the request, and sends the HTTP request to the server:
|
||
|
||
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
|
||
Host: example.com
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="9djdj82h48djs9d2",
|
||
oauth_token="kkk9d7dh3k39sjv7",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131201",
|
||
oauth_nonce="7d8f3e4a",
|
||
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
|
||
|
||
c2&a3=2+q
|
||
|
||
3.2. Verifying Requests
|
||
|
||
Servers receiving an authenticated request MUST validate it by:
|
||
|
||
o Recalculating the request signature independently as described in
|
||
Section 3.4 and comparing it to the value received from the client
|
||
via the "oauth_signature" parameter.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 16]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
o If using the "HMAC-SHA1" or "RSA-SHA1" signature methods, ensuring
|
||
that the combination of nonce/timestamp/token (if present)
|
||
received from the client has not been used before in a previous
|
||
request (the server MAY reject requests with stale timestamps as
|
||
described in Section 3.3).
|
||
|
||
o If a token is present, verifying the scope and status of the
|
||
client authorization as represented by the token (the server MAY
|
||
choose to restrict token usage to the client to which it was
|
||
issued).
|
||
|
||
o If the "oauth_version" parameter is present, ensuring its value is
|
||
"1.0".
|
||
|
||
If the request fails verification, the server SHOULD respond with the
|
||
appropriate HTTP response status code. The server MAY include
|
||
further details about why the request was rejected in the response
|
||
body.
|
||
|
||
The server SHOULD return a 400 (Bad Request) status code when
|
||
receiving a request with unsupported parameters, an unsupported
|
||
signature method, missing parameters, or duplicated protocol
|
||
parameters. The server SHOULD return a 401 (Unauthorized) status
|
||
code when receiving a request with invalid client credentials, an
|
||
invalid or expired token, an invalid signature, or an invalid or used
|
||
nonce.
|
||
|
||
3.3. Nonce and Timestamp
|
||
|
||
The timestamp value MUST be a positive integer. Unless otherwise
|
||
specified by the server's documentation, the timestamp is expressed
|
||
in the number of seconds since January 1, 1970 00:00:00 GMT.
|
||
|
||
A nonce is a random string, uniquely generated by the client to allow
|
||
the server to verify that a request has never been made before and
|
||
helps prevent replay attacks when requests are made over a non-secure
|
||
channel. The nonce value MUST be unique across all requests with the
|
||
same timestamp, client credentials, and token combinations.
|
||
|
||
To avoid the need to retain an infinite number of nonce values for
|
||
future checks, servers MAY choose to restrict the time period after
|
||
which a request with an old timestamp is rejected. Note that this
|
||
restriction implies a level of synchronization between the client's
|
||
and server's clocks. Servers applying such a restriction MAY provide
|
||
a way for the client to sync with the server's clock; alternatively,
|
||
both systems could synchronize with a trusted time service. Details
|
||
of clock synchronization strategies are beyond the scope of this
|
||
specification.
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 17]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3.4. Signature
|
||
|
||
OAuth-authenticated requests can have two sets of credentials: those
|
||
passed via the "oauth_consumer_key" parameter and those in the
|
||
"oauth_token" parameter. In order for the server to verify the
|
||
authenticity of the request and prevent unauthorized access, the
|
||
client needs to prove that it is the rightful owner of the
|
||
credentials. This is accomplished using the shared-secret (or RSA
|
||
key) part of each set of credentials.
|
||
|
||
OAuth provides three methods for the client to prove its rightful
|
||
ownership of the credentials: "HMAC-SHA1", "RSA-SHA1", and
|
||
"PLAINTEXT". These methods are generally referred to as signature
|
||
methods, even though "PLAINTEXT" does not involve a signature. In
|
||
addition, "RSA-SHA1" utilizes an RSA key instead of the shared-
|
||
secrets associated with the client credentials.
|
||
|
||
OAuth does not mandate a particular signature method, as each
|
||
implementation can have its own unique requirements. Servers are
|
||
free to implement and document their own custom methods.
|
||
Recommending any particular method is beyond the scope of this
|
||
specification. Implementers should review the Security
|
||
Considerations section (Section 4) before deciding on which method to
|
||
support.
|
||
|
||
The client declares which signature method is used via the
|
||
"oauth_signature_method" parameter. It then generates a signature
|
||
(or a string of an equivalent value) and includes it in the
|
||
"oauth_signature" parameter. The server verifies the signature as
|
||
specified for each method.
|
||
|
||
The signature process does not change the request or its parameters,
|
||
with the exception of the "oauth_signature" parameter.
|
||
|
||
3.4.1. Signature Base String
|
||
|
||
The signature base string is a consistent, reproducible concatenation
|
||
of several of the HTTP request elements into a single string. The
|
||
string is used as an input to the "HMAC-SHA1" and "RSA-SHA1"
|
||
signature methods.
|
||
|
||
The signature base string includes the following components of the
|
||
HTTP request:
|
||
|
||
o The HTTP request method (e.g., "GET", "POST", etc.).
|
||
|
||
o The authority as declared by the HTTP "Host" request header field.
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 18]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
o The path and query components of the request resource URI.
|
||
|
||
o The protocol parameters excluding the "oauth_signature".
|
||
|
||
o Parameters included in the request entity-body if they comply with
|
||
the strict restrictions defined in Section 3.4.1.3.
|
||
|
||
The signature base string does not cover the entire HTTP request.
|
||
Most notably, it does not include the entity-body in most requests,
|
||
nor does it include most HTTP entity-headers. It is important to
|
||
note that the server cannot verify the authenticity of the excluded
|
||
request components without using additional protections such as SSL/
|
||
TLS or other methods.
|
||
|
||
3.4.1.1. String Construction
|
||
|
||
The signature base string is constructed by concatenating together,
|
||
in order, the following HTTP request elements:
|
||
|
||
1. The HTTP request method in uppercase. For example: "HEAD",
|
||
"GET", "POST", etc. If the request uses a custom HTTP method, it
|
||
MUST be encoded (Section 3.6).
|
||
|
||
2. An "&" character (ASCII code 38).
|
||
|
||
3. The base string URI from Section 3.4.1.2, after being encoded
|
||
(Section 3.6).
|
||
|
||
4. An "&" character (ASCII code 38).
|
||
|
||
5. The request parameters as normalized in Section 3.4.1.3.2, after
|
||
being encoded (Section 3.6).
|
||
|
||
For example, the HTTP request:
|
||
|
||
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
|
||
Host: example.com
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="9djdj82h48djs9d2",
|
||
oauth_token="kkk9d7dh3k39sjv7",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131201",
|
||
oauth_nonce="7d8f3e4a",
|
||
oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D"
|
||
|
||
c2&a3=2+q
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 19]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
is represented by the following signature base string (line breaks
|
||
are for display purposes only):
|
||
|
||
POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q
|
||
%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_
|
||
key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m
|
||
ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk
|
||
9d7dh3k39sjv7
|
||
|
||
3.4.1.2. Base String URI
|
||
|
||
The scheme, authority, and path of the request resource URI [RFC3986]
|
||
are included by constructing an "http" or "https" URI representing
|
||
the request resource (without the query or fragment) as follows:
|
||
|
||
1. The scheme and host MUST be in lowercase.
|
||
|
||
2. The host and port values MUST match the content of the HTTP
|
||
request "Host" header field.
|
||
|
||
3. The port MUST be included if it is not the default port for the
|
||
scheme, and MUST be excluded if it is the default. Specifically,
|
||
the port MUST be excluded when making an HTTP request [RFC2616]
|
||
to port 80 or when making an HTTPS request [RFC2818] to port 443.
|
||
All other non-default port numbers MUST be included.
|
||
|
||
For example, the HTTP request:
|
||
|
||
GET /r%20v/X?id=123 HTTP/1.1
|
||
Host: EXAMPLE.COM:80
|
||
|
||
is represented by the base string URI: "http://example.com/r%20v/X".
|
||
|
||
In another example, the HTTPS request:
|
||
|
||
GET /?q=1 HTTP/1.1
|
||
Host: www.example.net:8080
|
||
|
||
is represented by the base string URI:
|
||
"https://www.example.net:8080/".
|
||
|
||
3.4.1.3. Request Parameters
|
||
|
||
In order to guarantee a consistent and reproducible representation of
|
||
the request parameters, the parameters are collected and decoded to
|
||
their original decoded form. They are then sorted and encoded in a
|
||
particular manner that is often different from their original
|
||
encoding scheme, and concatenated into a single string.
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 20]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3.4.1.3.1. Parameter Sources
|
||
|
||
The parameters from the following sources are collected into a single
|
||
list of name/value pairs:
|
||
|
||
o The query component of the HTTP request URI as defined by
|
||
[RFC3986], Section 3.4. The query component is parsed into a list
|
||
of name/value pairs by treating it as an
|
||
"application/x-www-form-urlencoded" string, separating the names
|
||
and values and decoding them as defined by
|
||
[W3C.REC-html40-19980424], Section 17.13.4.
|
||
|
||
o The OAuth HTTP "Authorization" header field (Section 3.5.1) if
|
||
present. The header's content is parsed into a list of name/value
|
||
pairs excluding the "realm" parameter if present. The parameter
|
||
values are decoded as defined by Section 3.5.1.
|
||
|
||
o The HTTP request entity-body, but only if all of the following
|
||
conditions are met:
|
||
|
||
* The entity-body is single-part.
|
||
|
||
* The entity-body follows the encoding requirements of the
|
||
"application/x-www-form-urlencoded" content-type as defined by
|
||
[W3C.REC-html40-19980424].
|
||
|
||
* The HTTP request entity-header includes the "Content-Type"
|
||
header field set to "application/x-www-form-urlencoded".
|
||
|
||
The entity-body is parsed into a list of decoded name/value pairs
|
||
as described in [W3C.REC-html40-19980424], Section 17.13.4.
|
||
|
||
The "oauth_signature" parameter MUST be excluded from the signature
|
||
base string if present. Parameters not explicitly included in the
|
||
request MUST be excluded from the signature base string (e.g., the
|
||
"oauth_version" parameter when omitted).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 21]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
For example, the HTTP request:
|
||
|
||
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1
|
||
Host: example.com
|
||
Content-Type: application/x-www-form-urlencoded
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="9djdj82h48djs9d2",
|
||
oauth_token="kkk9d7dh3k39sjv7",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_timestamp="137131201",
|
||
oauth_nonce="7d8f3e4a",
|
||
oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D"
|
||
|
||
c2&a3=2+q
|
||
|
||
contains the following (fully decoded) parameters used in the
|
||
signature base sting:
|
||
|
||
+------------------------+------------------+
|
||
| Name | Value |
|
||
+------------------------+------------------+
|
||
| b5 | =%3D |
|
||
| a3 | a |
|
||
| c@ | |
|
||
| a2 | r b |
|
||
| oauth_consumer_key | 9djdj82h48djs9d2 |
|
||
| oauth_token | kkk9d7dh3k39sjv7 |
|
||
| oauth_signature_method | HMAC-SHA1 |
|
||
| oauth_timestamp | 137131201 |
|
||
| oauth_nonce | 7d8f3e4a |
|
||
| c2 | |
|
||
| a3 | 2 q |
|
||
+------------------------+------------------+
|
||
|
||
Note that the value of "b5" is "=%3D" and not "==". Both "c@" and
|
||
"c2" have empty values. While the encoding rules specified in this
|
||
specification for the purpose of constructing the signature base
|
||
string exclude the use of a "+" character (ASCII code 43) to
|
||
represent an encoded space character (ASCII code 32), this practice
|
||
is widely used in "application/x-www-form-urlencoded" encoded values,
|
||
and MUST be properly decoded, as demonstrated by one of the "a3"
|
||
parameter instances (the "a3" parameter is used twice in this
|
||
request).
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 22]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3.4.1.3.2. Parameters Normalization
|
||
|
||
The parameters collected in Section 3.4.1.3 are normalized into a
|
||
single string as follows:
|
||
|
||
1. First, the name and value of each parameter are encoded
|
||
(Section 3.6).
|
||
|
||
2. The parameters are sorted by name, using ascending byte value
|
||
ordering. If two or more parameters share the same name, they
|
||
are sorted by their value.
|
||
|
||
3. The name of each parameter is concatenated to its corresponding
|
||
value using an "=" character (ASCII code 61) as a separator, even
|
||
if the value is empty.
|
||
|
||
4. The sorted name/value pairs are concatenated together into a
|
||
single string by using an "&" character (ASCII code 38) as
|
||
separator.
|
||
|
||
For example, the list of parameters from the previous section would
|
||
be normalized as follows:
|
||
|
||
Encoded:
|
||
|
||
+------------------------+------------------+
|
||
| Name | Value |
|
||
+------------------------+------------------+
|
||
| b5 | %3D%253D |
|
||
| a3 | a |
|
||
| c%40 | |
|
||
| a2 | r%20b |
|
||
| oauth_consumer_key | 9djdj82h48djs9d2 |
|
||
| oauth_token | kkk9d7dh3k39sjv7 |
|
||
| oauth_signature_method | HMAC-SHA1 |
|
||
| oauth_timestamp | 137131201 |
|
||
| oauth_nonce | 7d8f3e4a |
|
||
| c2 | |
|
||
| a3 | 2%20q |
|
||
+------------------------+------------------+
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 23]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
Sorted:
|
||
|
||
+------------------------+------------------+
|
||
| Name | Value |
|
||
+------------------------+------------------+
|
||
| a2 | r%20b |
|
||
| a3 | 2%20q |
|
||
| a3 | a |
|
||
| b5 | %3D%253D |
|
||
| c%40 | |
|
||
| c2 | |
|
||
| oauth_consumer_key | 9djdj82h48djs9d2 |
|
||
| oauth_nonce | 7d8f3e4a |
|
||
| oauth_signature_method | HMAC-SHA1 |
|
||
| oauth_timestamp | 137131201 |
|
||
| oauth_token | kkk9d7dh3k39sjv7 |
|
||
+------------------------+------------------+
|
||
|
||
Concatenated Pairs:
|
||
|
||
+-------------------------------------+
|
||
| Name=Value |
|
||
+-------------------------------------+
|
||
| a2=r%20b |
|
||
| a3=2%20q |
|
||
| a3=a |
|
||
| b5=%3D%253D |
|
||
| c%40= |
|
||
| c2= |
|
||
| oauth_consumer_key=9djdj82h48djs9d2 |
|
||
| oauth_nonce=7d8f3e4a |
|
||
| oauth_signature_method=HMAC-SHA1 |
|
||
| oauth_timestamp=137131201 |
|
||
| oauth_token=kkk9d7dh3k39sjv7 |
|
||
+-------------------------------------+
|
||
|
||
and concatenated together into a single string (line breaks are for
|
||
display purposes only):
|
||
|
||
a2=r%20b&a3=2%20q&a3=a&b5=%3D%253D&c%40=&c2=&oauth_consumer_key=9dj
|
||
dj82h48djs9d2&oauth_nonce=7d8f3e4a&oauth_signature_method=HMAC-SHA1
|
||
&oauth_timestamp=137131201&oauth_token=kkk9d7dh3k39sjv7
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 24]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3.4.2. HMAC-SHA1
|
||
|
||
The "HMAC-SHA1" signature method uses the HMAC-SHA1 signature
|
||
algorithm as defined in [RFC2104]:
|
||
|
||
digest = HMAC-SHA1 (key, text)
|
||
|
||
The HMAC-SHA1 function variables are used in following way:
|
||
|
||
text is set to the value of the signature base string from
|
||
Section 3.4.1.1.
|
||
|
||
key is set to the concatenated values of:
|
||
|
||
1. The client shared-secret, after being encoded
|
||
(Section 3.6).
|
||
|
||
2. An "&" character (ASCII code 38), which MUST be included
|
||
even when either secret is empty.
|
||
|
||
3. The token shared-secret, after being encoded
|
||
(Section 3.6).
|
||
|
||
digest is used to set the value of the "oauth_signature" protocol
|
||
parameter, after the result octet string is base64-encoded
|
||
per [RFC2045], Section 6.8.
|
||
|
||
3.4.3. RSA-SHA1
|
||
|
||
The "RSA-SHA1" signature method uses the RSASSA-PKCS1-v1_5 signature
|
||
algorithm as defined in [RFC3447], Section 8.2 (also known as
|
||
PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5. To
|
||
use this method, the client MUST have established client credentials
|
||
with the server that included its RSA public key (in a manner that is
|
||
beyond the scope of this specification).
|
||
|
||
The signature base string is signed using the client's RSA private
|
||
key per [RFC3447], Section 8.2.1:
|
||
|
||
S = RSASSA-PKCS1-V1_5-SIGN (K, M)
|
||
|
||
Where:
|
||
|
||
K is set to the client's RSA private key,
|
||
|
||
M is set to the value of the signature base string from
|
||
Section 3.4.1.1, and
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 25]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
S is the result signature used to set the value of the
|
||
"oauth_signature" protocol parameter, after the result octet
|
||
string is base64-encoded per [RFC2045] section 6.8.
|
||
|
||
The server verifies the signature per [RFC3447] section 8.2.2:
|
||
|
||
RSASSA-PKCS1-V1_5-VERIFY ((n, e), M, S)
|
||
|
||
Where:
|
||
|
||
(n, e) is set to the client's RSA public key,
|
||
|
||
M is set to the value of the signature base string from
|
||
Section 3.4.1.1, and
|
||
|
||
S is set to the octet string value of the "oauth_signature"
|
||
protocol parameter received from the client.
|
||
|
||
3.4.4. PLAINTEXT
|
||
|
||
The "PLAINTEXT" method does not employ a signature algorithm. It
|
||
MUST be used with a transport-layer mechanism such as TLS or SSL (or
|
||
sent over a secure channel with equivalent protections). It does not
|
||
utilize the signature base string or the "oauth_timestamp" and
|
||
"oauth_nonce" parameters.
|
||
|
||
The "oauth_signature" protocol parameter is set to the concatenated
|
||
value of:
|
||
|
||
1. The client shared-secret, after being encoded (Section 3.6).
|
||
|
||
2. An "&" character (ASCII code 38), which MUST be included even
|
||
when either secret is empty.
|
||
|
||
3. The token shared-secret, after being encoded (Section 3.6).
|
||
|
||
3.5. Parameter Transmission
|
||
|
||
When making an OAuth-authenticated request, protocol parameters as
|
||
well as any other parameter using the "oauth_" prefix SHALL be
|
||
included in the request using one and only one of the following
|
||
locations, listed in order of decreasing preference:
|
||
|
||
1. The HTTP "Authorization" header field as described in
|
||
Section 3.5.1.
|
||
|
||
2. The HTTP request entity-body as described in Section 3.5.2.
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 26]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3. The HTTP request URI query as described in Section 3.5.3.
|
||
|
||
In addition to these three methods, future extensions MAY define
|
||
other methods for including protocol parameters in the request.
|
||
|
||
3.5.1. Authorization Header
|
||
|
||
Protocol parameters can be transmitted using the HTTP "Authorization"
|
||
header field as defined by [RFC2617] with the auth-scheme name set to
|
||
"OAuth" (case insensitive).
|
||
|
||
For example:
|
||
|
||
Authorization: OAuth realm="Example",
|
||
oauth_consumer_key="0685bd9184jfhq22",
|
||
oauth_token="ad180jjd733klru7",
|
||
oauth_signature_method="HMAC-SHA1",
|
||
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
|
||
oauth_timestamp="137131200",
|
||
oauth_nonce="4572616e48616d6d65724c61686176",
|
||
oauth_version="1.0"
|
||
|
||
Protocol parameters SHALL be included in the "Authorization" header
|
||
field as follows:
|
||
|
||
1. Parameter names and values are encoded per Parameter Encoding
|
||
(Section 3.6).
|
||
|
||
2. Each parameter's name is immediately followed by an "=" character
|
||
(ASCII code 61), a """ character (ASCII code 34), the parameter
|
||
value (MAY be empty), and another """ character (ASCII code 34).
|
||
|
||
3. Parameters are separated by a "," character (ASCII code 44) and
|
||
OPTIONAL linear whitespace per [RFC2617].
|
||
|
||
4. The OPTIONAL "realm" parameter MAY be added and interpreted per
|
||
[RFC2617] section 1.2.
|
||
|
||
Servers MAY indicate their support for the "OAuth" auth-scheme by
|
||
returning the HTTP "WWW-Authenticate" response header field upon
|
||
client requests for protected resources. As per [RFC2617], such a
|
||
response MAY include additional HTTP "WWW-Authenticate" header
|
||
fields:
|
||
|
||
For example:
|
||
|
||
WWW-Authenticate: OAuth realm="http://server.example.com/"
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 27]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
The realm parameter defines a protection realm per [RFC2617], Section
|
||
1.2.
|
||
|
||
3.5.2. Form-Encoded Body
|
||
|
||
Protocol parameters can be transmitted in the HTTP request entity-
|
||
body, but only if the following REQUIRED conditions are met:
|
||
|
||
o The entity-body is single-part.
|
||
|
||
o The entity-body follows the encoding requirements of the
|
||
"application/x-www-form-urlencoded" content-type as defined by
|
||
[W3C.REC-html40-19980424].
|
||
|
||
o The HTTP request entity-header includes the "Content-Type" header
|
||
field set to "application/x-www-form-urlencoded".
|
||
|
||
For example (line breaks are for display purposes only):
|
||
|
||
oauth_consumer_key=0685bd9184jfhq22&oauth_token=ad180jjd733klr
|
||
u7&oauth_signature_method=HMAC-SHA1&oauth_signature=wOJIO9A2W5
|
||
mFwDgiDvZbTSMK%2FPY%3D&oauth_timestamp=137131200&oauth_nonce=4
|
||
572616e48616d6d65724c61686176&oauth_version=1.0
|
||
|
||
The entity-body MAY include other request-specific parameters, in
|
||
which case, the protocol parameters SHOULD be appended following the
|
||
request-specific parameters, properly separated by an "&" character
|
||
(ASCII code 38).
|
||
|
||
3.5.3. Request URI Query
|
||
|
||
Protocol parameters can be transmitted by being added to the HTTP
|
||
request URI as a query parameter as defined by [RFC3986], Section 3.
|
||
|
||
For example (line breaks are for display purposes only):
|
||
|
||
GET /example/path?oauth_consumer_key=0685bd9184jfhq22&
|
||
oauth_token=ad180jjd733klru7&oauth_signature_method=HM
|
||
AC-SHA1&oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%
|
||
3D&oauth_timestamp=137131200&oauth_nonce=4572616e48616
|
||
d6d65724c61686176&oauth_version=1.0 HTTP/1.1
|
||
|
||
The request URI MAY include other request-specific query parameters,
|
||
in which case, the protocol parameters SHOULD be appended following
|
||
the request-specific parameters, properly separated by an "&"
|
||
character (ASCII code 38).
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 28]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
3.6. Percent Encoding
|
||
|
||
Existing percent-encoding methods do not guarantee a consistent
|
||
construction of the signature base string. The following percent-
|
||
encoding method is not defined to replace the existing encoding
|
||
methods defined by [RFC3986] and [W3C.REC-html40-19980424]. It is
|
||
used only in the construction of the signature base string and the
|
||
"Authorization" header field.
|
||
|
||
This specification defines the following method for percent-encoding
|
||
strings:
|
||
|
||
1. Text values are first encoded as UTF-8 octets per [RFC3629] if
|
||
they are not already. This does not include binary values that
|
||
are not intended for human consumption.
|
||
|
||
2. The values are then escaped using the [RFC3986] percent-encoding
|
||
(%XX) mechanism as follows:
|
||
|
||
* Characters in the unreserved character set as defined by
|
||
[RFC3986], Section 2.3 (ALPHA, DIGIT, "-", ".", "_", "~") MUST
|
||
NOT be encoded.
|
||
|
||
* All other characters MUST be encoded.
|
||
|
||
* The two hexadecimal characters used to represent encoded
|
||
characters MUST be uppercase.
|
||
|
||
This method is different from the encoding scheme used by the
|
||
"application/x-www-form-urlencoded" content-type (for example, it
|
||
encodes space characters as "%20" and not using the "+" character).
|
||
It MAY be different from the percent-encoding functions provided by
|
||
web-development frameworks (e.g., encode different characters, use
|
||
lowercase hexadecimal characters).
|
||
|
||
4. Security Considerations
|
||
|
||
As stated in [RFC2617], the greatest sources of risks are usually
|
||
found not in the core protocol itself but in policies and procedures
|
||
surrounding its use. Implementers are strongly encouraged to assess
|
||
how this protocol addresses their security requirements.
|
||
|
||
4.1. RSA-SHA1 Signature Method
|
||
|
||
Authenticated requests made with "RSA-SHA1" signatures do not use the
|
||
token shared-secret, or any provisioned client shared-secret. This
|
||
means the request relies completely on the secrecy of the private key
|
||
used by the client to sign requests.
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 29]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
4.2. Confidentiality of Requests
|
||
|
||
While this protocol provides a mechanism for verifying the integrity
|
||
of requests, it provides no guarantee of request confidentiality.
|
||
Unless further precautions are taken, eavesdroppers will have full
|
||
access to request content. Servers should carefully consider the
|
||
kinds of data likely to be sent as part of such requests, and should
|
||
employ transport-layer security mechanisms to protect sensitive
|
||
resources.
|
||
|
||
4.3. Spoofing by Counterfeit Servers
|
||
|
||
This protocol makes no attempt to verify the authenticity of the
|
||
server. A hostile party could take advantage of this by intercepting
|
||
the client's requests and returning misleading or otherwise incorrect
|
||
responses. Service providers should consider such attacks when
|
||
developing services using this protocol, and should require
|
||
transport-layer security for any requests where the authenticity of
|
||
the server or of request responses is an issue.
|
||
|
||
4.4. Proxying and Caching of Authenticated Content
|
||
|
||
The HTTP Authorization scheme (Section 3.5.1) is optional. However,
|
||
[RFC2616] relies on the "Authorization" and "WWW-Authenticate" header
|
||
fields to distinguish authenticated content so that it can be
|
||
protected. Proxies and caches, in particular, may fail to adequately
|
||
protect requests not using these header fields.
|
||
|
||
For example, private authenticated content may be stored in (and thus
|
||
retrievable from) publicly accessible caches. Servers not using the
|
||
HTTP "Authorization" header field should take care to use other
|
||
mechanisms, such as the "Cache-Control" header field, to ensure that
|
||
authenticated content is protected.
|
||
|
||
4.5. Plaintext Storage of Credentials
|
||
|
||
The client shared-secret and token shared-secret function the same
|
||
way passwords do in traditional authentication systems. In order to
|
||
compute the signatures used in methods other than "RSA-SHA1", the
|
||
server must have access to these secrets in plaintext form. This is
|
||
in contrast, for example, to modern operating systems, which store
|
||
only a one-way hash of user credentials.
|
||
|
||
If an attacker were to gain access to these secrets -- or worse, to
|
||
the server's database of all such secrets -- he or she would be able
|
||
to perform any action on behalf of any resource owner. Accordingly,
|
||
it is critical that servers protect these secrets from unauthorized
|
||
access.
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 30]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
4.6. Secrecy of the Client Credentials
|
||
|
||
In many cases, the client application will be under the control of
|
||
potentially untrusted parties. For example, if the client is a
|
||
desktop application with freely available source code or an
|
||
executable binary, an attacker may be able to download a copy for
|
||
analysis. In such cases, attackers will be able to recover the
|
||
client credentials.
|
||
|
||
Accordingly, servers should not use the client credentials alone to
|
||
verify the identity of the client. Where possible, other factors
|
||
such as IP address should be used as well.
|
||
|
||
4.7. Phishing Attacks
|
||
|
||
Wide deployment of this and similar protocols may cause resource
|
||
owners to become inured to the practice of being redirected to
|
||
websites where they are asked to enter their passwords. If resource
|
||
owners are not careful to verify the authenticity of these websites
|
||
before entering their credentials, it will be possible for attackers
|
||
to exploit this practice to steal resource owners' passwords.
|
||
|
||
Servers should attempt to educate resource owners about the risks
|
||
phishing attacks pose, and should provide mechanisms that make it
|
||
easy for resource owners to confirm the authenticity of their sites.
|
||
Client developers should consider the security implications of how
|
||
they interact with a user-agent (e.g., separate window, embedded),
|
||
and the ability of the end-user to verify the authenticity of the
|
||
server website.
|
||
|
||
4.8. Scoping of Access Requests
|
||
|
||
By itself, this protocol does not provide any method for scoping the
|
||
access rights granted to a client. However, most applications do
|
||
require greater granularity of access rights. For example, servers
|
||
may wish to make it possible to grant access to some protected
|
||
resources but not others, or to grant only limited access (such as
|
||
read-only access) to those protected resources.
|
||
|
||
When implementing this protocol, servers should consider the types of
|
||
access resource owners may wish to grant clients, and should provide
|
||
mechanisms to do so. Servers should also take care to ensure that
|
||
resource owners understand the access they are granting, as well as
|
||
any risks that may be involved.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 31]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
4.9. Entropy of Secrets
|
||
|
||
Unless a transport-layer security protocol is used, eavesdroppers
|
||
will have full access to authenticated requests and signatures, and
|
||
will thus be able to mount offline brute-force attacks to recover the
|
||
credentials used. Servers should be careful to assign shared-secrets
|
||
that are long enough, and random enough, to resist such attacks for
|
||
at least the length of time that the shared-secrets are valid.
|
||
|
||
For example, if shared-secrets are valid for two weeks, servers
|
||
should ensure that it is not possible to mount a brute force attack
|
||
that recovers the shared-secret in less than two weeks. Of course,
|
||
servers are urged to err on the side of caution, and use the longest
|
||
secrets reasonable.
|
||
|
||
It is equally important that the pseudo-random number generator
|
||
(PRNG) used to generate these secrets be of sufficiently high
|
||
quality. Many PRNG implementations generate number sequences that
|
||
may appear to be random, but that nevertheless exhibit patterns or
|
||
other weaknesses that make cryptanalysis or brute force attacks
|
||
easier. Implementers should be careful to use cryptographically
|
||
secure PRNGs to avoid these problems.
|
||
|
||
4.10. Denial-of-Service / Resource-Exhaustion Attacks
|
||
|
||
This specification includes a number of features that may make
|
||
resource exhaustion attacks against servers possible. For example,
|
||
this protocol requires servers to track used nonces. If an attacker
|
||
is able to use many nonces quickly, the resources required to track
|
||
them may exhaust available capacity. And again, this protocol can
|
||
require servers to perform potentially expensive computations in
|
||
order to verify the signature on incoming requests. An attacker may
|
||
exploit this to perform a denial-of-service attack by sending a large
|
||
number of invalid requests to the server.
|
||
|
||
Resource Exhaustion attacks are by no means specific to this
|
||
specification. However, implementers should be careful to consider
|
||
the additional avenues of attack that this protocol exposes, and
|
||
design their implementations accordingly. For example, entropy
|
||
starvation typically results in either a complete denial of service
|
||
while the system waits for new entropy or else in weak (easily
|
||
guessable) secrets. When implementing this protocol, servers should
|
||
consider which of these presents a more serious risk for their
|
||
application and design accordingly.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 32]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
4.11. SHA-1 Cryptographic Attacks
|
||
|
||
SHA-1, the hash algorithm used in "HMAC-SHA1" and "RSA-SHA1"
|
||
signature methods, has been shown to have a number of cryptographic
|
||
weaknesses that significantly reduce its resistance to collision
|
||
attacks. While these weaknesses do not seem to affect the use of
|
||
SHA-1 with the Hash-based Message Authentication Code (HMAC) and
|
||
should not affect the "HMAC-SHA1" signature method, it may affect the
|
||
use of the "RSA-SHA1" signature method. NIST has announced that it
|
||
will phase out use of SHA-1 in digital signatures by 2010
|
||
[NIST_SHA-1Comments].
|
||
|
||
Practically speaking, these weaknesses are difficult to exploit, and
|
||
by themselves do not pose a significant risk to users of this
|
||
protocol. They may, however, make more efficient attacks possible,
|
||
and servers should take this into account when considering whether
|
||
SHA-1 provides an adequate level of security for their applications.
|
||
|
||
4.12. Signature Base String Limitations
|
||
|
||
The signature base string has been designed to support the signature
|
||
methods defined in this specification. Those designing additional
|
||
signature methods, should evaluated the compatibility of the
|
||
signature base string with their security requirements.
|
||
|
||
Since the signature base string does not cover the entire HTTP
|
||
request, such as most request entity-body, most entity-headers, and
|
||
the order in which parameters are sent, servers should employ
|
||
additional mechanisms to protect such elements.
|
||
|
||
4.13. Cross-Site Request Forgery (CSRF)
|
||
|
||
Cross-Site Request Forgery (CSRF) is a web-based attack whereby HTTP
|
||
requests are transmitted from a user that the website trusts or has
|
||
authenticated. CSRF attacks on authorization approvals can allow an
|
||
attacker to obtain authorization to protected resources without the
|
||
consent of the User. Servers SHOULD strongly consider best practices
|
||
in CSRF prevention at all the protocol authorization endpoints.
|
||
|
||
CSRF attacks on OAuth callback URIs hosted by clients are also
|
||
possible. Clients should prevent CSRF attacks on OAuth callback URIs
|
||
by verifying that the resource owner at the client site intended to
|
||
complete the OAuth negotiation with the server. The methods for
|
||
preventing such CSRF attacks are beyond the scope of this
|
||
specification.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 33]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
4.14. User Interface Redress
|
||
|
||
Servers should protect the authorization process against user
|
||
interface (UI) redress attacks (also known as "clickjacking"). As of
|
||
the time of this writing, no complete defenses against UI redress are
|
||
available. Servers can mitigate the risk of UI redress attacks using
|
||
the following techniques:
|
||
|
||
o JavaScript frame busting.
|
||
|
||
o JavaScript frame busting, and requiring that browsers have
|
||
JavaScript enabled on the authorization page.
|
||
|
||
o Browser-specific anti-framing techniques.
|
||
|
||
o Requiring password reentry before issuing OAuth tokens.
|
||
|
||
4.15. Automatic Processing of Repeat Authorizations
|
||
|
||
Servers may wish to automatically process authorization requests
|
||
(Section 2.2) from clients that have been previously authorized by
|
||
the resource owner. When the resource owner is redirected to the
|
||
server to grant access, the server detects that the resource owner
|
||
has already granted access to that particular client. Instead of
|
||
prompting the resource owner for approval, the server automatically
|
||
redirects the resource owner back to the client.
|
||
|
||
If the client credentials are compromised, automatic processing
|
||
creates additional security risks. An attacker can use the stolen
|
||
client credentials to redirect the resource owner to the server with
|
||
an authorization request. The server will then grant access to the
|
||
resource owner's data without the resource owner's explicit approval,
|
||
or even awareness of an attack. If no automatic approval is
|
||
implemented, an attacker must use social engineering to convince the
|
||
resource owner to approve access.
|
||
|
||
Servers can mitigate the risks associated with automatic processing
|
||
by limiting the scope of token credentials obtained through automated
|
||
approvals. Tokens credentials obtained through explicit resource
|
||
owner consent can remain unaffected. Clients can mitigate the risks
|
||
associated with automatic processing by protecting their client
|
||
credentials.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 34]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
5. Acknowledgments
|
||
|
||
This specification is directly based on the OAuth Core 1.0 Revision A
|
||
community specification, which in turn was modeled after existing
|
||
proprietary protocols and best practices that have been independently
|
||
implemented by various companies.
|
||
|
||
The community specification was edited by Eran Hammer-Lahav and
|
||
authored by: Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M.
|
||
Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton,
|
||
Kellan Elliott-McCrea, Larry Halff, Eran Hammer-Lahav, Ben Laurie,
|
||
Chris Messina, John Panzer, Sam Quigley, David Recordon, Eran
|
||
Sandler, Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy
|
||
Smith.
|
||
|
||
The editor would like to thank the following individuals for their
|
||
invaluable contribution to the publication of this edition of the
|
||
protocol: Lisa Dusseault, Justin Hart, Avshalom Houri, Chris Messina,
|
||
Mark Nottingham, Tim Polk, Peter Saint-Andre, Joseph Smarr, and Paul
|
||
Walker.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 35]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
Appendix A. Differences from the Community Edition
|
||
|
||
This specification includes the following changes made to the
|
||
original community document [OAuthCore1.0_RevisionA] in order to
|
||
correct mistakes and omissions identified since the document was
|
||
originally published at <http://oauth.net>.
|
||
|
||
o Changed using TLS/SSL when sending or requesting plain text
|
||
credentials from SHOULD to MUST. This change affects any use of
|
||
the "PLAINTEXT" signature method, as well as requesting temporary
|
||
credentials (Section 2.1) and obtaining token credentials
|
||
(Section 2.3).
|
||
|
||
o Adjusted nonce language to indicate it is unique per token/
|
||
timestamp/client combination.
|
||
|
||
o Removed the requirement for timestamps to be equal to or greater
|
||
than the timestamp used in the previous request.
|
||
|
||
o Changed the nonce and timestamp parameters to OPTIONAL when using
|
||
the "PLAINTEXT" signature method.
|
||
|
||
o Extended signature base string coverage that includes
|
||
"application/x-www-form-urlencoded" entity-body parameters when
|
||
the HTTP method used is other than "POST" and URI query parameters
|
||
when the HTTP method used is other than "GET".
|
||
|
||
o Incorporated corrections to the instructions in each signature
|
||
method to encode the signature value before inserting it into the
|
||
"oauth_signature" parameter, removing errors that would have
|
||
caused double-encoded values.
|
||
|
||
o Allowed omitting the "oauth_token" parameter when empty.
|
||
|
||
o Permitted sending requests for temporary credentials with an empty
|
||
"oauth_token" parameter.
|
||
|
||
o Removed the restrictions from defining additional "oauth_"
|
||
parameters.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 36]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
6. References
|
||
|
||
6.1. Normative References
|
||
|
||
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
|
||
Extensions (MIME) Part One: Format of Internet Message
|
||
Bodies", RFC 2045, November 1996.
|
||
|
||
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
|
||
Hashing for Message Authentication", RFC 2104,
|
||
February 1997.
|
||
|
||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||
Requirement Levels", BCP 14, RFC 2119, March 1997.
|
||
|
||
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
|
||
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
|
||
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
|
||
|
||
[RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S.,
|
||
Leach, P., Luotonen, A., and L. Stewart, "HTTP
|
||
Authentication: Basic and Digest Access Authentication",
|
||
RFC 2617, June 1999.
|
||
|
||
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
|
||
|
||
[RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography
|
||
Standards (PKCS) #1: RSA Cryptography Specifications
|
||
Version 2.1", RFC 3447, February 2003.
|
||
|
||
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
|
||
10646", STD 63, RFC 3629, November 2003.
|
||
|
||
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
|
||
Resource Identifier (URI): Generic Syntax", STD 66,
|
||
RFC 3986, January 2005.
|
||
|
||
[W3C.REC-html40-19980424]
|
||
Hors, A., Raggett, D., and I. Jacobs, "HTML 4.0
|
||
Specification", World Wide Web Consortium
|
||
Recommendation REC-html40-19980424, April 1998,
|
||
<http://www.w3.org/TR/1998/REC-html40-19980424>.
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 37]
|
||
|
||
RFC 5849 OAuth 1.0 April 2010
|
||
|
||
|
||
6.2. Informative References
|
||
|
||
[NIST_SHA-1Comments]
|
||
Burr, W., "NIST Comments on Cryptanalytic Attacks on
|
||
SHA-1",
|
||
<http://csrc.nist.gov/groups/ST/hash/statement.html>.
|
||
|
||
[OAuthCore1.0_RevisionA]
|
||
OAuth Community, "OAuth Core 1.0 Revision A",
|
||
<http://oauth.net/core/1.0a>.
|
||
|
||
Author's Address
|
||
|
||
Eran Hammer-Lahav (editor)
|
||
|
||
EMail: eran@hueniverse.com
|
||
URI: http://hueniverse.com
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
Hammer-Lahav Informational [Page 38]
|
||
|