Calling an OAuth 1.0a Service from an OAuth 2.0-protected Service
By Travis Spencer
email@travisspencer.com
Basic Rundown
- You want to call the Twitter API from your own API
- The Twitter service is an OAuth 1.0a Resource Server (RS)
- Twitter has an OAuth 1.0a Authorization Server (AS)
- The Twitter service naturally only trusts its own AS
- Your service is an OAuth 2 RS and an OAuth 1.0a Twitter client
- You have an OAuth 2 AS
- Your service naturally only trusts your AS
- The Web app that calls your service is an OAuth 2.0 client and must submit Access Tokens (ATs) emitted by your AS (not Twitter's) when calling your service
- The Resource Owner (RO) is a Twitter user and will authorize your service to call the Twitter API to modify their data
- The RO authenticates to your AS using Twitter's OAuth 1.0a AS
- Your AS asks the RO to authorize a third-party client of your service
User indicates that they would like to grant some Web site
access to the resources that your service provides.


[Figure: the parties in the flow. Twitter User (RO); Twitter's OAuth 1.0a AS; Twitter API (OAuth 1.0a RS); Your OAuth 2.0 AS; Your API (OAuth 2.0 RS / OAuth 1.0a Client); Third-party Web site (OAuth 2.0 Client). The same figure accompanies each step below.]

User is redirected to your OAuth 2.0 AS.



Your AS gets a Request Token (RT) from Twitter's AS by
making an authenticated call using your Twitter client key.


Your AS redirects the user to Twitter w/ the RT and a digital
signature.
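Steps 5 and 6 in code, as an added example that is not from the slides: the OAuth 1.0a signing your AS performs when it asks Twitter's AS for the RT with its client key, and the redirect that then carries the RT to Twitter. The section numbers refer to RFC 5849, the published form of OAuth 1.0a. The endpoint URLs, the client key and the secrets in the code are constructed sample values, and a `verify` function stands in for the server-side check so the signing can be exercised offline.

```python
"""OAuth 1.0a consumer side of steps 5 and 6, as your AS would implement it:
sign the request-token call with HMAC-SHA1 (RFC 5849, section 3.4.2) and
build the redirect that carries the Request Token (RT) to the Twitter AS.
Added example, not from the slides; hosts, keys and secrets are constructed."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse


def percent_encode(value) -> str:
    """Section 3.6: only ALPHA, DIGIT, '-', '.', '_', '~' pass through;
    everything else, space included, becomes uppercase %XX."""
    return quote(str(value).encode("utf-8"), safe="-._~")


def normalize_params(params: dict) -> str:
    """Section 3.4.1.3.2: encode names and values, sort by name then value,
    join as name=value with '&'. oauth_signature itself is never signed."""
    pairs = sorted((percent_encode(k), percent_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop the default port and
    the query string (query parameters are signed separately)."""
    p = urlparse(url)
    host = p.hostname.lower()
    if p.port is not None and p.port != {"http": 80, "https": 443}.get(p.scheme):
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """Section 3.4.1.1: METHOD & encoded(URI) & encoded(normalized params).
    Query-string parameters are signed together with the protocol parameters
    (duplicate query names are not handled here)."""
    all_params = dict(parse_qsl(urlparse(url).query, keep_blank_values=True))
    all_params.update(oauth_params)
    return "&".join([method.upper(), percent_encode(base_string_uri(url)),
                     percent_encode(normalize_params(all_params))])


def hmac_sha1_signature(base_string: str, client_secret: str, token_secret: str = "") -> str:
    """Key is encoded(client_secret) & encoded(token_secret); the token secret
    is empty on the request-token call because no token exists yet."""
    key = f"{percent_encode(client_secret)}&{percent_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def request_token_params(client_key: str, callback_url: str, nonce=None, timestamp=None) -> dict:
    """Step 5 protocol parameters. oauth_callback is where Twitter sends the RO
    back in step 9; nonce and timestamp let the server reject replays."""
    return {"oauth_consumer_key": client_key,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
            "oauth_nonce": nonce or secrets.token_urlsafe(16),
            "oauth_callback": callback_url,
            "oauth_version": "1.0"}


def sign(method: str, url: str, oauth_params: dict, client_secret: str, token_secret: str = "") -> dict:
    """Return a copy of oauth_params with oauth_signature filled in."""
    base = signature_base_string(method, url, oauth_params)
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, client_secret, token_secret))


def authorization_header(signed_params: dict, realm: str = None) -> str:
    """Section 3.5.1: the 'authenticated call' is this Authorization header."""
    parts = [f'{percent_encode(k)}="{percent_encode(v)}"' for k, v in sorted(signed_params.items())]
    if realm:
        parts.insert(0, f'realm="{realm}"')
    return "OAuth " + ", ".join(parts)


def verify(method: str, url: str, received: dict, client_secret: str, token_secret: str = "") -> bool:
    """The server's check on receipt: recompute over the received parameters
    and compare in constant time. A changed method, URL or parameter (the
    callback, say) changes the base string and the comparison fails."""
    expected = hmac_sha1_signature(signature_base_string(method, url, received),
                                   client_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received.get("oauth_signature", "").encode())


def authorize_redirect_url(authorize_endpoint: str, request_token: str) -> str:
    """Step 6: send the RO's browser to Twitter's authorize endpoint with the
    RT as oauth_token (section 2.2)."""
    return f"{authorize_endpoint}?oauth_token={percent_encode(request_token)}"
```

In use, your AS POSTs `authorization_header(sign(...))` to the request-token endpoint over TLS, reads `oauth_token` and `oauth_token_secret` out of the response, keeps the secret server-side (it becomes part of the signing key in step 10), and sends the browser to `authorize_redirect_url(...)`. Running `verify` against your own signed parameters before deployment catches the usual mistakes: a query parameter left out of the base string, a `/` or `:` not percent-encoded, or a port that should have been dropped.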


The user authenticates to Twitter if they don't have a
session already.


The user grants your API access to Twitter's API.



Twitter redirects the user to your AS's callback URL w/ the
RT from before.


Your AS exchanges the RT for an Access Token (AT) and
stores/associates this with the user.


Your AS redirects the user with an Access Code (AC) to the
callback URL of the third-party consumer of your API.


The client exchanges the AC for a new AT specific to your
API by authenticating w/ the client key you gave them.


The client calls your API with an AT from your AS.



Your API looks up the Twitter AT by submitting the one
presented to your API.


Your API calls the Twitter API using the previously granted
access.


The Twitter data is used and your API returns the results.
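Steps 10 through 14 on your side of the figure, as an added example that is not from the slides: your AS stores the Twitter AT it obtained for the RO, hands the third-party Web site a single-use Access Code, authenticates that client when it exchanges the code for an AT of your own, and answers your API when it submits that AT to look up the Twitter credentials. It is an in-memory sketch; the client id, secrets, user ids and tokens are constructed, and the lookup your API makes to your AS is modelled as a direct method call rather than an HTTP introspection request.

```python
"""Your side of steps 10 to 14: the AS keeps the Twitter Access Token (AT) it
obtained for each Resource Owner, hands the third-party client a single-use
Access Code (AC), authenticates that client when it exchanges the AC for an AT
of your own, and answers your API's lookup of the Twitter AT. Added example,
not from the slides; an in-memory sketch with constructed values."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class TwitterGrant:
    """Step 10: what the AS stores per user after the RT/AT exchange."""
    user_id: str
    token: str          # oauth_token returned by Twitter
    token_secret: str   # oauth_token_secret; shared only with your API


@dataclass
class AuthorizationServer:
    clients: dict                                        # client_id -> secret you issued
    now: Callable[[], float] = time.time                 # injectable clock
    twitter_grants: dict = field(default_factory=dict)   # user_id -> TwitterGrant
    codes: dict = field(default_factory=dict)            # AC -> (user_id, client_id, expiry)
    access_tokens: dict = field(default_factory=dict)    # AT -> (user_id, client_id, expiry)

    def store_twitter_grant(self, user_id: str, token: str, token_secret: str) -> None:
        """Step 10: associate the Twitter AT with the user who authorized it."""
        self.twitter_grants[user_id] = TwitterGrant(user_id, token, token_secret)

    def issue_code(self, user_id: str, client_id: str, ttl: int = 60) -> str:
        """Step 11: a short-lived random AC, bound to the client it is for."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = (user_id, client_id, self.now() + ttl)
        return code

    def exchange_code(self, code: str, client_id: str, client_secret: str, ttl: int = 3600) -> str:
        """Step 12: the client authenticates with the key you gave it, then
        trades the AC for an AT that means something only to your API."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)               # pop: an AC is single use
        if entry is None:
            raise PermissionError("unknown or already used code")
        user_id, bound_client, expiry = entry
        if bound_client != client_id or self.now() > expiry:
            raise PermissionError("code expired or issued to another client")
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = (user_id, client_id, self.now() + ttl)
        return token

    def introspect(self, access_token: str) -> Optional[dict]:
        """Who an AT was issued to, or None if it is unknown or expired."""
        entry = self.access_tokens.get(access_token)
        if entry is None or self.now() > entry[2]:
            return None
        return {"sub": entry[0], "client_id": entry[1]}

    def twitter_grant_for(self, access_token: str) -> TwitterGrant:
        """Step 14: your API submits the AT it was presented and gets back the
        Twitter credentials it needs to sign the step 15 call."""
        info = self.introspect(access_token)
        if info is None:
            raise PermissionError("invalid or expired access token")
        grant = self.twitter_grants.get(info["sub"])
        if grant is None:
            raise LookupError("user has not authorized Twitter access")
        return grant


def rejects(action) -> bool:
    try:
        action()
    except (PermissionError, LookupError):
        return True
    return False


def demo() -> dict:
    """Happy path plus the refusals, with a controllable clock."""
    clock = {"t": 1_000_000.0}
    srv = AuthorizationServer(clients={"webapp": "sample-client-secret"}, now=lambda: clock["t"])
    srv.store_twitter_grant("alice", "sample-twitter-token", "sample-twitter-secret")
    code = srv.issue_code("alice", "webapp")
    at = srv.exchange_code(code, "webapp", "sample-client-secret")
    out = {"sub": srv.introspect(at)["sub"],
           "twitter_token": srv.twitter_grant_for(at).token,
           "code_replay_rejected": rejects(lambda: srv.exchange_code(code, "webapp", "sample-client-secret")),
           "wrong_secret_rejected": rejects(lambda: srv.exchange_code(srv.issue_code("alice", "webapp"), "webapp", "guess")),
           "unknown_at_rejected": rejects(lambda: srv.twitter_grant_for("not-a-token"))}
    bob_at = srv.exchange_code(srv.issue_code("bob", "webapp"), "webapp", "sample-client-secret")
    out["unlinked_user_rejected"] = rejects(lambda: srv.twitter_grant_for(bob_at))
    clock["t"] += 3601                                   # beyond the AT lifetime
    out["expired_at_inactive"] = srv.introspect(at) is None
    return out
```

The point of the arrangement is the trust boundary the slides describe: the third-party Web site only ever holds the AT your AS issued, while the Twitter token and its secret travel no further than your AS and your API. That keeps the two grants independently revocable, and it is why step 14 is a lookup by your API rather than a pass-through of the client's token. The AC is popped on first use and checked against the client it was issued to, and the AT lifetime is enforced at lookup time, so an expired or unknown token fails before any Twitter credential is released.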


