
@ben221199
Created March 3, 2024 22:33
OAuth

OAuth 1.0

Versions

Versions as used below.

  • ORG: Original OAuth 1.0 spec
  • REV: The OAuth 1.0 spec with Revision A
  • RFC: The OAuth 1.0 spec as specified in RFC 5849

Rules

The rules are not in order.

  • [OPTIONAL] OAuth Protocol Parameters SHALL only use one parameter source.
    • [ORG] OAuth Protocol Parameters are sent from the Consumer to the Service Provider in one of three methods, in order of decreasing preference: (Section 5.2)
    • [REV] OAuth Protocol Parameters are sent from the Consumer to the Service Provider in one of three methods, in order of decreasing preference: (Section 5.2)
    • [RFC] When making an OAuth-authenticated request, protocol parameters as well as any other parameter using the "oauth_" prefix SHALL be included in the request using one and only one of the following locations, listed in order of decreasing preference: (Section 3.5)
    • (It seems to be up to the implementor to return a 400 error when this rule is not met.)
  • [OPTIONAL] If the HTTP Authorization header is present, another parameter source can still be used for OAuth Protocol Parameters.
    • [RFC] The parameters from the following sources are collected into a single list of name/value pairs: (Section 3.4.1.3.1)
    • (There is no rule that the HTTP Authorization header must be used for OAuth Protocol Parameters when present. The only rules are that only one parameter source shall be used for OAuth Protocol Parameters, and that OAuth Protocol Parameters cannot be duplicated. After that, everything is collected into one list.)
    • (It is up to the implementor to return a 400 error when the header is present but not used for OAuth Protocol Parameters.)
  • [REQUIRED] There cannot be duplicated OAuth Protocol Parameters.
    • [ORG] HTTP 400 Bad Request / Duplicated OAuth Protocol Parameter (Section 10)
    • [REV] HTTP 400 Bad Request / Duplicated OAuth Protocol Parameter (Section 10)
    • [RFC] The server SHOULD return a 400 (Bad Request) status code when receiving a request with unsupported parameters, an unsupported signature method, missing parameters, or duplicated protocol parameters. The server SHOULD return a 401 (Unauthorized) status code when receiving a request with invalid client credentials, an invalid or expired token, an invalid signature, or an invalid or used nonce. (Section 3.2)
  • [???] The HTTP Authorization header SHOULD NOT be used for other parameters than OAuth Protocol Parameters.
    • [ORG] In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters. The methods for sending other request parameters are left undefined, but SHOULD NOT use the OAuth HTTP Authorization Scheme header. (Section 5.2)
    • [REV] In addition to these defined methods, future extensions may describe alternate methods for sending the OAuth Protocol Parameters. The methods for sending other request parameters are left undefined, but SHOULD NOT use the OAuth HTTP Authorization Scheme header. (Section 5.2)
    • (In the RFC the text "other request-specific parameters" is seen in section 3.5.2 and section 3.5.3, but not in section 3.5.1 about the Authorization header.)
    • (It is not clear whether the server should return a 400 error if this rule is not met.)
  • [REQUIRED] Required protocol parameters should not be missing.
    • [ORG] OAuth Protocol Parameter names and values are case sensitive. Each OAuth Protocol Parameters MUST NOT appear more than once per request, and are REQUIRED unless otherwise noted. (Section 5), HTTP 400 Bad Request / Missing required parameter (Section 10)
    • [REV] OAuth Protocol Parameter names and values are case sensitive. Each OAuth Protocol Parameters MUST NOT appear more than once per request, and are REQUIRED unless otherwise noted. (Section 5), HTTP 400 Bad Request / Missing required parameter (Section 10)
    • [RFC] The server SHOULD return a 400 (Bad Request) status code when receiving a request with unsupported parameters, an unsupported signature method, missing parameters, or duplicated protocol parameters. The server SHOULD return a 401 (Unauthorized) status code when receiving a request with invalid client credentials, an invalid or expired token, an invalid signature, or an invalid or used nonce. (Section 3.2)
  • [REQUIRED] A supported signature method should be used: PLAINTEXT, HMAC-SHA1 or RSA-SHA1 (or custom one).
    • [ORG] HTTP 400 Bad Request / Unsupported signature method (Section 10)
    • [REV] HTTP 400 Bad Request / Unsupported signature method (Section 10)
    • [RFC] The server SHOULD return a 400 (Bad Request) status code when receiving a request with unsupported parameters, an unsupported signature method, missing parameters, or duplicated protocol parameters. The server SHOULD return a 401 (Unauthorized) status code when receiving a request with invalid client credentials, an invalid or expired token, an invalid signature, or an invalid or used nonce. (Section 3.2)
    • (PLAINTEXT is only possible over HTTPS.)

The 400 error "Unsupported parameter" seems to be about the parameter names, but could be about values too.
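The rules above, applied together as a server-side request check. This is an added example, not code from the gist: it collects "oauth_" parameters from the Authorization header, form body and query string, and rejects the request with a 400 where the rules call for one. The strict choices (exactly one source, no non-protocol parameters in the header) are the implementor's policy, as the gist notes, not spec MUSTs; the body is assumed to be form-urlencoded, and the optional timestamp/nonce for PLAINTEXT follows RFC 5849 section 3.1.

```python
import re
from urllib.parse import parse_qsl, unquote

SUPPORTED_METHODS = {"PLAINTEXT", "HMAC-SHA1", "RSA-SHA1"}
HEADER_RE = re.compile(r'([^\s,="]+)="([^"]*)"')


def parse_auth_header(header):
    """Split an 'OAuth k="v", k2="v2"' header into (name, value) pairs.
    Values are percent-decoded as RFC 5849 3.5.1 requires; realm is dropped."""
    if not header or not header.startswith("OAuth "):
        return []
    return [(k, unquote(v)) for k, v in HEADER_RE.findall(header[6:]) if k != "realm"]


def check_oauth_request(auth_header=None, body=None, query=None, https=False):
    """Return (200, params) or (400, reason) following the gist's parameter rules.
    Assumes body is application/x-www-form-urlencoded (hypothetical helper)."""
    sources = {
        "header": parse_auth_header(auth_header),
        "body": parse_qsl(body or "", keep_blank_values=True),
        "query": parse_qsl(query or "", keep_blank_values=True),
    }
    # Rule: the Authorization header SHOULD NOT carry non-protocol parameters (policy: reject).
    if any(not k.startswith("oauth_") for k, _ in sources["header"]):
        return 400, "Unsupported parameter in Authorization header"
    # Rule: oauth_* parameters come from one and only one source (policy: reject otherwise).
    used = [s for s, pairs in sources.items() if any(k.startswith("oauth_") for k, _ in pairs)]
    if len(used) != 1:
        return 400, "OAuth Protocol Parameters must use exactly one source"
    # Rule: no duplicated OAuth Protocol Parameters.
    names = [k for k, _ in sources[used[0]] if k.startswith("oauth_")]
    if len(names) != len(set(names)):
        return 400, "Duplicated OAuth Protocol Parameter"
    params = {k: v for k, v in sources[used[0]] if k.startswith("oauth_")}
    # Rule: a supported signature method must be used; PLAINTEXT only over HTTPS.
    method = params.get("oauth_signature_method")
    if method not in SUPPORTED_METHODS:
        return 400, "Unsupported signature method"
    if method == "PLAINTEXT" and not https:
        return 400, "PLAINTEXT signature method requires HTTPS"
    # Rule: required parameters must be present (timestamp/nonce optional for PLAINTEXT).
    required = {"oauth_consumer_key", "oauth_signature"}
    if method != "PLAINTEXT":
        required |= {"oauth_timestamp", "oauth_nonce"}
    missing = sorted(required - params.keys())
    if missing:
        return 400, "Missing required parameter: " + ", ".join(missing)
    return 200, params
```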
