@mojodna
Created May 19, 2009 00:42
# Updating Ruby OAuth Consumers to 1.0a
In response to April's [OAuth Security Advisory](http://oauth.net/advisories/2009-1), the OAuth community has penned a [new draft of the specification](http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_0a.html), titled 1.0a (currently in draft 3). This makes a number of changes to the flow:
1. providing an `oauth_callback` is now part of the Request Token stage (if the client cannot accept callbacks, the value MUST be _oob_)
2. `oauth_callback_confirmed` MUST be present (and _true_) when the SP issues a Request Token to the client
3. an `oauth_verifier` parameter is provided to the callback URL (or displayed if no callback URL was configured) and MUST be included when exchanging the Request Token for an Access Token
Code that once looked like this:
```ruby
request_token = consumer.get_request_token
puts "Please visit the following URL to authorize this application:"
puts request_token.authorize_url(:oauth_callback => callback_url)
# wait for input
gets
access_token = request_token.get_access_token
```
Should now look like this:
```ruby
request_token = consumer.get_request_token(:oauth_callback => callback_url)
puts "Please visit the following URL to authorize this application:"
puts request_token.authorize_url
# wait for input: the user supplies the `oauth_verifier`, which the SP either
# displayed to them (oob) or appended to the expanded callback URL
oauth_verifier = gets.strip
access_token = request_token.get_access_token(:oauth_verifier => oauth_verifier)
```
The changes to the spec are limited to the Request Token <=> Access Token exchange, so once you have an Access Token, everything should behave as it did before. For this reason, clients that only implement 2-legged OAuth are unaffected.
[Section 11.14. Cross-Site Request Forgery (CSRF)](http://oauth.googlecode.com/svn/spec/core/1.0a/drafts/3/oauth-core-1_0a.html#anchor38) is also worth reading (and understanding) in order to further secure the use of callback URLs.
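As an added illustration (not part of the original gist, and independent of the oauth gem), here is a consumer-side check covering steps 2 and 3 above: it refuses a Request Token response that lacks `oauth_callback_confirmed=true`, and only accepts an `oauth_verifier` from a callback that names the Request Token the client is actually waiting on. Provider URLs and token values are constructed.

```ruby
require "uri"

# Raised when the provider's response or the callback is not 1.0a-compliant.
class OAuth10aError < StandardError; end

# Parse the form-encoded Request Token response and require
# oauth_callback_confirmed=true, as 1.0a mandates (step 2 above). A provider
# that omits it is still speaking 1.0, and the client should not continue.
def parse_request_token_response(body)
  params = URI.decode_www_form(body).to_h
  unless params["oauth_callback_confirmed"] == "true"
    raise OAuth10aError, "provider did not confirm the callback (oauth_callback_confirmed != true)"
  end
  %w[oauth_token oauth_token_secret].each do |k|
    raise OAuth10aError, "Request Token response is missing #{k}" if params[k].to_s.empty?
  end
  { token: params["oauth_token"], secret: params["oauth_token_secret"] }
end

# Extract oauth_verifier from the expanded callback URL the user was sent to
# (step 3 above), after checking that the callback names the Request Token this
# client is actually waiting on. Binding the two rejects a callback that
# carries a token from some other session.
def verifier_from_callback(callback_url, expected_token)
  uri = URI(callback_url)
  raise OAuth10aError, "callback URL has no query string" if uri.query.nil?
  params = URI.decode_www_form(uri.query).to_h
  unless params["oauth_token"] == expected_token
    raise OAuth10aError, "oauth_token in callback does not match the pending Request Token"
  end
  verifier = params["oauth_verifier"].to_s
  raise OAuth10aError, "callback is missing oauth_verifier" if verifier.empty?
  verifier
end

# Constructed sample data (hypothetical provider and values, not real ones).
REQUEST_TOKEN_BODY = "oauth_token=req-token-abc123&oauth_token_secret=req-secret-xyz789&oauth_callback_confirmed=true"
CALLBACK_URL = "https://consumer.example/oauth/callback?oauth_token=req-token-abc123&oauth_verifier=verif-4f9d2c"

if __FILE__ == $0
  rt = parse_request_token_response(REQUEST_TOKEN_BODY)
  verifier = verifier_from_callback(CALLBACK_URL, rt[:token])
  puts "exchange #{rt[:token]} for an Access Token with :oauth_verifier => #{verifier}"
end
```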