understanding the credentials of oauth
more and more internet applications are being mashed up together. as a user, it is sometimes hard to tell which data comes from where, and where it goes after my series of "ok/approve" clicks on the web; that is a real threat to user privacy (some people tell me they don't care, especially the young kids, but i reply to them: someday you are getting old!). as a software developer, what you need to know is "oauth", which is designed to let a "consumer" access user data held by a "service provider" on behalf of the user.
digging into the oauth specification, you find two credential pairs in the protocol: the consumer key / consumer secret, and the token / token secret. the consumer pair identifies the consumer, while the token pair identifies the user in the 3-legged authentication process. you can think of both as analogous to the username / password pair in normal credential authentication; however, the token / token secret pair is a little different, since it is designed so the user can revoke the token without changing the password for the application (on the service provider side).
whenever authentication happens, two types of token are generated: the "request token" and the "access token". the request token is exposed to the user when the user is redirected to the service provider for authentication, while the access token stays between the consumer and the service provider.
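the three-legged flow sketched above, as a small added example (this is not code from the original post): a simulated service provider that signs and verifies requests with the consumer secret plus the token secret as rfc 5849 describes (the secrets themselves never go on the wire), issues a request token, swaps it once for an access token after the user approves, and lets the user revoke that access token without touching the password. the consumer key, urls and user name are constructed, and nonce/timestamp replay checks are left out to keep it short.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

def pct(s):  # rfc 5849 section 3.6 percent-encoding
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):  # hmac-sha1 over the base string; key joins both secrets
    norm = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def consumer_request(method, url, params, consumer_secret, token_secret=""):  # what the consumer sends
    return {**params, "oauth_signature": sign(method, url, params, consumer_secret, token_secret)}

class ServiceProvider:
    def __init__(self, consumers):  # consumer key -> consumer secret (constructed registry)
        self.consumers, self.request_tokens, self.access_tokens = consumers, {}, {}
    def _verify(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, secret or "", token_secret)
        if secret is None or not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("unknown consumer or bad signature")
    def request_token(self, method, url, params):
        self._verify(method, url, params)  # first leg: no token yet, so the token secret is empty
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": params["oauth_consumer_key"], "verifier": None}
        return tok, sec
    def authorize(self, token, user):  # second leg: the user's approve click; only the request token reaches the browser
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]
    def access_token(self, method, url, params):  # third leg: approved request token is swapped once for an access token
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["verifier"] is None or rt["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("unauthorized request token")
        self._verify(method, url, params, rt["secret"])
        if not hmac.compare_digest(rt["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("bad verifier")
        del self.request_tokens[params["oauth_token"]]
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"]}
        return tok, sec
    def resource(self, method, url, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None: raise PermissionError("unknown or revoked access token")
        self._verify(method, url, params, at["secret"])
        return at["user"]
    def revoke(self, token):  # the user drops this consumer's access; their password is untouched
        self.access_tokens.pop(token, None)
```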
disclaimer: this is not a comprehensive design of the secure protocol; it is simply a blog article describing a security topic.