Obtain Access Token

Once the user has granted access, the application can exchange the request token for an access token. To obtain an access token, the application makes a request to the service provider's access token URL (/oauth/access_token, in the case of Twitter):

POST /oauth/access_token HTTP/1.1
Host: api.twitter.com
Authorization: OAuth oauth_consumer_key="cChZNFj6T5R0TigYB9yd1w",
  oauth_nonce="a9900fe68e2573b27a37f10fbad6a755",
  oauth_signature_method="HMAC-SHA1",
  oauth_timestamp="1318467427",
  oauth_token="NPcudxy0yU5T3tBzho7iCotZ3cnetKwcTIRlX0iwRl0",
  oauth_verifier="uw7NjWHT6OJ1MpJOXsHfNxoAhPKpgI8BlYDhxEjIBY",
  oauth_version="1.0",
  oauth_signature="39cipBtIOHEEnybAR4sATQTpl2I%3D"

The parameters for this request are conveyed in the Authorization header. Let's examine them.

  • oauth_consumer_key: Identifies the application to the service provider. This is assigned when registering the application with Twitter.

  • oauth_nonce: A random string uniquely generated by Passport for each request, used to help prevent replay attacks.

  • oauth_signature_method: The signature method used to sign the request.

  • oauth_timestamp: The number of seconds since January 1, 1970 00:00:00 GMT.

  • oauth_token: The request token obtained previously which the user has now either authorized or denied.

  • oauth_verifier: The verification code received previously as a parameter when the service provider redirected the user back to the application's callback URL.

  • oauth_version: The version of OAuth used to authorize the request, set to "1.0".

  • oauth_signature: A cryptographic signature used to authenticate the request. Passport computes this automatically using the application's consumer secret and the request token secret.

When Twitter receives this request, it authenticates the application by verifying that the signature was produced with the consumer secret corresponding to the consumer key, together with the request token secret. It then verifies that the request token is valid and was issued to the authenticated application. Finally, it verifies that the verification code is valid.

If the request is valid and authorized, Twitter issues an access token:

HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=7588892-kagSNqWge8gB1WwE3plnFsJHAZVfxWD7Vb57p0b4&
oauth_token_secret=PbKfYqSryyeKDWz4ebtY3o5ogNLG11WJuZBc9fQrQo

Let's examine the parameters in this response.

  • oauth_token: An access token.

  • oauth_token_secret: A shared secret used to cryptographically demonstrate ownership of the access token when accessing protected resources.

Now that the application has obtained an access token, it can access the user profile.
