Reputation: 1879
I have a spec for a project that accesses a third-party remote API RESTfully and requires OAuth. The spec includes the following text:
Access to the API requires the use of the OAuth protocol. A per-organisation shared secret / access key combination prevents access from unauthorised parties. Because the service endpoint identifies the organisation, no other parameters are expected to be passed in the OAuth header that encapsulates the REST request.
Of this, I don't fully understand the following:
Because the service endpoint identifies the organisation, no other parameters are expected to be passed in the OAuth header that encapsulates the REST request.
Upvotes: 1
Views: 4598
Reputation: 47923
oauth_* parameters can be passed either in the Authorization header or as URL params. I read that quote as meaning that if you pass the oauth_* values in the Authorization header, don't include other values in the header.
OAuth params as a header:
GET /initiate?foo=bar HTTP/1.1
Host: photos.example.net
Authorization: OAuth realm="Photos",
    oauth_consumer_key="dpf43f3p2l4k3l03",
    oauth_signature_method="HMAC-SHA1",
    oauth_timestamp="137131200",
    oauth_nonce="wIjqoS",
    oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
    oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"
OAuth params in the URL:
GET /initiate?foo=bar&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_signature_method=HMAC-SHA1&oauth_timestamp=137131200&oauth_nonce=wIjqoS&oauth_callback=http%3A%2F%2Fprinter.example.com%2Fready&oauth_signature=74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D HTTP/1.1
Host: photos.example.net
Upvotes: 6
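The two transports shown in the answer above, as an added example that is not part of the original question or answer: a small OAuth 1.0 (RFC 5849) HMAC-SHA1 signer that emits the same oauth_* set either as an Authorization header or appended to the query string, plus the server-side check that recovers them from either place. The consumer key/secret, nonce and timestamp are constructed values modelled on the RFC's "Photos" example; the signature on the page is not reproduced, since it was computed against an unknown secret. The point the spec quote is making is visible in the code: the application's own query parameter (foo=bar) is covered by the signature but is not an oauth_* parameter, so it stays in the URL and never goes into the header.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing via Authorization header or query string.
Added example, not code from the original post. Credentials, nonce and timestamp
are constructed values modelled on the RFC 5849 'Photos' example."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

CONSUMER_KEY = "dpf43f3p2l4k3l03"       # constructed (RFC 5849 example value)
CONSUMER_SECRET = "kd94hf93k423kf44"    # constructed (RFC 5849 example value)


def pct(s):
    """RFC 5849 3.6 percent-encoding: only unreserved characters stay literal."""
    return quote(s, safe="-._~")


def signature_base_string(method, base_url, params):
    """RFC 5849 3.4.1: METHOD & enc(base URI) & enc(normalized parameters).
    params holds every query and oauth_* pair except oauth_signature."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 3.4.2: key is enc(consumer secret) '&' enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def split_url(url):
    """Base URI (scheme, host, path) and the decoded query pairs."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}", parse_qsl(p.query, keep_blank_values=True)


def sign(method, url, consumer_key, consumer_secret, nonce=None, timestamp=None):
    """Client side: build the oauth_* pairs for one request. The application's own
    query parameters (e.g. foo=bar) are signed but are not oauth_* parameters."""
    base_url, query = split_url(url)
    oauth = [
        ("oauth_consumer_key", consumer_key),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", timestamp or str(int(time.time()))),
        ("oauth_nonce", nonce or secrets.token_urlsafe(8)),
    ]
    base = signature_base_string(method, base_url, query + oauth)
    return oauth + [("oauth_signature", hmac_sha1_signature(base, consumer_secret))]


def authorization_header(oauth, realm=None):
    """RFC 5849 3.5.1: header transport; realm is the only non-oauth_ field allowed."""
    fields = [f'realm="{realm}"'] if realm else []
    fields += [f'{pct(k)}="{pct(v)}"' for k, v in oauth]
    return "OAuth " + ", ".join(fields)


def query_url(url, oauth):
    """RFC 5849 3.5.3: query transport; oauth_* appended to the existing query."""
    p = urlsplit(url)
    extra = urlencode(oauth, quote_via=quote, safe="-._~")
    return f"{p.scheme}://{p.netloc}{p.path}?{p.query + '&' if p.query else ''}{extra}"


def verify(method, request_url, consumer_secret, header=None):
    """Server side: take oauth_* from the header if one is given, otherwise from the
    query; rebuild the base string without oauth_signature; compare in constant time."""
    base_url, query = split_url(request_url)
    if header is not None:
        if not header.startswith("OAuth "):
            return False
        oauth = []
        for field in header[len("OAuth "):].split(","):
            k, _, v = field.strip().partition("=")
            if k != "realm":                      # realm is not a protocol parameter
                oauth.append((unquote(k), unquote(v.strip('"'))))
    else:
        oauth = [(k, v) for k, v in query if k.startswith("oauth_")]
        query = [(k, v) for k, v in query if not k.startswith("oauth_")]
    provided = dict(oauth).get("oauth_signature", "")
    unsigned = [(k, v) for k, v in oauth if k != "oauth_signature"]
    base = signature_base_string(method, base_url, query + unsigned)
    return hmac.compare_digest(provided, hmac_sha1_signature(base, consumer_secret))


if __name__ == "__main__":
    url = "http://photos.example.net/initiate?foo=bar"
    oauth = sign("GET", url, CONSUMER_KEY, CONSUMER_SECRET, nonce="wIjqoS", timestamp="137131200")
    print("Authorization:", authorization_header(oauth, realm="Photos"))
    print("GET", query_url(url, oauth))
    print("header verifies:", verify("GET", url, CONSUMER_SECRET, header=authorization_header(oauth, "Photos")))
    print("query verifies: ", verify("GET", query_url(url, oauth), CONSUMER_SECRET))
```

Either form verifies against the same secret, and changing foo=bar to foo=baz in the URL breaks both, which is why the server does not need the application parameters repeated inside the OAuth header: they are already bound by the signature. Note that a real server must also reject replayed nonce/timestamp pairs; this example checks only the signature.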