Zane Claes

Reputation: 14954

OAuth Spec: why do some implementations return an access_token + access_token_secret and others just an access token?

Case in point:

The Facebook https://graph.facebook.com/oauth/access_token endpoint, in handing off a code for an access token, returns the access_token and expires. Instagram seems to do the same.

On the other hand, the Twitter https://api.twitter.com/oauth/access_token returns both an access_token and an access_token secret.

Subsequently, when accessing Facebook API endpoints, I just send the access_token with the request. On the other hand, accessing Twitter endpoints requires signing the request with the secret as well.

The reason I ask: I'm implementing my own OAuth web app API, and would like to make sure I conform properly to standards. I designed it initially to act like Twitter, but I don't understand why Facebook & Instagram act in the way they do.

Upvotes: 1

Views: 155

Answers (1)

Jon Susiak

Reputation: 4978

Facebook and Instagram use the OAuth 2.0 protocol whereas Twitter uses the OAuth 1.0a protocol. The posts here and here may help you understand the differences.

Upvotes: 2
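The difference described in the question and answer above, as an added example that is not part of the original posts: an OAuth 1.0a request is signed with HMAC-SHA1 using the consumer secret and the token secret, while an OAuth 2.0 request only carries the bearer token. The URL, keys, secrets, nonce and timestamp are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only unreserved chars stay.
    return quote(str(value), safe="~")

def oauth1_base_string(method, url, params):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def oauth1_sign(method, url, params, consumer_secret, token_secret):
    # The signing key joins both secrets; neither one is sent with the request.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = oauth1_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def oauth1_verify(method, url, params, signature, consumer_secret, token_secret):
    # Server side: recompute the signature and compare in constant time.
    expected = oauth1_sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, signature)

def oauth2_bearer_headers(access_token):
    # OAuth 2.0 bearer usage: the token alone authorizes the request, nothing is signed.
    return {"Authorization": f"Bearer {access_token}"}

# Constructed sample request (not real credentials or a real endpoint).
URL = "https://api.example.com/1/statuses/update.json"
PARAMS = {
    "oauth_consumer_key": "example-consumer-key",
    "oauth_token": "example-access-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_nonce": "constructed-nonce-1",
    "oauth_version": "1.0",
    "status": "hello world",
}

if __name__ == "__main__":
    sig = oauth1_sign("POST", URL, PARAMS, "example-consumer-secret", "example-token-secret")
    print("OAuth 1.0a oauth_signature:", sig)
    print("OAuth 2.0 headers:", oauth2_bearer_headers("example-access-token"))
```

Because a bearer token is the whole credential, OAuth 2.0 depends on TLS to protect it in transit, whereas the OAuth 1.0a signature binds the method, URL and parameters to secrets that never leave the client or server.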
