Reputation: 25902
I am stuck and confused on the literature surrounding OAuth. Let's say we want to connect to an OAuth provider, Twitter. And we have mysite.com, it has various users, and some of them also have a Twitter account. Do I need a separate consumer key and/or separate consumer secret for each user, or do I have only 1 pair of those?
Upvotes: 2
Views: 916
Reputation: 47863
A consumer key and secret pair are app specific and each app will be one key/secret pair. An app could be a mobile app, a website, or just a script hiding on your computer. For example Twitter has a different consumer key/secret for Twitter for Android, Twitter for iOS, and Twitter for Mac.
Every user has to authorize each app (aka consumer key/secret pair) specifically and will have an access token and secret pair that uniquely identifies that the user has authorized that specific consumer key.
Upvotes: 4
Reputation: 23098
Yes.
A request token is associated only with the consumer (Mysite) until the moment a particular user authorizes it.
An access token knows the consumer (Mysite) and the user it is applicable to. The guy possessing it identifies as Mysite and can perform actions on behalf of that user.
Here is how oauth-php implements it: http://code.google.com/p/oauth-php/source/browse/trunk/library/store/mysql/mysql.sql
#
# ////////////////// SERVER SIDE /////////////////
#
# Table holding consumer key/secret combos a user issued to consumers.
# Used for verification of incoming requests.
CREATE TABLE IF NOT EXISTS oauth_server_registry (
    osr_id                      int(11) not null auto_increment,
    osr_usa_id_ref              int(11),
    osr_consumer_key            varchar(64) binary not null,
    osr_consumer_secret         varchar(64) binary not null,
    osr_enabled                 tinyint(1) not null default '1',
    osr_status                  varchar(16) not null,
    osr_requester_name          varchar(64) not null,
    osr_requester_email         varchar(64) not null,
    osr_callback_uri            varchar(255) not null,
    osr_application_uri         varchar(255) not null,
    osr_application_title       varchar(80) not null,
    osr_application_descr       text not null,
    osr_application_notes       text not null,
    osr_application_type        varchar(20) not null,
    osr_application_commercial  tinyint(1) not null default '0',
    osr_issue_date              datetime not null,
    osr_timestamp               timestamp not null default current_timestamp,

    primary key (osr_id),
    unique key (osr_consumer_key),
    key (osr_usa_id_ref)
#   , foreign key (osr_usa_id_ref) references any_user_auth(usa_id_ref)
#       on update cascade
#       on delete set null
) engine=InnoDB default charset=utf8;

# Table holding the request and access tokens issued against a registered
# consumer (ost_osr_id_ref); ost_token_type tells the two apart and
# ost_authorized records whether a user has approved the token.
CREATE TABLE IF NOT EXISTS oauth_server_token (
    ost_id                  int(11) not null auto_increment,
    ost_osr_id_ref          int(11) not null,
    ost_usa_id_ref          int(11) not null,
    ost_token               varchar(64) binary not null,
    ost_token_secret        varchar(64) binary not null,
    ost_token_type          enum('request','access'),
    ost_authorized          tinyint(1) not null default '0',
    ost_referrer_host       varchar(128) not null default '',
    ost_token_ttl           datetime not null default '9999-12-31',
    ost_timestamp           timestamp not null default current_timestamp,
    ost_verifier            char(10),
    ost_callback_url        varchar(512),

    primary key (ost_id),
    unique key (ost_token),
    key (ost_osr_id_ref),
    key (ost_token_ttl),
    foreign key (ost_osr_id_ref) references oauth_server_registry (osr_id)
        on update cascade
        on delete cascade
#   , foreign key (ost_usa_id_ref) references any_user_auth (usa_id_ref)
#       on update cascade
#       on delete cascade
) engine=InnoDB default charset=utf8;
Upvotes: 1
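Both answers describe the same two-level model: one consumer key/secret per app, and one access token per (consumer, user) pair that exists only after that user authorizes a request token. The following in-memory server sketch is an added example (not oauth-php's or Twitter's code); the class and method names are hypothetical and it models just the token store, not request signing.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical in-memory model of the OAuth 1.0 token hierarchy: a consumer
# registry (one key/secret row per app) and a token table holding request
# tokens, which carry no user until authorized, and access tokens, which are
# bound to exactly one (consumer, user) pair. Example code, not a real library.

@dataclass
class Token:
    token: str
    secret: str
    consumer_key: str
    token_type: str                 # 'request' or 'access', like ost_token_type
    user_id: Optional[str] = None   # None for a request token until authorized
    verifier: Optional[str] = None  # set on authorization, checked on exchange

class OAuthServer:
    def __init__(self):
        self.consumers = {}   # consumer_key -> consumer_secret (one row per app)
        self.tokens = {}      # token -> Token (request and access tokens)

    def register_consumer(self, app_name):
        """Issue exactly one key/secret pair for an app, whatever its user count."""
        key, secret = secrets.token_hex(16), secrets.token_hex(32)
        self.consumers[key] = secret
        return key, secret

    def issue_request_token(self, consumer_key):
        """A request token is tied to the consumer only; no user yet."""
        if consumer_key not in self.consumers:
            raise PermissionError("unknown consumer key")
        t = Token(secrets.token_hex(16), secrets.token_hex(32), consumer_key, "request")
        self.tokens[t.token] = t
        return t

    def authorize(self, request_token, user_id):
        """The user approves the request token; it now names that user."""
        t = self.tokens[request_token]
        if t.token_type != "request" or t.user_id is not None:
            raise PermissionError("token not awaiting authorization")
        t.user_id, t.verifier = user_id, secrets.token_hex(5)  # 10-char verifier
        return t.verifier

    def exchange(self, consumer_key, request_token, verifier):
        """Swap an authorized request token for an access token bound to (consumer, user)."""
        t = self.tokens.get(request_token)
        if t is None or t.token_type != "request" or t.consumer_key != consumer_key or t.user_id is None:
            raise PermissionError("request token not authorized for this consumer")
        if not secrets.compare_digest(t.verifier, verifier):
            raise PermissionError("bad verifier")
        del self.tokens[request_token]  # request tokens are single-use
        access = Token(secrets.token_hex(16), secrets.token_hex(32), consumer_key, "access", t.user_id)
        self.tokens[access.token] = access
        return access
```

The same user authorizing two different apps ends up with two unrelated access tokens, while a request token authorized for one consumer cannot be exchanged by another.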