The OAuth 1.0 Guide

OAuth Core 1.0 (also known as RFC 5849), the community-based specification published on December 4th, 2007, revised June 24th, 2009, and finalized in April 2010 is one of the fastest growing Open Web specifications. It provides a much needed solution for security web APIs without requiring users to share their usernames and passwords.

This guide attempts to explain OAuth by taking a look at its history, architecture, and technical details. It is written primarily for developers looking to implement services offering secure APIs or developers implementing clients using OAuth-protected services.

The OAuth specification has gone through a few complete rewrites. The final revision was made at the end of 2009 as part of the effort to publish OAuth 1.0 as an RFC, which concluded in April 2010 with the publication of RFC 5849. This guide is based on the final edition which changed the document structure and terminology to better align OAuth with HTTP and other web standards.

OAuth 2.0 attempted to replace 1.0 with a simpler protocol but ended up creating a loose framework that is very hard to implement securely. The OAuth 2.0 specification ended up being so poorly done, that I removed my name from it as author.