OAuth 1.0 RFC Edition

Pending approval by the IESG, the IETF governing body which provides the final technical review of Internet standards, my OAuth Core 1.0 Rev A rewrite will be published as an informational RFC. This has been a time-consuming effort focused on two goals: increasing the usefulness and readability of the document (an area where the current specification falls significantly short), and addressing the list of known errata identified over the past two years.
From an editorial perspective, this is a brand new specification. While it details the same protocol, it does so in very different terms, narrative, and detail. The majority of the specification was written from scratch using valuable feedback I collected over the past two years from those who were kind enough to provide detailed notes (and sometimes justified rants).

The new edition moves OAuth closer to the HTTP transport layer, explaining how the protocol interacts with HTTP requests. It also aligns its terminology with that of HTTP, discarding many of the invented terms (e.g. Consumer Key, Request Token). And most importantly, it separates the authentication and authorization components, placing each in its own section.

But what will matter most to implementers are the protocol changes and clarifications made in the new edition. The changes are listed in an appendix but they are worth highlighting here:

  • Adjusted nonce language to indicate it is unique per token/timestamp/client combination.
  • Removed the requirement for timestamps to be equal to or greater than the timestamp used in the previous request.
  • Changed the nonce and timestamp parameters to OPTIONAL when using the PLAINTEXT signature method.
  • Extended signature base string coverage to include ‘application/x-www-form-urlencoded’ entity-body parameters when the HTTP method used is other than POST, and URI query parameters when the HTTP method used is other than GET.
  • Incorporated corrections to the instructions in each signature method to encode the signature value before inserting it into the ‘oauth_signature’ parameter, removing errors which would have caused double-encoded values.
  • Allowed omitting the ‘oauth_token’ parameter when empty.
  • Permitted sending requests for temporary credentials with an empty ‘oauth_token’ parameter.
  • Removed the restrictions on defining additional ‘oauth_’ parameters.
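As an added example (not code from this post or from the OAuth specification itself), the following Python shows the two signature-related changes in the list above in working form: query and form-body parameters are collected into the signature base string regardless of the HTTP method, and the base64 HMAC-SHA1 value is percent-encoded exactly once before it is placed in ‘oauth_signature’. The sample request, parameter values and secrets at the bottom are constructed for illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

FORM = "application/x-www-form-urlencoded"


def pct(s: str) -> str:
    """Percent-encode, leaving only RFC 3986 unreserved characters bare (upper-case hex)."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Lower-case scheme and host, drop default ports, drop query and fragment."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    host = u.hostname or ""
    if u.port and u.port != default:
        host = f"{host}:{u.port}"
    return f"{u.scheme.lower()}://{host}{u.path or '/'}"


def signature_base_string(method, url, oauth_params, body=b"", content_type=None):
    """Build METHOD&enc(uri)&enc(normalized-params) from all three parameter sources."""
    # Query parameters count for every method, not only GET, and form-encoded body
    # parameters count for every method, not only POST (the extension listed above).
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items()
              if k not in ("realm", "oauth_signature")]  # realm excluded; signature not yet known
    if content_type == FORM and body:
        pairs += parse_qsl(body.decode("utf-8"), keep_blank_values=True)
    # Normalize: encode name and value, sort by encoded name then value, join with = and &.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base: str, client_secret: str, token_secret: str = "") -> str:
    """Return the value ready for oauth_signature: base64, then percent-encoded ONCE."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base.encode("ascii"), hashlib.sha1).digest()
    return pct(base64.b64encode(digest).decode("ascii"))


if __name__ == "__main__":
    # Constructed sample: protocol parameters from the Authorization header, plus a query
    # string and a form body on the same POST; secrets are placeholders.
    url = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
    proto = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
             "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
    base = signature_base_string("POST", url, proto, b"c2&a3=2+q", FORM)
    print(base)
    print(hmac_sha1_signature(base, "client-secret-placeholder", "token-secret-placeholder"))
```

Note that a signature value which still contains a raw ‘=’ or ‘+’ when it reaches the header, or one that contains ‘%253D’, is a sign of the missing or double encoding the errata corrected.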

In my next post I will translate this list into code changes service providers and library developers should make in order to align their code with this new draft. We plan to point visitors to the http://oauth.net site to the new draft shortly, and would like to give developers some time to familiarize themselves with these changes.