It’s All About the Token

What will eventually become OAuth 2.0 is taking a first step.

After a couple of weeks of intense discussions on the OAuth WG list, I pushed out a new draft defining the Token Access Authentication Scheme. The new scheme replaces the OAuth authentication scheme defined in OAuth 1.0 and defines instead a general-purpose authentication scheme for both 2-legged and 3-legged use cases. It builds directly on the experience and ideas in OAuth 1.0 but significantly simplifies the protocol.

The new draft removes all the parameter encoding from the first version, at the expense of dropping support for some features. The most noticeable change is the lack of specific support for query or form-encoded parameters. Query parameters are now included as part of the request URI as an opaque string. Body form-encoded parameters can be included by hashing the entire raw body.

Another big change is removing support for transmitting credentials using the URI query or form-encoded body parameters. The new scheme uses the HTTP Authentication framework exclusively and requires the use of the HTTP Authorization header field to send authentication parameters.

For example:

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Token token="h480djs93hd8",
               method="hmac-sha-1",
               timestamp="137131200",
               nonce="dj83hs9s",
               auth="djosJKDKJSD8743243/jdk33klY="
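The following is an added example, not code from the post or the draft, showing both sides of the scheme above: a client computing the hmac-sha-1 auth parameter over the request and emitting the header field in the format shown, and a server parsing that header, checking the timestamp window and nonce replay, and comparing the MAC in constant time. The exact layout of the string the MAC covers is an assumption made for illustration (the draft defines its own), and the token secret is a constructed value.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample credential: the token id from the post's example header,
# paired with a made-up shared secret (the post shows no secret).
TOKEN_ID = "h480djs93hd8"
TOKEN_SECRET = b"constructed-token-secret"

def normalized_request(method, uri, host, timestamp, nonce, body=b""):
    """String the MAC covers. ASSUMPTION: field order and separators are
    illustrative, not the draft's exact layout. The query string rides inside
    `uri` as an opaque string; the body is covered only via a hash of its raw bytes."""
    body_hash = base64.b64encode(hashlib.sha1(body).digest()).decode() if body else ""
    return "\n".join([str(timestamp), nonce, method.upper(), uri, host.lower(), body_hash]) + "\n"

def sign(secret, method, uri, host, timestamp, nonce, body=b""):
    """hmac-sha-1 over the normalized request, base64-encoded for the auth parameter."""
    msg = normalized_request(method, uri, host, timestamp, nonce, body).encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()

def authorization_header(token, secret, method, uri, host, timestamp, nonce, body=b""):
    """Client side: build the Authorization header field value in the post's format."""
    auth = sign(secret, method, uri, host, timestamp, nonce, body)
    return (f'Token token="{token}", method="hmac-sha-1", '
            f'timestamp="{timestamp}", nonce="{nonce}", auth="{auth}"')

def verify(secrets, seen_nonces, method, uri, host, header, body=b"", now=0, window=300):
    """Server side: parse the header, reject unknown tokens, stale timestamps and
    replayed nonces, then recompute the MAC and compare in constant time."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Token":
        return False
    params = dict(re.findall(r'(\w+)="([^"]*)"', rest))
    if not {"token", "method", "timestamp", "nonce", "auth"}.issubset(params):
        return False
    if params["method"] != "hmac-sha-1" or not params["timestamp"].isdigit():
        return False
    secret = secrets.get(params["token"])
    if secret is None or abs(now - int(params["timestamp"])) > window:
        return False
    replay_key = (params["token"], params["nonce"])
    if replay_key in seen_nonces:
        return False
    expected = sign(secret, method, uri, host, int(params["timestamp"]), params["nonce"], body)
    if not hmac.compare_digest(expected, params["auth"]):
        return False
    seen_nonces.add(replay_key)  # record the nonce only once the request has been accepted
    return True
```

The nonce store here is an in-memory set keyed by token; a real server would bound it to the timestamp window so it cannot grow without limit.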

4 thoughts on “It’s All About the Token”

  1. The only issue I’d have with using HTTP auth for this is the default for Apache to not pass that information onto CGI scripts. Probably the most common is when PHP is run under Apache via CGI instead of with mod_php.

  2. I don’t quite understand OAuth, but to be able to intersect with others who do should aid in a better understanding. Thanks for the update.
