Why does an authorized OAuth request token need to be exchanged for an access token?

Posted by Joe Shaw on Stack Overflow See other posts from Stack Overflow or by Joe Shaw
Published on 2010-05-22T03:12:41Z Indexed on 2010/05/22 3:20 UTC
Read the original article Hit count: 201

Filed under:

oauth

I'm wondering what the reasons are for OAuth to require a round-trip to the data provider to exchange an authorized request token for an access token.

My understanding of the OAuth workflow is:

Requesting site (consumer) gets a request token from the data provider site (service provider).
Requesting site asks the data provider site to authenticate the user, passing in a callback.
Once the user has been authenticated and authorized the requesting site, the user is directed back to the requesting site (consumer) via the callback provided which passes back the now-authorized request token and a verification code.
The requesting site exchanges the request token for an access token.
The requesting site uses the access token to get data from the data provider site.

Assuming I got that right, why couldn't the callback simply provide the access token to the requesting site directly in step 3, eliminating step 4? Why is the request to exchange the request token for the access token necessary? Does it exist solely for consumers that require users to enter the verification code manually, with the thought that it would be shorter and simpler than the access token itself?

Related posts about oauth

Issues POSTing XML to OAuth and Signature Invalid with Ruby OAuth Gem

as seen on Stack Overflow - Search for 'Stack Overflow'
[Cross-posted from the OAuth Ruby Google Group. If you couldn't help me there, don't worry bout it] I'm working on integrating a project with TripIt's OAuth API and am running into a weird issue. I authenticate fine, I store and retrieve the token/secret for a given user with no problem, I can even… >>> More
how do i install PHP with JSON and OAuth on Mac Snow Leopard?

as seen on Server Fault - Search for 'Server Fault'
i want to use the dropbox api via this library http://code.google.com/p/dropbox-php/ i installed MAMP then I tried "sudo pecl install oauth" but I got downloading oauth-1.0.0.tgz ... Starting to download oauth-1.0.0.tgz (42,834 bytes) ............done:… >>> More
How do I install PHP with JSON and OAuth on Mac Snow Leopard?

as seen on Server Fault - Search for 'Server Fault'
I want to use the Dropbox API via this library, http://code.google.com/p/dropbox-php/. I installed MAMP, and then I tried sudo pecl install oauth but I got the following. >>>> downloading oauth-1.0.0.tgz ... Starting to download oauth-1.0.0.tgz (42,834 bytes) ............done: 42… >>> More
Oauth for Google API example using Python / Django

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, I am trying to get Oauth working with the Google API using Python. I have tried different oauth libraries such as oauth, oauth2 and djanog-oauth but I cannot get it to work (including the provided examples). For debugging Oauth I use Google's Oauth Playground and I have studied the API and the… >>> More
OAuth::Problem (parameter_absent)

as seen on Stack Overflow - Search for 'Stack Overflow'
Im working with OAuth 0.3.6 and the linkedin gem for a Rails application and I have this issue where OAuth throws an error saying that OAuth::Problem (parameter_absent). The thing is it doesn't throw the error on every occasion its called and the problem is I am unable to reproduce the issue locally… >>> More

Developer IT