diff options
Diffstat (limited to 'doc/rfc/rfc5849.txt')
-rw-r--r-- | doc/rfc/rfc5849.txt | 2131 |
1 files changed, 2131 insertions, 0 deletions
diff --git a/doc/rfc/rfc5849.txt b/doc/rfc/rfc5849.txt new file mode 100644 index 0000000..636814d --- /dev/null +++ b/doc/rfc/rfc5849.txt @@ -0,0 +1,2131 @@ + + + + + + +Internet Engineering Task Force (IETF) E. Hammer-Lahav, Ed. +Request for Comments: 5849 April 2010 +Category: Informational +ISSN: 2070-1721 + + + The OAuth 1.0 Protocol + +Abstract + + OAuth provides a method for clients to access server resources on + behalf of a resource owner (such as a different client or an end- + user). It also provides a process for end-users to authorize third- + party access to their server resources without sharing their + credentials (typically, a username and password pair), using user- + agent redirections. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc5849. + +Copyright Notice + + Copyright (c) 2010 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + + + +Hammer-Lahav Informational [Page 1] + +RFC 5849 OAuth 1.0 April 2010 + + +Table of Contents + + 1. Introduction ....................................................3 + 1.1. Terminology ................................................4 + 1.2. Example ....................................................5 + 1.3. Notational Conventions .....................................7 + 2. Redirection-Based Authorization .................................8 + 2.1. Temporary Credentials ......................................9 + 2.2. Resource Owner Authorization ..............................10 + 2.3. Token Credentials .........................................12 + 3. Authenticated Requests .........................................14 + 3.1. Making Requests ...........................................14 + 3.2. Verifying Requests ........................................16 + 3.3. Nonce and Timestamp .......................................17 + 3.4. Signature .................................................18 + 3.4.1. Signature Base String ..............................18 + 3.4.2. HMAC-SHA1 ..........................................25 + 3.4.3. RSA-SHA1 ...........................................25 + 3.4.4. PLAINTEXT ..........................................26 + 3.5. Parameter Transmission ....................................26 + 3.5.1. Authorization Header ...............................27 + 3.5.2. Form-Encoded Body ..................................28 + 3.5.3. Request URI Query ..................................28 + 3.6. Percent Encoding ..........................................29 + 4. Security Considerations ........................................29 + 4.1. RSA-SHA1 Signature Method .................................29 + 4.2. Confidentiality of Requests ...............................30 + 4.3. Spoofing by Counterfeit Servers ...........................30 + 4.4. Proxying and Caching of Authenticated Content .............30 + 4.5. Plaintext Storage of Credentials ..........................30 + 4.6. Secrecy of the Client Credentials .........................31 + 4.7. Phishing Attacks ..........................................31 + 4.8. Scoping of Access Requests ................................31 + 4.9. Entropy of Secrets ........................................32 + 4.10. Denial-of-Service / Resource-Exhaustion Attacks ..........32 + 4.11. SHA-1 Cryptographic Attacks ..............................33 + 4.12. Signature Base String Limitations ........................33 + 4.13. Cross-Site Request Forgery (CSRF) ........................33 + 4.14. User Interface Redress ...................................34 + 4.15. Automatic Processing of Repeat Authorizations ............34 + 5. Acknowledgments ................................................35 + Appendix A. Differences from the Community Edition ...............36 + 6. References .....................................................37 + 6.1. Normative References ......................................37 + 6.2. Informative References ....................................38 + + + + + + +Hammer-Lahav Informational [Page 2] + +RFC 5849 OAuth 1.0 April 2010 + + +1. Introduction + + The OAuth protocol was originally created by a small community of web + developers from a variety of websites and other Internet services who + wanted to solve the common problem of enabling delegated access to + protected resources. The resulting OAuth protocol was stabilized at + version 1.0 in October 2007, and revised in June 2009 (Revision A) as + published at <http://oauth.net/core/1.0a>. + + This specification provides an informational documentation of OAuth + Core 1.0 Revision A, addresses several errata reported since that + time, and makes numerous editorial clarifications. While this + specification is not an item of the IETF's OAuth Working Group, which + at the time of writing is working on an OAuth version that can be + appropriate for publication on the standards track, it has been + transferred to the IETF for change control by authors of the original + work. + + In the traditional client-server authentication model, the client + uses its credentials to access its resources hosted by the server. + With the increasing use of distributed web services and cloud + computing, third-party applications require access to these server- + hosted resources. + + OAuth introduces a third role to the traditional client-server + authentication model: the resource owner. In the OAuth model, the + client (which is not the resource owner, but is acting on its behalf) + requests access to resources controlled by the resource owner, but + hosted by the server. In addition, OAuth allows the server to verify + not only the resource owner authorization, but also the identity of + the client making the request. + + OAuth provides a method for clients to access server resources on + behalf of a resource owner (such as a different client or an end- + user). It also provides a process for end-users to authorize third- + party access to their server resources without sharing their + credentials (typically, a username and password pair), using user- + agent redirections. + + For example, a web user (resource owner) can grant a printing service + (client) access to her private photos stored at a photo sharing + service (server), without sharing her username and password with the + printing service. Instead, she authenticates directly with the photo + sharing service which issues the printing service delegation-specific + credentials. + + + + + + +Hammer-Lahav Informational [Page 3] + +RFC 5849 OAuth 1.0 April 2010 + + + In order for the client to access resources, it first has to obtain + permission from the resource owner. This permission is expressed in + the form of a token and matching shared-secret. The purpose of the + token is to make it unnecessary for the resource owner to share its + credentials with the client. Unlike the resource owner credentials, + tokens can be issued with a restricted scope and limited lifetime, + and revoked independently. + + This specification consists of two parts. The first part defines a + redirection-based user-agent process for end-users to authorize + client access to their resources, by authenticating directly with the + server and provisioning tokens to the client for use with the + authentication method. The second part defines a method for making + authenticated HTTP [RFC2616] requests using two sets of credentials, + one identifying the client making the request, and a second + identifying the resource owner on whose behalf the request is being + made. + + The use of OAuth with any transport protocol other than [RFC2616] is + undefined. + +1.1. Terminology + + client + An HTTP client (per [RFC2616]) capable of making OAuth- + authenticated requests (Section 3). + + server + An HTTP server (per [RFC2616]) capable of accepting OAuth- + authenticated requests (Section 3). + + protected resource + An access-restricted resource that can be obtained from the + server using an OAuth-authenticated request (Section 3). + + resource owner + An entity capable of accessing and controlling protected + resources by using credentials to authenticate with the server. + + credentials + Credentials are a pair of a unique identifier and a matching + shared secret. OAuth defines three classes of credentials: + client, temporary, and token, used to identify and authenticate + the client making the request, the authorization request, and + the access grant, respectively. + + + + + + +Hammer-Lahav Informational [Page 4] + +RFC 5849 OAuth 1.0 April 2010 + + + token + A unique identifier issued by the server and used by the client + to associate authenticated requests with the resource owner + whose authorization is requested or has been obtained by the + client. Tokens have a matching shared-secret that is used by + the client to establish its ownership of the token, and its + authority to represent the resource owner. + + The original community specification used a somewhat different + terminology that maps to this specifications as follows (original + community terms provided on left): + + Consumer: client + + Service Provider: server + + User: resource owner + + Consumer Key and Secret: client credentials + + Request Token and Secret: temporary credentials + + Access Token and Secret: token credentials + +1.2. Example + + Jane (resource owner) has recently uploaded some private vacation + photos (protected resources) to her photo sharing site + 'photos.example.net' (server). She would like to use the + 'printer.example.com' website (client) to print one of these photos. + Typically, Jane signs into 'photos.example.net' using her username + and password. + + However, Jane does not wish to share her username and password with + the 'printer.example.com' website, which needs to access the photo in + order to print it. In order to provide its users with better + service, 'printer.example.com' has signed up for a set of + 'photos.example.net' client credentials ahead of time: + + Client Identifier + dpf43f3p2l4k3l03 + + Client Shared-Secret: + kd94hf93k423kf44 + + The 'printer.example.com' website has also configured its application + to use the protocol endpoints listed in the 'photos.example.net' API + documentation, which use the "HMAC-SHA1" signature method: + + + +Hammer-Lahav Informational [Page 5] + +RFC 5849 OAuth 1.0 April 2010 + + + Temporary Credential Request + https://photos.example.net/initiate + + Resource Owner Authorization URI: + https://photos.example.net/authorize + + Token Request URI: + https://photos.example.net/token + + Before 'printer.example.com' can ask Jane to grant it access to the + photos, it must first establish a set of temporary credentials with + 'photos.example.net' to identify the delegation request. To do so, + the client sends the following HTTPS [RFC2818] request to the server: + + POST /initiate HTTP/1.1 + Host: photos.example.net + Authorization: OAuth realm="Photos", + oauth_consumer_key="dpf43f3p2l4k3l03", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131200", + oauth_nonce="wIjqoS", + oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready", + oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D" + + The server validates the request and replies with a set of temporary + credentials in the body of the HTTP response (line breaks are for + display purposes only): + + HTTP/1.1 200 OK + Content-Type: application/x-www-form-urlencoded + + oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03& + oauth_callback_confirmed=true + + The client redirects Jane's user-agent to the server's Resource Owner + Authorization endpoint to obtain Jane's approval for accessing her + private photos: + + https://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola + + The server requests Jane to sign in using her username and password + and if successful, asks her to approve granting 'printer.example.com' + access to her private photos. Jane approves the request and her + user-agent is redirected to the callback URI provided by the client + in the previous request (line breaks are for display purposes only): + + http://printer.example.com/ready? + oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884 + + + +Hammer-Lahav Informational [Page 6] + +RFC 5849 OAuth 1.0 April 2010 + + + The callback request informs the client that Jane completed the + authorization process. The client then requests a set of token + credentials using its temporary credentials (over a secure Transport + Layer Security (TLS) channel): + + POST /token HTTP/1.1 + Host: photos.example.net + Authorization: OAuth realm="Photos", + oauth_consumer_key="dpf43f3p2l4k3l03", + oauth_token="hh5s93j4hdidpola", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131201", + oauth_nonce="walatlh", + oauth_verifier="hfdp7dh39dks9884", + oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D" + + The server validates the request and replies with a set of token + credentials in the body of the HTTP response: + + HTTP/1.1 200 OK + Content-Type: application/x-www-form-urlencoded + + oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00 + + With a set of token credentials, the client is now ready to request + the private photo: + + GET /photos?file=vacation.jpg&size=original HTTP/1.1 + Host: photos.example.net + Authorization: OAuth realm="Photos", + oauth_consumer_key="dpf43f3p2l4k3l03", + oauth_token="nnch734d00sl2jdk", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131202", + oauth_nonce="chapoH", + oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D" + + The 'photos.example.net' server validates the request and responds + with the requested photo. 'printer.example.com' is able to continue + accessing Jane's private photos using the same set of token + credentials for the duration of Jane's authorization, or until Jane + revokes access. + +1.3. Notational Conventions + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + +Hammer-Lahav Informational [Page 7] + +RFC 5849 OAuth 1.0 April 2010 + + +2. Redirection-Based Authorization + + OAuth uses tokens to represent the authorization granted to the + client by the resource owner. Typically, token credentials are + issued by the server at the resource owner's request, after + authenticating the resource owner's identity (usually using a + username and password). + + There are many ways in which a server can facilitate the provisioning + of token credentials. This section defines one such way, using HTTP + redirections and the resource owner's user-agent. This redirection- + based authorization method includes three steps: + + 1. The client obtains a set of temporary credentials from the server + (in the form of an identifier and shared-secret). The temporary + credentials are used to identify the access request throughout + the authorization process. + + 2. The resource owner authorizes the server to grant the client's + access request (identified by the temporary credentials). + + 3. The client uses the temporary credentials to request a set of + token credentials from the server, which will enable it to access + the resource owner's protected resources. + + The server MUST revoke the temporary credentials after being used + once to obtain the token credentials. It is RECOMMENDED that the + temporary credentials have a limited lifetime. Servers SHOULD enable + resource owners to revoke token credentials after they have been + issued to clients. + + In order for the client to perform these steps, the server needs to + advertise the URIs of the following three endpoints: + + Temporary Credential Request + The endpoint used by the client to obtain a set of temporary + credentials as described in Section 2.1. + + Resource Owner Authorization + The endpoint to which the resource owner is redirected to grant + authorization as described in Section 2.2. + + Token Request + The endpoint used by the client to request a set of token + credentials using the set of temporary credentials as described + in Section 2.3. + + + + + +Hammer-Lahav Informational [Page 8] + +RFC 5849 OAuth 1.0 April 2010 + + + The three URIs advertised by the server MAY include a query component + as defined by [RFC3986], Section 3, but if present, the query MUST + NOT contain any parameters beginning with the "oauth_" prefix, to + avoid conflicts with the protocol parameters added to the URIs when + used. + + The methods in which the server advertises and documents its three + endpoints are beyond the scope of this specification. Clients should + avoid making assumptions about the size of tokens and other server- + generated values, which are left undefined by this specification. In + addition, protocol parameters MAY include values that require + encoding when transmitted. Clients and servers should not make + assumptions about the possible range of their values. + +2.1. Temporary Credentials + + The client obtains a set of temporary credentials from the server by + making an authenticated (Section 3) HTTP "POST" request to the + Temporary Credential Request endpoint (unless the server advertises + another HTTP request method for the client to use). The client + constructs a request URI by adding the following REQUIRED parameter + to the request (in addition to the other protocol parameters, using + the same parameter transmission method): + + oauth_callback: An absolute URI back to which the server will + redirect the resource owner when the Resource Owner + Authorization step (Section 2.2) is completed. If + the client is unable to receive callbacks or a + callback URI has been established via other means, + the parameter value MUST be set to "oob" (case + sensitive), to indicate an out-of-band + configuration. + + Servers MAY specify additional parameters. + + When making the request, the client authenticates using only the + client credentials. The client MAY omit the empty "oauth_token" + protocol parameter from the request and MUST use the empty string as + the token secret value. + + Since the request results in the transmission of plain text + credentials in the HTTP response, the server MUST require the use of + a transport-layer mechanisms such as TLS or Secure Socket Layer (SSL) + (or a secure channel with equivalent protections). + + + + + + + +Hammer-Lahav Informational [Page 9] + +RFC 5849 OAuth 1.0 April 2010 + + + For example, the client makes the following HTTPS request: + + POST /request_temp_credentials HTTP/1.1 + Host: server.example.com + Authorization: OAuth realm="Example", + oauth_consumer_key="jd83jd92dhsh93js", + oauth_signature_method="PLAINTEXT", + oauth_callback="http%3A%2F%2Fclient.example.net%2Fcb%3Fx%3D1", + oauth_signature="ja893SD9%26" + + The server MUST verify (Section 3.2) the request and if valid, + respond back to the client with a set of temporary credentials (in + the form of an identifier and shared-secret). The temporary + credentials are included in the HTTP response body using the + "application/x-www-form-urlencoded" content type as defined by + [W3C.REC-html40-19980424] with a 200 status code (OK). + + The response contains the following REQUIRED parameters: + + oauth_token + The temporary credentials identifier. + + oauth_token_secret + The temporary credentials shared-secret. + + oauth_callback_confirmed + MUST be present and set to "true". The parameter is used to + differentiate from previous versions of the protocol. + + Note that even though the parameter names include the term 'token', + these credentials are not token credentials, but are used in the next + two steps in a similar manner to token credentials. + + For example (line breaks are for display purposes only): + + HTTP/1.1 200 OK + Content-Type: application/x-www-form-urlencoded + + oauth_token=hdk48Djdsa&oauth_token_secret=xyz4992k83j47x0b& + oauth_callback_confirmed=true + +2.2. Resource Owner Authorization + + Before the client requests a set of token credentials from the + server, it MUST send the user to the server to authorize the request. + The client constructs a request URI by adding the following REQUIRED + query parameter to the Resource Owner Authorization endpoint URI: + + + + +Hammer-Lahav Informational [Page 10] + +RFC 5849 OAuth 1.0 April 2010 + + + oauth_token + The temporary credentials identifier obtained in Section 2.1 in + the "oauth_token" parameter. Servers MAY declare this + parameter as OPTIONAL, in which case they MUST provide a way + for the resource owner to indicate the identifier through other + means. + + Servers MAY specify additional parameters. + + The client directs the resource owner to the constructed URI using an + HTTP redirection response, or by other means available to it via the + resource owner's user-agent. The request MUST use the HTTP "GET" + method. + + For example, the client redirects the resource owner's user-agent to + make the following HTTPS request: + + GET /authorize_access?oauth_token=hdk48Djdsa HTTP/1.1 + Host: server.example.com + + The way in which the server handles the authorization request, + including whether it uses a secure channel such as TLS/SSL is beyond + the scope of this specification. However, the server MUST first + verify the identity of the resource owner. + + When asking the resource owner to authorize the requested access, the + server SHOULD present to the resource owner information about the + client requesting access based on the association of the temporary + credentials with the client identity. When displaying any such + information, the server SHOULD indicate if the information has been + verified. + + After receiving an authorization decision from the resource owner, + the server redirects the resource owner to the callback URI if one + was provided in the "oauth_callback" parameter or by other means. + + To make sure that the resource owner granting access is the same + resource owner returning back to the client to complete the process, + the server MUST generate a verification code: an unguessable value + passed to the client via the resource owner and REQUIRED to complete + the process. The server constructs the request URI by adding the + following REQUIRED parameters to the callback URI query component: + + oauth_token + The temporary credentials identifier received from the client. + + + + + + +Hammer-Lahav Informational [Page 11] + +RFC 5849 OAuth 1.0 April 2010 + + + oauth_verifier + The verification code. + + If the callback URI already includes a query component, the server + MUST append the OAuth parameters to the end of the existing query. + + For example, the server redirects the resource owner's user-agent to + make the following HTTP request: + + GET /cb?x=1&oauth_token=hdk48Djdsa&oauth_verifier=473f82d3 HTTP/1.1 + Host: client.example.net + + If the client did not provide a callback URI, the server SHOULD + display the value of the verification code, and instruct the resource + owner to manually inform the client that authorization is completed. + If the server knows a client to be running on a limited device, it + SHOULD ensure that the verifier value is suitable for manual entry. + +2.3. Token Credentials + + The client obtains a set of token credentials from the server by + making an authenticated (Section 3) HTTP "POST" request to the Token + Request endpoint (unless the server advertises another HTTP request + method for the client to use). The client constructs a request URI + by adding the following REQUIRED parameter to the request (in + addition to the other protocol parameters, using the same parameter + transmission method): + + oauth_verifier + The verification code received from the server in the previous + step. + + When making the request, the client authenticates using the client + credentials as well as the temporary credentials. The temporary + credentials are used as a substitute for token credentials in the + authenticated request and transmitted using the "oauth_token" + parameter. + + Since the request results in the transmission of plain text + credentials in the HTTP response, the server MUST require the use of + a transport-layer mechanism such as TLS or SSL (or a secure channel + with equivalent protections). + + + + + + + + + +Hammer-Lahav Informational [Page 12] + +RFC 5849 OAuth 1.0 April 2010 + + + For example, the client makes the following HTTPS request: + + POST /request_token HTTP/1.1 + Host: server.example.com + Authorization: OAuth realm="Example", + oauth_consumer_key="jd83jd92dhsh93js", + oauth_token="hdk48Djdsa", + oauth_signature_method="PLAINTEXT", + oauth_verifier="473f82d3", + oauth_signature="ja893SD9%26xyz4992k83j47x0b" + + The server MUST verify (Section 3.2) the validity of the request, + ensure that the resource owner has authorized the provisioning of + token credentials to the client, and ensure that the temporary + credentials have not expired or been used before. The server MUST + also verify the verification code received from the client. If the + request is valid and authorized, the token credentials are included + in the HTTP response body using the + "application/x-www-form-urlencoded" content type as defined by + [W3C.REC-html40-19980424] with a 200 status code (OK). + + The response contains the following REQUIRED parameters: + + oauth_token + The token identifier. + + oauth_token_secret + The token shared-secret. + + For example: + + HTTP/1.1 200 OK + Content-Type: application/x-www-form-urlencoded + + oauth_token=j49ddk933skd9dks&oauth_token_secret=ll399dj47dskfjdk + + The server must retain the scope, duration, and other attributes + approved by the resource owner, and enforce these restrictions when + receiving a client request made with the token credentials issued. + + Once the client receives and stores the token credentials, it can + proceed to access protected resources on behalf of the resource owner + by making authenticated requests (Section 3) using the client + credentials together with the token credentials received. + + + + + + + +Hammer-Lahav Informational [Page 13] + +RFC 5849 OAuth 1.0 April 2010 + + +3. Authenticated Requests + + The HTTP authentication methods defined by [RFC2617] enable clients + to make authenticated HTTP requests. Clients using these methods + gain access to protected resources by using their credentials + (typically, a username and password pair), which allow the server to + verify their authenticity. Using these methods for delegation + requires the client to assume the role of the resource owner. + + OAuth provides a method designed to include two sets of credentials + with each request, one to identify the client, and another to + identify the resource owner. Before a client can make authenticated + requests on behalf of the resource owner, it must obtain a token + authorized by the resource owner. Section 2 provides one such method + through which the client can obtain a token authorized by the + resource owner. + + The client credentials take the form of a unique identifier and an + associated shared-secret or RSA key pair. Prior to making + authenticated requests, the client establishes a set of credentials + with the server. The process and requirements for provisioning these + are outside the scope of this specification. Implementers are urged + to consider the security ramifications of using client credentials, + some of which are described in Section 4.6. + + Making authenticated requests requires prior knowledge of the + server's configuration. OAuth includes multiple methods for + transmitting protocol parameters with requests (Section 3.5), as well + as multiple methods for the client to prove its rightful ownership of + the credentials used (Section 3.4). The way in which clients + discover the required configuration is outside the scope of this + specification. + +3.1. Making Requests + + An authenticated request includes several protocol parameters. Each + parameter name begins with the "oauth_" prefix, and the parameter + names and values are case sensitive. Clients make authenticated + requests by calculating the values of a set of protocol parameters + and adding them to the HTTP request as follows: + + 1. The client assigns value to each of these REQUIRED (unless + specified otherwise) protocol parameters: + + + + + + + + +Hammer-Lahav Informational [Page 14] + +RFC 5849 OAuth 1.0 April 2010 + + + oauth_consumer_key + The identifier portion of the client credentials (equivalent to + a username). The parameter name reflects a deprecated term + (Consumer Key) used in previous revisions of the specification, + and has been retained to maintain backward compatibility. + + oauth_token + The token value used to associate the request with the resource + owner. If the request is not associated with a resource owner + (no token available), clients MAY omit the parameter. + + oauth_signature_method + The name of the signature method used by the client to sign the + request, as defined in Section 3.4. + + oauth_timestamp + The timestamp value as defined in Section 3.3. The parameter + MAY be omitted when using the "PLAINTEXT" signature method. + + oauth_nonce + The nonce value as defined in Section 3.3. The parameter MAY + be omitted when using the "PLAINTEXT" signature method. + + oauth_version + OPTIONAL. If present, MUST be set to "1.0". Provides the + version of the authentication process as defined in this + specification. + + 2. The protocol parameters are added to the request using one of the + transmission methods listed in Section 3.5. Each parameter MUST + NOT appear more than once per request. + + 3. The client calculates and assigns the value of the + "oauth_signature" parameter as described in Section 3.4 and adds + the parameter to the request using the same method as in the + previous step. + + 4. The client sends the authenticated HTTP request to the server. + + For example, to make the following HTTP request authenticated (the + "c2&a3=2+q" string in the following examples is used to illustrate + the impact of a form-encoded entity-body): + + POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1 + Host: example.com + Content-Type: application/x-www-form-urlencoded + + c2&a3=2+q + + + +Hammer-Lahav Informational [Page 15] + +RFC 5849 OAuth 1.0 April 2010 + + + The client assigns values to the following protocol parameters using + its client credentials, token credentials, the current timestamp, a + uniquely generated nonce, and indicates that it will use the + "HMAC-SHA1" signature method: + + oauth_consumer_key: 9djdj82h48djs9d2 + oauth_token: kkk9d7dh3k39sjv7 + oauth_signature_method: HMAC-SHA1 + oauth_timestamp: 137131201 + oauth_nonce: 7d8f3e4a + + The client adds the protocol parameters to the request using the + OAuth HTTP "Authorization" header field: + + Authorization: OAuth realm="Example", + oauth_consumer_key="9djdj82h48djs9d2", + oauth_token="kkk9d7dh3k39sjv7", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131201", + oauth_nonce="7d8f3e4a" + + Then, it calculates the value of the "oauth_signature" parameter + (using client secret "j49sk3j29djd" and token secret "dh893hdasih9"), + adds it to the request, and sends the HTTP request to the server: + + POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1 + Host: example.com + Content-Type: application/x-www-form-urlencoded + Authorization: OAuth realm="Example", + oauth_consumer_key="9djdj82h48djs9d2", + oauth_token="kkk9d7dh3k39sjv7", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131201", + oauth_nonce="7d8f3e4a", + oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D" + + c2&a3=2+q + +3.2. Verifying Requests + + Servers receiving an authenticated request MUST validate it by: + + o Recalculating the request signature independently as described in + Section 3.4 and comparing it to the value received from the client + via the "oauth_signature" parameter. + + + + + + +Hammer-Lahav Informational [Page 16] + +RFC 5849 OAuth 1.0 April 2010 + + + o If using the "HMAC-SHA1" or "RSA-SHA1" signature methods, ensuring + that the combination of nonce/timestamp/token (if present) + received from the client has not been used before in a previous + request (the server MAY reject requests with stale timestamps as + described in Section 3.3). + + o If a token is present, verifying the scope and status of the + client authorization as represented by the token (the server MAY + choose to restrict token usage to the client to which it was + issued). + + o If the "oauth_version" parameter is present, ensuring its value is + "1.0". + + If the request fails verification, the server SHOULD respond with the + appropriate HTTP response status code. The server MAY include + further details about why the request was rejected in the response + body. + + The server SHOULD return a 400 (Bad Request) status code when + receiving a request with unsupported parameters, an unsupported + signature method, missing parameters, or duplicated protocol + parameters. The server SHOULD return a 401 (Unauthorized) status + code when receiving a request with invalid client credentials, an + invalid or expired token, an invalid signature, or an invalid or used + nonce. + +3.3. Nonce and Timestamp + + The timestamp value MUST be a positive integer. Unless otherwise + specified by the server's documentation, the timestamp is expressed + in the number of seconds since January 1, 1970 00:00:00 GMT. + + A nonce is a random string, uniquely generated by the client to allow + the server to verify that a request has never been made before and + helps prevent replay attacks when requests are made over a non-secure + channel. The nonce value MUST be unique across all requests with the + same timestamp, client credentials, and token combinations. + + To avoid the need to retain an infinite number of nonce values for + future checks, servers MAY choose to restrict the time period after + which a request with an old timestamp is rejected. Note that this + restriction implies a level of synchronization between the client's + and server's clocks. Servers applying such a restriction MAY provide + a way for the client to sync with the server's clock; alternatively, + both systems could synchronize with a trusted time service. Details + of clock synchronization strategies are beyond the scope of this + specification. + + + +Hammer-Lahav Informational [Page 17] + +RFC 5849 OAuth 1.0 April 2010 + + +3.4. Signature + + OAuth-authenticated requests can have two sets of credentials: those + passed via the "oauth_consumer_key" parameter and those in the + "oauth_token" parameter. In order for the server to verify the + authenticity of the request and prevent unauthorized access, the + client needs to prove that it is the rightful owner of the + credentials. This is accomplished using the shared-secret (or RSA + key) part of each set of credentials. + + OAuth provides three methods for the client to prove its rightful + ownership of the credentials: "HMAC-SHA1", "RSA-SHA1", and + "PLAINTEXT". These methods are generally referred to as signature + methods, even though "PLAINTEXT" does not involve a signature. In + addition, "RSA-SHA1" utilizes an RSA key instead of the shared- + secrets associated with the client credentials. + + OAuth does not mandate a particular signature method, as each + implementation can have its own unique requirements. Servers are + free to implement and document their own custom methods. + Recommending any particular method is beyond the scope of this + specification. Implementers should review the Security + Considerations section (Section 4) before deciding on which method to + support. + + The client declares which signature method is used via the + "oauth_signature_method" parameter. It then generates a signature + (or a string of an equivalent value) and includes it in the + "oauth_signature" parameter. The server verifies the signature as + specified for each method. + + The signature process does not change the request or its parameters, + with the exception of the "oauth_signature" parameter. + +3.4.1. Signature Base String + + The signature base string is a consistent, reproducible concatenation + of several of the HTTP request elements into a single string. The + string is used as an input to the "HMAC-SHA1" and "RSA-SHA1" + signature methods. + + The signature base string includes the following components of the + HTTP request: + + o The HTTP request method (e.g., "GET", "POST", etc.). + + o The authority as declared by the HTTP "Host" request header field. + + + + +Hammer-Lahav Informational [Page 18] + +RFC 5849 OAuth 1.0 April 2010 + + + o The path and query components of the request resource URI. + + o The protocol parameters excluding the "oauth_signature". + + o Parameters included in the request entity-body if they comply with + the strict restrictions defined in Section 3.4.1.3. + + The signature base string does not cover the entire HTTP request. + Most notably, it does not include the entity-body in most requests, + nor does it include most HTTP entity-headers. It is important to + note that the server cannot verify the authenticity of the excluded + request components without using additional protections such as SSL/ + TLS or other methods. + +3.4.1.1. String Construction + + The signature base string is constructed by concatenating together, + in order, the following HTTP request elements: + + 1. The HTTP request method in uppercase. For example: "HEAD", + "GET", "POST", etc. If the request uses a custom HTTP method, it + MUST be encoded (Section 3.6). + + 2. An "&" character (ASCII code 38). + + 3. The base string URI from Section 3.4.1.2, after being encoded + (Section 3.6). + + 4. An "&" character (ASCII code 38). + + 5. The request parameters as normalized in Section 3.4.1.3.2, after + being encoded (Section 3.6). + + For example, the HTTP request: + + POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1 + Host: example.com + Content-Type: application/x-www-form-urlencoded + Authorization: OAuth realm="Example", + oauth_consumer_key="9djdj82h48djs9d2", + oauth_token="kkk9d7dh3k39sjv7", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131201", + oauth_nonce="7d8f3e4a", + oauth_signature="bYT5CMsGcbgUdFHObYMEfcx6bsw%3D" + + c2&a3=2+q + + + + +Hammer-Lahav Informational [Page 19] + +RFC 5849 OAuth 1.0 April 2010 + + + is represented by the following signature base string (line breaks + are for display purposes only): + + POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q + %26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_ + key%3D9djdj82h48djs9d2%26oauth_nonce%3D7d8f3e4a%26oauth_signature_m + ethod%3DHMAC-SHA1%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk + 9d7dh3k39sjv7 + +3.4.1.2. Base String URI + + The scheme, authority, and path of the request resource URI [RFC3986] + are included by constructing an "http" or "https" URI representing + the request resource (without the query or fragment) as follows: + + 1. The scheme and host MUST be in lowercase. + + 2. The host and port values MUST match the content of the HTTP + request "Host" header field. + + 3. The port MUST be included if it is not the default port for the + scheme, and MUST be excluded if it is the default. Specifically, + the port MUST be excluded when making an HTTP request [RFC2616] + to port 80 or when making an HTTPS request [RFC2818] to port 443. + All other non-default port numbers MUST be included. + + For example, the HTTP request: + + GET /r%20v/X?id=123 HTTP/1.1 + Host: EXAMPLE.COM:80 + + is represented by the base string URI: "http://example.com/r%20v/X". + + In another example, the HTTPS request: + + GET /?q=1 HTTP/1.1 + Host: www.example.net:8080 + + is represented by the base string URI: + "https://www.example.net:8080/". + +3.4.1.3. Request Parameters + + In order to guarantee a consistent and reproducible representation of + the request parameters, the parameters are collected and decoded to + their original decoded form. They are then sorted and encoded in a + particular manner that is often different from their original + encoding scheme, and concatenated into a single string. + + + +Hammer-Lahav Informational [Page 20] + +RFC 5849 OAuth 1.0 April 2010 + + +3.4.1.3.1. Parameter Sources + + The parameters from the following sources are collected into a single + list of name/value pairs: + + o The query component of the HTTP request URI as defined by + [RFC3986], Section 3.4. The query component is parsed into a list + of name/value pairs by treating it as an + "application/x-www-form-urlencoded" string, separating the names + and values and decoding them as defined by + [W3C.REC-html40-19980424], Section 17.13.4. + + o The OAuth HTTP "Authorization" header field (Section 3.5.1) if + present. The header's content is parsed into a list of name/value + pairs excluding the "realm" parameter if present. The parameter + values are decoded as defined by Section 3.5.1. + + o The HTTP request entity-body, but only if all of the following + conditions are met: + + * The entity-body is single-part. + + * The entity-body follows the encoding requirements of the + "application/x-www-form-urlencoded" content-type as defined by + [W3C.REC-html40-19980424]. + + * The HTTP request entity-header includes the "Content-Type" + header field set to "application/x-www-form-urlencoded". + + The entity-body is parsed into a list of decoded name/value pairs + as described in [W3C.REC-html40-19980424], Section 17.13.4. + + The "oauth_signature" parameter MUST be excluded from the signature + base string if present. Parameters not explicitly included in the + request MUST be excluded from the signature base string (e.g., the + "oauth_version" parameter when omitted). + + + + + + + + + + + + + + + +Hammer-Lahav Informational [Page 21] + +RFC 5849 OAuth 1.0 April 2010 + + + For example, the HTTP request: + + POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b HTTP/1.1 + Host: example.com + Content-Type: application/x-www-form-urlencoded + Authorization: OAuth realm="Example", + oauth_consumer_key="9djdj82h48djs9d2", + oauth_token="kkk9d7dh3k39sjv7", + oauth_signature_method="HMAC-SHA1", + oauth_timestamp="137131201", + oauth_nonce="7d8f3e4a", + oauth_signature="djosJKDKJSD8743243%2Fjdk33klY%3D" + + c2&a3=2+q + + contains the following (fully decoded) parameters used in the + signature base sting: + + +------------------------+------------------+ + | Name | Value | + +------------------------+------------------+ + | b5 | =%3D | + | a3 | a | + | c@ | | + | a2 | r b | + | oauth_consumer_key | 9djdj82h48djs9d2 | + | oauth_token | kkk9d7dh3k39sjv7 | + | oauth_signature_method | HMAC-SHA1 | + | oauth_timestamp | 137131201 | + | oauth_nonce | 7d8f3e4a | + | c2 | | + | a3 | 2 q | + +------------------------+------------------+ + + Note that the value of "b5" is "=%3D" and not "==". Both "c@" and + "c2" have empty values. While the encoding rules specified in this + specification for the purpose of constructing the signature base + string exclude the use of a "+" character (ASCII code 43) to + represent an encoded space character (ASCII code 32), this practice + is widely used in "application/x-www-form-urlencoded" encoded values, + and MUST be properly decoded, as demonstrated by one of the "a3" + parameter instances (the "a3" parameter is used twice in this + request). + + + + + + + + +Hammer-Lahav Informational [Page 22] + +RFC 5849 OAuth 1.0 April 2010 + + +3.4.1.3.2. Parameters Normalization + + The parameters collected in Section 3.4.1.3 are normalized into a + single string as follows: + + 1. First, the name and value of each parameter are encoded + (Section 3.6). + + 2. The parameters are sorted by name, using ascending byte value + ordering. If two or more parameters share the same name, they + are sorted by their value. + + 3. The name of each parameter is concatenated to its corresponding + value using an "=" character (ASCII code 61) as a separator, even + if the value is empty. + + 4. The sorted name/value pairs are concatenated together into a + single string by using an "&" character (ASCII code 38) as + separator. + + For example, the list of parameters from the previous section would + be normalized as follows: + + Encoded: + + +------------------------+------------------+ + | Name | Value | + +------------------------+------------------+ + | b5 | %3D%253D | + | a3 | a | + | c%40 | | + | a2 | r%20b | + | oauth_consumer_key | 9djdj82h48djs9d2 | + | oauth_token | kkk9d7dh3k39sjv7 | + | oauth_signature_method | HMAC-SHA1 | + | oauth_timestamp | 137131201 | + | oauth_nonce | 7d8f3e4a | + | c2 | | + | a3 | 2%20q | + +------------------------+------------------+ + + + + + + + + + + + +Hammer-Lahav Informational [Page 23] + +RFC 5849 OAuth 1.0 April 2010 + + + Sorted: + + +------------------------+------------------+ + | Name | Value | + +------------------------+------------------+ + | a2 | r%20b | + | a3 | 2%20q | + | a3 | a | + | b5 | %3D%253D | + | c%40 | | + | c2 | | + | oauth_consumer_key | 9djdj82h48djs9d2 | + | oauth_nonce | 7d8f3e4a | + | oauth_signature_method | HMAC-SHA1 | + | oauth_timestamp | 137131201 | + | oauth_token | kkk9d7dh3k39sjv7 | + +------------------------+------------------+ + + Concatenated Pairs: + + +-------------------------------------+ + | Name=Value | + +-------------------------------------+ + | a2=r%20b | + | a3=2%20q | + | a3=a | + | b5=%3D%253D | + | c%40= | + | c2= | + | oauth_consumer_key=9djdj82h48djs9d2 | + | oauth_nonce=7d8f3e4a | + | oauth_signature_method=HMAC-SHA1 | + | oauth_timestamp=137131201 | + | oauth_token=kkk9d7dh3k39sjv7 | + +-------------------------------------+ + + and concatenated together into a single string (line breaks are for + display purposes only): + + a2=r%20b&a3=2%20q&a3=a&b5=%3D%253D&c%40=&c2=&oauth_consumer_key=9dj + dj82h48djs9d2&oauth_nonce=7d8f3e4a&oauth_signature_method=HMAC-SHA1 + &oauth_timestamp=137131201&oauth_token=kkk9d7dh3k39sjv7 + + + + + + + + + +Hammer-Lahav Informational [Page 24] + +RFC 5849 OAuth 1.0 April 2010 + + +3.4.2. HMAC-SHA1 + + The "HMAC-SHA1" signature method uses the HMAC-SHA1 signature + algorithm as defined in [RFC2104]: + + digest = HMAC-SHA1 (key, text) + + The HMAC-SHA1 function variables are used in following way: + + text is set to the value of the signature base string from + Section 3.4.1.1. + + key is set to the concatenated values of: + + 1. The client shared-secret, after being encoded + (Section 3.6). + + 2. An "&" character (ASCII code 38), which MUST be included + even when either secret is empty. + + 3. The token shared-secret, after being encoded + (Section 3.6). + + digest is used to set the value of the "oauth_signature" protocol + parameter, after the result octet string is base64-encoded + per [RFC2045], Section 6.8. + +3.4.3. RSA-SHA1 + + The "RSA-SHA1" signature method uses the RSASSA-PKCS1-v1_5 signature + algorithm as defined in [RFC3447], Section 8.2 (also known as + PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5. To + use this method, the client MUST have established client credentials + with the server that included its RSA public key (in a manner that is + beyond the scope of this specification). + + The signature base string is signed using the client's RSA private + key per [RFC3447], Section 8.2.1: + + S = RSASSA-PKCS1-V1_5-SIGN (K, M) + + Where: + + K is set to the client's RSA private key, + + M is set to the value of the signature base string from + Section 3.4.1.1, and + + + + +Hammer-Lahav Informational [Page 25] + +RFC 5849 OAuth 1.0 April 2010 + + + S is the result signature used to set the value of the + "oauth_signature" protocol parameter, after the result octet + string is base64-encoded per [RFC2045] section 6.8. + + The server verifies the signature per [RFC3447] section 8.2.2: + + RSASSA-PKCS1-V1_5-VERIFY ((n, e), M, S) + + Where: + + (n, e) is set to the client's RSA public key, + + M is set to the value of the signature base string from + Section 3.4.1.1, and + + S is set to the octet string value of the "oauth_signature" + protocol parameter received from the client. + +3.4.4. PLAINTEXT + + The "PLAINTEXT" method does not employ a signature algorithm. It + MUST be used with a transport-layer mechanism such as TLS or SSL (or + sent over a secure channel with equivalent protections). It does not + utilize the signature base string or the "oauth_timestamp" and + "oauth_nonce" parameters. + + The "oauth_signature" protocol parameter is set to the concatenated + value of: + + 1. The client shared-secret, after being encoded (Section 3.6). + + 2. An "&" character (ASCII code 38), which MUST be included even + when either secret is empty. + + 3. The token shared-secret, after being encoded (Section 3.6). + +3.5. Parameter Transmission + + When making an OAuth-authenticated request, protocol parameters as + well as any other parameter using the "oauth_" prefix SHALL be + included in the request using one and only one of the following + locations, listed in order of decreasing preference: + + 1. The HTTP "Authorization" header field as described in + Section 3.5.1. + + 2. The HTTP request entity-body as described in Section 3.5.2. + + + + +Hammer-Lahav Informational [Page 26] + +RFC 5849 OAuth 1.0 April 2010 + + + 3. The HTTP request URI query as described in Section 3.5.3. + + In addition to these three methods, future extensions MAY define + other methods for including protocol parameters in the request. + +3.5.1. Authorization Header + + Protocol parameters can be transmitted using the HTTP "Authorization" + header field as defined by [RFC2617] with the auth-scheme name set to + "OAuth" (case insensitive). + + For example: + + Authorization: OAuth realm="Example", + oauth_consumer_key="0685bd9184jfhq22", + oauth_token="ad180jjd733klru7", + oauth_signature_method="HMAC-SHA1", + oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D", + oauth_timestamp="137131200", + oauth_nonce="4572616e48616d6d65724c61686176", + oauth_version="1.0" + + Protocol parameters SHALL be included in the "Authorization" header + field as follows: + + 1. Parameter names and values are encoded per Parameter Encoding + (Section 3.6). + + 2. Each parameter's name is immediately followed by an "=" character + (ASCII code 61), a """ character (ASCII code 34), the parameter + value (MAY be empty), and another """ character (ASCII code 34). + + 3. Parameters are separated by a "," character (ASCII code 44) and + OPTIONAL linear whitespace per [RFC2617]. + + 4. The OPTIONAL "realm" parameter MAY be added and interpreted per + [RFC2617] section 1.2. + + Servers MAY indicate their support for the "OAuth" auth-scheme by + returning the HTTP "WWW-Authenticate" response header field upon + client requests for protected resources. As per [RFC2617], such a + response MAY include additional HTTP "WWW-Authenticate" header + fields: + + For example: + + WWW-Authenticate: OAuth realm="http://server.example.com/" + + + + +Hammer-Lahav Informational [Page 27] + +RFC 5849 OAuth 1.0 April 2010 + + + The realm parameter defines a protection realm per [RFC2617], Section + 1.2. + +3.5.2. Form-Encoded Body + + Protocol parameters can be transmitted in the HTTP request entity- + body, but only if the following REQUIRED conditions are met: + + o The entity-body is single-part. + + o The entity-body follows the encoding requirements of the + "application/x-www-form-urlencoded" content-type as defined by + [W3C.REC-html40-19980424]. + + o The HTTP request entity-header includes the "Content-Type" header + field set to "application/x-www-form-urlencoded". + + For example (line breaks are for display purposes only): + + oauth_consumer_key=0685bd9184jfhq22&oauth_token=ad180jjd733klr + u7&oauth_signature_method=HMAC-SHA1&oauth_signature=wOJIO9A2W5 + mFwDgiDvZbTSMK%2FPY%3D&oauth_timestamp=137131200&oauth_nonce=4 + 572616e48616d6d65724c61686176&oauth_version=1.0 + + The entity-body MAY include other request-specific parameters, in + which case, the protocol parameters SHOULD be appended following the + request-specific parameters, properly separated by an "&" character + (ASCII code 38). + +3.5.3. Request URI Query + + Protocol parameters can be transmitted by being added to the HTTP + request URI as a query parameter as defined by [RFC3986], Section 3. + + For example (line breaks are for display purposes only): + + GET /example/path?oauth_consumer_key=0685bd9184jfhq22& + oauth_token=ad180jjd733klru7&oauth_signature_method=HM + AC-SHA1&oauth_signature=wOJIO9A2W5mFwDgiDvZbTSMK%2FPY% + 3D&oauth_timestamp=137131200&oauth_nonce=4572616e48616 + d6d65724c61686176&oauth_version=1.0 HTTP/1.1 + + The request URI MAY include other request-specific query parameters, + in which case, the protocol parameters SHOULD be appended following + the request-specific parameters, properly separated by an "&" + character (ASCII code 38). + + + + + +Hammer-Lahav Informational [Page 28] + +RFC 5849 OAuth 1.0 April 2010 + + +3.6. Percent Encoding + + Existing percent-encoding methods do not guarantee a consistent + construction of the signature base string. The following percent- + encoding method is not defined to replace the existing encoding + methods defined by [RFC3986] and [W3C.REC-html40-19980424]. It is + used only in the construction of the signature base string and the + "Authorization" header field. + + This specification defines the following method for percent-encoding + strings: + + 1. Text values are first encoded as UTF-8 octets per [RFC3629] if + they are not already. This does not include binary values that + are not intended for human consumption. + + 2. The values are then escaped using the [RFC3986] percent-encoding + (%XX) mechanism as follows: + + * Characters in the unreserved character set as defined by + [RFC3986], Section 2.3 (ALPHA, DIGIT, "-", ".", "_", "~") MUST + NOT be encoded. + + * All other characters MUST be encoded. + + * The two hexadecimal characters used to represent encoded + characters MUST be uppercase. + + This method is different from the encoding scheme used by the + "application/x-www-form-urlencoded" content-type (for example, it + encodes space characters as "%20" and not using the "+" character). + It MAY be different from the percent-encoding functions provided by + web-development frameworks (e.g., encode different characters, use + lowercase hexadecimal characters). + +4. Security Considerations + + As stated in [RFC2617], the greatest sources of risks are usually + found not in the core protocol itself but in policies and procedures + surrounding its use. Implementers are strongly encouraged to assess + how this protocol addresses their security requirements. + +4.1. RSA-SHA1 Signature Method + + Authenticated requests made with "RSA-SHA1" signatures do not use the + token shared-secret, or any provisioned client shared-secret. This + means the request relies completely on the secrecy of the private key + used by the client to sign requests. + + + +Hammer-Lahav Informational [Page 29] + +RFC 5849 OAuth 1.0 April 2010 + + +4.2. Confidentiality of Requests + + While this protocol provides a mechanism for verifying the integrity + of requests, it provides no guarantee of request confidentiality. + Unless further precautions are taken, eavesdroppers will have full + access to request content. Servers should carefully consider the + kinds of data likely to be sent as part of such requests, and should + employ transport-layer security mechanisms to protect sensitive + resources. + +4.3. Spoofing by Counterfeit Servers + + This protocol makes no attempt to verify the authenticity of the + server. A hostile party could take advantage of this by intercepting + the client's requests and returning misleading or otherwise incorrect + responses. Service providers should consider such attacks when + developing services using this protocol, and should require + transport-layer security for any requests where the authenticity of + the server or of request responses is an issue. + +4.4. Proxying and Caching of Authenticated Content + + The HTTP Authorization scheme (Section 3.5.1) is optional. However, + [RFC2616] relies on the "Authorization" and "WWW-Authenticate" header + fields to distinguish authenticated content so that it can be + protected. Proxies and caches, in particular, may fail to adequately + protect requests not using these header fields. + + For example, private authenticated content may be stored in (and thus + retrievable from) publicly accessible caches. Servers not using the + HTTP "Authorization" header field should take care to use other + mechanisms, such as the "Cache-Control" header field, to ensure that + authenticated content is protected. + +4.5. Plaintext Storage of Credentials + + The client shared-secret and token shared-secret function the same + way passwords do in traditional authentication systems. In order to + compute the signatures used in methods other than "RSA-SHA1", the + server must have access to these secrets in plaintext form. This is + in contrast, for example, to modern operating systems, which store + only a one-way hash of user credentials. + + If an attacker were to gain access to these secrets -- or worse, to + the server's database of all such secrets -- he or she would be able + to perform any action on behalf of any resource owner. Accordingly, + it is critical that servers protect these secrets from unauthorized + access. + + + +Hammer-Lahav Informational [Page 30] + +RFC 5849 OAuth 1.0 April 2010 + + +4.6. Secrecy of the Client Credentials + + In many cases, the client application will be under the control of + potentially untrusted parties. For example, if the client is a + desktop application with freely available source code or an + executable binary, an attacker may be able to download a copy for + analysis. In such cases, attackers will be able to recover the + client credentials. + + Accordingly, servers should not use the client credentials alone to + verify the identity of the client. Where possible, other factors + such as IP address should be used as well. + +4.7. Phishing Attacks + + Wide deployment of this and similar protocols may cause resource + owners to become inured to the practice of being redirected to + websites where they are asked to enter their passwords. If resource + owners are not careful to verify the authenticity of these websites + before entering their credentials, it will be possible for attackers + to exploit this practice to steal resource owners' passwords. + + Servers should attempt to educate resource owners about the risks + phishing attacks pose, and should provide mechanisms that make it + easy for resource owners to confirm the authenticity of their sites. + Client developers should consider the security implications of how + they interact with a user-agent (e.g., separate window, embedded), + and the ability of the end-user to verify the authenticity of the + server website. + +4.8. Scoping of Access Requests + + By itself, this protocol does not provide any method for scoping the + access rights granted to a client. However, most applications do + require greater granularity of access rights. For example, servers + may wish to make it possible to grant access to some protected + resources but not others, or to grant only limited access (such as + read-only access) to those protected resources. + + When implementing this protocol, servers should consider the types of + access resource owners may wish to grant clients, and should provide + mechanisms to do so. Servers should also take care to ensure that + resource owners understand the access they are granting, as well as + any risks that may be involved. + + + + + + + +Hammer-Lahav Informational [Page 31] + +RFC 5849 OAuth 1.0 April 2010 + + +4.9. Entropy of Secrets + + Unless a transport-layer security protocol is used, eavesdroppers + will have full access to authenticated requests and signatures, and + will thus be able to mount offline brute-force attacks to recover the + credentials used. Servers should be careful to assign shared-secrets + that are long enough, and random enough, to resist such attacks for + at least the length of time that the shared-secrets are valid. + + For example, if shared-secrets are valid for two weeks, servers + should ensure that it is not possible to mount a brute force attack + that recovers the shared-secret in less than two weeks. Of course, + servers are urged to err on the side of caution, and use the longest + secrets reasonable. + + It is equally important that the pseudo-random number generator + (PRNG) used to generate these secrets be of sufficiently high + quality. Many PRNG implementations generate number sequences that + may appear to be random, but that nevertheless exhibit patterns or + other weaknesses that make cryptanalysis or brute force attacks + easier. Implementers should be careful to use cryptographically + secure PRNGs to avoid these problems. + +4.10. Denial-of-Service / Resource-Exhaustion Attacks + + This specification includes a number of features that may make + resource exhaustion attacks against servers possible. For example, + this protocol requires servers to track used nonces. If an attacker + is able to use many nonces quickly, the resources required to track + them may exhaust available capacity. And again, this protocol can + require servers to perform potentially expensive computations in + order to verify the signature on incoming requests. An attacker may + exploit this to perform a denial-of-service attack by sending a large + number of invalid requests to the server. + + Resource Exhaustion attacks are by no means specific to this + specification. However, implementers should be careful to consider + the additional avenues of attack that this protocol exposes, and + design their implementations accordingly. For example, entropy + starvation typically results in either a complete denial of service + while the system waits for new entropy or else in weak (easily + guessable) secrets. When implementing this protocol, servers should + consider which of these presents a more serious risk for their + application and design accordingly. + + + + + + + +Hammer-Lahav Informational [Page 32] + +RFC 5849 OAuth 1.0 April 2010 + + +4.11. SHA-1 Cryptographic Attacks + + SHA-1, the hash algorithm used in "HMAC-SHA1" and "RSA-SHA1" + signature methods, has been shown to have a number of cryptographic + weaknesses that significantly reduce its resistance to collision + attacks. While these weaknesses do not seem to affect the use of + SHA-1 with the Hash-based Message Authentication Code (HMAC) and + should not affect the "HMAC-SHA1" signature method, it may affect the + use of the "RSA-SHA1" signature method. NIST has announced that it + will phase out use of SHA-1 in digital signatures by 2010 + [NIST_SHA-1Comments]. + + Practically speaking, these weaknesses are difficult to exploit, and + by themselves do not pose a significant risk to users of this + protocol. They may, however, make more efficient attacks possible, + and servers should take this into account when considering whether + SHA-1 provides an adequate level of security for their applications. + +4.12. Signature Base String Limitations + + The signature base string has been designed to support the signature + methods defined in this specification. Those designing additional + signature methods, should evaluated the compatibility of the + signature base string with their security requirements. + + Since the signature base string does not cover the entire HTTP + request, such as most request entity-body, most entity-headers, and + the order in which parameters are sent, servers should employ + additional mechanisms to protect such elements. + +4.13. Cross-Site Request Forgery (CSRF) + + Cross-Site Request Forgery (CSRF) is a web-based attack whereby HTTP + requests are transmitted from a user that the website trusts or has + authenticated. CSRF attacks on authorization approvals can allow an + attacker to obtain authorization to protected resources without the + consent of the User. Servers SHOULD strongly consider best practices + in CSRF prevention at all the protocol authorization endpoints. + + CSRF attacks on OAuth callback URIs hosted by clients are also + possible. Clients should prevent CSRF attacks on OAuth callback URIs + by verifying that the resource owner at the client site intended to + complete the OAuth negotiation with the server. The methods for + preventing such CSRF attacks are beyond the scope of this + specification. + + + + + + +Hammer-Lahav Informational [Page 33] + +RFC 5849 OAuth 1.0 April 2010 + + +4.14. User Interface Redress + + Servers should protect the authorization process against user + interface (UI) redress attacks (also known as "clickjacking"). As of + the time of this writing, no complete defenses against UI redress are + available. Servers can mitigate the risk of UI redress attacks using + the following techniques: + + o JavaScript frame busting. + + o JavaScript frame busting, and requiring that browsers have + JavaScript enabled on the authorization page. + + o Browser-specific anti-framing techniques. + + o Requiring password reentry before issuing OAuth tokens. + +4.15. Automatic Processing of Repeat Authorizations + + Servers may wish to automatically process authorization requests + (Section 2.2) from clients that have been previously authorized by + the resource owner. When the resource owner is redirected to the + server to grant access, the server detects that the resource owner + has already granted access to that particular client. Instead of + prompting the resource owner for approval, the server automatically + redirects the resource owner back to the client. + + If the client credentials are compromised, automatic processing + creates additional security risks. An attacker can use the stolen + client credentials to redirect the resource owner to the server with + an authorization request. The server will then grant access to the + resource owner's data without the resource owner's explicit approval, + or even awareness of an attack. If no automatic approval is + implemented, an attacker must use social engineering to convince the + resource owner to approve access. + + Servers can mitigate the risks associated with automatic processing + by limiting the scope of token credentials obtained through automated + approvals. Tokens credentials obtained through explicit resource + owner consent can remain unaffected. Clients can mitigate the risks + associated with automatic processing by protecting their client + credentials. + + + + + + + + + +Hammer-Lahav Informational [Page 34] + +RFC 5849 OAuth 1.0 April 2010 + + +5. Acknowledgments + + This specification is directly based on the OAuth Core 1.0 Revision A + community specification, which in turn was modeled after existing + proprietary protocols and best practices that have been independently + implemented by various companies. + + The community specification was edited by Eran Hammer-Lahav and + authored by: Mark Atwood, Dirk Balfanz, Darren Bounds, Richard M. + Conlan, Blaine Cook, Leah Culver, Breno de Medeiros, Brian Eaton, + Kellan Elliott-McCrea, Larry Halff, Eran Hammer-Lahav, Ben Laurie, + Chris Messina, John Panzer, Sam Quigley, David Recordon, Eran + Sandler, Jonathan Sergent, Todd Sieling, Brian Slesinsky, and Andy + Smith. + + The editor would like to thank the following individuals for their + invaluable contribution to the publication of this edition of the + protocol: Lisa Dusseault, Justin Hart, Avshalom Houri, Chris Messina, + Mark Nottingham, Tim Polk, Peter Saint-Andre, Joseph Smarr, and Paul + Walker. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Hammer-Lahav Informational [Page 35] + +RFC 5849 OAuth 1.0 April 2010 + + +Appendix A. Differences from the Community Edition + + This specification includes the following changes made to the + original community document [OAuthCore1.0_RevisionA] in order to + correct mistakes and omissions identified since the document was + originally published at <http://oauth.net>. + + o Changed using TLS/SSL when sending or requesting plain text + credentials from SHOULD to MUST. This change affects any use of + the "PLAINTEXT" signature method, as well as requesting temporary + credentials (Section 2.1) and obtaining token credentials + (Section 2.3). + + o Adjusted nonce language to indicate it is unique per token/ + timestamp/client combination. + + o Removed the requirement for timestamps to be equal to or greater + than the timestamp used in the previous request. + + o Changed the nonce and timestamp parameters to OPTIONAL when using + the "PLAINTEXT" signature method. + + o Extended signature base string coverage that includes + "application/x-www-form-urlencoded" entity-body parameters when + the HTTP method used is other than "POST" and URI query parameters + when the HTTP method used is other than "GET". + + o Incorporated corrections to the instructions in each signature + method to encode the signature value before inserting it into the + "oauth_signature" parameter, removing errors that would have + caused double-encoded values. + + o Allowed omitting the "oauth_token" parameter when empty. + + o Permitted sending requests for temporary credentials with an empty + "oauth_token" parameter. + + o Removed the restrictions from defining additional "oauth_" + parameters. + + + + + + + + + + + + +Hammer-Lahav Informational [Page 36] + +RFC 5849 OAuth 1.0 April 2010 + + +6. References + +6.1. Normative References + + [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail + Extensions (MIME) Part One: Format of Internet Message + Bodies", RFC 2045, November 1996. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, + February 1997. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., + Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext + Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. + + [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., + Leach, P., Luotonen, A., and L. Stewart, "HTTP + Authentication: Basic and Digest Access Authentication", + RFC 2617, June 1999. + + [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. + + [RFC3447] Jonsson, J. and B. Kaliski, "Public-Key Cryptography + Standards (PKCS) #1: RSA Cryptography Specifications + Version 2.1", RFC 3447, February 2003. + + [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO + 10646", STD 63, RFC 3629, November 2003. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, + RFC 3986, January 2005. + + [W3C.REC-html40-19980424] + Hors, A., Raggett, D., and I. Jacobs, "HTML 4.0 + Specification", World Wide Web Consortium + Recommendation REC-html40-19980424, April 1998, + <http://www.w3.org/TR/1998/REC-html40-19980424>. + + + + + + + + + +Hammer-Lahav Informational [Page 37] + +RFC 5849 OAuth 1.0 April 2010 + + +6.2. Informative References + + [NIST_SHA-1Comments] + Burr, W., "NIST Comments on Cryptanalytic Attacks on + SHA-1", + <http://csrc.nist.gov/groups/ST/hash/statement.html>. + + [OAuthCore1.0_RevisionA] + OAuth Community, "OAuth Core 1.0 Revision A", + <http://oauth.net/core/1.0a>. + +Author's Address + + Eran Hammer-Lahav (editor) + + EMail: eran@hueniverse.com + URI: http://hueniverse.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Hammer-Lahav Informational [Page 38] + |