14. Step 2. Attacker tricks the victim into visiting an authorization URI specially
crafted for nefarious purposes (the attacker specifies the callback).
15. Step 3. User enters their credentials at the authorization page,
unwittingly authorizing the attacker's request token. User is redirected to
a URI determined by the attacker.
16. Step 4. Attacker completes the OAuth workflow and now has access to the
victim's protected resources.
25. Redirect user to Authorization URI
Twitter:
http://twitter.com/oauth/authorize?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
FreshBooks:
https://subdomain.freshbooks.com/oauth/oauth_authorize.php?oauth_token=UVENq7xUrdkE5dVu8AdrG1oETE3EMb5LVaUXZp0Nsy8
31. Example: Twitter
Request:
POST /1/statuses/update.json HTTP/1.1
...
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth realm="", oauth_nonce="46002159", oauth_timestamp="1275366995",
oauth_consumer_key="TgF80q21yvq4kPRWiYJOXQ", oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
oauth_token="149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
oauth_signature="bfvQGgVVL8EQ15KiGKN8WQHVhts%3D"

status=Ohai.
Response:
{ a lot of JSON }
32. Example: FreshBooks
Request:
POST /api/2.1/xml-in HTTP/1.1
...
Content-Type: application/xml
Authorization: OAuth realm="", oauth_nonce="56679057", oauth_timestamp="1275365024",
oauth_signature_method="PLAINTEXT", oauth_consumer_key="oauthprovider",
oauth_verifier="uuiDvKeqk3NX4P4wYvtYiPQdt9J5dB4sr", oauth_version="1.0",
oauth_token="YzjQJppbHMuSL2bwSCvysH6vDtmV6R7r2",
oauth_signature="mVASHE5wd8MiyJYYyRhpCpLVtfAyjm7qS%26gFYjmhWZawhRdXzE4hpLeFtQR4B72znAh"

<request method="invoice.list" />
Response:
<response status="ok">
A bunch of XML
</response>
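How the two Authorization headers above are produced and checked, as an added example (not code from the slides or from Twitter/FreshBooks): it builds the RFC 5849 signature base string from the parameters of the Twitter request, signs it with HMAC-SHA1, shows that a PLAINTEXT signature is just the percent-encoded signing key (which is why the FreshBooks header contains %26), and verifies a presented signature the way a server would. The consumer and token secrets are constructed stand-ins, since the slides do not show the real ones.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def oauth_escape(value):
    # RFC 5849 3.6: percent-encode everything except the unreserved characters
    return quote(str(value), safe="-._~")

def normalize_params(params):
    # RFC 5849 3.4.1.3.2: encode, sort by key then value, join as k=v&k=v
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def signature_base_string(method, base_url, params):
    # Method, base URL and normalized parameters, each encoded, joined by '&'
    return "&".join([method.upper(), oauth_escape(base_url),
                     oauth_escape(normalize_params(params))])

def plaintext_signature(consumer_secret, token_secret=""):
    # PLAINTEXT transmits the signing key itself (FreshBooks slide); only TLS hides it
    return f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}"

def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # HMAC-SHA1 (Twitter slide): the key is the same string PLAINTEXT would send
    key = plaintext_signature(consumer_secret, token_secret).encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def authorization_header(oauth_params, signature):
    # RFC 5849 3.5.1: header values are percent-encoded, so PLAINTEXT's '&' becomes %26
    fields = dict(oauth_params, oauth_signature=signature)
    return 'OAuth realm="", ' + ", ".join(f'{k}="{oauth_escape(v)}"' for k, v in fields.items())

def verify_hmac_sha1(method, base_url, params, consumer_secret, token_secret=""):
    # Server side: recompute over everything except oauth_signature, compare in constant time
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, base_url, unsigned),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode())

# Parameters copied from the Twitter slide; the two secrets are constructed stand-ins.
TWITTER_URL = "http://twitter.com/1/statuses/update.json"
TWITTER_PARAMS = {
    "oauth_consumer_key": "TgF80q21yvq4kPRWiYJOXQ", "oauth_nonce": "46002159",
    "oauth_timestamp": "1275366995", "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0", "status": "Ohai.",  # the form body is signed too
    "oauth_token": "149686823-pX5PrnZ0bus8r7bzaA1tGlp3qQgud96eueauIioo",
}
CONSUMER_SECRET, TOKEN_SECRET = "example-consumer-secret", "example-token-secret"
```

Because the secrets are stand-ins, the computed HMAC-SHA1 value differs from the one on the Twitter slide; with the real secrets the same code would reproduce it.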
33. Common Questions
What about Desktop & Mobile applications?
What the heck is OAuth WRAP?
What does OAuth have to do with OpenID?
What is up with OAuth 2?