OAuth 1 Workflow

You will be forced to go through a few steps when you are using OAuth. Below is anexample of the most common OAuth workflow using HMAC-SHA1 signed requests wherethe signature is supplied in the Authorization header.

The example assumes an interactive prompt which is good for demonstration but inpractice you will likely be using a web application (which makes authorizing muchless awkward since you can simply redirect).

The guide will show two ways of carrying out the OAuth1 workflow. One using theauthentication helper OAuth1 and the alternative using OAuth1Session. The latteris usually more convenient and requires less code.

Workflow example showing use of both OAuth1 and OAuth1Session

  1. Manual client signup with the OAuth provider (i.e. Google, Twitter) to geta set of client credentials. Usually a client key and secret. Client might sometimesbe referred to as consumer. For example:

>>># Using OAuth1Session>>>fromrequests_oauthlibimportOAuth1Session>>># Using OAuth1 auth helper>>>importrequests>>>fromrequests_oauthlibimportOAuth1>>>client_key='...'>>>client_secret='...'

  1. Obtain a request token which will identify you (the client) in the next step.At this stage you will only need your client key and secret.

>>>request_token_url='https://api.twitter.com/oauth/request_token'>>># Using OAuth1Session>>>oauth=OAuth1Session(client_key,client_secret=client_secret)>>>fetch_response=oauth.fetch_request_token(request_token_url){    "oauth_token": "Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik",    "oauth_token_secret": "Kd75W4OQfb2oJTV0vzGzeXftVAwgMnEK9MumzYcM"}>>>resource_owner_key=fetch_response.get('oauth_token')>>>resource_owner_secret=fetch_response.get('oauth_token_secret')>>># Using OAuth1 auth helper>>>oauth=OAuth1(client_key,client_secret=client_secret)>>>r=requests.post(url=request_token_url,auth=oauth)>>>r.content"oauth_token=Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik&oauth_token_secret=Kd75W4OQfb2oJTV0vzGzeXftVAwgMnEK9MumzYcM">>>fromurlparseimportparse_qs>>>credentials=parse_qs(r.content)>>>resource_owner_key=credentials.get('oauth_token')[0]>>>resource_owner_secret=credentials.get('oauth_token_secret')[0]

  1. Obtain authorization from the user (resource owner) to access their protectedresources (images, tweets, etc.). This is commonly done by redirecting theuser to a specific url to which you add the request token as a query parameter.Note that not all services will give you a verifier even if they should. Alsothe oauth_token given here will be the same as the one in the previous step.

>>>base_authorization_url='https://api.twitter.com/oauth/authorize'>>># Using OAuth1Session>>>authorization_url=oauth.authorization_url(base_authorization_url)>>>print('Please go here and authorize,',authorization_url)>>>redirect_response=input('Paste the full redirect URL here: ')>>>oauth_response=oauth.parse_authorization_response(redirect_response){    "oauth_token": "Z6eEdO8MOmk394WozF5oKyuAv855l4Mlqo7hhlSLik",    "oauth_verifier": "sdflk3450FASDLJasd2349dfs"}>>>verifier=oauth_response.get('oauth_verifier')>>># Using OAuth1 auth helper>>>authorize_url=base_authorization_url+'?oauth_token='>>>authorize_url=authorize_url+resource_owner_key>>>print('Please go here and authorize,',authorize_url)>>>verifier=input('Please input the verifier')

  1. Obtain an access token from the OAuth provider. Save this token as it can bere-used later. In this step we will re-use most of the credentials obtaineduptil this point.

>>>access_token_url='https://api.twitter.com/oauth/access_token'>>># Using OAuth1Session>>>oauth=OAuth1Session(client_key,                          client_secret=client_secret,                          resource_owner_key=resource_owner_key,                          resource_owner_secret=resource_owner_secret,                          verifier=verifier)>>>oauth_tokens=oauth.fetch_access_token(access_token_url){    "oauth_token": "6253282-eWudHldSbIaelX7swmsiHImEL4KinwaGloHANdrY",    "oauth_token_secret": "2EEfA6BG3ly3sR3RjE0IBSnlQu4ZrUzPiYKmrkVU"}>>>resource_owner_key=oauth_tokens.get('oauth_token')>>>resource_owner_secret=oauth_tokens.get('oauth_token_secret')>>># Using OAuth1 auth helper>>>oauth=OAuth1(client_key,                   client_secret=client_secret,                   resource_owner_key=resource_owner_key,                   resource_owner_secret=resource_owner_secret,                   verifier=verifier)>>>r=requests.post(url=access_token_url,auth=oauth)>>>r.content"oauth_token=6253282-eWudHldSbIaelX7swmsiHImEL4KinwaGloHANdrY&oauth_token_secret=2EEfA6BG3ly3sR3RjE0IBSnlQu4ZrUzPiYKmrkVU">>>credentials=parse_qs(r.content)>>>resource_owner_key=credentials.get('oauth_token')[0]>>>resource_owner_secret=credentials.get('oauth_token_secret')[0]

  1. Access protected resources. OAuth1 access tokens typically do not expireand may be re-used until revoked by the user or yourself.

>>>protected_url='https://api.twitter.com/1/account/settings.json'>>># Using OAuth1Session>>>oauth=OAuth1Session(client_key,                          client_secret=client_secret,                          resource_owner_key=resource_owner_key,                          resource_owner_secret=resource_owner_secret)>>>r=oauth.get(protected_url)>>># Using OAuth1 auth helper>>>oauth=OAuth1(client_key,                   client_secret=client_secret,                   resource_owner_key=resource_owner_key,                   resource_owner_secret=resource_owner_secret)>>>r=requests.get(url=protected_url,auth=oauth)

Signature placement - header, query or body?

OAuth takes many forms, so let’s take a look at a few different forms:

importrequestsfromrequests_oauthlibimportOAuth1url='https://api.twitter.com/1/account/settings.json'client_key='...'client_secret='...'resource_owner_key='...'resource_owner_secret='...'

Header signing (recommended):

headeroauth=OAuth1(client_key,client_secret,resource_owner_key,resource_owner_secret,signature_type='auth_header')r=requests.get(url,auth=headeroauth)

Query signing:

queryoauth=OAuth1(client_key,client_secret,resource_owner_key,resource_owner_secret,signature_type='query')r=requests.get(url,auth=queryoauth)

Body signing:

bodyoauth=OAuth1(client_key,client_secret,resource_owner_key,resource_owner_secret,signature_type='body')r=requests.post(url,auth=bodyoauth)

Signature types - HMAC (most common), RSA, Plaintext

OAuth1 defaults to using HMAC and examples can be found in the previoussections.

Plaintext work on the same credentials as HMAC and the only change you willneed to make when using it is to add signature_type=’PLAINTEXT’to the OAuth1 constructor:

headeroauth=OAuth1(client_key,client_secret,resource_owner_key,resource_owner_secret,signature_method='PLAINTEXT')

RSA is different in that it does not use client_secret norresource_owner_secret. Instead it uses public and private keys. The public keyis provided to the OAuth provider during client registration. The private keyis used to sign requests. The previous section can be summarized as:

key=open("your_rsa_key.pem").read()queryoauth=OAuth1(client_key,signature_method=SIGNATURE_RSA,rsa_key=key,signature_type='query')headeroauth=OAuth1(client_key,signature_method=SIGNATURE_RSA,rsa_key=key,signature_type='auth_header')bodyoauth=OAuth1(client_key,signature_method=SIGNATURE_RSA,rsa_key=key,signature_type='body')