OAuth 2.0 Authorization Header

Tags:

http

oauth-2.0

I want to develop an SDK that encapsulates the OAuth 2.0 functions. I have checked the differences between OAuth 1.0 and 2.0, and I have some confusion about the Authorization header (1.0 and 2.0): OAuth 1.0 protocol parameters can be transmitted using the HTTP "Authorization" header, but I can't find this described in the current OAuth 2.0 draft.

Does OAuth 2.0 support authorization headers?

In OAuth 1.0 your header would look like:

    Authorization: OAuth realm="Example",
        oauth_consumer_key="0685bd9184jfhq22",
        oauth_token="ad180jjd733klru7",
        oauth_signature_method="HMAC-SHA1",
        oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
        oauth_timestamp="137131200",
        oauth_nonce="4572616e48616d6d65724c61686176",
        oauth_version="1.0"

JKhuang asked Jun 17 '12 04:06



2 Answers

For those looking for an example of how to pass the OAuth2 authorization (access token) in the header (as opposed to using a request or body parameter), here is how it's done:

    Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42

Jonathan answered Sep 18 '22 23:09


You can still use the Authorization header with OAuth 2.0. There is a Bearer type specified in the Authorization header for use with OAuth bearer tokens (meaning the client app simply has to present ("bear") the token). The value of the header is the access token the client received from the Authorization Server.

It's documented in this spec: https://www.rfc-editor.org/rfc/rfc6750#section-2.1

E.g.:

    GET /resource HTTP/1.1
    Host: server.example.com
    Authorization: Bearer mF_9.B5f-4.1JqM

Where mF_9.B5f-4.1JqM is your OAuth access token.

Scott T. answered Sep 18 '22 23:09
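Both answers above show the header on the wire; the following is an added example (not code from either answerer or from any OAuth library) that works through the same RFC 6750 section 2.1 header from both sides: the client side builds the `Authorization: Bearer` header and renders the raw request shown in Scott T.'s answer, and the resource-server side parses it, checking the `b64token` syntax the RFC specifies and returning the `WWW-Authenticate` challenge value a 401 response should carry when the header is missing or malformed. The realm name `example` and the function names are assumptions of this example. The parser only checks syntax: the resource server still has to validate the token itself (by introspection or signature check, depending on the token format), and the header must travel over TLS because anyone holding a bearer token can use it.

```python
import re

# RFC 6750 section 2.1 grammar for the header value:
#   credentials = "Bearer" 1*SP b64token
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

REALM = "example"  # constructed realm name used in the challenge (assumption)


def bearer_header(access_token):
    """Client side: build the Authorization header carrying a bearer token."""
    if not _B64TOKEN.match(access_token):
        raise ValueError("access token is not a valid b64token")
    return {"Authorization": "Bearer " + access_token}


def render_request(method, path, host, access_token):
    """Render the raw HTTP/1.1 request the client puts on the wire (CRLF line ends)."""
    header = bearer_header(access_token)["Authorization"]
    return "\r\n".join([
        "%s %s HTTP/1.1" % (method, path),
        "Host: " + host,
        "Authorization: " + header,
        "",
        "",
    ])


def parse_bearer(headers):
    """Resource-server side: extract the bearer token from request headers.

    Returns (token, None) on success, or (None, challenge) where challenge is
    the WWW-Authenticate value to send with a 401 response (RFC 6750 section 3).
    """
    value = None
    for name, val in headers.items():  # header names are case-insensitive
        if name.lower() == "authorization":
            value = val
            break
    if value is None:
        # No credentials presented at all: challenge without an error code
        return None, 'Bearer realm="%s"' % REALM

    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() != "bearer":
        # Empty header or some other scheme (e.g. Basic): not bearer credentials
        return None, 'Bearer realm="%s"' % REALM
    if len(parts) != 2 or not _B64TOKEN.match(parts[1]):
        # Scheme is Bearer but the token part is missing or not a b64token
        return None, 'Bearer realm="%s", error="invalid_request"' % REALM
    return parts[1], None


if __name__ == "__main__":
    print(render_request("GET", "/resource", "server.example.com", "mF_9.B5f-4.1JqM"))
    print(parse_bearer({"Authorization": "Bearer mF_9.B5f-4.1JqM"}))
    print(parse_bearer({}))
    print(parse_bearer({"Authorization": "Bearer"}))
```

The scheme comparison is case-insensitive (`bearer` and `Bearer` both match) because HTTP authentication schemes are compared that way, while the token itself is passed through unchanged. A token that fails the `b64token` grammar is rejected before any lookup happens, so the resource server never hands arbitrary header text to its token store.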