What is OOB in OAuth?

Question

I'm only starting to explore what OAuth and I have barely any clue of the related terms. In a PHP code snippet, I saw :

// Callback can either be 'oob' or a url

$callback='oob';

I'd like to know what oob is?

Answer 1

oob usually stands for "out of band". I would assume that this is to support OAuth responses that come through an unspecified method.

Answer 2

OOB ("out of band") is an alternative to the traditional 3-step process of an OAuth flow (known as 3-Legged-OAuth). The user is not redirected after granting access to a consumer, instead, a code is shown to the user which he needs to manually input in the Consumer App. The difference is outlined in the step 2b below.

An OAuth1a flow:

Step 1: Get a short lived request_token which can be used to access the User Authorization URL.

Step 2: Use the request_token to access and show the User Authorization URL to the user. The user will see a screen where he can accept or decline access; the tipical "Do you want to give App ABC access on your behalf?".

Step 2a (callback url): If a callback_url has been provided, the user will be redirected to that callback URL. The URL will include the parameter oauth_verifier which contains a code, needed for step 3.

Step 2b (callback is oob): If the callback_url is set to oob, the user will not be redirected. Instead, the oauth_verifier code is shown to the user. This must be implemented by the Provider. The user can use this code in the Consumer App, usually a mobile app or any other non-browser based App, to continue to step 3.

Step 3: The oauth_verifier code (and Request Token) is used to get a long-lived access_token. The Consumer can now make calls to the (REST)-API of the Provider using this token in his OAuth calls (the request still needs other OAuth parameters and needs to be signed etc.).

Further info:

Pin based authorization with Twitter API

OAuth1a core specification - Request URLs