 

What is OOB in OAuth?

Tags:

oauth

I'm only starting to explore OAuth and I have barely any clue about the related terms. In a PHP code snippet, I saw:

// Callback can either be 'oob' or a url

$callback='oob';

I'd like to know what oob is.

Programming Noob asked Nov 23 '12 02:11




2 Answers

oob usually stands for "out of band". I would assume that this is to support OAuth responses that come through an unspecified method.

D.Shawley answered Oct 03 '22 22:10


OOB ("out of band") is an alternative to the traditional 3-step process of an OAuth flow (known as 3-Legged OAuth). The user is not redirected after granting access to a consumer; instead, a code is shown to the user which he needs to manually input in the Consumer App. The difference is outlined in step 2b below.

An OAuth1a flow:

Step 1: Get a short lived request_token which can be used to access the User Authorization URL.

Step 2: Use the request_token to access and show the User Authorization URL to the user. The user will see a screen where he can accept or decline access; the typical "Do you want to give App ABC access on your behalf?".

Step 2a (callback url): If a callback_url has been provided, the user will be redirected to that callback URL. The URL will include the parameter oauth_verifier which contains a code, needed for step 3.

Step 2b (callback is oob): If the callback_url is set to oob, the user will not be redirected. Instead, the oauth_verifier code is shown to the user. This must be implemented by the Provider. The user can use this code in the Consumer App, usually a mobile app or any other non-browser based App, to continue to step 3.

Step 3: The oauth_verifier code (and Request Token) is used to get a long-lived access_token. The Consumer can now make calls to the (REST)-API of the Provider using this token in his OAuth calls (the request still needs other OAuth parameters and needs to be signed etc.).

Further info:

Pin based authorization with Twitter API

OAuth1a core specification - Request URLs

LukeSolar answered Oct 03 '22 22:10
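The three legs described in the answer above, played out in-process as an added example (this is not code from the answer, the question, or any real provider). A toy Provider and Consumer exchange steps 1, 2b and 3, signing every request with HMAC-SHA1 over the RFC 5849 signature base string, and the Provider implements the 'oob' branch: when the callback registered in step 1 is 'oob' it hands the oauth_verifier back for display instead of building a redirect. The endpoint URLs, the consumer key/secret and the 'display_verifier' field are assumptions made for this example. The security-relevant check is in step 3: the verifier the user typed is compared against the one bound to that specific request token, so a PIN copied from someone else's authorization screen, or a guessed one, does not yield an access token.

```python
# Added example (not from the answer or any real provider): OAuth 1.0a three-legged
# flow with an 'oob' callback, played out in-process. Endpoint URLs, credentials and
# the 'display_verifier' field are assumptions made for this example.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlencode

REQUEST_URL = "https://provider.example/oauth/request_token"   # assumed endpoints
ACCESS_URL = "https://provider.example/oauth/access_token"

def pct(s):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' pass through."""
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """Section 3.4.1: METHOD & enc(base URL) & enc(params encoded, sorted, joined)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """Section 3.4.2 HMAC-SHA1; params must not already contain oauth_signature."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Provider:
    """Toy service provider: issues request tokens, verifiers and access tokens."""

    def __init__(self, consumers):
        self.consumers = consumers     # consumer_key -> consumer_secret
        self.request_tokens = {}       # token -> {secret, callback, key, verifier}
        self.access_tokens = {}        # token -> secret
        self.seen_nonces = set()       # (consumer_key, nonce): a signed request is accepted once

    def _verify(self, method, url, params, token_secret=""):
        p = dict(params)
        presented = p.pop("oauth_signature", "")
        if p.get("oauth_consumer_key") not in self.consumers:
            raise ValueError("unknown consumer")
        nonce = (p["oauth_consumer_key"], p.get("oauth_nonce"))
        if nonce in self.seen_nonces:
            raise ValueError("replayed nonce")
        self.seen_nonces.add(nonce)
        expected = sign(method, url, p, self.consumers[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(presented, expected):
            raise ValueError("bad signature")

    def request_token(self, params):
        """Step 1: temporary credentials; the callback ('oob' or a URL) is fixed here."""
        self._verify("POST", REQUEST_URL, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "callback": params["oauth_callback"],
                                      "key": params["oauth_consumer_key"], "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, token):
        """Step 2 (called after the user clicked Allow): mint a verifier bound to this request token."""
        rt = self.request_tokens[token]
        rt["verifier"] = f"{secrets.randbelow(10**7):07d}"   # PIN-style, easy to type
        if rt["callback"] == "oob":
            return {"display_verifier": rt["verifier"]}     # Step 2b: shown on screen, no redirect
        query = urlencode({"oauth_token": token, "oauth_verifier": rt["verifier"]})
        return {"redirect": f"{rt['callback']}?{query}"}   # Step 2a: delivered via redirect

    def access_token(self, params):
        """Step 3: trade request token + verifier for long-lived token credentials."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None:
            raise ValueError("unknown request token")
        self._verify("POST", ACCESS_URL, params, rt["secret"])
        if rt["key"] != params["oauth_consumer_key"]:
            raise ValueError("request token belongs to another consumer")
        if rt["verifier"] is None or not hmac.compare_digest(params.get("oauth_verifier", ""), rt["verifier"]):
            raise ValueError("verifier mismatch")
        del self.request_tokens[params["oauth_token"]]      # request tokens are single-use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = secret
        return {"oauth_token": token, "oauth_token_secret": secret}

class Consumer:  # toy consumer: a CLI or mobile app that cannot receive a browser redirect
    def __init__(self, key, secret, callback="oob"):
        self.key, self.secret, self.callback = key, secret, callback

    def signed(self, method, url, extra, token=None, token_secret=""):
        """Build the oauth_* parameter set for one request and sign it."""
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **extra}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = sign(method, url, params, self.secret, token_secret)
        return params

def run_oob_flow(provider, consumer, user_types_pin):
    """Steps 1, 2b and 3; user_types_pin models the user copying the PIN into the app."""
    rt = provider.request_token(consumer.signed("POST", REQUEST_URL, {"oauth_callback": "oob"}))
    screen = provider.authorize(rt["oauth_token"])
    pin = user_types_pin(screen["display_verifier"])
    return provider.access_token(consumer.signed("POST", ACCESS_URL, {"oauth_verifier": pin},
                                                 rt["oauth_token"], rt["oauth_token_secret"]))
```

Run it with `run_oob_flow(Provider({"app-abc": "consumer-secret"}), Consumer("app-abc", "consumer-secret"), lambda pin: pin)` (constructed credentials) and the returned dict is the long-lived access token and secret; pass a lambda that returns a different PIN and step 3 fails with "verifier mismatch". Giving the Consumer a URL callback instead of 'oob' makes `authorize` return the step 2a redirect carrying `oauth_verifier` in the query string, which is the only difference between the two branches from the Provider's point of view.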