I'm only starting to explore what OAuth is and I have barely any clue about the related terms. In a PHP code snippet, I saw:
// Callback can either be 'oob' or a url
$callback='oob';
I'd like to know what oob is.
OOB stands for Out-Of-Band. Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel along with the typical ID and password.
The most common OAuth grant types are: Authorization Code, PKCE, Client Credentials and Device Code.
OAuth is a delegated authorization framework for REST/APIs. It enables apps to obtain limited access (scopes) to a user's data without giving away a user's password. It decouples authentication from authorization and supports multiple use cases addressing different device capabilities.
oob usually stands for "out of band". I would assume that this is to support OAuth responses that come through an unspecified method.
OOB ("out of band") is an alternative to the traditional 3-step process of an OAuth flow (known as 3-Legged OAuth). The user is not redirected after granting access to a consumer; instead, a code is shown to the user, which he needs to manually input in the Consumer App. The difference is outlined in step 2b below.
An OAuth 1.0a flow:
Step 1: Get a short-lived request_token, which can be used to access the User Authorization URL.
Step 2: Use the request_token to access and show the User Authorization URL to the user. The user will see a screen where he can accept or decline access; the typical "Do you want to give App ABC access on your behalf?".
Step 2a (callback url): If a callback_url has been provided, the user will be redirected to that callback URL. The URL will include the parameter oauth_verifier, which contains a code needed for step 3.
Step 2b (callback is oob): If the callback_url is set to oob, the user will not be redirected. Instead, the oauth_verifier code is shown to the user. This must be implemented by the Provider. The user can use this code in the Consumer App, usually a mobile app or any other non-browser-based App, to continue to step 3.
Step 3: The oauth_verifier code (and Request Token) is used to get a long-lived access_token. The Consumer can now make calls to the (REST) API of the Provider using this token in his OAuth calls (the request still needs other OAuth parameters and needs to be signed, etc.).
Further info:
Pin based authorization with Twitter API
OAuth1a core specification - Request URLs
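The three steps above, played out end to end as an added example (this is not code from the question, from any of the answers, or from Twitter). Both the Consumer and a minimal Provider live in one file so it runs offline; the Provider URL, consumer key/secret, token strings and the PIN the user types are all constructed here. Signing follows RFC 5849 (HMAC-SHA1 over the signature base string); the Provider's user session and consent screen are simulated by a single method call.

```python
"""OAuth 1.0a flow with oauth_callback=oob, simulated end to end (added example)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

CONSUMER_KEY = "consumer-key-demo"        # constructed, not a real credential
CONSUMER_SECRET = "consumer-secret-demo"  # constructed, not a real credential


def enc(s):
    """RFC 3986 percent-encoding as RFC 5849 section 3.6 requires ('*' is encoded)."""
    return quote(str(s), safe="-._~")


def signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the signature base string (RFC 5849 section 3.4)."""
    pairs = sorted((enc(k), enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), enc(url), enc(normalized)])
    key = enc(consumer_secret) + "&" + enc(token_secret)  # empty token secret in step 1
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


class Provider:
    """Minimal OAuth 1.0a Provider (server side) that implements the oob case (step 2b)."""
    BASE = "https://provider.example"  # constructed URL, not a real endpoint

    def __init__(self, consumers):
        self.consumers = consumers      # consumer_key -> consumer_secret
        self.request_tokens = {}        # token -> {"secret", "callback", "verifier"}
        self.access_tokens = {}         # token -> secret

    def _check_sig(self, method, path, params, token_secret=""):
        consumer_secret = self.consumers[params["oauth_consumer_key"]]
        expected = signature(method, self.BASE + path, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            raise PermissionError("bad signature")

    def request_token(self, params):  # Step 1
        self._check_sig("POST", "/oauth/request_token", params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "callback": params["oauth_callback"],
                                      "verifier": None}
        return {"oauth_token": token, "oauth_token_secret": secret,
                "oauth_callback_confirmed": "true"}

    def authorize(self, request_token, user_approves=True):  # Step 2 (consent screen simulated)
        rec = self.request_tokens[request_token]
        if not user_approves:
            raise PermissionError("user declined")
        rec["verifier"] = str(secrets.randbelow(10_000_000)).zfill(7)  # PIN-style verifier
        if rec["callback"] == "oob":
            # Step 2b: no redirect; the Provider shows the verifier on screen
            return {"display_pin": rec["verifier"]}
        # Step 2a: redirect back to the Consumer with oauth_verifier in the query string
        return {"redirect": f"{rec['callback']}?oauth_token={request_token}"
                            f"&oauth_verifier={rec['verifier']}"}

    def access_token(self, params):  # Step 3
        rec = self.request_tokens.get(params["oauth_token"])
        if rec is None or rec["verifier"] is None:
            raise PermissionError("unknown or unauthorized request token")
        self._check_sig("POST", "/oauth/access_token", params, rec["secret"])
        if not hmac.compare_digest(rec["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("wrong verifier")
        del self.request_tokens[params["oauth_token"]]  # request token is single-use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = secret
        return {"oauth_token": token, "oauth_token_secret": secret}


def oauth_params(extra, path, token_secret="", method="POST"):
    """Consumer side: build the signed oauth_* parameter set for one request."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}
    params["oauth_signature"] = signature(method, Provider.BASE + path, params,
                                          CONSUMER_SECRET, token_secret)
    return params


def run_oob_flow(provider, pin_entered_by_user=None):
    """Consumer side of the whole flow; returns the access token the Provider issued."""
    # Step 1: request token, declaring the callback as 'oob'
    rt = provider.request_token(oauth_params({"oauth_callback": "oob"}, "/oauth/request_token"))
    # Step 2: the user approves on the Provider's screen; with 'oob' a PIN is displayed
    shown = provider.authorize(rt["oauth_token"])
    pin = shown["display_pin"] if pin_entered_by_user is None else pin_entered_by_user
    # Step 3: the PIN (oauth_verifier) and request token are exchanged for the access token
    return provider.access_token(oauth_params(
        {"oauth_token": rt["oauth_token"], "oauth_verifier": pin},
        "/oauth/access_token", token_secret=rt["oauth_token_secret"]))


if __name__ == "__main__":
    print(run_oob_flow(Provider({CONSUMER_KEY: CONSUMER_SECRET})))
```

Two points worth noticing in the Provider: the verifier is compared with a constant-time check and the request token is deleted once it has been exchanged, so a PIN that leaks after use cannot be replayed; and step 3 is signed with the request token secret, so possessing the PIN alone (without the secret from step 1) is not enough to obtain the access token.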