This slide deck describes how an OAuth 2.0 protected service can call an OAuth 1.0a protected Twitter API. Your OAuth 2.0 authorization server obtains a Twitter access token by redirecting the user through Twitter's OAuth 1.0a authorization process and stores that token for the user. Your service then uses the stored Twitter token to call the Twitter API on the user's behalf. A third-party OAuth 2.0 client that calls your service presents an access token issued by your own OAuth 2.0 authorization server, never the Twitter token, and reaches the user's Twitter data only through your service.
Calling an OAuth 1.0a API from an OAuth 2.0 API
1. Calling an OAuth 1.0a Service from an OAuth 2.0-protected Service
By Travis Spencer
email@travisspencer.com
2. Basic Rundown
• You want to call the Twitter API from your own API
• The Twitter service is an OAuth 1.0a Resource Server (RS)
• Twitter has an OAuth 1.0a Authorization Server (AS)
• The Twitter service naturally only trusts its own AS
• Your service is an OAuth 2 RS and an OAuth 1.0a Twitter client
• You have an OAuth 2 AS
• Your service naturally only trusts your AS
• The Web app that calls your service is an OAuth 2.0 client and must submit Access Tokens (ATs) issued by your AS (not Twitter's) when calling your service
• The Resource Owner (RO) is a Twitter user and will authorize your service to call the Twitter API to modify their data
• The RO authenticates to your AS using Twitter's OAuth 1.0a AS
• Your AS asks the RO to authorize a third-party client of your service
3. User indicates that they would like to grant some Web site access to the resources that your service provides.
[Actor diagram, repeated on each of the following slides: Twitter User (RO); Twitter's OAuth 1.0a AS; Twitter API (OAuth 1.0a RS); Your OAuth 2.0 AS; Your API (OAuth 2.0 RS / OAuth 1.0a Client); Third-party Web site (OAuth 2.0 Client)]
4. The Web site redirects the user to your OAuth 2.0 AS (an OAuth 2.0 authorization request carrying the client's identifier and its registered redirect URL).
5. Your AS gets a Request Token (RT) and its token secret from Twitter's AS by making a signed call (HMAC-SHA1 over the request, keyed with your Twitter client key's consumer secret) that also carries your AS's callback URL.
6. Your AS redirects the user to Twitter's authorization endpoint w/ the RT. This is a plain browser redirect carrying only the RT (oauth_token); the signed calls are the ones your AS makes directly to Twitter's AS in steps 5 and 10.
7. The user authenticates to Twitter if they don't have a session already.
8. The user grants your API access to Twitter’s API.
9. Twitter redirects the user to your AS's callback URL w/ the RT from before and an oauth_verifier. Your AS should check that the RT is one it issued in step 5 before continuing.
10. Your AS exchanges the RT and verifier for an Access Token (AT) and token secret in a second signed call, and stores/associates these with the user. This Twitter AT stays inside your AS and your API.
11. Your AS redirects the user with an Authorization Code (AC) to the registered callback URL of the third-party consumer of your API.
12. The client exchanges the AC at your AS's token endpoint for a new AT specific to your API, authenticating w/ the client credentials you gave them. This AT is unrelated to the Twitter AT and is the only token the client ever sees.
13. The client calls your API with an AT from your AS.
14. Your API resolves the AT presented to it by submitting it to your AS, which validates the token and returns the Twitter AT and token secret it stored for this user in step 10.
15. Your API calls the Twitter API using the previously granted access, signing the request with your Twitter consumer secret and the user's Twitter token secret.
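The Twitter leg of the flow, steps 5, 9, 10 and 15, as an added Python example (constructed for this page, not the deck's or Travis Spencer's code): the RFC 5849 HMAC-SHA1 signature your AS and your API put on the request-token, access-token and API calls, and the checks Twitter's side performs on them (signature over the base string, nonce/timestamp replay, single-use request token, verifier match). Twitter's AS and RS are simulated in-process by a constructed `TwitterSim` class; the consumer key and secret, callback URL and user name are made-up values, and `twitter_dance` plays the part of your AS and your API.

```python
import base64
import hashlib
import hmac
import secrets
import time
import urllib.parse

def pct(s: str) -> str:
    """RFC 5849 section 3.6: percent-encode all but the RFC 3986 unreserved characters."""
    return urllib.parse.quote(s, safe="-._~")

def base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized params); url has no query string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    """RFC 5849 section 3.4.2: HMAC-SHA1 keyed with enc(consumer secret)&enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_request(method, url, consumer_key, consumer_secret, token=None, token_secret="", **extra):
    """Client side (your AS in steps 5 and 10, your API in step 15): oauth_* parameters plus signature."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(16),
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
              "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params

class TwitterSim:
    """Constructed in-process stand-in for Twitter's OAuth 1.0a AS and RS (not Twitter's code)."""
    BASE = "https://api.twitter.com"

    def __init__(self, consumers: dict):
        self.consumers = consumers  # consumer key -> consumer secret of your registered app (made up)
        self.temp, self.access, self.seen = {}, {}, set()

    def _verify(self, method, url, params, token_secret):
        ck = params.get("oauth_consumer_key")
        if ck not in self.consumers:
            raise PermissionError("unknown consumer key")
        if abs(time.time() - int(params.get("oauth_timestamp", "0"))) > 300:
            raise PermissionError("stale timestamp")
        nonce = (ck, params.get("oauth_timestamp"), params.get("oauth_nonce"))
        if nonce in self.seen:
            raise PermissionError("replayed nonce")
        expected = sign(method, url, params, self.consumers[ck], token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen.add(nonce)
        return ck

    def request_token(self, params):  # step 5: signed with the consumer secret only
        ck = self._verify("POST", self.BASE + "/oauth/request_token", params, "")
        rt, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.temp[rt] = {"secret": secret, "callback": params["oauth_callback"],
                         "consumer": ck, "verifier": None}
        return rt, secret

    def authorize(self, rt, user):  # steps 7-9: login and consent, then redirect with RT and verifier
        t = self.temp[rt]
        t["verifier"], t["user"] = secrets.token_urlsafe(12), user
        return f"{t['callback']}?oauth_token={rt}&oauth_verifier={t['verifier']}"

    def access_token(self, params):  # step 10: signed with consumer secret and RT secret
        t = self.temp.get(params.get("oauth_token"))
        if t is None or t["verifier"] is None:
            raise PermissionError("unknown or unauthorized request token")
        ck = self._verify("POST", self.BASE + "/oauth/access_token", params, t["secret"])
        if ck != t["consumer"] or not hmac.compare_digest(t["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("verifier mismatch")
        del self.temp[params["oauth_token"]]  # a request token can be exchanged only once
        at, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(24)
        self.access[at] = {"secret": secret, "consumer": ck, "user": t["user"]}
        return at, secret

    def api_call(self, params):  # step 15: the RS checks the signature with the AT's secret
        a = self.access.get(params.get("oauth_token"))
        if a is None:
            raise PermissionError("unknown access token")
        self._verify("GET", self.BASE + "/1.1/account/verify_credentials.json", params, a["secret"])
        return {"screen_name": a["user"]}

def twitter_dance(twitter, consumer_key, consumer_secret, callback, user):
    """Your side of steps 5, 9, 10 and 15 against the simulated Twitter."""
    req = signed_request("POST", twitter.BASE + "/oauth/request_token", consumer_key, consumer_secret,
                         oauth_callback=callback)
    rt, rt_secret = twitter.request_token(req)
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(twitter.authorize(rt, user)).query))
    if query.get("oauth_token") != rt:  # step 9: the callback must carry the RT this flow started with
        raise PermissionError("callback token does not match the request token we issued")
    req = signed_request("POST", twitter.BASE + "/oauth/access_token", consumer_key, consumer_secret,
                         rt, rt_secret, oauth_verifier=query["oauth_verifier"])
    at, at_secret = twitter.access_token(req)  # your AS stores (at, at_secret) against this user
    req = signed_request("GET", twitter.BASE + "/1.1/account/verify_credentials.json",
                         consumer_key, consumer_secret, at, at_secret)
    return twitter.api_call(req)
```

Two things carry over to real code: the same `sign` function runs on both sides, so the consumer secret and the per-user token secret must stay inside your AS and your API (the third-party client never needs them), and the nonce/timestamp check is what makes a captured signed request useless to replay.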
16. The Twitter data is used and your API returns the results.
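The OAuth 2.0 half of the flow, steps 11 through 14 and the API call of steps 13 to 16, as an added Python example (constructed for this page, not the deck's or the author's code): your AS issues a short-lived, single-use Authorization Code bound to the client and its redirect URL, authenticates the client at the token endpoint, hands back an opaque AT that has nothing to do with the Twitter AT, and lets only your API resolve that AT to the stored Twitter credentials. The client id and secret, redirect URL, user name and Twitter token values are made up; `twitter_call` is a placeholder for the signed OAuth 1.0a request of step 15.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class YourAS:
    """Constructed stand-in for your OAuth 2.0 AS (example code, not the author's)."""
    clients: dict                                        # client_id -> {"secret", "redirect_uri"}
    api_credential: str                                  # secret your API presents when resolving tokens
    twitter_tokens: dict = field(default_factory=dict)   # user -> (Twitter AT, Twitter token secret)
    codes: dict = field(default_factory=dict)            # authorization code -> grant details
    tokens: dict = field(default_factory=dict)           # your AT -> {user, client_id, expires}

    def store_twitter_token(self, user, twitter_at, twitter_secret):  # end of step 10
        self.twitter_tokens[user] = (twitter_at, twitter_secret)

    def authorize(self, user, client_id, redirect_uri):  # step 11: issue a code, not a token
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if user not in self.twitter_tokens:
            raise PermissionError("user has not yet authorized your service at Twitter (steps 5-10)")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client_id": client_id, "redirect_uri": redirect_uri,
                            "expires": time.time() + 60}
        return f"{redirect_uri}?code={code}"

    def token(self, code, client_id, client_secret, redirect_uri):  # step 12: token endpoint
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # single use: a replayed code fails
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to another client or redirect_uri")
        access_token = secrets.token_urlsafe(32)  # opaque and unrelated to the Twitter AT
        self.tokens[access_token] = {"user": grant["user"], "client_id": client_id,
                                     "expires": time.time() + 3600}
        return access_token

    def lookup(self, api_credential, access_token):  # step 14: only your API may resolve tokens
        if not hmac.compare_digest(api_credential, self.api_credential):
            raise PermissionError("caller is not your API")
        t = self.tokens.get(access_token)
        if t is None or t["expires"] < time.time():
            raise PermissionError("invalid or expired access token")
        return t["user"], self.twitter_tokens[t["user"]]

class YourAPI:
    """Your OAuth 2.0 RS; twitter_call stands in for the signed OAuth 1.0a request of step 15."""
    def __init__(self, auth_server, api_credential, twitter_call):
        self.auth_server, self.api_credential, self.twitter_call = auth_server, api_credential, twitter_call

    def handle(self, authorization_header):  # steps 13-16
        scheme, _, access_token = authorization_header.partition(" ")
        if scheme != "Bearer" or not access_token:
            raise PermissionError("missing bearer token")
        user, (tw_at, tw_secret) = self.auth_server.lookup(self.api_credential, access_token)
        return {"user": user, "twitter": self.twitter_call(tw_at, tw_secret)}

def broker_demo():
    """Runs steps 10-16 for made-up user 'alice' and a made-up third-party client 'webapp'."""
    api_cred = secrets.token_urlsafe(32)
    your_as = YourAS({"webapp": {"secret": "webapp-secret", "redirect_uri": "https://webapp.example/cb"}},
                     api_cred)
    your_as.store_twitter_token("alice", "twitter-at-for-alice", "twitter-secret-for-alice")  # step 10

    def twitter_call(tw_at, tw_secret):  # placeholder for step 15; real code signs with both secrets
        return {"called_with_twitter_token": tw_at}

    api = YourAPI(your_as, api_cred, twitter_call)
    redirect = your_as.authorize("alice", "webapp", "https://webapp.example/cb")  # step 11
    code = redirect.split("code=", 1)[1]
    access_token = your_as.token(code, "webapp", "webapp-secret", "https://webapp.example/cb")  # step 12
    result = api.handle(f"Bearer {access_token}")  # steps 13-16
    return {"as": your_as, "api": api, "code": code, "access_token": access_token, "result": result}
```

The point of the lookup step is that the Twitter AT and secret cross exactly one boundary, from your AS to your API, and are never returned to the third-party client; presenting the Twitter AT to your API as a bearer token fails because it was never issued by your AS.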