OAuth 2.0 Authorization Header

Asked 17/6, 2012 at 4:20 Answered 25/11, 2022 at 9:57

104

I want to develop a SDK that encapsules the OAuth 2.0 functions. I have checked the differences between OAuth 1.0 & 2.0, and I have some confusion on Authorization Header (1.0 and 2.0), OAuth 1.0 protocol parameters can be transmitted using the HTTP "Authorization" header, but I can't find this described in current OAuth 2.0 draft.

Does OAuth 2.0 supports authorization headers?

In OAuth 1.0 your header would look like:

Authorization: OAuth realm="Example",
    oauth_consumer_key="0685bd9184jfhq22",
    oauth_token="ad180jjd733klru7",
    oauth_signature_method="HMAC-SHA1",
    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0"

Gleason answered 17/6, 2012 at 4:20 Comment(2)

Not answering your question but there are already a number of OpenId and OAuth libraries out there, are you sure you want to re-invent the wheel? – Meteoroid 17/6, 2012 at 4:31

Hi Kane, I am not developing SDK for OAuth, I just need some OAuth function in my SDK, so I don't want to introduce third part library. – Gleason 17/6, 2012 at 9:42

228

For those looking for an example of how to pass the OAuth2 authorization (access token) in the header (as opposed to using a request or body parameter), here is how it's done:

Authorization: Bearer 0b79bab50daca910b000d4f1a2b675d604257e42

Standpipe answered 11/9, 2013 at 23:18 Comment(3)

For anyone who came across this thread trying to use the Authorization Header with cURL, Here is the command: curl -H "Authorization: Bearer $ACCESS_TOKEN" URI – Oldcastle 17/6, 2014 at 15:32

Quick question, as I keep seeing answers like this one, but without the clarification: if I'm doing this in code (via HTTPRequest API), I add headers to my request with a header-name and an associated data field. In this answer, which part is the name of the header, and which the data? That is, is the header Authorization: Bearer with 0b...42 as data, or is the header Authorization: with Bearer 0b...42 as the data, or what? Thanks! (Btw, I'm Oauth2, if it matters.) – Lullaby 24/4, 2015 at 0:37

Authorization is the header name, the colon separates the name from the value in all headers as per section 4.2 of RFC2616. – Staffordshire 7/5, 2015 at 18:38

You can still use the Authorization header with OAuth 2.0. There is a Bearer type specified in the Authorization header for use with OAuth bearer tokens (meaning the client app simply has to present ("bear") the token). The value of the header is the access token the client received from the Authorization Server.

It's documented in this spec: https://www.rfc-editor.org/rfc/rfc6750#section-2.1

E.g.:

   GET /resource HTTP/1.1
   Host: server.example.com
   Authorization: Bearer mF_9.B5f-4.1JqM

Where mF_9.B5f-4.1JqM is your OAuth access token.

Jejunum answered 17/6, 2012 at 22:31 Comment(2)

OAuth 2.0 documents two access token types as examples: Bearer and MAC (tools.ietf.org/html/rfc6749#section-7.1) – Farther 1/11, 2018 at 10:0

Unfortunately MAC was never fully standardized (see expired draft spec: tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05) and isn't used in practice. – Jejunum 1/11, 2018 at 16:51

I just want to specify that you can use "Property Expansion" in the header value as well to Automation your proccess.

( Actually i use a property transfer too, to transfer token into my TestSuite property and then as you can see return it with "${#TestSuite#token}" )

example:

Sources :

Best regards community !

Vulnerable answered 25/11, 2022 at 9:57 Comment(0)

Recommended topics

Hot tags