
What is the Access Token vs. Access Token Secret and Consumer Key vs. Consumer Secret

I have been using OAuth for a while but have never been completely sure of the difference between these four terms (and the functionality of each). I frequently see (for instance in the Twitter Public API) the fields

Consumer key:
Consumer secret:
Access token:
Access token secret:

but I have never known exactly what they do. I know that OAuth has the ability to authorize apps (let them act on a user's behalf), but I do not understand the relationship between these four authorization terms and would love an explanation.

Basically, I am not sure how the access token or token secret are generated, where they are stored, and what relation they have to each other or to the consumer key and secret.

Thank you


Community

Consumer key is the API key that a service provider (Twitter, Facebook, etc.) issues to a consumer (a service that wants to access a user's resources on the service provider). This key is what identifies the consumer.

Consumer secret is the consumer "password" that is used, along with the consumer key, to request access (i.e. authorization) to a user's resources from a service provider.

Access token is what is issued to the consumer by the service provider once the consumer completes authorization. This token defines the access privileges of the consumer over a particular user's resources. Each time the consumer wants to access the user's data from that service provider, the consumer includes the access token in the API request to the service provider.

Hope that clears it up. I would recommend skimming through the beginning of the oAuth 2.0 spec. It's really informative.


What I don't get is that in my Twitter app, all of these are already provided (meaning that I did not have to authenticate with a server to get an access token, because I had that as soon as I signed up an app with Twitter). I thought you said that I needed to be authenticated before I get an access token?

Twitter lets you generate an access token for yourself (specifically your account) so that you can test with it. However, for every other user using your app, an access token (for that user) can only be acquired once the user is authenticated.

If you were to try and get information from the user's Twitter account, do you have to have them log in every time/authenticate? What information (token/keys) can you save for future requests? -- Can you use the same Access Token/Access Secret?

@HenSapir, I disagree regarding your description of "access token secret". I don't know what it means, it is not a standard term, but I do know that it is NOT the case that "the access token secret is sent with the access token". It is not. Only the access token is sent. I suspect that someone wrote "the access token secret" when they meant "the access token, which is a secret".

Note that the term "consumer" is old. OAuth specs use the term "client". This is noted in section 1.1 of tools.ietf.org/html/rfc5849
jyfar

There are two types of authentication. The first one is called authentication, which uses the consumer key and consumer secret to identify this client and be sure that it is a valid account. The second one is called authorization; it allows the resource server to identify which kind of actions you have permission to do with data, or what we call a resource. This operation uses the access token and access token secret.

For further details, take a look at these useful slides from Google:

https://docs.google.com/presentation/d/1KqevSqe6ygWVj4U-wlarKU7-SVR79x-vjpR4gEc4A9Q/edit?pli=1#slide=id.g1697c74a_1_14
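Both answers above describe what the four values are, and the comment about "access token secret" makes the point that the secret is never sent. The example below, added here and not part of either answer, shows concretely how the four credentials are used in OAuth 1.0a (RFC 5849, HMAC-SHA1): the client puts the consumer key and the access token into the Authorization header and uses the consumer secret and the access token secret only to build the HMAC signing key, while the server looks up the same two secrets for the identifiers it received and recomputes the signature. All credential values, the URL and the nonce/timestamp are constructed sample data.

```python
"""Added example: OAuth 1.0a request signing (client) and verification (server).
Key point: consumer key + access token are sent; consumer secret + access token
secret never leave either party, they only form the HMAC-SHA1 signing key.
All credential values below are constructed sample data, not real keys."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlparse

# Constructed sample credentials (the four values an app dashboard shows)
CONSUMER_KEY = "consumer-key-EXAMPLE"
CONSUMER_SECRET = "consumer-secret-EXAMPLE"
ACCESS_TOKEN = "access-token-EXAMPLE"
ACCESS_TOKEN_SECRET = "access-token-secret-EXAMPLE"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def signing_key(consumer_secret, token_secret=""):
    """The HMAC key: both secrets, encoded and joined by '&'.
    Before a token exists (request-token step) the token secret is empty."""
    return pct(consumer_secret) + "&" + pct(token_secret)


def signature_base_string(method, url, params):
    """Method, base URL (no query) and the sorted, encoded parameters, joined by '&'."""
    parts = urlparse(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1_signature(key, base_string):
    digest = hmac.new(key.encode(), base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 nonce, timestamp, body_params=None):
    """Client side: build the oauth_* parameters and compute oauth_signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,      # identifies the app (sent)
        "oauth_token": token,                    # identifies the user grant (sent)
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    params = list(oauth.items()) + parse_qsl(urlparse(url).query, keep_blank_values=True)
    params += list((body_params or {}).items())
    base = signature_base_string(method, url, params)
    # The two secrets appear only here, inside the HMAC key; they are never transmitted.
    oauth["oauth_signature"] = hmac_sha1_signature(signing_key(consumer_secret, token_secret), base)
    return oauth


def authorization_header(oauth):
    """What actually goes on the wire."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def parse_authorization_header(header):
    """Server side: recover the oauth_* parameters from the header value."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0a Authorization header")
    out = {}
    for item in header[len("OAuth "):].split(", "):
        k, _, v = item.partition("=")
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def verify_request(method, url, oauth, consumer_secrets, token_secrets, body_params=None):
    """Server side: look up both secrets for the presented identifiers, recompute, compare.
    A production verifier also rejects stale timestamps and reused nonces (replay)."""
    consumer_secret = consumer_secrets.get(oauth.get("oauth_consumer_key"))
    token_secret = token_secrets.get(oauth.get("oauth_token"))
    if consumer_secret is None or token_secret is None:
        return False
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    params = list(oauth.items()) + parse_qsl(urlparse(url).query, keep_blank_values=True)
    params += list((body_params or {}).items())
    base = signature_base_string(method, url, params)
    expected = hmac_sha1_signature(signing_key(consumer_secret, token_secret), base)
    return hmac.compare_digest(expected.encode(), oauth.get("oauth_signature", "").encode())


if __name__ == "__main__":
    url = "https://api.example.com/1.1/statuses/user_timeline.json?count=5"
    signed = sign_request("GET", url, CONSUMER_KEY, CONSUMER_SECRET, ACCESS_TOKEN,
                          ACCESS_TOKEN_SECRET, nonce="4f1b2c3d", timestamp=1700000000)
    header = authorization_header(signed)
    print(header)  # contains the key and the token, neither secret
    received = parse_authorization_header(header)
    print(verify_request("GET", url, received, {CONSUMER_KEY: CONSUMER_SECRET},
                         {ACCESS_TOKEN: ACCESS_TOKEN_SECRET}))
```

Running it prints the header and then True. Changing either secret on the server side, or altering the query string after signing, makes `verify_request` return False, which is exactly why the secrets must be stored by both parties but never transmitted, and why the access token alone (without its secret) is not enough to act on the user's behalf under OAuth 1.0a.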