1

I'm connecting to several OAuth-protected services, and trying to understand how two of my Oauth client libraries seem to operate differently.

One of the libraries is a general OAuth client that requires both an access token key/secret pair and a consumer key/secret pair in order to generate signed requests.

The other library is a Facebook specific OAuth client, and requires only an access token without the secret, and no consumer token or key at all for signing requests.

Is Facebook's implementation of OAuth so different that it only requires 1 of the 4 elements needed by other OAuth implementations for signing requests?

Yarin
  • 173,523
  • 149
  • 402
  • 512

1 Answers1

2

The general library you mention is for use with the OAuth 1.0a specification. While Facebook's Graph API is based on OAuth 2.

The two "versions" of OAuth are quite different from one another. The main difference is just as you mention, that in OAuth 2 there is no concept of request level cryptography (no signature horrors). The specification instead relies on absolutely requiring that API endpoints use secure transport layer (HTTPS/SSL).

Since OAuth 2 has only recently matured into a more stable draft you will find that service providers have based their implementations on different drafts, while OAuth 1.0 is more stable in terms of server implementations.

This question should give you good insight: How is OAuth 2 different from OAuth 1?.

Community
  • 1
  • 1
Jon Nylander
  • 8,743
  • 5
  • 34
  • 45
  • Jon- thanks, had no idea I was dealing with 2 very different versions. Now I can start untying the knot in my head.. – Yarin May 04 '12 at 19:12