%META:TOPICPARENT{name="OpenLinkVirtuoso"}%
---++ What is OAuth?

The OAuth protocol enables websites or applications (<i>Consumers</i>) to 
access Protected Resources from Web services (<i>Service Providers</i>) via 
an API, without requiring Users to disclose their Service Provider credentials 
to those Consumers. More generally, OAuth creates a freely-implementable and
generic methodology for API-oriented authentication.

For <i>Consumer</i> developers, OAuth is a method to publish and interact with 
protected data.

For <i>Service Provider</i> developers, OAuth gives users access to their data 
while protecting their account credentials.

One use case would be allowing a printing service, printer.example.com (the 
Consumer), to access private photos stored on photos.example.net (the Service 
Provider), without requiring Users to reveal their photos.example.net 
credentials to printer.example.com.

---+++ Why is it important?

OAuth allows the user to selectively grant access to their private resources 
housed on one site (called the <i>Service Provider</i>), to another site (called 
the <i>Consumer</i>). In other words, OAuth enables you to grant access to some 
of your information without sharing all of your identity.

OAuth does not require a specific user interface or interaction pattern, nor 
does it specify how Service Providers authenticate Users, making the protocol 
ideally suited for cases where authentication credentials are unavailable to 
the Consumer, such as with OpenID.

OAuth aims to unify the experience and implementation of delegated web service 
authentication with a single, community-driven protocol. OAuth builds on 
existing protocols and best practices that have been independently implemented 
by various websites. An open standard, supported by large and small providers 
alike, promotes a consistent and trusted experience for both application 
developers and the users of those applications.

---+++ How does it work?

What is publicly known as <i>"OAuth"</i> is really the <i>"OAuth Core 1.0"</i> 
specification.  The <i>"Core"</i> designation is used to stress that this is the 
skeleton upon which other extensions and protocols may be built. OAuth Core 1.0 
does NOT by itself provide many desired features such as automated discovery of 
endpoints, language support, support for XML-RPC and SOAP, standard definition 
of resource access, OpenID integration, a full range of signing algorithms, or 
any number of other great ideas posted to the OAuth group.

This was intentional and is viewed by the authors as a benefit. As the name 
implies, Core deals only with the most fundamental aspects of the protocol:

   * Establish a mechanism for exchanging a username and password for a token 
with defined rights 
   * Provide tools to protect these tokens

More details can be found [[http://oauth.net/documentation/getting-started][here]].


---++ What are OAuth Access Tokens?

Credentials bearing tokens enable a user to provide their credentials in tokenized form in cases 
where HTTP redirection to a browser plus human interaction is unavailable or unsuitable. For example, 
intermediary intelligent agents, mobile phones, or set-top devices.

---+++ How does it work?

---++++ Request Authentication
To request an Access Token in this model, the Consumer makes an HTTP 
request to the Service Provider's Access Token URL. The authentication 
request contains [nine] parameters contained in the HTTP Authorization 
header or as URL parameters. Parameter names and values must be 
"percent-encoded" to handle characters in different character sets. The 
request should be performed using TLS, and should use HTTP POST.

---++++ Receive Authentication
Before granting an access token, the Service Provider must ensure that the 
request signature has been successfully verified as per OAuth,
that a request with the supplied timestamp and nonce has never been 
received before, and that the supplied username and password match a
User's credentials. If successful, the Service Provider generates an 
Access Token and Token Secret using a 200 Ok response and returns them
in the HTTP response body.

---++++ Access Protected Resources
After successfully receiving the Access Token and Token Secret, the 
Consumer is able to access the Protected Resources on behalf of the User 
as per section 7 of the OAuth core specification. In other words, the Access 
Token obtained here is no different in capability to the Access Token
specified by OAuth. Once authenticated using the above process, the 
Consumer will sign all subsequent requests for the User's Protected
Resources using the returned Token Secret.


---++ Additional Information

---+++ General OAuth Information

   * [[http://www.hueniverse.com/hueniverse/2007/09/explaining-oaut.html][Explaining OAuth]]
   * [[http://www.hueniverse.com/hueniverse/2007/10/beginners-gui-1.html][Visual OAuth Usage Example]]
   * [[http://www.hueniverse.com/hueniverse/2008/10/beginners-guide.html][OAuth Beginners Guide - Part 3]]
   * [[http://oauth.net/core/1.0][OAuth specification]]
   * [[http://oauth.net/documentation/getting-started][Getting Started with OAuth]]
   * [[http://xml.coverpages.org/draft-dehora-farrell-oauth-accesstoken-creds-00.txt][OAuth Access Tokens Using Credentials specification]]
   * [[http://xml.coverpages.org/draft-hammer-oauth-00.txt][OAuth: HTTP Authorization Delegation Protocol specification]]
   * [[http://groups.google.com/group/oauth][Google OAuth Group]]
   * [[http://step2.googlecode.com/svn/spec/openid_oauth_extension/drafts/0/openid_oauth_extension.html][OAuth & OpenID Combined]] - Protocol Extension

---+++ Virtuoso- and OpenLink-specific OAuth Information

   * [[VirtuosoOAuthServer][Virtuoso OAuth server]]
   * [[VirtAuthServerUI][Virtuoso Authentication Server UI]].
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtOAuthControllers][Using OAuth with ODS]]
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtuosoOdsUbiquity][ODS Ubiquity Commands]]
   * [[VirtOAuth][Virtuoso OAuth Implementation]]
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtuosoOdsControllers][ODS Controllers]]      
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtODSOAuthQA][Testing Virtuoso OAuth with 3rd Party OAuth Clients]]
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtuosoOdsUbiquityTutorialsOAuth][OAuth Ubiquity Tutorial]]
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtOAuthTestTool][Virtuoso OAuth Test Tool for ODS Controllers]]
   * [[VirtOAuthSPARQL][Virtuoso SPARQL OAuth Tutorial]]
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtuosoOdsUbiquityTutorials][ODS Ubiquity Tutorials]]
   * [[http://ods.openlinksw.com/dataspace/dav/wiki/ODS/VirtOAuthExamples][OAuth Applications Authentication examples]]
   * [[http://oauth.net/core/1.0/][OAuth API]]