What’s the point of a timestamp in OAuth if a Nonce can only be used one time?

The timestamp is used for allowing the server to optimize their storage of nonces. Basically, consider the read nonce to be the combination of the timestamp and random string. But by having a separate timestamp component, the server can implement a time-based restriction using a short window (say, 15 minutes) and limit the amount of …

“An access token is required to request this resource” while accessing an album / photo with Facebook php sdk

There are 3 things you need. You need to OAuth with the owner of those photos (with the ‘user_photos’ extended permission). You need the access token (which you get returned in the URL box after the OAuth is done). When those are complete you can then access the photos like so: https://graph.facebook.com/me?access_token=ACCESS_TOKEN You can find …

Difference between OAuth 2.0 Two legged and Three legged implementation

First, the legs refer to the roles involved. A typical OAuth flow involves three parties: the end-user (or resource owner), the client (the third-party application), and the server (or authorization server). So a 3-legged flow involves all three. The term 2-legged is used to describe an OAuth-authenticated request without the end-user involved. Basically, it is …

Why is OAuth designed to have request token and access token?

For usability and security reasons. From the Beginner’s Guide to OAuth: https://hueniverse.com/beginners-guide-to-oauth-part-iii-security-architecture-e9394f5263b5 … While mostly an artifact of how the OAuth specification evolved, the two-token design offers some usability and security features which made it worthwhile to stay in the specification. OAuth operates on two channels: a front-channel which is used to engage the User …

What is an opaque token?

A JWT has readable content, as you can see for example on https://jwt.io/. Everyone can decode the token and read the information in it. The format is documented in RFC 7519. An opaque token on the other hand has a format that is not intended to be read by you. Only the issuer knows the …