

About OAuth

Platform API

Last updated on October 11, 2019

The following section briefly describes the concepts and workflow of the OAuth authentication process.

For more details about OAuth, refer to RFC 5849.

OAuth Roles

The OAuth process involves the following three entities:

The diagram above shows the following:

  • The arrow between the User and Consumer shows that a request and response is made between the two.
  • The arrow between the Consumer and the Service Provider shows that a request and response takes place between the two.
  • The arrow at the bottom shows that, after the OAuth process, the User is able to access resources from the Service Provider.

| OAuth Role | Description | OpenX Implementation |
|---|---|---|
| Service Provider | A web application that allows access via OAuth. | OpenX |
| Consumer | A website or application that uses OAuth to access the Service Provider on behalf of the User. | Your client application |
| User | An individual who has an account with the Service Provider. | Users of your client application |


OAuth defines three request URLs:

| URL Type | Description | OpenX Implementation |
|---|---|---|
| Request Token URL | Used to obtain an unauthorized Request Token | |
| User Authorization URL | Used to obtain User authorization for Consumer access | Browser-based: |
| Access Token URL | Used to exchange the User-authorized Request Token for an Access Token | |


For a complete list of parameters, see the OAuth specification. There are a few parameters worth mentioning:

  • oauth_nonce: This parameter contains a nonce or “only once string”; it is a unique string that changes on each OAuth request. There is no specification on how the nonce should be constructed, but it is important to make sure it changes on each call; it is how the server knows there are no duplicate requests.
    Note: This parameter cannot contain a / even if it is encoded, because the OpenX SSO cannot handle a /. If it does, an "Invalid Request: Missing nonce" error occurs for the step.
  • oauth_token: This value changes based on the stage of the OAuth handshake. Before authorization and when getting a request token, this parameter is excluded entirely. When retrieving an access token, this parameter is set to the request token. Once an access token has been obtained, this parameter is set to the access token for all future requests.
  • UNIX timestamp: The oauth_timestamp field requires a UNIX timestamp. Some programming libraries may provide a function for this.
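
The three parameters above in code, as an added example that is not OpenX's own: a client-side builder that picks a "/"-free nonce and sets oauth_token by handshake stage, plus a sketch of the duplicate-request check a server can run on nonce and timestamp. The stage names, the ReplayGuard class and its 5-minute window are assumptions made for illustration.

```python
import secrets
import time

def make_nonce():
    # 128 bits from the OS CSPRNG as hex: changes on every call and can never
    # contain "/" in raw or percent-encoded form.
    return secrets.token_hex(16)

def nonce_is_safe(nonce):
    # Pre-flight check for nonces produced elsewhere (e.g. base64 output).
    return bool(nonce) and "/" not in nonce and "%2f" not in nonce.lower()

def oauth_params(consumer_key, stage, token=None, now=None):
    # Stage names are hypothetical labels for the three cases the page lists.
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": make_nonce(),
        "oauth_timestamp": str(int(time.time() if now is None else now)),
    }
    if stage == "request_token":
        if token is not None:
            raise ValueError("oauth_token is excluded when getting a request token")
    elif stage in ("access_token", "api_call"):
        if not token:
            raise ValueError(stage + " requires the request/access token")
        params["oauth_token"] = token  # request token first, access token later
    else:
        raise ValueError("unknown stage: " + stage)
    return params

class ReplayGuard:
    # Illustrative server-side duplicate check, not OpenX's implementation.
    def __init__(self, max_skew=300):  # assumed 5-minute acceptance window
        self.max_skew = max_skew
        self.seen = {}  # (consumer key, token, nonce) -> timestamp
    def check(self, params, now=None):
        now = int(time.time() if now is None else now)
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.max_skew:
            return "stale timestamp"
        if not nonce_is_safe(params.get("oauth_nonce", "")):
            return "invalid nonce"
        # Aged-out entries can go: replaying them fails the timestamp check.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_skew}
        key = (params["oauth_consumer_key"], params.get("oauth_token"), params["oauth_nonce"])
        if key in self.seen:
            return "duplicate request"
        self.seen[key] = ts
        return "ok"
```

Bounding the timestamp window is what keeps the nonce store small: the server only has to remember nonces for as long as their timestamps would still be accepted.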

Process Overview

The following graphic illustrates the flow of information in the OAuth process. It basically takes place in three steps:

  • The Consumer obtains an unauthorized Request Token (Steps 1.1 and 1.2)
  • The User authorizes the Request Token (Steps 2.1, 2.2, and 2.3)
  • The Consumer exchanges the Request Token for an Access Token (Steps 3.1 and 3.2)

The numbered steps in the graphic correspond to the numbered steps in this section.

Solid arrow: Person using web browser/Manual entry
Dotted arrow: Consumer/Service Provider