20
votes

Why does OAuth include both an access token and an access token secret as two separate values? As a consumer of OAuth, all of the recommendations that I have seen indicate that I should store the token and secret together and essentially treat them as one value.

So why does the specification require two values in the first place?

2
I may have answered my own question, but I suspect the reason is indexing for the OAuth provider. A provider can efficiently look up a record by access token and then verify the access token secret, rather than having to look up a long and not-very-indexable combination. – John Bledsoe

2 Answers

23
votes

Actually, the access token secret is never transmitted to the provider. Instead, requests transmit the access token, and then use the secret to sign the request. That is why you need both: one to identify, and one to secure.

0
votes

There are two secrets: one is the token secret and the other is the consumer secret. The secrets are used to sign the requests (to generate the OAuth signature) but are not transmitted in the request header, whereas the token is sent in the header to identify the client and verify that it has access.
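
The following is an added example (not code from either answer, and not from any OAuth library) that works through what both answers describe for OAuth 1.0a with HMAC-SHA1: the client sends `oauth_token` and `oauth_consumer_key` in the `Authorization` header and signs the request with a key built from the consumer secret and the token secret; the provider looks the record up by the public token, as the question's comment suggests, and recomputes the signature with the stored secrets. The consumer key, token, secrets, nonce and timestamp are constructed demo values, and the provider's `CONSUMERS`/`TOKENS` dictionaries stand in for a real datastore.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlparse


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """Build METHOD&base_url&normalized_params (oauth_signature must not be in params)."""
    parsed = urlparse(url)
    base_url = f"{parsed.scheme.lower()}://{parsed.netloc.lower()}{parsed.path}"
    # Query-string parameters are signed too, so tampering with the URL breaks the signature.
    all_params = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string; the key is consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret,
                               token, token_secret, nonce, timestamp):
    """Client side: only the public identifiers and the signature go on the wire."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth_params)
    oauth_params["oauth_signature"] = sign(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


def parse_authorization_header(header):
    """Inverse of the header construction above."""
    if not header.startswith("OAuth "):
        raise ValueError("not an OAuth 1.0 Authorization header")
    params = {}
    for part in header[len("OAuth "):].split(", "):
        key, value = part.split("=", 1)
        params[unquote(key)] = unquote(value.strip('"'))
    return params


# Provider side: constructed demo records, indexed by the public identifiers.
CONSUMERS = {"demo-consumer-key": "demo-consumer-secret"}
TOKENS = {"demo-access-token": {"secret": "demo-token-secret", "consumer": "demo-consumer-key"}}


def verify_request(method, url, header):
    """Provider side: look up by token, then recompute and compare the signature."""
    params = parse_authorization_header(header)
    record = TOKENS.get(params.get("oauth_token"))
    if record is None or record["consumer"] != params.get("oauth_consumer_key"):
        return False
    presented = params.pop("oauth_signature", "")
    base = signature_base_string(method, url, params)
    expected = sign(base, CONSUMERS[record["consumer"]], record["secret"])
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    url = "https://api.example.test/resource?x=1"  # constructed
    header = build_authorization_header("GET", url, "demo-consumer-key", "demo-consumer-secret",
                                        "demo-access-token", "demo-token-secret", "abc123", 1700000000)
    print(header)
    print("secret on the wire:", "demo-token-secret" in header)
    print("verified:", verify_request("GET", url, header))
```

A replay check (nonce and timestamp tracking) is deliberately left out; the point here is only that the token is the lookup key and the secret never leaves either party.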