OAuth/Owner-only consumers

Owner-only consumers are a method to use OAuth for authentication and permission control while avoiding most of the complexity of the OAuth protocol (which is in the grant authorization process). It's meant for bots and similar tools which always authenticate with the same user account. To use it, the target wiki must have a recent version (1.27+) of the OAuth extension installed.

To work as an owner-only consumer, the application must take four strings as configuration settings: the consumer key, the consumer secret, the access token and the access secret. (The user can obtain those via . In case of a wikifarm, this needs to be done on the central wiki of the farm. In case of Wikimedia, it's at meta:Special:OAuthConsumerRegistration/propose. The option "owner-only" has to be checked.) The application can then authenticate API requests by adding an   header which is computed from those parameters as defined in the OAuth 1.0a standard; libraries exist in many languages to help ith this.

(Some libraries call this the two-legged OAuth 1.0 protocol. The OAuth Bible more correctly calls it one-legged.)

PHP
Using oauthclient-php:

Using the PECL package:

Python
Using requests_oauthlib:

Perl
Using Net::OAuth:

To generate the nonce, you could just do something like, but using a random number generator such as Bytes::Random::Secure would be more secure:

Algorithm
Authorization: OAuth oauth_consumer_key=" ", oauth_token=" ", oauth_signature_method="HMAC-SHA1", oauth_signature="", oauth_timestamp="", oauth_nonce=" ", oauth_version="1.0" where  is the urlencoded,  -concatenated list of the request method, the request endpoint (ie. the full URL to  ), and all the parameters of the request (GET, POST, and Authorization header, except   itself) in lexicographic order.

For example, computing the header in PHP would look like this (cutting some corners such as nested parameter handling):