OAuth/Owner-only consumers

Owner-only consumers are a method to use OAuth for authentication and permission control while avoiding most of the complexity of the OAuth protocol (which is in the grant authorization process). It's meant for bots and similar tools which always authenticate with the same user account. To use it, the target wiki must have version 1.27 or higher of the OAuth extension installed.

To work as an owner-only consumer, the application must take four strings as configuration settings: the consumer key, the consumer secret, the access token and the access secret. (The user can obtain those via . In case of a wikifarm, this needs to be done on the central wiki of the farm. In case of Wikimedia, it's at meta:Special:OAuthConsumerRegistration/propose. The option "owner-only" has to be checked.) The application can then authenticate API requests by adding an   header which is computed from those parameters as defined in the OAuth 1.0a standard; libraries exist in many languages to help with this.

(Some libraries call this the two-legged OAuth 1.0 protocol. The OAuth Bible more correctly calls it one-legged.)

The code snippets below assume the application uses a shared secret (HMAC-SHA1) for signing (i.e., the RSA field was left where  is the urlencoded,  -concatenated list of the request method, the request endpoint (ie. the full URL to ), and all the parameters of the request (GET, POST, and Authorization header, except   itself) in lexicographic order.

For example, computing the header in PHP would look like this (cutting some corners such as nested parameter handling):