OAuth/Owner-only consumers

Owner-only consumers are a way to use OAuth for authentication and permission control while avoiding most of the complexity of the OAuth protocol (which lies in the authorization grant process). It is meant for bots and similar tools that always authenticate with the same user account. To use it, the target wiki must have version 1.27 or higher of the OAuth extension installed.

OAuth 2
Using an owner-only app in OAuth 2 is very simple. Just register the app via  (make sure to set the protocol version to 2.0) with the option "owner-only" checked. (In case of a wikifarm, the special page is only available on the central wiki of the farm. In case of Wikimedia, it's at meta:Special:OAuthConsumerRegistration/propose.) Then, record the access token that's shown when submitting the form, and sign your API requests by adding the HTTP header.

OAuth 1
To work as an owner-only consumer, the application must take four strings as configuration settings: the consumer key, the consumer secret, the access token and the access secret. The user can obtain those via. The option "owner-only" has to be checked. (In case of a wikifarm, the special page is only available on the central wiki of the farm. In case of Wikimedia, it's at meta:Special:OAuthConsumerRegistration/propose.)

The application can then authenticate API requests by adding an Authorization header which is computed from those four parameters as defined in the [http://oauth.net/core/1.0a/#auth_header OAuth 1.0a standard]; libraries exist [http://oauth.net/code/ in many languages] to help with this.

Some libraries call this the two-legged OAuth 1.0 protocol. [https://github.com/Kong/mashape-oauth/blob/master/FLOWS.md The OAuth Bible] more correctly calls it one-legged.

Some sources call the consumer key a "client ID", the consumer secret a "client secret", the access token just a "token", and the access secret a "token secret".

The code snippets below assume the application uses a shared secret (HMAC-SHA1) for signing (i.e., the RSA field was left empty at registration).

PHP
Using oauthclient-php:

Using the PECL package:

Python
Using [https://requests-oauthlib.readthedocs.org/en/latest/ requests_oauthlib]:

Perl
Using Net::OAuth:

To generate the nonce, you could just do something like, but using a random number generator such as Bytes::Random::Secure would be more secure:

Awk / shell
Using GNU Awk and openssl. Function library in [https://github.com/greencardamom/Wikiget Wikiget].

Java
Using [https://github.com/scribejava/scribejava/blob/master/scribejava-apis/src/test/java/com/github/scribejava/apis/examples/MediaWikiExample.java ScribeJava]:

Algorithm
Authorization: OAuth oauth_consumer_key=" ", oauth_token=" ", oauth_signature_method="HMAC-SHA1", oauth_signature="", oauth_timestamp="", oauth_nonce=" ", oauth_version="1.0" where  is the urlencoded,  -concatenated list of the request method, the request endpoint (i.e. the full URL to  ), and all the parameters of the request (GET, POST, and Authorization header, except   itself) in lexicographic order.

For example, computing the header in PHP would look like this (cutting some corners such as nested parameter handling):
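The same computation written out in Python using only the standard library, as an added example (it is neither the page's own PHP snippet nor requests_oauthlib from the Python section). It covers the HMAC-SHA1 case the snippets assume, draws the nonce from the OS CSPRNG (the concern raised in the Perl section), and adds the matching server-side check so the "all parameters except oauth_signature" rule can be seen from both ends. The wiki URL and every credential are constructed placeholders; the signing-key rule (consumer secret and access secret joined with "&") and the base-string rules follow OAuth 1.0a / RFC 5849, not anything specific to this page.

```python
"""Owner-only OAuth 1.0a signing (HMAC-SHA1) for a MediaWiki api.php request, stdlib only.
Added example: not the page's own snippet, no OAuth library involved.
Every credential and URL below is a constructed placeholder."""
import base64
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def percent_encode(value):
    """OAuth 1.0a uses strict RFC 3986 encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def base_url(url):
    """Lowercase scheme and host, drop default ports, strip query and fragment."""
    p = urlsplit(url)
    scheme, netloc = p.scheme.lower(), p.netloc.lower()
    if (scheme == "http" and netloc.endswith(":80")) or (scheme == "https" and netloc.endswith(":443")):
        netloc = netloc.rsplit(":", 1)[0]
    return f"{scheme}://{netloc}{p.path}"


def collect_parameters(url, body_params, oauth_params):
    """Everything that gets signed: query string, POST body and oauth_* header parameters,
    minus oauth_signature (it cannot sign itself) and realm (never part of the base string)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list(body_params.items()) if isinstance(body_params, dict) else list(body_params)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    return pairs


def signature_base_string(method, url, params):
    """METHOD & encode(base URL) & encode(lexicographically sorted key=value pairs joined with &)."""
    encoded = sorted((percent_encode(k), percent_encode(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), percent_encode(base_url(url)), percent_encode(normalized)])


def hmac_sha1(base_string, consumer_secret, access_secret):
    """Signing key is 'consumer_secret&access_secret' (both encoded); the result is base64."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(access_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, body_params, creds, timestamp=None, nonce=None):
    """Client side: the Authorization header value for one request."""
    oauth_params = {
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["access_token"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        # a fresh, unpredictable nonce per request from the OS CSPRNG
        "oauth_nonce": secrets.token_hex(16) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, collect_parameters(url, body_params, oauth_params))
    oauth_params["oauth_signature"] = hmac_sha1(base, creds["consumer_secret"], creds["access_secret"])
    return "OAuth " + ", ".join(f'{k}="{percent_encode(v)}"' for k, v in oauth_params.items())


_PAIR = re.compile(r'([A-Za-z0-9_]+)="([^"]*)"')


def verify_authorization_header(header, method, url, body_params, creds,
                                max_skew=300, now=None, seen_nonces=None):
    """Server side: recompute the signature from the received parameters and compare in
    constant time; reject stale timestamps and, if a store is given, replayed nonces."""
    if not header.startswith("OAuth "):
        return False
    received = {k: unquote(v) for k, v in _PAIR.findall(header[len("OAuth "):])}
    required = {"oauth_consumer_key", "oauth_token", "oauth_signature_method",
                "oauth_signature", "oauth_timestamp", "oauth_nonce"}
    if not required.issubset(received):
        return False
    if (received["oauth_consumer_key"] != creds["consumer_key"]
            or received["oauth_token"] != creds["access_token"]
            or received["oauth_signature_method"] != "HMAC-SHA1"):
        return False
    try:
        ts = int(received["oauth_timestamp"])
    except ValueError:
        return False
    if abs((int(time.time()) if now is None else now) - ts) > max_skew:
        return False
    base = signature_base_string(method, url, collect_parameters(url, body_params, received))
    expected = hmac_sha1(base, creds["consumer_secret"], creds["access_secret"])
    if not hmac.compare_digest(expected, received["oauth_signature"]):
        return False
    # only a validly signed request may consume a nonce, so forgeries cannot burn them
    if seen_nonces is not None:
        if received["oauth_nonce"] in seen_nonces:
            return False
        seen_nonces.add(received["oauth_nonce"])
    return True


if __name__ == "__main__":
    CREDS = {"consumer_key": "PLACEHOLDER_CONSUMER_KEY", "consumer_secret": "PLACEHOLDER_CONSUMER_SECRET",
             "access_token": "PLACEHOLDER_ACCESS_TOKEN", "access_secret": "PLACEHOLDER_ACCESS_SECRET"}
    URL = "https://wiki.example.org/w/api.php"  # constructed endpoint, not a real wiki
    BODY = {"action": "query", "meta": "userinfo", "format": "json"}
    hdr = build_authorization_header("POST", URL, BODY, CREDS)
    print(hdr)
    print("verifies:", verify_authorization_header(hdr, "POST", URL, BODY, CREDS))
```

`collect_parameters` is where the nested-parameter corner the PHP remark mentions would have to be handled; this version signs flat key/value pairs only, which is all api.php needs. On the verifying side the order of checks matters: the signature is compared before the nonce is recorded, so an unsigned replay cannot exhaust nonces, and `hmac.compare_digest` keeps the comparison constant-time.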