OAuth 1.0 is a protocol that allows secure authorization in a decentralized manner using cryptographic signatures. Unlike OAuth 2.0, OAuth 1.0 does not use bearer tokens but rather digitally signed requests.
1. Understanding OAuth 1.0
OAuth 1.0 provides:
- Secure API access using signatures (HMAC-SHA1, RSA-SHA1, or PLAINTEXT; PLAINTEXT sends the secrets unsigned and is only acceptable over TLS)
- Request Token & Access Token exchange
- User authorization via a redirect-based flow
- Stateless communication between clients and servers
2. OAuth 1.0 Flow
The OAuth 1.0 flow follows these steps:
- Client requests a Request Token from the OAuth Provider.
- User authorizes the Request Token.
- Client exchanges the Request Token for an Access Token.
- Client uses the Access Token to access protected resources.
3. OAuth 1.0 vs OAuth 2.0
Feature | OAuth 1.0 | OAuth 2.0 |
---|---|---|
Token Type | Request & Access Tokens | Bearer Tokens |
Security | Signed requests | Token-based authentication |
Complexity | More complex (signatures) | Simpler (without signatures) |
Adoption | Older, less used | Widely used |
4. Implementing OAuth 1.0 in Spring Boot
Spring Security no longer supports OAuth 1.0 natively, but third-party libraries such as ScribeJava or Apache Oltu fill the gap.
4.1 Add Dependencies
```xml
<dependency>
    <groupId>com.github.scribejava</groupId>
    <artifactId>scribejava-core</artifactId>
    <version>8.3.3</version>
</dependency>
```
4.2 Create OAuth 1.0 Configuration
```java
import com.github.scribejava.core.builder.ServiceBuilder;
import com.github.scribejava.core.oauth.OAuth10aService;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class OAuth1Config {

    // Consumer credentials are read from application properties (the property
    // names are assumed here) so the consumer secret is never committed with the source.
    @Bean
    public OAuth10aService oAuth10aService(
            @Value("${oauth1.consumer-key}") String consumerKey,
            @Value("${oauth1.consumer-secret}") String consumerSecret) {
        return new ServiceBuilder(consumerKey)
                .apiSecret(consumerSecret)
                // must match the callback URL registered with the provider
                .callback("http://localhost:8080/oauth/callback")
                .build(new CustomOAuth1Api());
    }
}
```
4.3 Define Custom OAuth 1.0 API
```java
import com.github.scribejava.core.builder.api.DefaultApi10a;

// Describes the provider's three OAuth 1.0a endpoints; ScribeJava drives the
// request-token, authorization and access-token steps from these URLs.
public class CustomOAuth1Api extends DefaultApi10a {

    @Override
    public String getRequestTokenEndpoint() {
        return "https://provider.com/oauth/request_token";
    }

    @Override
    public String getAccessTokenEndpoint() {
        return "https://provider.com/oauth/access_token";
    }

    @Override
    protected String getAuthorizationBaseUrl() {
        return "https://provider.com/oauth/authorize";
    }
}
```
4.4 OAuth 1.0 Authentication Controller
```java
import com.github.scribejava.core.model.OAuth1AccessToken;
import com.github.scribejava.core.model.OAuth1RequestToken;
import com.github.scribejava.core.oauth.OAuth10aService;
import jakarta.servlet.http.HttpSession; // javax.servlet.http.HttpSession on Spring Boot 2
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;
import java.io.IOException;
import java.util.concurrent.ExecutionException;

@RestController
public class OAuth1Controller {
    private static final String REQUEST_TOKEN_ATTR = "oauth1RequestToken";
    private final OAuth10aService oAuth10aService;

    public OAuth1Controller(OAuth10aService oAuth10aService) {
        this.oAuth10aService = oAuth10aService;
    }

    @GetMapping("/oauth/request")
    public String getRequestToken(HttpSession session)
            throws IOException, ExecutionException, InterruptedException {
        OAuth1RequestToken requestToken = oAuth10aService.getRequestToken();
        // The controller is a singleton, so the request token belongs in the caller's
        // session; a controller field would be shared (and overwritten) by every user.
        session.setAttribute(REQUEST_TOKEN_ATTR, requestToken);
        return "Redirect user to: " + oAuth10aService.getAuthorizationUrl(requestToken);
    }

    @GetMapping("/oauth/callback")
    public String getAccessToken(@RequestParam("oauth_verifier") String oauthVerifier,
                                 @RequestParam(value = "oauth_token", required = false) String oauthToken,
                                 HttpSession session)
            throws IOException, ExecutionException, InterruptedException {
        OAuth1RequestToken requestToken = (OAuth1RequestToken) session.getAttribute(REQUEST_TOKEN_ATTR);
        if (requestToken == null) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "no pending request token");
        }
        // The provider echoes oauth_token in the callback; reject a verifier issued for another token.
        if (oauthToken != null && !oauthToken.equals(requestToken.getToken())) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "oauth_token mismatch");
        }
        session.removeAttribute(REQUEST_TOKEN_ATTR); // request tokens are single use
        OAuth1AccessToken accessToken = oAuth10aService.getAccessToken(requestToken, oauthVerifier);
        return "Access Token: " + accessToken.getToken();
    }
}
```
5. Testing OAuth 1.0 in Postman
- Get Request Token: GET http://localhost:8080/oauth/request
  - Copy the authorization URL and open it in the browser.
- Authorize the App
  - The provider redirects back with oauth_verifier.
- Exchange Request Token for Access Token: GET http://localhost:8080/oauth/callback?oauth_verifier=...
  - You receive an Access Token.
6. Debugging & Common Issues
- Invalid signature error: Ensure keys & secrets are correct.
- OAuth verifier missing: Check callback URL and OAuth provider response.
- 401 Unauthorized: Verify consumer key and secret.
7. Conclusion
OAuth 1.0 provides secure authentication via signed requests. Although OAuth 2.0 is more widely used today, OAuth 1.0 remains relevant for legacy systems. This guide demonstrated how to implement OAuth 1.0 in Spring Boot using ScribeJava.
Let me know if you have any questions! 🚀