
OAuth 1.0 Authorization in Nokia Asha Web Apps


This article explains how OAuth 1.0 Authorization can be implemented in a Series 40 Web App.

Article Metadata
Code Example
Tested with
Device(s): Nokia X3-02
Platform(s): Series 40 Web Apps Version 1.5
Device(s): Series 40 devices supporting Web Apps
Created: isalento (08 Mar 2012)
Last edited: hamishwillee (24 Apr 2012)



OAuth is a commonly used authorization mechanism that allows users to grant a consumer application access to their private resources in a web service (the Service Provider). OAuth's key idea is to do this without the user ever exposing their credentials (username and password) to the consumer application. [1]

Example Flow


Because of the architecture of the S40 Web Apps platform and the technical requirements of the steps in the OAuth authorization flow (a redirect to the Service Provider's login page and a callback once the user has approved access), the implementation is divided into two parts. A PHP server acts as a proxy and mediates the authorization flow between the Web App and the Service Provider (e.g. Twitter). The PHP server handles the flow up to the point where the Service Provider has granted it an Access Token and Token Secret.

From that point onwards the proxy is no longer needed: the S40 Web App uses the Access Token and Token Secret to make authorized requests to the Service Provider directly.

Web App Side

Please see the attached web app (OauthProxySolution.zip) for the full source code. This section explains only the key parts.

* OAuth authentication helper server URL

    // URL of the PHP proxy script (phpproxy.php) on your own server.
    // Use https: the session ID and the consumer secret travel in the query string.
    var PHPProxyConfig = {
        login: "<www.your-server-url.ext/phpproxy.php>"
    };

* OAuth configuration

    // Consumer credentials and the Service Provider's OAuth 1.0 endpoints
    // (Twitter in this example). callbackUrl points back at the proxy so
    // that the proxy, not the web app, receives the authorization callback.
    var config = {
        consumerKey: "<your application's consumer key>",
        consumerSecret: "<your application's consumer secret>",
        requestTokenUrl: "https://api.twitter.com/oauth/request_token",
        authorizationUrl: "https://api.twitter.com/oauth/authorize",
        accessTokenUrl: "https://api.twitter.com/oauth/access_token",
        callbackUrl: PHPProxyConfig.login
    };

The very first thing to do is to log in to dev.twitter.com and create a new application. When registering, use the URL of the server where you will place phpproxy.php as the Callback URL.

Modify the PHPProxyConfig and config objects to match your Twitter application's OAuth settings. Note that this solution does not protect the Consumer Key or Consumer Secret: both are embedded in the web app and are sent to the proxy as query parameters, so anyone who can read the web app package or observe its traffic can obtain them. Treat them as public, and keep the proxy on HTTPS so that at least the tokens it later hands back are not exposed on the wire.

* Clicking the Log in link is the first step in the log-in process

    // Serialises the config object into extra query parameters for the proxy.
    // This helper is not shown in the article's excerpt; it is reconstructed here
    // from how the proxy reads requestTokenUrl, consumerKey etc. from the request.
    function configToURLComponent() {
        var query = "";
        for (var key in config) {
            if (config.hasOwnProperty(key)) {
                query += "&" + encodeURIComponent(key) + "=" + encodeURIComponent(config[key]);
            }
        }
        return query;
    }

    /**
     * Clicking the Log in link is the first step in the log-in process.
     * @param id  session ID obtained from the proxy (also stored in widget.preferences["id"])
     */
    function insertLoginLink(id) {
        var authURL = PHPProxyConfig.login + "?ID=" + widget.preferences["id"] + configToURLComponent();
        // mwl.loadURL() opens the proxy URL, and hence the Service Provider's
        // login page, on top of the web app.
        document.getElementById("login").innerHTML =
            "<div onclick=\"mwl.hide('#login');mwl.show('#logintwo');mwl.loadURL('" + authURL + "');\">Log in</div>";
    }

The second step is to connect to the PHP server to get a unique ID for the Web App. The ID is obtained by making a standard XMLHttpRequest to the URL defined in PHPProxyConfig.login without an ID parameter; the proxy starts a PHP session and returns its session ID. From then on this ID is sent with every request so that the server can tell the Web App's requests apart and find the right session. After the ID has been received, the log-in link is generated. Clicking this link opens a new web page on top of the Web App and initiates the login flow: the proxy obtains a request token, redirects the user to the Service Provider's authorization page and receives the callback. Once the flow is complete the user closes the web page, and the Web App fetches the Access Token and Token Secret from the server with another XMLHttpRequest carrying the same ID. Note that the ID is the only thing guarding those tokens on the proxy, so it must not be logged, shared or sent over plain HTTP.

* Gets the user timeline from Twitter

    // Makes the first authorized request using jsOAuth. The preference names
    // holding the tokens and the Twitter API v1 endpoint are assumptions of this
    // excerpt; adapt them to where your app stores the tokens and to the current API.
    function refreshTimeline() {
        var oauth = new OAuth(config);
        // Access token and token secret were fetched from the proxy (state 2)
        oauth.setAccessToken([widget.preferences["oauth_token"],
                              widget.preferences["oauth_token_secret"]]);
        oauth.get("https://api.twitter.com/1/statuses/user_timeline.json",
            function (data) {
                // success: data.text holds the JSON response body
                var timeline = JSON.parse(data.text);
                // ... render timeline entries here
            },
            function (data) {
                // failure: e.g. 401 when the tokens are missing or revoked
            });
    }

It is now time to make the first authorized request to the Service Provider. The request must be correctly composed and signed. With the HMAC-SHA1 method, OAuth 1.0 does not sign the payload as such; it signs a "signature base string" built from the HTTP method, the normalized request URL and the percent-encoded, sorted request parameters (query, form body and the oauth_* parameters), keyed with the consumer secret and the token secret. The encoding, sorting, nonce and timestamp rules are easy to get subtly wrong, so it is advisable to use a ready-made library. In this example jsOAuth by Rob Griffiths does the heavy lifting.

PHP Proxy

Below is the complete source code for the server-side logic. Note that it requires the PHP OAuth extension (PECL oauth). The script is a small state machine keyed on the session ID that the web app passes as the ID query parameter: with no ID it creates a session and returns the ID; in state 0 it stores the OAuth settings, fetches a request token and redirects to the provider; in state 1 (the provider's callback) it exchanges the request token for an access token; in state 2 it returns the access token and secret as JSON to the web app.

    <?php
    /**
     * phpproxy.php
     * Requires the PHP OAuth extension (PECL oauth).
     */

    // disable session cookies (the session ID travels as a URL parameter instead)
    ini_set('session.use_cookies', false);

    // if no session id, start a new session and hand its id to the web app
    if (empty($_REQUEST['ID'])) {
        session_start();
        exit(session_id());
    }

    // resume the session named by ID; session_id() accepts only [a-zA-Z0-9,-]
    if (!preg_match('/^[a-zA-Z0-9,-]{1,128}$/', $_REQUEST['ID'])) {
        header('HTTP/1.0 400 Bad Request');
        exit('Invalid ID.');
    }
    session_id($_REQUEST['ID']);
    session_start();

    // state 0: save oauth parameters supplied by the web app
    if (empty($_SESSION['state'])) {
        $_SESSION['requestTokenUrl'] = $_REQUEST['requestTokenUrl'];
        $_SESSION['authorizationUrl'] = $_REQUEST['authorizationUrl'];
        $_SESSION['accessTokenUrl'] = $_REQUEST['accessTokenUrl'];
        $_SESSION['consumerKey'] = $_REQUEST['consumerKey'];
        $_SESSION['consumerSecret'] = $_REQUEST['consumerSecret'];
        $_SESSION['callbackUrl'] = $_REQUEST['callbackUrl'];
    }

    $oauth = new OAuth($_SESSION['consumerKey'], $_SESSION['consumerSecret'],
                       OAUTH_SIG_METHOD_HMACSHA1, OAUTH_AUTH_TYPE_URI);

    // state 0: get request token and send the user to the provider's authorization page
    if (empty($_SESSION['state'])) {
        $request_token_info = $oauth->getRequestToken($_SESSION['requestTokenUrl'],
                                  "{$_SESSION['callbackUrl']}?ID=" . session_id());
        $_SESSION['secret'] = $request_token_info['oauth_token_secret'];
        $_SESSION['request_token'] = $request_token_info['oauth_token'];
        $_SESSION['state'] = 1;
        header("Location: {$_SESSION['authorizationUrl']}?oauth_token={$request_token_info['oauth_token']}");
        exit;
    }

    // state 1: the provider redirected back to the callback; exchange for an access token
    if ($_SESSION['state'] == 1) {
        if (empty($_GET['oauth_token'])) {
            header('HTTP/1.0 400 Bad Request');
            exit('Parameter missing: oauth_token.');
        }
        // added check: only accept the request token this session was issued
        if ($_GET['oauth_token'] !== $_SESSION['request_token']) {
            header('HTTP/1.0 400 Bad Request');
            exit('Unexpected oauth_token.');
        }
        $oauth->setToken($_GET['oauth_token'], $_SESSION['secret']);
        // getAccessToken() reads oauth_verifier from $_GET itself when the
        // provider sends one (OAuth 1.0a, as Twitter does)
        $access_token_info = $oauth->getAccessToken($_SESSION['accessTokenUrl']);
        $_SESSION['state'] = 2;
        $_SESSION['oauth_token'] = $access_token_info['oauth_token'];
        $_SESSION['oauth_token_secret'] = $access_token_info['oauth_token_secret'];
        exit('Authenticated successfully! You can close this window.');
    }

    // state 2: return the access token to the web app (anyone holding the ID can do this)
    if ($_SESSION['state'] == 2) {
        header('Content-type: application/json');
        if (empty($_SESSION['oauth_token']) || empty($_SESSION['oauth_token_secret'])) {
            header('HTTP/1.0 400 Bad Request');
            exit('Tokens not available.');
        }
        print json_encode(array(
            'oauth_token' => $_SESSION['oauth_token'],
            'oauth_token_secret' => $_SESSION['oauth_token_secret']
        ));
    }


The complete web app and proxy source is attached as OauthProxySolution.zip.
