Hello,

I am trying to familiarize myself with the OAuth API authentication process.

I was successful in getting an API access token, but I am struggling to understand how to make signed requests.

PRIMER:

To implement the OAuth from my server I used the library http://code.google.com/p/oauth-php/

I got the consumer API key and the consumer API secret from the service provider

After much trial and error, I was able to

1) get a Request Token

2) then the user (myself in this case) was redirected to service provider

3) after the user granted access to consumer, service provider redirected user to consumer's "callback" url

4) then I exchanged the request token for an access token, the results I get include an access token and a token secret

AND THEN I UNDERSTAND I should be able to make "signed requests"

from the library I used, I do this by calling two methods,

a) create a new OAuth object (from documentation "obtain a request object for the request we want to make")
and
b) OAuthobject->doRequest ("sign the request, perform curl request and return results...")

Making signed requests is where I am confused.

Do I need to get an access token every time I try to access a protected resource?

I imagine not, but the API I accessed required "signed OAuth headers" for CERTAIN resources. In other words, I would go through the whole process once, and I would be able to access some images WITHOUT going through the getting request token and getting access token part. But to access these other resources, the ones that indicated the consumer needed "signed OAuth headers" to make requests, I would have to go through the whole process, get a request token, exchange the request token for an access token, and then I could retrieve these.

I imagine that perhaps I am doing extra work, and I do not need to get the request token nor exchange the request-access token, since it is stored in my database, and I suspect there must be a live term data associated with it. But since I don't know, I am having to go through the whole cycle.

How would I make a correct "signed request" w/o having the user authorize access and then getting a new access token?

I hope that what I wrote above gives you an idea of how I view the OAuth model. I would like a reader to help me get a clear idea of how the cycle goes. How can I retrieve the resources w/o having to get user authorization every time?

Thank you

For those landing in this post looking to understand OAuth process, you can look at this image "OAuth Authentication Flow": http://oauth.net/core/diagram.png
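The signing step asked about above, as an added example that is not part of the original post and not code from oauth-php: an OAuth 1.0 HMAC-SHA1 signature is computed per request from the stored access token and token secret, with only the nonce and timestamp changing between requests. The function names are hypothetical, parameters are assumed single-valued, and the credentials are the published test values from Appendix A of the OAuth Core 1.0 specification.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    """OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay as-is."""
    return quote(str(value), safe="")

def base_string(method, url, params):
    """METHOD & encoded URL (no query string) & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def authorization_header(method, url, query, consumer, token, nonce=None, timestamp=None):
    """Sign one request with a stored access token; nonce and timestamp are per request."""
    oauth = {
        "oauth_consumer_key": consumer["key"],
        "oauth_token": token["key"],
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    # The signature covers the query parameters and every oauth_* parameter.
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth},
                                    consumer["secret"], token["secret"])
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(oauth.items()))

# Test values from the example in Appendix A of the OAuth Core 1.0 specification,
# standing in for the consumer credentials and the token pair kept in the database.
CONSUMER = {"key": "dpf43f3p2l4k3l03", "secret": "kd94hf93k423kf44"}
STORED_TOKEN = {"key": "nnch734d00sl2jdk", "secret": "pfkkdhi9sl3r4s00"}
URL = "http://photos.example.net/photos"
QUERY = {"file": "vacation.jpg", "size": "original"}

if __name__ == "__main__":
    # Two requests for the same resource: same stored token, different signatures.
    for _ in range(2):
        print(authorization_header("GET", URL, QUERY, CONSUMER, STORED_TOKEN))
```

The token secret never appears in the header; it is only used as part of the HMAC key, which is why it has to be stored alongside the access token.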