If the Consumer is incapable of automatic HTTP redirection, the Consumer SHALL notify the User how to manually go to the constructed request URL.
Once the request URL has been constructed the Consumer redirects the User to the URL via the User's web browser.
More generally, OAuth creates a freely-implementable and generic methodology for API authentication. To make sure that the User granting access is the same User returning back to the Consumer to complete the process, the Service Provider MUST generate a verification code: an unguessable value passed to the Consumer via the User and REQUIRED to complete the process.
Denial of Service / Resource Exhaustion Attacks 11.12. Hexadecimal characters in encodings MUST be upper case.
The Consumer Developer MAY also be required to provide additional information to the Service Provider upon registration. Characters in the unreserved character set MUST NOT be encoded.
An open standard, supported by large and small providers alike, promotes a consistent and trusted experience for both application developers and the users of those applications. The Request Token and Token Secret MUST be exchanged for an Access Token and Token Secret.
OAuth does not specify how the Service Provider authenticates the User.