Plain text workflow
The user is asked to sign in (if they haven’t already) and then asked whether to allow or deny your application access. When the user clicks the Allow button, they will be redirected to the callback address you provided in the first step, with the oauth_token and oauth_verifier as query string parameters.
By making a POST request to with the Authorization header, we will get back an oauth_token and oauth_token_secret. To make the Authorization header, you simply append all the values starting with "OAuth". URL encoding is defined specifically in the OAuth 1.0 spec. These characters must not be encoded: alphanumeric characters, "-", ".", "_", "~". All other characters must be encoded (including space, which must be encoded as %20). Additionally, the two hexadecimal characters used to represent encoded characters must be uppercase. Remember the oauth_token and oauth_token_secret in your application. Point the user to using the token you just got back.
The oauth_signature is your consumer secret followed by & at the end. You will need to properly encode the & by percent-encoding it as %26: oauth_signature=160FCF77971DC92A38596288DB071A8CA5%26. For information on how this changes the process, see Differences with the out-of-band flow.
PLAIN TEXT WORKFLOW REGISTRATION
If you didn't register a callback upon registration and opted to use the out-of-band flow (which provides the user with a PIN at the end), then specify this as "oob". If you omit it, then the default callback will be used.
Your oauth_callback was set when registering your application; you must use this callback or omit it completely. (Note: the oauth_callback value is case-sensitive and must match one of your callback domains or the default callback registered with your application.) Using our example consumer credentials it will look like this: