Introduction to OAUTH Protocol

Abstract: The OAUTH protocol provides a secure, open and simple standard for authorizing access to user resources. Unlike earlier authorization methods, OAUTH authorization does not let the third party reach the user's account information (such as user name and password): the third party can apply for authorization to access the user's resources without ever using the user's user name and password, so OAUTH is secure. At the same time, any third party can use an OAUTH authentication service, and any service provider can implement its own OAUTH authentication service, so OAUTH is open. The industry provides a variety of OAUTH implementations, such as development kits for PHP, JavaScript, Java, Ruby and other languages, which saves programmers a great deal of time, so OAUTH is simple. At present many Internet services that expose an Open API, and many major companies such as Google, Yahoo and Microsoft, provide OAUTH authentication services, which is enough to show that the OAUTH standard has gradually become the standard for open resource authorization.

1. Background of OAUTH

    Typical case: a user has two services: one is an online image storage service A and the other is an online image printing service B, as shown in the figure below. Since service A and service B are offered by two different service providers, the user has registered an account on each provider's website, and we assume the two user names and passwords are different. When the user wants to use service B to print a picture stored on service A, what should the user do? Method 1: the user first downloads the picture to be printed from service A and then uploads it to service B for printing. This method is safe but cumbersome and inefficient. Method 2: the user gives service B the user name and password registered on service A, and service B uses the user's account to download the picture to be printed from service A. This method improves efficiency but greatly reduces security: service B can use the user's user name and password to view or even tamper with the user's resources on service A.

    Many companies and individuals, including Google, Yahoo and Microsoft, have tried to solve this kind of problem, which is what prompted the formation of the OAUTH project group. OAuth was initiated by Blaine Cook, Chris Messina, Larry Halff and David Recordon to provide an open standard for API access authorization. Version 1.0 of the OAuth specification was released on December 4, 2007. More related information can be read on the official website: http://oauth.net.

2. Introduction to OAUTH

    On the homepage of the official website, you can see the following introduction:

    An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

    Roughly, this means that OAUTH is an open protocol that provides a simple, standard way for desktop programs or browser-based web applications to access API services that require user authorization. OAUTH is similar to Flickr Auth, Google's AuthSub, Yahoo's BBAuth, Facebook Auth and so on. OAUTH authentication and authorization has the following characteristics:

1. Simple: easy for both OAUTH service providers and application developers to understand and use;

2. Secure: no user secret (such as the user's password) is involved, which is more secure and flexible;

3. Open: any service provider can implement OAUTH, and any software developer can use OAUTH.

3. Terms related to OAUTH

    Before figuring out the OAUTH process, let's first understand the definitions of some OAUTH terms:

  • Three URLs related to OAUTH:
    • Request Token URL: the service address for obtaining an unauthorized Request Token;
    • User Authorization URL: the service address for obtaining a user-authorized Request Token;
    • Access Token URL: the service address for exchanging the authorized Request Token for an Access Token;

  • OAUTH related parameter definitions:
    • oauth_consumer_key: the identifier of the consumer. The direct user of the OAUTH service is the application written by the developer, so this value is normally obtained by registering an application with the OAUTH service provider, which then hands out the application's oauth_consumer_key. For example, the registration address for this value at Yahoo is: https://developer.yahoo.com/dashboard/
    • oauth_consumer_secret: the secret corresponding to oauth_consumer_key.
    • oauth_signature_method: the method used to sign the request string. The application must sign every request it sends to the three OAUTH service addresses. There are three signature methods: HMAC-SHA1, RSA-SHA1 and PLAINTEXT.
    • oauth_signature: the signature of the request, computed with the signature method above.
    • oauth_timestamp: the timestamp at which the request was initiated; the value is the number of seconds since 00:00:00 GMT on 1 January 1970 and must be a positive integer. The timestamp of each request must be greater than or equal to that of the previous request.
    • oauth_nonce: a randomly generated string used to prevent requests from being replayed and to block illegitimate requests from outside.
    • oauth_version: the OAUTH version number; optional, and if present its value must be 1.0.

  OAUTH HTTP response codes:

  • HTTP 400 Bad Request: request error
    • Unsupported parameter: parameter error
    • Unsupported signature method: signature method error
    • Missing required parameter: a parameter is missing
    • Duplicated OAuth Protocol Parameter: a parameter is repeated
  • HTTP 401 Unauthorized: not authorized
    • Invalid Consumer Key: invalid key
    • Invalid / expired Token: expired or invalid token
    • Invalid signature: invalid signature
    • Invalid / used nonce: invalid nonce

4. The OAUTH authentication and authorization flow

    Now that the OAUTH terms are clear, we can take a first look at the OAUTH authentication and authorization flow. Put simply, OAUTH authorization is just three steps, which three sentences can summarize:

1. Obtain an unauthorized Request Token

2. Obtain a user-authorized Request Token

3. Exchange the authorized Request Token for an Access Token

    Once the application holds the Access Token, it may access the resources the user has authorized. As you have probably noticed, these three steps correspond exactly to the three OAUTH URL service addresses. In each of the three steps the application requests one URL, receives the related information, and carries the information from the previous step into the request to the next URL, until it obtains the Access Token. The concrete steps are shown in the figure below:

The details of each step are as follows:

A. The consumer (the third-party software) asks the OAUTH service provider for an unauthorized Request Token by sending a request to the Request Token URL; the parameters the request must carry are shown in the figure above.

B. The OAUTH service provider accepts the consumer's request and issues it an oauth_token that the user has not yet authorized, together with the corresponding oauth_token_secret, returning both to the consumer.

C. The consumer asks the OAUTH service provider for a user-authorized Request Token by sending a request to the User Authorization URL that carries the unauthorized token and its secret obtained in the previous step.

D. The OAUTH service provider guides the user through authorization. This process may prompt the user with which protected resources they want to authorize to the application. This step may or may not return the authorized Request Token; Yahoo's OAUTH, for example, returns nothing to the consumer.

E. After the Request Token has been authorized, the consumer sends a request to the Access Token URL to exchange the Request Token authorized in the previous step for an Access Token. The request parameters are shown in the figure above; compared with step A there is one extra parameter, the Request Token.

F. The OAUTH service provider accepts the consumer's request, issues it an Access Token with the corresponding secret, and returns both to the consumer.

G. From then on the consumer can use the Access Token returned in the previous step to access the resources the user has authorized.

    As the steps above show, the user never hands their user name, password or similar information to the consumer (the third-party software), which makes the scheme more secure. Applying OAUTH to the typical case from the Background section: when service B (the printing service) wants to access the user's service A (the image service), service B uses the OAUTH mechanism to request an unauthorized Request Token from service A; service A then guides the user to log in on service A's own website and asks the user whether to authorize the image service to service B. Once the user agrees, service B can access the user's images on service A. Throughout the whole process service B never touches the user's account information on service A. This is shown in the figure below, where the letters correspond to the letters of the OAUTH flow:
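To make the order of steps A to G concrete, here is an added Python sketch of a provider's token bookkeeping (a constructed example, not the code of Yahoo or of any OAUTH library; request signing is left out so the focus stays on token state). It enforces what the flow relies on: a Request Token is useless until the user authorizes it, it can be exchanged only once and only by the consumer it was issued to, and the consumer never sees the user's password. The consumer key "printshop", the user names and the photo names are all constructed.

```python
"""Token state machine for the three OAuth 1.0 steps (A-G above).
Added, constructed example of a mock provider; request signing is omitted here."""
import hmac
import secrets
import time


class MockProvider:
    """Holds Request and Access Tokens and enforces the order: unauthorized -> authorized -> exchanged."""

    def __init__(self, consumer_keys, ttl_seconds=600):
        self.consumer_keys = set(consumer_keys)   # registered oauth_consumer_key values
        self.ttl = ttl_seconds                    # how long an unexchanged Request Token stays valid
        self.request_tokens = {}                  # token -> secret, consumer, state, user, issued
        self.access_tokens = {}                   # token -> secret, consumer, user

    # Steps A/B: Request Token URL
    def request_token(self, consumer_key, now=None):
        if consumer_key not in self.consumer_keys:
            raise PermissionError("401 Invalid Consumer Key")
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "state": "unauthorized",
                                      "user": None, "issued": time.time() if now is None else now}
        return token, secret

    # Steps C/D: User Authorization URL; the user, logged in at the provider, is the caller here,
    # so the consumer never handles the user's credentials.
    def authorize(self, token, user, approved=True):
        rec = self.request_tokens.get(token)
        if rec is None or rec["state"] != "unauthorized":
            raise PermissionError("401 Invalid / expired Token")
        if not approved:
            del self.request_tokens[token]        # a denied token can never be exchanged
            return False
        rec["state"], rec["user"] = "authorized", user
        return True

    # Steps E/F: Access Token URL
    def access_token(self, consumer_key, token, token_secret, now=None):
        rec = self.request_tokens.get(token)
        now = time.time() if now is None else now
        if rec is None or rec["consumer"] != consumer_key or not hmac.compare_digest(rec["secret"], token_secret):
            raise PermissionError("401 Invalid / expired Token")
        if rec["state"] != "authorized" or now - rec["issued"] > self.ttl:
            raise PermissionError("401 Invalid / expired Token")
        del self.request_tokens[token]            # single use: the Request Token is consumed
        at, at_secret = secrets.token_hex(16), secrets.token_hex(16)
        self.access_tokens[at] = {"secret": at_secret, "consumer": consumer_key, "user": rec["user"]}
        return at, at_secret

    # Step G: the protected resource (constructed sample data)
    def protected_resource(self, consumer_key, token):
        rec = self.access_tokens.get(token)
        if rec is None or rec["consumer"] != consumer_key:
            raise PermissionError("401 Invalid / expired Token")
        return {"owner": rec["user"], "photos": ["holiday-01.jpg", "holiday-02.jpg"]}


def run_flow(provider, consumer_key, user, approved=True):
    """Walk steps A-G for one consumer and user; returns None if the user declines."""
    rt, rt_secret = provider.request_token(consumer_key)                 # A/B
    if not provider.authorize(rt, user, approved):                        # C/D
        return None
    at, at_secret = provider.access_token(consumer_key, rt, rt_secret)   # E/F
    return provider.protected_resource(consumer_key, at)                  # G


if __name__ == "__main__":
    provider = MockProvider({"printshop"})
    print(run_flow(provider, "printshop", "alice"))                        # the owner's photos
    print(run_flow(provider, "printshop", "alice", approved=False))        # None
```

The two rejections to look for in a real provider are the ones this sketch raises as "Invalid / expired Token": exchanging a Request Token that the user has not yet authorized (step E before step D), and exchanging the same Request Token twice.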


5. OAUTH service providers

    Less than two years have passed since the OAUTH standard was proposed, yet it has been very successful. Not only are there libraries in many languages, but Internet giants such as Google, Yahoo and Microsoft have implemented the OAUTH protocol. Since there are already many OAUTH client packages, there is no need to write our own and reinvent the wheel; we can simply take them and use them. I have used these libraries to access the Yahoo OAUTH service, and they work very nicely! Below I share a few screenshots with you.

    The figure below shows the OAUTH service provider guiding the user to log in (if the user was not logged in at the start).

    The figure below is the page that tells the user which third-party application is requesting authorization and asks whether to grant it.

    The figure below shows the message telling the user that the authorization succeeded.

    Some service providers not only implement the functions in the OAUTH protocol but also offer friendlier extras, such as a service for managing the authorizations granted to third-party software. The figure below is Yahoo's page for managing application authorizations, where the user can revoke the authorization of some applications.

http://blog.csdn.net/hereweare2009/article/details/3968582/

http://blog.jobbole.com/49211/
