Introduction to OAuth Authorization
By Jiaming
Introduction
What is OAuth?
OAuth is an authentication protocol that allows users to approve an application to act on their behalf without sharing their password.
(cited from https://dev.twitter.com/oauth/overview/faq)
To put it concretely: typical examples are logging into another platform with a Twitter or Google account, and authorizing a third-party app to access a user's data on Twitter.
Main characteristics:
(1) Simple: easy to understand and use, for OAuth service providers and application developers alike;
(2) Secure: the user's password is never shared with the third party, which makes the scheme both safer and more flexible;
(3) Open: any service provider can implement OAuth, and any software vendor can use it.
Here is one application of OAuth (Figures 1 and 2 show consecutive stages of the same process).
When the user chooses to log in with a Google account, the browser is redirected to the dialog below, where the user picks the specific account and signs in.
In this process, Quora is the Consumer, Google/Facebook/Twitter are the Providers, and the person logging in is the User. The user wants to log into Quora with a Google/Facebook/Twitter account; the user never has to give Quora a password, and the Provider instead hands Quora some basic profile information such as name, gender and account name.
OAuth 2.0 is currently the most widely used form of authorization; many APIs use it to grant access to third-party platforms, which in turn enables a lot of interesting features for apps and platforms. For example, a platform can import the user's list of friends on Twitter or Google Plus, or directly fetch the user's tweets and posts.
Some large companies whose APIs currently use OAuth:
OAuth 1.0A
1. Twitter
OAuth 2.0
1. Google
2. YouTube
3. LinkedIn
4. Coursera
5. Paypal
How OAuth works
OAuth 2.0 has three main components:
- Authorization code: used to verify the identity of the third-party web server; very short-lived, 10 minutes
- Access token: the credential presented on every access to the user's data; lifetime 1 hour
- Refresh token: never expires, but the user retains the right to revoke the authorization. When the access token expires, the refresh token is used to obtain a new access token from Google
Process
1) and 2): these requests correspond to the first two figures. The user logs into Google Plus and tells the API to authorize the third-party web server to access their Google Plus data.
3) Step 3 yields the authorization code.
4) Because the authorization code lives only a few minutes and can be used only once, the web server must immediately exchange it for an access token and a refresh token.
5) The web server receives the access token and the refresh token.
6) The access token can now be used to request the user's data on Google Plus.
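The six steps above, together with the three token lifetimes from the component list, as an added illustration that is not the post's own Flask server and not Google's API: both sides of the exchange are simulated in one process, with a hypothetical `TokenServer` standing in for the provider's authorize and token endpoints and a `WebServerClient` playing the third-party web server. The provider URL, client id and secret are made up for the example. The code shows why step 4 says "immediately" (the code expires and is single use), why the callback carries a `state` value (so the server only accepts callbacks it started), and how the refresh token outlives the access token until the user revokes it.

```python
"""Simulated OAuth 2.0 authorization-code flow with both sides in one process.
Added illustration, not the post's Flask server and not Google's API: TokenServer
is a hypothetical stand-in for the provider's authorize/token endpoints so the
exchange runs offline. Lifetimes follow the post (code 10 min, single use;
access token 1 h; refresh token lives until the user revokes it)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_CODE_TTL = 10 * 60     # seconds
ACCESS_TOKEN_TTL = 60 * 60  # seconds


class TokenServer:
    """Hypothetical provider (the Google side of the exchange)."""

    def __init__(self, clients, now=time.time):
        self.clients = clients    # client_id -> {"secret": ..., "redirect_uri": ...}
        self.now = now            # injectable clock so expiry is testable
        self.codes = {}           # code -> (client_id, redirect_uri, issued_at)
        self.refresh_tokens = {}  # refresh_token -> client_id
        self.access_tokens = {}   # access_token -> expires_at

    def authorize(self, client_id, redirect_uri, state):
        """Steps 2-3: the user clicked Allow; redirect back with a one-time code."""
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, self.now())
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _new_access_token(self):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = self.now() + ACCESS_TOKEN_TTL
        return token

    def token(self, grant_type, client_id, client_secret, **params):
        """Steps 4-5: the token endpoint for both grant types."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)  # pop: a code is single use
            if entry is None:
                raise PermissionError("invalid_grant")
            owner, uri, issued_at = entry
            if (owner != client_id or uri != params.get("redirect_uri")
                    or self.now() - issued_at > AUTH_CODE_TTL):
                raise PermissionError("invalid_grant")
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = client_id
            return {"access_token": self._new_access_token(),
                    "refresh_token": refresh, "expires_in": ACCESS_TOKEN_TTL}
        if grant_type == "refresh_token":
            if self.refresh_tokens.get(params.get("refresh_token")) != client_id:
                raise PermissionError("invalid_grant")
            return {"access_token": self._new_access_token(), "expires_in": ACCESS_TOKEN_TTL}
        raise ValueError("unsupported_grant_type")

    def revoke(self, refresh_token):
        """The user withdraws the authorization; the refresh token stops working."""
        self.refresh_tokens.pop(refresh_token, None)

    def posts(self, access_token):
        """Step 6: a protected resource guarded by the bearer token's expiry."""
        expires_at = self.access_tokens.get(access_token)
        if expires_at is None or expires_at <= self.now():
            raise PermissionError("invalid_token")
        return [{"id": "post-1", "content": "constructed sample post"}]


class WebServerClient:
    """The third-party web server (the Consumer)."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider, self.redirect_uri = provider, redirect_uri
        self.client_id, self.client_secret = client_id, client_secret
        self.pending_states = set()

    def start_login(self):
        """Step 1: build the redirect to the provider; state ties the callback to us."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        query = {"response_type": "code", "client_id": self.client_id, "state": state,
                 "redirect_uri": self.redirect_uri, "access_type": "offline"}
        return "https://provider.example/o/oauth2/auth?" + urlencode(query), state

    def handle_callback(self, callback_url):
        """Step 4: verify state, then swap the short-lived code at once."""
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: this callback was not started by us")
        self.pending_states.discard(state)
        return self.provider.token("authorization_code", self.client_id, self.client_secret,
                                   code=query["code"][0], redirect_uri=self.redirect_uri)
```

The clock is injected into `TokenServer` so the two lifetimes can be exercised without waiting: advance it past one hour and `posts()` rejects the old access token while a `refresh_token` grant still yields a new one; advance it past ten minutes between `authorize()` and `handle_callback()` and the code exchange fails, which is the situation step 4 warns about. `access_type=offline` in the login URL corresponds to the "offline access" prompt described in the Google Plus walkthrough below: without it, a provider like Google would not return a refresh token at all.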
Google Plus API example
Time and space are limited, so the concepts are not covered in detail here. Below, the Google Plus API is used as a worked example of how to perform server-side authorization and then use the resulting credentials (access token + refresh token) to fetch the user's posts on Google Plus.
I ran through the whole thing myself with my own account:
First, publish two posts on Google Plus in advance.
Register the app's basic information on the Google developer console.
Then write a small server in advance with Python and the Flask framework.
Open the following address directly in the browser, playing the role of the User talking to the server:
127.0.0.1:8000
The Python server receives our request and immediately redirects us to the Google Plus API server, where the login steps take place.
At this point the Google API asks the user whether to grant the third-party app offline access. Offline access means that even after the user logs out, our app can still access the user's data.
After clicking "Allow", the Python server has obtained the one-time authorization code and exchanged it for an access token and a refresh token.
Below is what the Python server printed in my terminal:
1. the access token and refresh token
2. the two posts, with their content and post IDs
All of this was retrieved by the Python server using the access token.
Further reading:
OAuth 1.0 vs OAuth 2.0:
Token lifetime:
Google Plus API: