An Introduction to OAuth Authorization

By Jiaming

Introduction

What is OAuth?

OAuth is an authentication protocol that allows users to approve applications to act on their behalf without sharing their password.
                                                       —— cited from https://dev.twitter.com/oauth/overview/faq

To put it concretely,
the most familiar examples are logging in to another platform with a Twitter/Google account, and authorizing another app to access a user's data on Twitter.


Main characteristics:
(1). Simple: easy to understand and use for both OAuth service providers and application developers;
(2). Secure: the user's password or other secrets are never handed to the third-party application, which is both safer and more flexible;
(3). Open: any service provider can implement OAuth, and any software developer can use it


Here is one application of OAuth (figure 1 and figure 2 show consecutive steps of the same process)

When the user chooses to log in with a Google account, they are redirected to the dialog below to pick an account and sign in


In this process Quora is the Consumer, Google/Facebook/Twitter are the Providers, and the person logging in is the User. The user wants to log in to Quora with a Google/Facebook/Twitter account; the user never has to give Quora a password, and the Provider instead supplies Quora with some basic profile information such as name, gender and account name.

OAuth 2.0 is currently the most widely used authorization method; many APIs use it to grant third-party platforms access to user data. (Strictly speaking, OAuth 2.0 is an authorization framework, RFC 6749; the "log in with Google" use case is built on top of it.) This is what gives many apps and platforms their interesting features, such as importing a user's friend list from Twitter or Google Plus, or fetching the user's tweets and posts directly.

Some large companies whose APIs currently use OAuth:

OAuth 1.0a

     1. Twitter


OAuth 2.0

     1. Google
     2. YouTube
     3. LinkedIn
     4. Coursera
     5. Paypal

How OAuth is implemented

OAuth 2.0 has three main components:

1. Authorization code: a short-lived, single-use code that the provider hands to the third-party web server once the user has approved the request; the web server exchanges it, together with its own client credentials, for tokens. Its lifetime is very short, on the order of 10 minutes.
2. Access token: the credential that must accompany every request for the user's data; lifetime about 1 hour.
3. Refresh token: has no fixed expiry, but the user can revoke the authorization at any time (and the provider may invalidate it). When the access token expires, the refresh token is used to obtain a new access token from Google.




Process
1) and 2) The request corresponds to the two screenshots at the start. The user logs in to Google Plus and tells the API to authorize the third-party web server to access their Google Plus data.
3) After that step the authorization code is obtained.
4) Because the authorization code lives only a few minutes and is single-use, the web server must immediately exchange it for an access token and a refresh token.
5) The access token and refresh token are obtained.
6) The access token can now be used to request the user's data on Google Plus.


Google Plus API example

Given limited time and space, the various concepts are not covered in detail here. Below, a Google Plus API example shows how to perform server-side authorization and then use the resulting credentials (access token + refresh token) to fetch the user's posts on Google Plus.

I tested it myself with my own account:
first I published two posts on Google Plus in advance



Register the app's basic information in the Google developer console

Then I wrote a small server in advance using the Python Flask framework

Visit this address directly in the browser, playing the role of the User talking to the Server:
127.0.0.1:8000

The Python server received our request and immediately redirected us to the Google Plus API server, where the login and the following steps take place




At this point the Google API asks the user whether to allow the third-party app offline access. Offline access means that even after the user has logged out, our app can still access the user's data (this is what earns the app a refresh token).

After clicking "Allow", the Python server obtained the one-time authorization code and exchanged it for an access token and a refresh token.

The following is what the Python server printed in my terminal:
1. the access token and refresh token
2. the two posts, their content and their post IDs
All of these were fetched by the Python server using the access token
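The six-step process above and the Flask demonstration are the same server-side authorization-code flow. The following is an added example, not the blog's Flask server or Google's code: a small pure-Python client that builds the redirect URL with a `state` value, verifies that value on the callback, exchanges the one-time code (with the client's own `client_id`/`client_secret`) for tokens, and refreshes the access token shortly before it expires. The endpoint, `client_id`, `client_secret` and the `FakeProvider` token endpoint are constructed stand-ins so the flow runs offline; against Google you would replace `AUTH_ENDPOINT` with the real authorization URL and `post_form` with an HTTPS POST to the token endpoint.

```python
# Added example (not the blog's Flask code). Endpoint and client values are assumed stand-ins.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://provider.example/o/oauth2/auth"                  # assumed
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"   # assumed
REDIRECT_URI = "http://127.0.0.1:8000/oauth2callback"


class OAuthClient:
    def __init__(self, post_form):
        # post_form(dict) -> dict: posts a form to the token endpoint (requests.post(...).json() for real)
        self._post, self._pending_states = post_form, set()

    def authorization_url(self, scopes=("openid", "profile")):
        """Steps 1-2: the URL the user's browser is redirected to."""
        state = secrets.token_urlsafe(32)          # fresh, unguessable, one per login attempt
        self._pending_states.add(state)
        return AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": " ".join(scopes), "state": state, "access_type": "offline"})  # offline => refresh token

    def handle_callback(self, callback_url):
        """Steps 3-5: check state, then exchange the one-time code for tokens."""
        query = parse_qs(urlparse(callback_url).query)
        if "error" in query:                       # user clicked "Deny" or the request was malformed
            raise PermissionError(query["error"][0])
        if (state := query.get("state", [None])[0]) not in self._pending_states:
            # Unknown or reused state: not a login we started (blocks login CSRF / code injection).
            raise PermissionError("state mismatch")
        self._pending_states.discard(state)        # state is single use, like the code itself
        return self._tokens(self._post({
            "grant_type": "authorization_code", "code": query["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}))

    def fresh_tokens(self, tokens, now=None, skew=60):
        """Step 6 helper: tokens whose access token is still good for at least `skew` seconds."""
        now = time.time() if now is None else now
        if now + skew < tokens["expires_at"]:
            return tokens
        new = self._tokens(self._post({
            "grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}))
        # Providers usually omit refresh_token on a refresh; keep the one we already hold.
        new["refresh_token"] = new["refresh_token"] or tokens["refresh_token"]
        return new

    @staticmethod
    def _tokens(resp):
        if "error" in resp:
            raise PermissionError(resp["error"])
        return {"access_token": resp["access_token"], "refresh_token": resp.get("refresh_token"),
                "expires_at": time.time() + int(resp["expires_in"])}  # store an absolute expiry


class FakeProvider:  # constructed stand-in for the provider's token endpoint (offline only)
    def __init__(self):
        self.codes, self.issued = {}, 0

    def issue_code(self, redirect_uri):            # what the provider returns after "Allow"
        code = secrets.token_urlsafe(16)
        self.codes[code] = redirect_uri
        return code

    def token(self, form):
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            # A code is single use and bound to the redirect_uri it was issued for.
            if self.codes.pop(form.get("code"), None) != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
            return self._grant(refresh_token=secrets.token_urlsafe(16))
        if form.get("grant_type") == "refresh_token":
            return self._grant()
        return {"error": "unsupported_grant_type"}

    def _grant(self, **extra):
        self.issued += 1
        return {"access_token": f"access-{self.issued}", "token_type": "Bearer", "expires_in": 3600, **extra}


def demo():
    provider = FakeProvider()
    client = OAuthClient(provider.token)
    url = client.authorization_url()                              # 1) user is sent here
    state = parse_qs(urlparse(url).query)["state"][0]
    code = provider.issue_code(REDIRECT_URI)                      # 2) user signs in, clicks Allow
    callback = REDIRECT_URI + "?" + urlencode({"code": code, "state": state})
    tokens = client.handle_callback(callback)                     # 3)-5) one-time code -> tokens
    forged = REDIRECT_URI + "?" + urlencode({"code": provider.issue_code(REDIRECT_URI), "state": "guess"})
    rejected = []
    for bad in (callback, forged):                                # replayed callback; code with unknown state
        try:
            client.handle_callback(bad)
            rejected.append(False)
        except PermissionError:
            rejected.append(True)
    later = client.fresh_tokens(tokens, now=tokens["expires_at"] + 1)   # 6) an hour on: refreshed
    return {"first": tokens["access_token"], "refreshed": later["access_token"], "rejected": rejected,
            "kept_refresh_token": later["refresh_token"] == tokens["refresh_token"]}
```

`demo()` walks the flow once: the first `handle_callback` succeeds, replaying the same callback or presenting a code with a `state` the client never issued is rejected before any token request is made, and an hour later `fresh_tokens` transparently trades the refresh token for a new access token while keeping the original refresh token. The `state` check is the one piece the blog's description leaves out; without it an attacker can complete the flow with their own account and feed the resulting code to the victim's session.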