OAuth Study Notes

Author: 雁门员外 | Published 2016-08-02 00:33 | 651 reads

Translated from the following article:
https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html

Overview

OAuth is a protocol that establishes a communication mechanism between developers and service providers. (OAuth is a process that lets a third-party application read a user's data without needing the user's username and password.) In this document the service provider is Yahoo, and the application or site that accesses the user's data is called the consumer.

Overall flow (diagram)

The main content is as follows:

Step 1. Register with Yahoo and obtain a consumer key

Before accessing Yahoo through the API, you must register and submit some information (including the scope of data to be accessed) to become eligible to use Yahoo services. Later, when data is accessed through the consumer, Yahoo asks the end user to authorize the scope of data the consumer may access. The scopes are described as follows:

  • Read/Write Yahoo Updates
  • Read (Shared) Yahoo Profiles
  • Read Yahoo

Once registration is complete, you receive a consumer key and a consumer secret; both must be passed as parameters when obtaining the request token.

Step 2. Obtain a request token

The request token is a temporary token that is passed in when completing user authorization; it is obtained using the consumer key.
Request URL:
https://api.login.yahoo.com/oauth/v2/get_request_token?oauth_nonce=ce2130523f788f313f76314ed3965ea6&oauth_timestamp=1202956957&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=abcdef&oauth_version=1.0&xoauth_lang_pref="en-us"&oauth_callback="http://yoursite.com/callback"

Parameter description:

| Request Parameter | Description |
| --- | --- |
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_nonce | A random string (OAuth Core 1.0 Spec, Section 8). |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The Consumer Secret that was issued to the application. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within +-600 seconds of the current time. |
| oauth_version | OAuth version (1.0). |
| xoauth_lang_pref | (optional) The language preference of the User; the default value is EN-US. For further details about this parameter, refer to the OAuth Extension for Specifying User Language Preference. |
| oauth_callback | Yahoo redirects Users to this URL after they authorize access to their private data. If your application does not have access to a browser, you must specify the callback as oob (out of band). |


Response

| Response Parameter | Description |
| --- | --- |
| oauth_token_secret | The secret associated with the Request Token, provided in hexstring format. |
| oauth_expires_in | The lifetime of the Request Token in seconds. The default is 3600 seconds, or one hour. |
| xoauth_request_auth_url | The URL to the Yahoo authorization page. |
| oauth_token | The Request Token that Yahoo returns as a response to the request_token call. The Request Token is required during the User authorization process. |
| oauth_callback_confirmed=true | This parameter confirms that you are using OAuth 1.0 Rev. A. This parameter is always set to true. |

Step 3. User login and authorization

After obtaining the request token, the application presents Yahoo's authorization page to the user, where the user grants the application permission to access their data on Yahoo.

As shown in the figure below:

If the user is not logged in, the login screen appears first.

Request parameters

| Request Parameter | Description |
| --- | --- |
| oauth_token | The Request Token that Yahoo returns as a response to the request_token call. The Request Token is required during the User authorization process. |

The following parameters are appended to the callback URL that was passed when obtaining the request token:

| Callback URL Parameter | Description |
| --- | --- |
| oauth_token | The Request Token that Yahoo returns as a response to the get_request_token call. It is appended to the authorization page URL. The Request Token is required during the User authorization process. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. The OAuth Verifier and Request Token both must be provided in exchange for an Access Token. They also both expire together. If the oauth_callback is set to oob in Step 2, the OAuth Verifier is not included as a response parameter and is instead presented once the User grants authorization to your application. Yahoo instructs the User to enter the OAuth Verifier code in your application. Your application must ask for this OAuth Verifier code to ensure OAuth authorization can proceed. The OAuth Verifier is intentionally short so that a User can type it manually. |

As shown in the figure below:

There are two ways to present the Yahoo authorization page:

  • In a pop-up window
  • By redirecting directly from the web application to the Yahoo authorization page

Step 4. Exchange the request token and oauth_verifier for an access token

After the user has authorized, the consumer must exchange the request token for an access token.

Request URL:
https://api.login.yahoo.com/oauth/v2/get_token?oauth_consumer_key=dj0yJmk9NG5USlVvTlZsZEpnJmQ9WVdrOVQwa&oauth_signature_method=PLAINTEXT&oauth_version=1.0&oauth_verifier=svmhhd&oauth_token=gugucz&oauth_timestamp=1228169662&oauth_nonce=8B9SpF&oauth_signature=5f78507cf0acc38890cf5aa697210822e90c8b1c

Request parameters

| Request Parameter | Description |
| --- | --- |
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8](http://oauth.net/core/1.0#nonce)). |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. If using HMAC-SHA1, refer to [OAuth Core 1.0 Spec, Section 9.2](http://oauth.net/core/1.0#anchor16). For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within +-600 seconds of the current time. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The Request Token, which is required during the User authorization process and is short enough for the end User to easily enter. The Request Token is provided in the response to the get_request_token |

Example response:
oauth_token=A%3DqVDHXBngo1tEtzox.JMhzd91Rk99.39Al7hos3J80mm1j
&oauth_token_secret=c5a9684d3a3aa22aa051308987219efb8d6982fc
&oauth_expires_in=3600
&oauth_session_handle=AKVdNElJthnrHDwnYDuj6fJ2ayRbJvkePz9AKwi9dQAfb4bd
&oauth_authorization_expires_in=919314350
&xoauth_yahoo_guid=DKXSX6Q5TA5SVNARZLUJU5AW7A

Response

| Response Parameter | Description |
| --- | --- |
| oauth_token | The Access Token provides access to protected resources accessible through Yahoo Web services. |
| oauth_token_secret | The secret associated with the Access Token, provided in hexstring format. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |
| oauth_expires_in | Lifetime of the Access Token in seconds (3600, or 1 hour). |
| oauth_authorization_expires_in | Lifetime of the oauth_session_handle in seconds. |
| xoauth_yahoo_guid | The introspective GUID of the currently logged in User. For more information on the GUID, see the [Yahoo Social API Reference](https://developer.yahoo.com/social/rest_api_guide/introspective-guid-resource.html). |

Once you have the access token you can access Yahoo services. (If user authorization was presented in a pop-up window, make sure to close the pop-up after obtaining the access token.)

Step 5. Refresh the access token

The access token expires after one hour; to keep accessing the service you must refresh the access token.
Request URL:
https://api.login.yahoo.com/oauth/v2/get_token?oauth_nonce=ef3a091928d5491624c0ac54d697124422705091&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=55d4cf6bf417023ce5dcc3b77132fb021cd13b21abcdef%26&oauth_version=1.0&oauth_token=AJwxz0eyXRa._q0xKlggmMSpQzYjOZyqApyhHybqPzCsDr0-&oauth_timestamp=1204762971&oauth_session_handle=ALKVBsl8DHR1rsAHSwTmAxYIsIGs3l31syRaA_aaF.RDs.MknmVM4P

Request parameters

| Request Parameter | Description |
| --- | --- |
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8](http://oauth.net/core/1.0#nonce)). |
| oauth_consumer_key | Consumer Key provided to you when you sign up on the registration page. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within +-600 seconds of the current time. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The expired Access Token. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |

Response

| Response Parameter | Description |
| --- | --- |
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8](http://oauth.net/core/1.0#nonce)). |
| oauth_consumer_key | Consumer Key provided to you when you sign up on the registration page. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. For more information about signing requests, refer to Signing Requests to Yahoo. |
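As an added example that is not part of the translated guide, the following Python code builds the oauth_signature used in Steps 2, 4 and 5 for both signature methods the tables name (PLAINTEXT and HMAC-SHA1, following OAuth Core 1.0 / RFC 5849 section 3.4) and shows how the receiving side checks the +-600 second timestamp rule and the signature. The sample parameters reuse the nonce, timestamp, consumer key and callback from the Step 2 request URL; the consumer secret "abcdef" is a placeholder.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def pct(s: str) -> str:
    # RFC 3986 percent-encoding as OAuth 1.0a requires: only A-Z a-z 0-9 - . _ ~ stay bare
    return quote(s, safe="-._~")

def signing_key(consumer_secret: str, token_secret: str = "") -> str:
    # encoded consumer secret + "&" + encoded token secret; with no token secret yet
    # (get_request_token) the key ends in "&", which is the %26 the Yahoo guide says to append
    return f"{pct(consumer_secret)}&{pct(token_secret)}"

def base_string(http_method: str, url: str, params: dict) -> str:
    # METHOD & encoded base URL & encoded normalised parameters (sorted, oauth_signature excluded)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([http_method.upper(), pct(url), pct(normalised)])

def sign(http_method: str, url: str, params: dict, consumer_secret: str, token_secret: str = "") -> str:
    # oauth_signature value for the method named in params["oauth_signature_method"]
    key = signing_key(consumer_secret, token_secret)
    method = params["oauth_signature_method"]
    if method == "PLAINTEXT":
        return key  # the key itself travels in the request, so PLAINTEXT relies entirely on TLS
    if method == "HMAC-SHA1":
        mac = hmac.new(key.encode(), base_string(http_method, url, params).encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()
    raise ValueError(f"unsupported oauth_signature_method: {method}")

def verify(http_method, url, params, consumer_secret, token_secret="", now=None, window=600):
    # receiving side: reject timestamps outside +-600 s, then compare signatures in constant
    # time; tracking nonces per consumer key to stop replay is left to the caller's store
    now = int(time.time()) if now is None else now
    if abs(int(params["oauth_timestamp"]) - now) > window:
        return False
    expected = sign(http_method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))

# Constructed get_request_token parameters reusing the nonce, timestamp, consumer key and
# callback from the guide's Step 2 sample URL; the consumer secret is a placeholder value.
REQUEST_TOKEN_URL = "https://api.login.yahoo.com/oauth/v2/get_request_token"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "123456891011121314151617181920",
    "oauth_nonce": "ce2130523f788f313f76314ed3965ea6",
    "oauth_timestamp": "1202956957",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
    "oauth_callback": "http://yoursite.com/callback",
}
CONSUMER_SECRET = "abcdef"  # placeholder
```

The same signing_key and sign functions serve Steps 4 and 5 by passing the request token secret or the access token secret as token_secret, which is the "Consumer Secret & Token Secret" the tables describe.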

Also recommended: a very good article by Ruan Yifeng, Understanding OAuth 2.0 (理解OAuth 2.0).

Source: https://www.haomeiwen.com/subject/hikfsttx.html