
My understanding of OAuth 2.0

2011-04-03 03:45

Not backward compatible

http://en.wikipedia.org/wiki/OAuth

OAuth 2.0 is the next evolution of the OAuth protocol and is not
backward compatible with OAuth 1.0. OAuth 2.0 focuses on client
developer simplicity while providing specific authorization flows for
web applications, desktop applications, mobile phones, and living room
devices

Not compatible, and that is why it is called 2.0; that is also the first interesting thing.

The first question is why OAuth 2.0 arrived so quickly. Is this crowd like the Chinese anti-virus vendors, bumping version numbers as a gimmick to catch users' eyes?

First let's look at how OAuth 1.0 is used in the industry.

Current state

OAuth 1.0 release timeline:

December 2007
June 2008: a revision
April 2010: OAuth 1.0, IETF RFC 2617

OAuth 1.0 service providers: in China the earliest was douban, and after that basically every social network (sina/qq weibo, kaixin, renren) used OAuth 1.0.

Photobucket's API now uses OAuth for all consumer authentication. They've got a number of apps connecting already, and public key signups.
SmugMug supports OAuth on its API.
Twitter. FAQ. App registration.
Ma.gnolia. Developer Center. Register your app.
88 Miles. Developers Pages.
thmbnl. Developer Wiki.
Pownce. API Signup and Docs. API Google Group.
Google. Docs. Federated login research.
MySpace. Documentation.
Agree2 supports OAuth. API Signup.
Brightkite API. Docs.
Fire Eagle. Docs.
Praized. API Signup. API Docs (draft, better soon). OSS code.
Meetup.com. Docs.
OpenSocial. Docs.
Yammer. Docs.
GetSatisfaction. Docs.
Netflix. Docs.
Ohloh. Docs.
Iron Money. Docs.
TripIt. Docs.
Skydeck. Docs.
Yahoo!. Docs.
Smart.fm. Docs.
Cliqset. Docs.
tarpipe. Docs.
EchoWaves. App registration.
Evernote. Docs.
Vimeo. Docs.

Now let's look at OAuth 2.0 service providers:

Dailymotion (draft 10) - http://www.dailymotion.com/doc/api/authentication.html

Microsoft Access Control System (draft 10) - http://blogs.msdn.com/b/windowsazureappfabric/archive/2010/09/16/windows-azure-appfabric-labs-september-release-now-available.aspx

Facebook's Graph API (draft 10) - http://developers.facebook.com/docs/authentication/ (see http://www.sociallipstick.com/?p=239)

Salesforce (draft 10) - http://www.ietf.org/mail-archive/web/oauth/current/msg04391.html

Resthub open source framework for Java (draft 10) - http://bitbucket.org/ilabs/resthub/wiki/Home

Gowalla (draft 8) - http://gowalla.com/api/docs/oauth

37Signals (draft 5) - http://groups.google.com/group/37signals-api/browse_thread/thread/86b0da52134c1b7e

GitHub - http://github.com/blog/656-github-oauth2-support

Ruby oauth2-server (draft 0) - http://github.com/aflatter/oauth2-ruby

Google (draft 10) - http://code.google.com/apis/accounts/docs/OAuth2.html

Ruby rack-oauth2 (draft 13) - http://github.com/nov/rack-oauth2

The problems of OAuth 1.0

If you have ever developed a client program, the first time you meet OAuth you are hit by the redirect flow, signatures, tokens (of several types) and other concepts all at once, with no way to sort out what matters. From a client developer's point of view, OAuth 1.0 is:

Not simple. OAuth starts with "o" for open, and there are many open-source OAuth clients, but even when you use them, integrating the access token into your application is still very different from the usual user login flow.

Too many rounds

Bad user experience: the user goes through two request/response rounds just to reach the authorization page (request token, redirect), and the first time the user's information is fetched it takes another two rounds (access token, resources); compared with an ordinary application the wait is noticeably longer.

Not scalable

Not usable for non-web-browser apps (no redirection flow). Desktop, mobile and tablet clients cannot be redirected back to the application, so to use OAuth 1.0 the client presumably has to invent some trick of its own.

Besides the client side, the introduction to OAuth 2.0 mentions a server-side problem:

In addition, OAuth 1.0 requires that the protected resources
endpoints have access to the client credentials in order to validate
the request. This breaks the typical architecture of most large
providers in which a centralized authorization server is used for
issuing credentials, and a separate server is used for API calls.
OAuth 1.0 requires the use of both set of credentials: the client
credentials and the token credentials which makes this separation
very hard.

The goals of OAuth 2.0

As mentioned at the start, OAuth 2.0 has two main goals: simplifying client-side development, and supporting more kinds of end devices. In my view the concrete changes in OAuth 2.0 are mainly the following.

Distinct

In OAuth 1.0, authentication and authorization are fused together:

all tokens are returned as token/secret pairs;

the client application's id/secret and the access_token/secret are used to compute a digital signature.

In OAuth 2.0 a secret is not a required part of the (access) token; whether there is one depends on the concrete implementation. You can keep the OAuth 1.0 style digital signature (the OAuth MAC token), or use another secure authentication method such as oauth-saml2-bearer (Security Assertion Markup Language). OAuth 2.0 itself only defines the authorization-related flows.



Simplicity

The request token is removed, which saves the first round of requests. What resembles the request token is the refresh token: the server may return a refresh token together with the access token, and the client uses the refresh token to revoke the access token.

For applications that cannot receive a redirect back (no browser, no URL), the authorization (delegation) flow is also explicitly defined.

Abstraction

If OAuth 1.0 was a summary and standardization of existing practice, OAuth 2.0 is a further distillation and abstraction: it removes the concrete security concerns and leaves more flexibility and extensibility.

Example of OAuth 2.0: the Facebook OAuth API

The Facebook OAuth API defines two OAuth 2.0 flows for obtaining user authorization (an access token).

Server side flow

The client redirects to the Facebook authorization page: https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream

The user logs in to Facebook and agrees to the authorization.

A scope parameter can be added to the request to ask for different ranges of permission.

Facebook redirects the user back (HTTP 302) to the client application: http://YOUR_URL?code=A_CODE_GENERATED_BY_SERVER

The authorization code is returned as a URL parameter.

The client uses the code to obtain an access token: https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&client_secret=YOUR_APP_SECRET&code=THE_CODE_FROM_ABOVE

Facebook responds with the access token and its expiry in the response body.

No cumbersome digital signatures: the client application needs no dedicated OAuth client code. It only redirects the user to Facebook and then exchanges the returned code for an access token. The client side flow below is even simpler.

Client side flow

The client redirects to the Facebook authorization page: https://www.facebook.com/dialog/oauth?client_id=YOUR_APP_ID&redirect_uri=YOUR_URL&scope=email,read_stream&response_type=token

Same as the server side flow, with response_type=token added to the request URL parameters.


Facebook redirects the user back (HTTP 302) to the client application: http://YOUR_URL#access_token=166942940015970%7C2.sa0&expires_in=64090

Same as the server side flow, except that the access token is returned in the URL fragment (not sure why it is not returned as a parameter?).

From the client application's point of view, redirecting the user to Facebook is enough to obtain an access token: done in one step. When to use the server side flow and when the client side flow? Facebook's examples use the client side flow from JavaScript and the server side flow when redirecting back to the client's own server.
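As an added example, not code from the original post or from Facebook's SDK, here is the client side of both Facebook flows described above in Python: building the authorization URL, handling the redirect back, and exchanging the code. The state parameter comes from the OAuth 2.0 draft and is not in the post's URLs; it is assumed here so the redirect back can be matched to the request that started it.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://www.facebook.com/dialog/oauth"
TOKEN_ENDPOINT = "https://graph.facebook.com/oauth/access_token"


def authorize_url(client_id, redirect_uri, scope, response_type="code", state=None):
    """Step 1 of both flows: 'code' is the server side flow, 'token' the client side
    flow. Returns (url, state); keep state in the user's session before redirecting."""
    state = state or secrets.token_urlsafe(16)
    q = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope, "state": state}
    if response_type != "code":
        q["response_type"] = response_type
    return f"{AUTH_ENDPOINT}?{urlencode(q)}", state


def handle_redirect(url, expected_state):
    """The user agent comes back to redirect_uri. The server side flow puts the code in
    the query string; the client side flow puts the token in the fragment, which the
    browser never sends to the server. A redirect whose state is not the one we issued
    is rejected rather than trusted."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    params = fragment if "access_token" in fragment else query
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error']}")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: this redirect does not belong to our request")
    return {k: v for k, v in params.items() if k in ("code", "access_token", "expires_in")}


def token_request_url(client_id, client_secret, redirect_uri, code):
    """Server side flow, last step: exchange code + client_secret for the access token.
    Only the server holds client_secret, so this request is never made from the browser."""
    q = {"client_id": client_id, "redirect_uri": redirect_uri,
         "client_secret": client_secret, "code": code}
    return f"{TOKEN_ENDPOINT}?{urlencode(q)}"


def parse_token_response(body):
    """Facebook answers with a form-encoded body: access_token=...&expires=..."""
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    if "access_token" not in fields:
        raise ValueError("token endpoint returned no access_token")
    return fields["access_token"], int(fields.get("expires", "0"))
```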

Use the access token

Using the access token is also very simple: just add the access_token parameter to the resource URL: https://graph.facebook.com/me?access_token=ACCESS_TOKEN


App login

App login is the Client Credentials Flow defined in OAuth 2.0. It grants access to the client application's own data and to resources that have already been authorized: https://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials

Desktop Apps

These applications cannot provide the redirect_uri parameter described above, so Facebook provides a fixed redirect URL pointing at Facebook itself. When the client redirects to Facebook through an embedded browser it sets redirect_uri to this URL; the embedded browser captures the redirect to redirect_uri and reads access_token out of the URL fragment.

OAuth 2.0

OAuth 2.0 drops the authentication part (it is defined separately in other specs, one per security method); the main body of the spec is chapter 4, user authorization (the part that obtains the access token).

Authorization code (Facebook's server side flow)

+----------+
| resource |
|   owner  |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier      +---------------+
|         -+----(A)--- & Redirect URI ------>|               |
|  User-   |                                 | Authorization |
|  Agent  -+----(B)-- User authenticates --->|     Server    |
|          |                                 |               |
|         -+----(C)-- Authorization Code ---<|               |
+-|----|---+                                 +---------------+
  |    |                                         ^      v
 (A)  (C)                                        |      |
  |    |                                         |      |
  ^    v                                         |      |
+---------+                                      |      |
|         |>---(D)-- Client Credentials, --------'      |
|         |          Authorization Code,                |
| Client  |            & Redirect URI                   |
|         |                                             |
|         |<---(E)----- Access Token -------------------'
+---------+       (w/ Optional Refresh Token)
Figure 3: Authorization Code Flow
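An added example (not from the original post or the draft) of the checks an authorization server performs at steps (C) to (E) of Figure 3 when it issues a code and later exchanges it for a token; the client registry, secrets and lifetimes are constructed values.

```python
import hmac
import secrets
import time

CODE_LIFETIME = 600  # seconds; the draft wants authorization codes to be short-lived


class AuthorizationServer:
    """Minimal in-memory authorization server for the code grant (Figure 3, C-E)."""

    def __init__(self, clients, now=time.time):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # code -> grant record, removed on first use
        self.now = now

    def issue_code(self, client_id, redirect_uri, scope):
        """Step (C): a code is issued only to a registered client and only for its
        registered redirect_uri, so it can never be delivered anywhere else."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "exp": self.now() + CODE_LIFETIME}
        return code

    def exchange(self, client_id, client_secret, redirect_uri, code):
        """Steps (D)/(E): authenticate the client, then require that the code exists,
        is unexpired, was issued to this client and carries the same redirect_uri.
        An authenticated client's first attempt consumes the code, success or not."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)   # single use
        if grant is None or grant["exp"] < self.now():
            raise PermissionError("invalid_grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32),
                "scope": grant["scope"]}


# Constructed client registry; the ids, secrets and URIs are placeholders.
CLIENTS = {"app1": {"secret": "s1", "redirect_uri": "https://app1.example/cb"},
           "app2": {"secret": "s2", "redirect_uri": "https://app2.example/cb"}}
```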


Implicit Grant (Facebook's client side flow and desktop app login)

+----------+
| Resource |
|  Owner   |
|          |
+----------+
     ^
     |
    (B)
+----|-----+          Client Identifier     +---------------+
|         -+----(A)--- & Redirect URI ----->|               |
|  User-   |                                | Authorization |
|  Agent  -|----(B)-- User authenticates -->|     Server    |
|          |                                |               |
|          |<---(C)---- Redirect URI ------<|               |
|          |          with Access Token     +---------------+
|          |            in Fragment
|          |                                +---------------+
|          |----(D)---- Redirect URI ------>|   Web Server  |
|          |          without Fragment      |  with Client  |
|          |                                |   Resource    |
|     (F)  |<---(E)------- Script ---------<|               |
|          |                                +---------------+
+-|--------+
  |    |
 (A)  (G) Access Token
  |    |
  ^    v
+---------+
|         |
|  Client |
|         |
+---------+
Figure 4: Implicit Grant Flow


Client credentials (Facebook's app login)

+---------+                                  +---------------+
|         |                                  |               |
|         |>--(A)--- Client Credentials ---->| Authorization |
| Client  |                                  |     Server    |
|         |<--(B)---- Access Token ---------<|               |
|         |    (w/ Optional Refresh Token)   |               |
+---------+                                  +---------------+
Figure 6: Client Credentials Flow


Resource owner password credentials (not offered by Facebook)

+----------+
| Resource |
|  Owner   |
|          |
+----------+
     v
     |
    (A) Password Credentials
     |
     v
+---------+                                  +---------------+
|         |          Client Credentials      |               |
|         |>--(B)---- & Resource Owner ----->|               |
| Client  |         Password Credentials     | Authorization |
|         |                                  |     Server    |
|         |<--(C)---- Access Token ---------<|               |
|         |    (w/ Optional Refresh Token)   |               |
+---------+                                  +---------------+
Figure 5: Resource Owner Password Credentials Flow


Reference

http://tools.ietf.org/html/draft-ietf-oauth-v2-13
http://developers.facebook.com/docs/authentication/
https://github.com/dgouldin/python-oauth2
http://oauth.net/2/