The principle of third-party login (reposted)

Principle of third-party login

Abstract: The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Unlike conventional authorization, OAuth never exposes the user's account information (such as user name and password) to the third party: the third party can request authorization for the user's resources without ever using the user name and password, so OAuth is secure. Any third party can use OAuth authentication services, and any service provider can implement its own OAuth authentication service, so OAuth is open. The OAuth community provides implementations in PHP, JavaScript, Java, Ruby and other languages, saving programmers time, so OAuth is simple. Many of today's Internet services offer Open APIs, and large companies such as Google, Yahoo and Microsoft provide OAuth authentication services, which is enough to show that OAuth is becoming the open authorization standard.

 

 

I. Background of OAuth

    Typical case: Suppose a user uses two services: service A stores photos online, and service B prints photos online (see the figure below). Because A and B are run by two different providers, the user has registered separately on each site, with different user names and passwords. When the user wants to print, with service B, the photos stored on service A, what can be done? Option one: the user downloads the photos to be printed from service A and uploads them to service B. This is secure, but the process is cumbersome and inefficient. Option two: the user gives service B the user name and password registered on service A, and B uses that account to download the photos from A. This is more efficient, but far less secure: with the user name and password, service B can read, and even tamper with, all of the user's resources on service A.

More information is available on the official website: http://oauth.net.

 

 

II. Overview of OAuth

    On the home page of the official website you can see this introduction:

    An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

 

 

 

    Roughly translated: OAuth is an open protocol that provides a simple, standard way for desktop or web applications to access API services that require user authorization. OAuth is similar to Flickr Auth, Google's AuthSub, Yahoo's BBAuth, Facebook Auth and so on. OAuth authentication and authorization has the following characteristics:

1. Simple: easy for both OAuth service providers and application developers to understand and use;

2. Secure: the user's secret information, such as the password, is never involved, so it is safer and more flexible;

3. Open: any service provider can implement OAuth, and any software developer can use it;

III. OAuth terminology

    Before walking through the OAuth flow, let us first define a few terms used in OAuth:

  • The three OAuth URLs:
    • Request Token URL: address of the service that issues an unauthorized Request Token;
    • User Authorization URL: address of the service where the user authorizes the Request Token;
    • Access Token URL: address of the service that exchanges an authorized Request Token for an Access Token;

  • The OAuth parameters:
    • oauth_consumer_key: identifier of the consumer. The direct user of the OAuth service is the application the developer writes, so this value is generally obtained by registering the application with the OAuth service provider, which then issues the application its oauth_consumer_key. For Yahoo, the registration address is https://developer.yahoo.com/dashboard/
    • oauth_consumer_secret: the secret corresponding to oauth_consumer_key.
    • oauth_signature_method: the method used to sign the request string. Every request the application sends to the three OAuth service addresses must be signed. There are three signature methods: HMAC-SHA1, RSA-SHA1 and PLAINTEXT.
    • oauth_signature: the signature of the request, computed with the signature method above.
    • oauth_timestamp: the timestamp at which the request is made, expressed as the number of seconds since 00:00:00 GMT, 1 January 1970; it must be a positive integer, and must be greater than or equal to the timestamp of the previous request.
    • oauth_nonce: a randomly generated string used to prevent replay of the request and to defend against attacks from outside.
    • oauth_version: the OAuth version number; optional, and if present its value must be 1.0.
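The parameters above only make sense together with the signing rule they feed. The following is an added example, not code from the original post or from any OAuth library: it builds the OAuth 1.0 signature base string and HMAC-SHA1 oauth_signature with the Python standard library, following RFC 5849 section 3.4, and adds the provider-side oauth_timestamp / oauth_nonce replay check the parameter list describes. The request data is the worked example from RFC 5849 section 3.4.1.1; the consumer and token secrets, and the ReplayGuard class and its window, are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 5849 3.6 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lower-case scheme and host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, params):
    """params: decoded (name, value) pairs from the query string, the form body and
    the oauth_* parameters; oauth_signature and realm must NOT be included."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)   # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """oauth_signature for HMAC-SHA1: key = enc(consumer_secret) & enc(token_secret).
    The token secret is empty for the very first (Request Token) request."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(method, url, params, presented, consumer_secret, token_secret=""):
    """Provider-side check; constant-time compare so timing does not leak the MAC."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


class ReplayGuard:
    """Assumed provider-side policy: oauth_timestamp must be a positive integer
    within a clock-skew window, and the (consumer key, timestamp, nonce) triple
    may be presented only once."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.seen = set()

    def accept(self, consumer_key, timestamp, nonce, now=None):
        now = time.time() if now is None else now
        if not timestamp.isdigit() or int(timestamp) <= 0:
            return False                      # HTTP 400: Unsupported parameter
        if abs(now - int(timestamp)) > self.window:
            return False                      # stale or future-dated request
        triple = (consumer_key, timestamp, nonce)
        if triple in self.seen:
            return False                      # HTTP 401: Invalid / used nonce
        self.seen.add(triple)
        return True


def replay_demo():
    """Three presentations of the same request; only the first may be accepted."""
    guard = ReplayGuard()
    first = guard.accept("9djdj82h48djs9d2", "137131201", "7d8f3e4a", now=137131201)
    replay = guard.accept("9djdj82h48djs9d2", "137131201", "7d8f3e4a", now=137131201)
    stale = guard.accept("9djdj82h48djs9d2", "137131201", "ff00aa11", now=137131201 + 3600)
    return first, replay, stale


# Request taken from the worked example in RFC 5849 section 3.4.1.1.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),     # query string
    ("c2", ""), ("a3", "2 q"),                                  # form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"),
    ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),
]
RFC_BASE_STRING = (
    "POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da"
    "%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D9djdj82h48djs9d2"
    "%26oauth_nonce%3D7d8f3e4a%26oauth_signature_method%3DHMAC-SHA1"
    "%26oauth_timestamp%3D137131201%26oauth_token%3Dkkk9d7dh3k39sjv7"
)

if __name__ == "__main__":
    bs = signature_base_string("POST", RFC_URL, RFC_PARAMS)
    print("base string matches RFC:", bs == RFC_BASE_STRING)
    sig = hmac_sha1_signature(bs, "consumer-secret", "token-secret")   # made-up secrets
    print("signature:", sig)
    print("replay guard (first, replay, stale):", replay_demo())
```

Note that the base string is built from the decoded parameters and then encoded exactly once more; double-encoding at the wrong layer is the most common reason a consumer's signature fails with "Invalid signature". The nonce store is kept in memory here; a real provider only needs to remember nonces for the length of the timestamp window.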

 

  OAuth HTTP response codes:

  • HTTP 400 Bad Request: the request is malformed
    • Unsupported parameter: parameter error
    • Unsupported signature method: signature method error
    • Missing required parameter: a required parameter is missing
    • Duplicated OAuth Protocol Parameter: a parameter is repeated
  • HTTP 401 Unauthorized: not authorized
    • Invalid Consumer Key: illegal key
    • Invalid / expired Token: token invalid or expired
    • Invalid signature: signature illegal
    • Invalid / used nonce: nonce illegal or already used

 

 

IV. OAuth authentication and authorization flow

    With the terms defined, we can take a first look at the OAuth authentication and authorization flow. Put simply, it comes down to three steps, which can be summed up in three sentences:

1. Obtain an unauthorized Request Token

2. Have the user authorize the Request Token

3. Exchange the authorized Request Token for an Access Token

Once the application holds the Access Token, it can access the user's authorized resources. It is easy to see that the three steps correspond exactly to the three OAuth service URLs. Precisely: each step is a request to one URL, whose response carries the information needed for the request in the next step, until the Access Token is obtained. The specific steps are shown in the figure below:

 

 

The details of each step are as follows:

A. The consumer (the third-party software) requests an unauthorized Request Token from the OAuth service provider by sending a request to the Request Token URL, carrying the parameters described above.

B. The OAuth service provider accepts the consumer's request, issues an oauth_token and its corresponding oauth_token_secret that the user has not yet authorized, and returns them to the consumer.

C. The consumer asks the OAuth service provider for user authorization of the Request Token by sending a request to the User Authorization URL, carrying the unauthorized token obtained in the previous step.

D. The OAuth service provider guides the user through authorization. During this step the user may be shown which protected resources the application is asking for. This step may or may not return the authorized Request Token; Yahoo's OAuth, for example, returns nothing to the consumer.

E. Once the user has authorized the Request Token, the consumer sends a request to the Access Token URL to exchange the authorized Request Token for an Access Token. The request parameters are those shown above, which are the parameters of step A plus the Request Token.

F. The OAuth service provider accepts the consumer's request, issues an Access Token and its corresponding secret, and returns them to the consumer.

G. The consumer can then use the Access Token returned in the previous step to access the resources the user has authorized.
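The seven steps above are the provider's token lifecycle: an unauthorized Request Token bound to one consumer, a user decision that marks it authorized, a single-use exchange for an Access Token, and finally a protected-resource call that checks the Access Token. The following is an added example, not code from the original post or from any real provider: a toy in-memory service provider (service A, the photo store) and a run-through of the flow for service B, the print service. Transport signing is omitted here so that the token state checks stand out. The verifier returned at step D is the OAuth 1.0a addition (RFC 5849 oauth_verifier), which the post's description predates; the class and function names, the error strings and the sample photo list are assumptions made for this example.

```python
import secrets


class OAuthProvider:
    """Toy OAuth 1.0 service provider holding the three token stores the post describes."""

    def __init__(self):
        self.consumers = {}       # oauth_consumer_key -> oauth_consumer_secret
        self.request_tokens = {}  # request token -> state
        self.access_tokens = {}   # access token -> state
        self.photos = {}          # user -> list of photo names (the protected resource)

    def register_consumer(self):
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    # Request Token URL (steps A and B): an unauthorized token bound to the consumer.
    def request_token(self, consumer_key):
        if consumer_key not in self.consumers:
            raise PermissionError("401 Invalid Consumer Key")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key,
                                      "user": None, "verifier": None}
        return token, secret

    # User Authorization URL (steps C and D): the user, logged in at the provider,
    # approves or rejects the prompt. A rejected token is discarded immediately.
    def authorize(self, token, user, approved):
        state = self.request_tokens.get(token)
        if state is None:
            raise PermissionError("401 Invalid / expired Token")
        if not approved:
            del self.request_tokens[token]
            return None
        state["user"], state["verifier"] = user, secrets.token_hex(4)
        return state["verifier"]

    # Access Token URL (steps E and F): the exchange consumes the request token,
    # and only succeeds if the user authorized it and the right consumer asks.
    def access_token(self, consumer_key, token, verifier):
        state = self.request_tokens.pop(token, None)       # single use, even on failure
        if state is None or state["consumer"] != consumer_key or state["user"] is None:
            raise PermissionError("401 Invalid / expired Token")
        if not secrets.compare_digest(state["verifier"], verifier or ""):
            raise PermissionError("401 Invalid verifier")
        at, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[at] = {"secret": secret, "consumer": consumer_key,
                                  "user": state["user"]}
        return at, secret

    # Protected resource (step G): only the consumer the token was issued to may use it.
    def list_photos(self, consumer_key, access_token):
        state = self.access_tokens.get(access_token)
        if state is None or state["consumer"] != consumer_key:
            raise PermissionError("401 Invalid / expired Token")
        return list(self.photos.get(state["user"], []))

    # The "authorization management" page: the user revokes one consumer's access.
    def revoke(self, user, consumer_key):
        for at in [t for t, s in self.access_tokens.items()
                   if s["user"] == user and s["consumer"] == consumer_key]:
            del self.access_tokens[at]


def run_flow():
    """Service B obtains alice's photos from service A without seeing her password.
    Returns the observations so they can be checked."""
    a = OAuthProvider()
    a.photos["alice"] = ["beach.jpg", "cat.jpg"]            # constructed sample data
    b_key, _b_secret = a.register_consumer()                 # B is registered with A
    out = {}
    rt, _rt_secret = a.request_token(b_key)                  # steps A, B
    verifier = a.authorize(rt, "alice", approved=True)       # steps C, D
    at, _at_secret = a.access_token(b_key, rt, verifier)     # steps E, F
    out["photos"] = a.list_photos(b_key, at)                 # step G
    try:                                                     # request token is spent
        a.access_token(b_key, rt, verifier)
        out["reuse"] = "allowed"
    except PermissionError as e:
        out["reuse"] = str(e)
    rt2, _ = a.request_token(b_key)                          # never authorized by alice
    try:
        a.access_token(b_key, rt2, "")
        out["unauthorized"] = "allowed"
    except PermissionError as e:
        out["unauthorized"] = str(e)
    a.revoke("alice", b_key)                                 # alice revokes B
    try:
        a.list_photos(b_key, at)
        out["after_revoke"] = "allowed"
    except PermissionError as e:
        out["after_revoke"] = str(e)
    return out


if __name__ == "__main__":
    for name, result in run_flow().items():
        print(name, "->", result)
```

The checks in access_token are the ones that matter in practice: popping the request token before validating anything makes it single-use even when the exchange fails, and the consumer-key comparison stops a token issued to one application from being exchanged by another.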

    As the steps show, the end user never gives a user name or password to the consumer (the third-party software), which is why the scheme is more secure. Applied to the typical case from the background section: when service B (the print service) wants to access the user's service A (the photo service), it uses OAuth to request a Request Token from service A without involving the user; service A then directs the user to log in on A's own website and asks whether the photo service should be granted to service B. Once the user agrees, service B can access the user's photos on service A. Throughout the process, B never touches the user's account information on A. In the figure below, the letters correspond to the letters of the OAuth steps described above:

 

 

 

V. OAuth service providers

    Although the OAuth standard has existed for less than two years, it has been a great success: not only are client libraries available in many languages, but big Internet companies such as Google, Yahoo and Microsoft have implemented the OAuth protocol. Since there are so many OAuth client libraries, there is no need to write your own and reinvent the wheel; just pick one and use it. I have used these libraries to access Yahoo's OAuth service, and they work very well. Here are some screenshots to share with everyone.

    The figure shows the OAuth service provider guiding the user to log in (if the user is not already logged in).

    The figure shows the page prompting the user to decide whether to grant authorization to the third-party application.

    The following figure tells the user that authorization succeeded.

    Some service providers not only implement the functions of the OAuth protocol but also offer friendlier services, such as management of third-party application authorizations. The figure shows Yahoo's authorization management page, where the user can revoke the authorization granted to particular applications.

 

 

This world has no shortage of good things; what it lacks is reason plus a little kindness.

Source: www.cnblogs.com/LiZhongZhongY/p/10958670.html