OAuth2 authorization and learning from the Weibo API

Source: Internet
Author: User
Tags: oauth

I recently started working with the Weibo API, and took the opportunity to understand how OAuth2 works.


OAuth (Open Authorization)

OAuth is an open authorization protocol. It provides a secure, open and simple standard for authorizing access to a user's resources, without letting the third party touch the user's account credentials.

The OAuth authorization process

OAuth 2.0 is the version in common use today. Three parties take part in the authentication and authorization process:

Service provider (such as Sina Weibo): the site where the user stores protected resources such as personal information, photos, videos and contact lists.

User: the owner of the protected resources. The user holds the account name and password for the service provider's website.

Client (the third-party site): a third-party application, usually a website or app, that accesses the service provider's resources. Before the authorization process begins, the client applies to the service provider for a client identity. The following diagram gives a brief overview:


OAuth authorization proceeds in the following steps, in the order of the arrows:

(1) Request token: C applies to the service provider S for a request token. This request token, not yet authorized by S, carries the corresponding key, the encryption algorithm, the timestamp of the request, a random string, the version number, and so on.

(2) Grant request token: S now verifies the legitimacy of C (through the developer's App_key and App_secret) and returns the token once validation passes. This step is initiated from the app's own server because it involves the app's credentials, so it is transparent to the user.

(3) Redirect to auth page: the browser is redirected to the service provider's authorization address, carrying the request token.

(4) Authorize request_token: C uses the request token to ask S to authenticate the user and authorize the login. S checks the request token and shows the third party C's information to the user U, prompting the user to approve or reject this authorization.

(5) Acknowledge request_token: if the user agrees, S issues an authorized token and redirects U back to the app's registered address. From the start of the redirect until control returns to the registered address, C takes no part in U's authentication and authorization, which guarantees that C never obtains the user's real account password, only the authorized request_token.

(6) Redirect to consumer: redirect to the service address to exchange the request_token for an access token.

(7) Access_token: use the authorized token to obtain an access_token from S. C must make this request from its own server, presenting its app credentials together with the token from the previous step; this step is also transparent to U. If the earlier steps let S authenticate C and U, this step is U and S authenticating C once more.

Because the user's browser carries the result of step 2 into step 3 by redirect, the redirect is guaranteed to go to a legitimate address, unless the user's DNS has been hijacked. One thing confused me at first: after the user authorizes, why not return the access_token directly instead of requiring another exchange? I assume it is for the security of the access_token: there are too many ways for it to leak at the user's browser end, so the safest approach is to have the third party's server obtain and keep the access_token.

(8) Grant access_token: use the access_token as the credential to access protected resources. Permissions are often divided into several categories. An access_token holds a user's authorization credentials for an app; to be precise, it represents the set of permissions the user granted when authorizing. So in this step, besides verifying that the access_token is legitimate, the service provider must also judge whether the access_token carries sufficient permission to perform the protected operation.
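To make the steps concrete, here is a small model of the flow written for this article; it is an added example, not code from the original post or from the weibo4j SDK. The AuthServer class plays S, the app key, app secret, redirect URI, user name and scope names are constructed placeholders, and no network requests are made. It shows the three checks the steps above rely on: the code is only ever redirected to the registered address, the exchange in step 7 needs the app secret that the browser never sees (and a code works only once), and in step 8 the provider checks the token's permissions, not just its validity.

```python
"""Toy model of the authorization flow described in the steps above.

Added example, not code from the original post or the weibo4j SDK. The
server class, the app key/secret and redirect URI, the user name and the
scope names are all constructed for illustration; nothing here does I/O.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

APP_KEY = "APPKEY-demo"            # constructed placeholder, not a real app key
APP_SECRET = "APPSECRET-demo"      # constructed placeholder
REDIRECT_URI = "https://client.example/callback"   # the address registered with S


class AuthServer:
    """Plays the service provider S: checks apps, issues codes and tokens."""

    def __init__(self):
        self.apps = {}     # app_key -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> grant record (one-time, short-lived)
        self.tokens = {}   # access_token -> {"user", "scope"}

    def register_app(self, app_key, app_secret, redirect_uri):
        self.apps[app_key] = {"secret": app_secret, "redirect_uri": redirect_uri}

    def authorize(self, app_key, redirect_uri, user, scope, approved):
        """Steps 4-5: U approves or rejects; S redirects only to the registered URI."""
        app = self.apps.get(app_key)
        if app is None or app["redirect_uri"] != redirect_uri:
            raise ValueError("unknown app or redirect_uri mismatch")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"app_key": app_key, "user": user,
                            "scope": set(scope), "expires": time.time() + 300}
        return redirect_uri + "?" + urlencode({"code": code})

    def exchange(self, app_key, app_secret, code, redirect_uri):
        """Step 7: server-to-server exchange that requires the app secret."""
        app = self.apps.get(app_key)
        if app is None or not hmac.compare_digest(app["secret"], app_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)        # pop: a code can be used once
        if grant is None or grant["app_key"] != app_key or grant["expires"] < time.time():
            raise PermissionError("invalid or expired code")
        if app["redirect_uri"] != redirect_uri:
            raise PermissionError("redirect_uri mismatch")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return token

    def protected_resource(self, token, required_scope):
        """Step 8: the token must be valid AND carry the needed permission."""
        info = self.tokens.get(token)
        if info is None:
            raise PermissionError("invalid access_token")
        if required_scope not in info["scope"]:
            raise PermissionError("insufficient scope")
        return {"user": info["user"], "resource": required_scope}


def _outcome(fn):
    """Run fn and report its result, or the refusal message if it was rejected."""
    try:
        return fn()
    except (PermissionError, ValueError) as exc:
        return "refused: " + str(exc)


def run_flow():
    """Walk the flow once and return what each check produced."""
    s = AuthServer()
    s.register_app(APP_KEY, APP_SECRET, REDIRECT_URI)
    results = {}
    # Step 5 when U rejects: the client only learns "access_denied".
    results["denied"] = s.authorize(APP_KEY, REDIRECT_URI, "alice", ["statuses_read"], False)
    # Steps 3-6 when U approves: the code arrives in the address bar.
    redirect = s.authorize(APP_KEY, REDIRECT_URI, "alice", ["statuses_read"], True)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    # Step 7: without the app secret the code alone is useless, and a code is single-use.
    results["wrong_secret"] = _outcome(lambda: s.exchange(APP_KEY, "guess", code, REDIRECT_URI))
    token = s.exchange(APP_KEY, APP_SECRET, code, REDIRECT_URI)
    results["reuse"] = _outcome(lambda: s.exchange(APP_KEY, APP_SECRET, code, REDIRECT_URI))
    # Step 8: the token works only for the permissions U actually granted.
    results["read"] = s.protected_resource(token, "statuses_read")
    results["write"] = _outcome(lambda: s.protected_resource(token, "statuses_write"))
    return results


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(name + ": " + str(value))
```

Running it prints one line per check: the denied redirect carries only an error, the exchange with a wrong secret and the second use of the same code are both refused, the read succeeds, and the write is refused for insufficient scope. That last refusal is the point of step 8: a valid token is not the same as a sufficiently privileged one.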


That is rather abstract, so here is a simple example:

A person U wants to go to the bank to withdraw money. U is busy and cannot go to the counter, so U asks a friend C to go instead.

C goes to the bank S and says: I want to withdraw money on behalf of U.

S first verifies C's identity and confirms that C is a legitimate citizen.

Then S calls U and says: C wants to withdraw money on your behalf; are you sure? If so, enter your username and password. U confirms.

S now hands C a key and says: we do not provide automatic service; take this key and fetch the money from the vault yourself.

C takes the key, fetches the money, and hands it to U afterwards. U is grateful.

This is a simple, vivid picture of OAuth2. Its goal is to ensure that when a user links a third-party site, the user's information stays secure, while the experience remains user-friendly.


Sina Weibo API Java SDK

weibo4j.org.json handles the parsing of JSON data.

weibo4j.model encapsulates the objects of each category of the Weibo API, such as the structure definition of a user.

weibo4j.http contains both the HTTP request class and the encapsulation for obtaining the access token.

weibo4j.util contains the utility classes required to call the API interfaces.

examples contains sample usage of the various interfaces.

(1) Modify the configuration in config.properties. Open the file and fill in your own values as follows:

    client_id = (the app key you applied for)
    client_sercret = (the app secret you applied for)
    redirect_uri = (callback address; it must match the one configured on the platform. I am only using it with a client application, so I left it empty here)

(2) Change the code:

    BareBonesBrowserLaunch.openURL(oauth.authorize("code", args[1], args[2]));
    System.out.println(oauth.authorize("code", args[1], args[2]));

to:

    BareBonesBrowserLaunch.openURL(oauth.authorize("code", "", ""));
    System.out.println(oauth.authorize("code", "", ""));

(3) Run the OAuth4Code class to get the code: after the user authorizes the login, the code appears in the browser's address bar.

Enter the code value you just obtained and press Enter. The code is then exchanged for the access token, which completes the authorization.
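The same three steps (build the authorization URL, read the code back from the address bar, exchange it for the access token) written as a small client-side helper, as an added example rather than code from the post or from weibo4j. It uses the public Weibo OAuth2 endpoint URLs, which the post itself does not state; the app key, app secret, redirect URI and the code value are placeholders; and token_request() returns the request it would send instead of sending it, so it runs offline. Beyond the SDK steps, it adds a state value to the authorization URL and verifies it on the callback, so the client only accepts a code that belongs to the login it started.

```python
"""Client-side helper for the code-for-access-token procedure above.

Added example, not code from the post or from weibo4j. The two endpoint
URLs are Weibo's public OAuth2 endpoints (not given on the page); the app
key, secret, redirect URI and code values are placeholders; nothing is sent.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://api.weibo.com/oauth2/authorize"
ACCESS_TOKEN_URL = "https://api.weibo.com/oauth2/access_token"


def new_state():
    """Unguessable per-login value that the callback must echo back."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, state, scope=None):
    """The address the browser is sent to (step 3). Only the public app key
    goes in it; the app secret must never appear in a browser-visible URL."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Read `code` from the address bar after the user approves. Refuses the
    callback if the user denied, or if `state` is not the one we generated."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise PermissionError("authorization denied: " + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: not a callback for our request")
    if "code" not in q:
        raise PermissionError("callback carries no code")
    return q["code"][0]


def token_request(client_id, client_secret, code, redirect_uri):
    """The POST the client's own server sends (step 7). Returned as
    (url, form) rather than sent, so this example stays offline."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    return ACCESS_TOKEN_URL, form


def demo():
    """Simulate one round trip with constructed values."""
    client_id, client_secret = "APPKEY-demo", "APPSECRET-demo"   # placeholders
    redirect_uri = "https://client.example/callback"
    state = new_state()
    url = build_authorize_url(client_id, redirect_uri, state)
    # Constructed callback URL, as it would appear in the address bar after approval.
    good = redirect_uri + "?" + urlencode({"code": "CODE-demo", "state": state})
    # Constructed callback whose state is not ours; it must be rejected.
    stale = redirect_uri + "?" + urlencode({"code": "CODE-other", "state": "xyz"})
    code = parse_callback(good, state)
    try:
        parse_callback(stale, state)
        mismatch_rejected = False
    except PermissionError:
        mismatch_rejected = True
    post_url, form = token_request(client_id, client_secret, code, redirect_uri)
    return {"secret_in_browser_url": client_secret in url,
            "code": code, "mismatch_rejected": mismatch_rejected,
            "post_url": post_url, "grant_type": form["grant_type"]}


if __name__ == "__main__":
    print(demo())
```

In real use the form returned by token_request() is POSTed from the server that holds the app secret, which is exactly the reason the post gives for not handing the access_token straight to the browser. The state check is the part worth keeping even when using the SDK: without it, a client cannot tell a code from its own login apart from one that arrived some other way.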


This article mainly clarifies and summarizes the authorization process.



Reference articles:

(1) http://www.cnblogs.com/neutra/archive/2012/07/26/2609300.html

(2) http://rsj217.diandian.com/post/2013-04-17/40050093587

