Summary of Sina Weibo oauth Certification

Since Twitter only supports the oauth authentication method recently, major applications have switched to the oauth authentication method, and Sina Weibo's open platform will also suspend the base oauth authentication method recently.

In order to continue to use Sina Weibo's open platform, I began to study the oauth authentication method. After some time of practice, I have some experience in oauth authentication on Sina Weibo's open platform. In view of the small amount of oauth-related information on this platform on the internet, I would like to share my accumulated experience here and hope to help some people who want to use oauth to call Sina Weibo interfaces ~~

 

1. About oauth:

Compared with base oauth, oauth does not have to store users' accounts and passwords, you only need to save the user-authorized key and secret combinations to access all interface resources on the platform, during transmission, it is also possible to prevent malicious users from getting the user's account and password through packet capture analysis. (It is said that the reason why Twitter fully switched to oauth authentication is to prevent GFW from getting the accounts and passwords of some celebrities through packet capture ). For specific definitions, read the oauth specification definition: oauth specification.

 

2. Sina Weibo Open Platform:

The basic interfaces, parameters, and return formats of Sina Weibo's Open Platform refer to the Twitter mode. Of course, some other open platforms in China have largely referenced the Twitter model, so they are basically the same. To use Sina Weibo's open platform, you must first register it on its website: Sina Weibo API.

After registration, you will get the two key fields consumer key and consumer secret. Save them.

This development platform of Sina Weibo has enough documents to quickly get started with calling these interfaces. In addition to some of the more difficult interfaces, we will discuss them below.

 

3. Use oauth for Sina:

To use oauth, you must first authorize the user. Generally, the authorization process is as follows:
(1) The application sends a request to the Sina development platform to obtain the unauthorized request token and request Secret. At this time, the request Secret cannot be used for the time being and should be properly saved.

(2) Use the request token obtained in the previous step as a parameter to guide the user's browser to jump to the authorization page of Sina Weibo. The user enters this page to log on to Sina Weibo and authorize the token. If the callback address of the browser has been set to the server in (1), the user's browser will be redirected to this address, which will add a parameter: oauth_verifier, this parameter will be used later and saved properly.

(3) In the last step of the oauth authentication process, request the real token from the server and use the oauth_verifier obtained in (1), request secret, and (2) as parameters, the server returns the real access token and access secret to the Sina Weibo server, and the userid of the user in the Sina Weibo server. With the user's access token and access secret, you can freely and conveniently call the open interfaces of Sina Weibo.

 

Each call must contain the authentication information of oauth. As the authentication information of oauth, there are basically two ways to add it to the request package:

(1) The most recommended method is HTTP Authorization header. The definition of this header is defined in rfc2617.

For example:

Authorization: oauth realm = "http://photos.example.net/", oauth_consumer_key = "dpf43f3p2l4k3l03", oauth_token = "nnch734d00sl2jdk", oauth_signature_method = "HMAC-SHA1 ", oauth_signature = "TR3% 2bty81lmeyar % 2ffid0kmtya % 2fwm % 3d", oauth_timestamp = "1191242096", oauth_nonce = "signature", oauth_version = "1.0"
 

 
(2) You can also use the parameter transfer method to place the oauth parameter in the get URL or in the package content of post, just like the normal parameter,
 

 
But some special situationsIt is difficult to solve this problem.
 

 
4. oauth authentication Parameter Parsing:
 

 
As you can see above, a normal oauth authentication contains the following parameters:
 

(1) oauth_consumer_key: The conusmer key sent by Sina to you during registration, transmitted in plaintext
 

 
(2) oauth_token: the access token after the user completes the oauth authentication. in step 3 of oauth authentication, It is the request token,
 

 
 The first step is not required.This parameter
 

 
(3) oauth_signature_method: the encryption method, which providesHMAC-SHA1,RSA-SHA1,Plaintext Methods
 

 
(4) oauth_signature: string after all parameters are encrypted, including consumer secret and access secret
 

 
(5) oauth_timestamp: The request time stamp.
 

 
(6) oauth_version: an optional parameter, which is basically set to 1.0. Otherwise, an error occurs.
 

(7) oauth_nonce: Random value to prevent repeated calls
 

 
5. oauth pain points:
 

 
The above method can basically solve all interface calls. However, some methods are required to upload images that are difficult to implement.
 

 
Sina Weibo's Open Platform requires that the multipart/form-data method be used to upload images. However, when defining the oauth protocol, the Content-Type is
 

 
Application/X-WWW-form-urlencoded does not mention how to use multipart/form-data.
 

 
I can't find any part on the Internet that I mentioned uploading images using oauth on Sina Weibo's open platform. After one night's attempt and reference of Twitter's practices,
 

 
Finally foundSolution.
 

 
Basically, the content not described in the agreement must be addressed in a more intuitive way by the people. To upload images on Sina Weibo, you must use multipart/
 

Form-DataAs content-type, the oauth authentication parameter cannot be put into the form-data parameter and must be authenticated using the Authorization header.
 

 
File parameter, that isThe status parameter is added to the basestring of oauth for encryption, and the status is used as a value of FOM-data.
 

 
Upload and post images normallyWeibo.Using this simple and troublesome method, you can upload images to Sina Weibo safely.
 

 
6. Last
 

 
So far, I have successfully called the vast majority of Sina Weibo interfaces and began to cover Sohu Weibo, Netease Weibo, and other open platforms.Article, Record some classics
 

 
Verification and lessons learned.
 

 
7. References
 

[Rfc5849] E. Hammer-Lahav, Ed ."The oauth 1.0 protocol ", rfc5849

[Rfc1867]E. Nebel, L. masinter ,"Form-based file upload in HTML ", rfc1867

[Rfc2616] Fielding, R., Gettys, J, e "Hypertext Transfer Protocol -- HTTP/1.1", rfc2616

[Rfc2617] Franks, J. "HTTP Authentication: basic and digest access authentication", rfc2617

Sina Weibo Open Platform: http://open.t.sina.com.cn/wiki/index.php/Oauth