This article mainly covers OAuth authentication and a rough comparison of the major platforms; if there are flaws, please bear with me.
When reprinting, please cite the source: http://www.cnblogs.com/lingyun1120/archive/2012/07/11/2585767.html
Preface: Development Objectives and Progress
For work I researched SNS sites, with the aim of integrating multiple SNS platforms for one-click sharing. I used my spare time to build a demo; there is much that needs improving, so advice is very welcome.
At present, the basic progress is that OAuth authentication and simple API use are complete for 8 of the main domestic sites: Sina Weibo, Tencent Weibo, QQ Space, Renren, Kaixin, Douban, Sohu Weibo, and NetEase Weibo. I have summarized this in a blog post, with a detailed analysis of the key points of the OAuth authentication process and a comparison of the major platforms.
Below are the relevant UI of my demo and each platform's login and authentication interface (WebView).
OAuth Introduction
Sharing inevitably raises the question of user account security: third-party programs should not handle user account information directly, but without account information, how can they obtain data from the SNS platform? OAuth solves this problem: the third party initiates the authentication process, the user completes it in a WebView or the browser, and the third party obtains an access token that it uses in place of the account password to obtain platform data. The OAuth protocol provides a secure, open, and simple standard for authorizing access to user resources. At the same time, any third party can use an OAuth authentication service, and any service provider can implement its own OAuth authentication service, so OAuth is open.
Level of support on the various platforms in China
| SNS | OAuth 1.0a | OAuth 2.0 | Notes |
|---|---|---|---|
| Sina Weibo | Not supported (once supported) | Supported | 1.0 authentication was recently dropped, but the 1.0 development documentation is still available for study. |
| Tencent Weibo | Supported | Supported | Both supported; moving to 2.0 |
| QQ Space | Not supported | Supported | Principled; documentation clean and clear |
| Renren | Not supported | Supported | Renren's documentation is poor. |
| Kaixin | Supported | Supported | Both supported; moving to 2.0 |
| Douban | Supported | Not supported | Douban has not done well on its open platform; one glance at its documentation shows it. |
| Sohu Weibo | Supported | Not supported | Documentation average; too little logo material |
| NetEase Weibo | Supported | Supported | Documentation average; rich logo material |
About Development Documentation
Documentation addresses:
Sina: http://open.weibo.com/wiki/%E9%A6%96%E9%A1%B5
QQ Space: http://wiki.opensns.qq.com/wiki/%E3%80%90QQ%E7%99%BB%E5%BD%95%E3%80%91%E6%96%87%E6%A1%A3%E8%B5%84%E6%BA%90
Tencent: http://wiki.open.t.qq.com/index.php/%E9%A6%96%E9%A1%B5
Renren: http://wiki.dev.renren.com/wiki/%E9%A6%96%E9%A1%B5
Kaixin: http://open.kaixin001.com/document.php
Douban: http://www.douban.com/service/apidoc/
Sohu: http://open.t.sohu.com/en/%E9%A6%96%E9%A1%B5
NetEase: http://open.t.163.com/wiki/index.php?title=%E9%A6%96%E9%A1%B5
The most important thing in development is reading the platform's development documentation, and the documentation also shows the professional level of the company or development team. Below I summarize where each platform does well, in the hope that it helps when you use their development documentation.
First of all, I think the more important aspects of an open platform's development documentation are: the OAuth documentation, the API documentation, the SDK, the visual (branding) material, and the description of returned error codes. Of course, these are chosen from my own development experience; you can compare on other aspects according to your actual situation.
(BTW, of the 8 platforms, Douban's documentation is the most primitive, many interfaces are not open, and there is no SDK, but the overall approach is clear and development will not cause much confusion, so it is not mentioned again below.)
OAuth documentation: Of all the documentation, Kaixin and Tencent Weibo do the best. Tencent Weibo has clear schematics (this article also borrows their pictures), and Kaixin describes every detail clearly, so nothing is confusing during development. The worst are the documents for Renren and Sohu. Renren's is OK, but the way they deal with the session key is very confusing and unclear, and many places in the document are not good enough; even the request parameters are not clearly listed. As for Sohu, their OAuth document is actually just links to the Internet (including the OAuth website address and a number of blog addresses); if you are going to do it, do it completely. To get Sohu authentication to succeed, I finally found the interface in the API list and found what I needed in the parameter list. Of the other platforms, Sina is slightly better.
API documentation: This includes the interface description, access rights, request address, supported formats, request method (POST/GET), request parameter descriptions, return results (with examples), and field descriptions. Kaixin does the best: in addition to these, it also gives notes, call examples, and a breakdown of request parameters (API parameters, OAuth 1.0 parameters, OAuth 2.0 parameters). The other platforms are similar, so I won't repeat them.
SDK: In fact, if you do not want to learn the details of OAuth authentication and of invoking the API, you can rely entirely on their SDKs. But there are many limitations. First, for Android development, some sites do not provide an Android SDK (of course, you can use the Java SDK). Second, much of the SDK code is code you will never use (such as Renren's payment function), and importing the whole SDK package makes the program bloated. And if we need to modify some SDK features, reading the SDK code is also very expensive, and the overall structure of each platform's SDK is worlds apart. Among these sites, the Sina, Kaixin, and Tencent Weibo SDKs are better (later, after comparing with the Facebook SDK: they all borrow from it in all sorts of ways). Sohu saddened me the most: it has no SDK at all...
Visual material: Sohu provides very little; the other platforms have a wealth of material.
Overall: Kaixin does the best, so my demo borrows from its SDK; readers can download the SDK from its site and study it themselves. What follows is an introduction to OAuth 1.0 and OAuth 2.0; if you already understand them, feel free to skip it.
Part 1: OAuth 1.0a
Basic steps of OAuth 1 authentication:
1. Obtain an unauthorized request token (temporary credentials)
2. Request the user to authorize the request token
3. Use the authorized request token in exchange for an access token (token credentials)
4. Use the access token to access or modify protected resources
Schematic (from the Tencent Weibo development documentation)
Request Signature
All OAuth requests use the same algorithm to generate the signature base string and the signature.
The base string is built from the HTTP method name, the request URL, and the request parameters, each URL-encoded and joined with the & character. Specifically, the base string consists of the HTTP method name, followed by &, followed by the URL-encoded URL and access path, followed by &. Next come all the request parameters, including the parameters in the POST body: they are sorted by parameter name in text order, and if a parameter name is repeated, the repeated items are sorted by parameter value. Use %3D in place of the = sign and %26 as the delimiter between parameters, and concatenate them into one string.
Schematic (from the Tencent Weibo development documentation)
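    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;

    // encode() (URL encoding) and Base64Encoder are helpers from the demo, not shown here.
    private static String generateSignature(String baseString,
            String consumerKeySecret, String tokenSecret) {

        byte[] byteHMAC = null;
        try {
            Mac mac = Mac.getInstance("HmacSHA1");
            SecretKeySpec spec;
            // Signing key: encoded consumer secret, "&", then the encoded token secret
            // (empty when no token has been issued yet).
            String oauthSignature = encode(consumerKeySecret) + "&"
                    + ((tokenSecret != null) ? encode(tokenSecret) : "");
            spec = new SecretKeySpec(oauthSignature.getBytes(), "HmacSHA1");
            mac.init(spec);
            byteHMAC = mac.doFinal(baseString.getBytes());
        } catch (InvalidKeyException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException ignore) {
            // Should never happen
        }
        // The signature is the Base64 encoding of the HMAC-SHA1 digest.
        return new Base64Encoder().encode(byteHMAC);
    }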
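The base-string rules above, together with the signing-key format used in generateSignature, shown as an added example (not the original author's code or any platform SDK's). It is plain Java 8 using `java.util.Base64`; the class and method names are illustrative, the URL is assumed to be passed without a query string, and the sample values are the public test request from the OAuth Core 1.0 specification, Appendix A.5.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OAuth1Signature {
    // RFC 3986 percent-encoding. URLEncoder does form encoding, so patch the differences.
    static String enc(String s) throws Exception {
        return URLEncoder.encode(s, "UTF-8")
                .replace("+", "%20").replace("*", "%2A").replace("%7E", "~");
    }

    // METHOD & enc(url) & enc("name=value&name=value..."), parameters sorted.
    static String baseString(String method, String url, String[][] params) throws Exception {
        List<String[]> pairs = new ArrayList<>();
        for (String[] p : params) pairs.add(new String[] { enc(p[0]), enc(p[1]) });
        // Sort by encoded name; repeated names are ordered by value.
        pairs.sort((a, b) -> a[0].equals(b[0]) ? a[1].compareTo(b[1]) : a[0].compareTo(b[0]));
        StringBuilder joined = new StringBuilder();
        for (String[] p : pairs) {
            if (joined.length() > 0) joined.append('&');
            joined.append(p[0]).append('=').append(p[1]);
        }
        // Encoding the joined string is what turns "=" into %3D and "&" into %26.
        return method.toUpperCase() + "&" + enc(url) + "&" + enc(joined.toString());
    }

    // Key is enc(consumer secret) & enc(token secret); the token secret is empty in step 1.
    static String sign(String base, String consumerSecret, String tokenSecret) throws Exception {
        String key = enc(consumerSecret) + "&" + (tokenSecret == null ? "" : enc(tokenSecret));
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA1"));
        byte[] digest = mac.doFinal(base.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        // Sample values from the OAuth Core 1.0 specification, Appendix A.5.
        String[][] params = {
            { "oauth_consumer_key", "dpf43f3p2l4k3l03" }, { "oauth_token", "nnch734d00sl2jdk" },
            { "oauth_signature_method", "HMAC-SHA1" }, { "oauth_timestamp", "1191242096" },
            { "oauth_nonce", "kllo9940pd9333jh" }, { "oauth_version", "1.0" },
            { "file", "vacation.jpg" }, { "size", "original" } };
        String base = baseString("GET", "http://photos.example.net/photos", params);
        System.out.println(base);
        System.out.println(sign(base, "kd94hf93k423kf44", "pfkkdhi9sl3r4s00"));
    }
}
```

The printed base string and signature can be compared against the values published in that appendix; a mismatch usually points to the percent-encoding or the parameter sort order.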
Obtain an unauthorized request token
Interface Address:
Supported formats: OAuth HTTP standard authentication return format
HTTP request method: GET/POST
Login required: No
Request Parameters:
| Parameter name | Required | Description |
|---|---|---|
| oauth_consumer_key | true | API key (the API key value in the component information) |
| oauth_signature_method | true | Signature method; only HMAC-SHA1 is supported for now |
| oauth_signature | true | Signature value; key: API secret& |
| oauth_timestamp | true | Timestamp, whose value is the number of seconds since 1970 00:00:00 GMT; must be an integer greater than 0 |
| oauth_nonce | true | One-time value, a randomly generated 32-bit string (must be different for each request) |
| oauth_callback | true | The browser is redirected to this URL after authentication succeeds |
| oauth_version | false | Version number; if supplied, must be 1.0 |
| scope | false | A space-delimited list of permissions. If this parameter is not passed, the default basic permissions are requested. To invoke extended permissions, this parameter must be passed. |
Return parameters:
| Parameter name | Required | Meaning |
|---|---|---|
| oauth_token | true | Unauthorized request token |
| oauth_token_secret | true | The corresponding request token secret |
| oauth_callback_confirmed | true | Confirmation of oauth_callback (true/false) |
Note: Some platforms do not require the scope parameter; refer to each platform's development documentation when developing.
    // Requires: android.content.Context, android.os.Bundle, android.text.TextUtils, java.io.IOException.
    // Util, the URL/key constants and the setters belong to the demo and are not shown here.
    public boolean getRequestToken(Context context, String callbackUrl,
            String[] permissions) throws IOException {
        Bundle params = new Bundle();
        params.putString("oauth_callback", callbackUrl);
        if (permissions != null && permissions.length > 0) {
            // scope is a space-delimited list of permissions
            String scope = TextUtils.join(" ", permissions);
            params.putString("scope", scope);
        }
        // Adds the OAuth parameters and the signature; no token secret exists yet, hence null.
        params = Util.generateUrlParams(OAUTH1_REQUEST_TOKEN_URL, GET_METHOD,
                params, CONSUMER_KEY, CONSUMER_SECRET, null);

        String response = Util.openUrl(context, OAUTH1_REQUEST_TOKEN_URL,
                GET_METHOD, params, null);
        if (response == null) {
            return false;
        }

        // The response body is a URL-encoded list of name=value pairs.
        Bundle bundle = Util.decodeUrl(response);
        String token = (String) bundle.get(OUATH_TOKEN);
        String tokenSecret = (String) bundle.get(OUATH_TOKEN_SECRET);
        if (token == null || tokenSecret == null) {
            return false;
        }
        setRequestToken(token);
        setRequestTokenSecret(tokenSecret);
        return true;
    }
Request user authorization of the request token
Interface Address:
Supported formats: OAuth HTTP standard authentication return format
HTTP request method: GET/POST
Login required: No
Request Parameters:
| Parameter name | Required | Meaning |
|---|---|---|
| oauth_token | true | Unauthorized request token obtained in the previous step |
| wap/client_type | false | Sets the form of the user authentication interface (PC or mobile); refer to each platform's documentation |
Return parameters:
| Parameter name | Required | Meaning |
|---|---|---|
| oauth_token | true | Token value after user authorization; same as the unauthorized token value |
| oauth_verifier | true | Verification code |
Exchange the authorized request token for an access token
Interface Address:
Supported formats: OAuth HTTP standard authentication return format
HTTP request method: GET/POST
Login required: No
Request Parameters:
| Parameter name | Required | Meaning |
|---|---|---|
| oauth_consumer_key | true | API key |
| oauth_token | true | Request token received in the first step |
| oauth_signature_method | true | Signature method; only HMAC-SHA1 is supported for now |
| oauth_signature | true | Signature value (key: API secret&request token secret) |
| oauth_timestamp | true | Timestamp, whose value is the number of seconds since 1970 00:00:00 GMT; must be an integer greater than 0 |
| oauth_nonce | true | One-time value, a randomly generated 32-bit string to prevent replay attacks (must be different for each request) |
| oauth_verifier | true | The verification code returned when the request token was authorized in the previous step |
| oauth_version | false | Version number; if supplied, must be 1.0 |
Return parameters: