OAuth Complete Manual _ domestic article

This article is mainly about OAuth certification and the major platform of the rough comparison, if there are flaws, hope please understand.

Reprint Please specify: http://www.cnblogs.com/lingyun1120/archive/2012/07/11/2585767.html

　　Preface: development objectives and Progress

The use of work on the SNS site research, the integration of multiple SNS platform, one-click Sharing. The use of leisure time to do a demo, there are many needs to improve the place, please give us a lot of advice.

At present, the basic progress is the completion of the Sina Weibo, Tencent Weibo, QQ space, Renren, happy, Douban, Sohu Weibo, NetEase micro Bo, including 8 of the main domestic web site OAuth authentication and simple API use. To this end I summed up a blog, a detailed analysis of the OAuth certification process points, as well as several major platforms comparison.

Here are the relevant UI for my demo and login to each platform for the authentication Interface (WebView).

　　

　　

OAuth Introduction

In the sharing process will inevitably take into account the user account security issues, third-party programs should not directly contact user account information, but no account information, and how to obtain the SNS platform data. OAuth solves this problem by initiating the authentication process from a third party, completing the authentication process in WebView or the browser, and obtaining access tokens in place of the account password to obtain the platform data. The OAuth protocol provides a secure, open, and easy standard for the authorization of user resources. At the same time, any third party can use the OAuth Authentication Service, and any service provider can implement its own OAuth authentication service, so OAuth is open. level of support for various platforms in China

　　

SNS	oauth1.0a	OAuth2.0	Notes
Sina Weibo	Not supported (once supported)	Support	1.0 certification has recently been waived. But 1.0 of the development documentation is still available for learning.
Tencent Weibo	Support	Support	Both support and change to 2.0
QQ Space	Not supported	Support	Moral integrity side, document clean and clear
Everyone	Not supported	Support	Everybody's got a bad document.
Happy	Support	Support	Both support and change to 2.0
Douban	Support	Not supported	Watercress in the development of the platform does not do well, look at its documents on a glance.
Sohu Weibo	Support	Not supported	Document in general, too few logo material
NetEase Weibo	Support	Support	General documentation, rich logo material

About Development Documentation

Document Address:

Sina: http://open.weibo.com/wiki/%E9%A6%96%E9%A1%B5

Space:

Http://wiki.opensns.qq.com/wiki/%E3%80%90QQ%E7%99%BB%E5%BD%95%E3%80%91%E6%96%87%E6%A1%A3%E8%B5%84%E6%BA%90

Tencent: Http://wiki.open.t.qq.com/index.php/%E9%A6%96%E9%A1%B5

Everyone: http://wiki.dev.renren.com/wiki/%E9%A6%96%E9%A1%B5

Happy: http://open.kaixin001.com/document.php

Watercress: http://www.douban.com/service/apidoc/

Sohu: http://open.t.sohu.com/en/%E9%A6%96%E9%A1%B5

NetEase: http://open.t.163.com/wiki/index.php?title=%E9%A6%96%E9%A1%B5

The most important thing in our development is to look at the development documentation of the platform, as well as the professional level of the company or development team from the development documentation. Here are some of the best aspects of the platforms I've summed up, as well as adding some help when you use development documentation.

First of all, I think an open platform development document is more important points: OAuth document, API documentation, SDK, visual (marking) footage, return error code Description of these aspects, of course, this is from my existing development experience to choose, you can focus on other aspects of the actual situation to compare.

(btw,8 platform in the watercress document is the most primitive, and many interfaces are not open, no SDK, but the overall idea is clear, the development will not be too much confusion, so the following no longer mentioned. ）

OAuth Documentation: All documents with happy and Tencent Weibo do the best, Tencent Weibo is a clear schematic, this article is also quoted their pictures, and happy in every detail is described clearly, there will be no confusion in the development of the place. The worst is the document for everyone and Sohu, everyone is OK, but because they deal with the session key is very confusing, not clear, and there are many places in the document is not good enough, even the request parameters are not clearly listed, And Sohu is that their OAuth document is actually a link to the Internet (including the OAuth website address, a number of blog addresses), since done to do the complete. In order to be successful in the Sohu certification, I finally found the interface in the API list, found in the parameter list. Other platforms, Sina slightly better, other Dora bar.

API Documentation: Includes interface description, access rights, request address, support format, request method (Post/get), request parameter description, return result (with example), field description. The best thing to do is to be happy, in addition to these instructions, you will also give notice, call example, request parameter subdivision (API parameter, OAuth1.0 parameter, OAuth2.0 parameter). Other platforms are similar and don't repeat them.

SDK: In fact, if you do not want to know about OAuth authentication and the details of invoking the API, you can use their SDK entirely. But there are many limitations: first as Android development, some sites do not provide ANDROIDSDK (of course, you can use the Java SDK), and then many of the SDK code you do not need to use (such as everyone's payment function), directly into the SDK package will also cause the program bloated; How we need to modify some of the SDK features, reading the SDK code is also very expensive, the overall structure of the SDK for each platform is also the day difference. These sites, Sina, happy, Tencent Weibo SDK is better (later, compared with the Facebook SDK, we are all kinds of reference AH). and Sohu Most let me sad, incredibly what SDK are not ...

Visual Material: Sohu provides very rare, other platforms have a wealth of material.

Comprehensive: Happy net should be done better, for this my demo is to learn from its SDK, to the reader can go to the net himself Download SDK research, the following is about OAuth1.0 and OAuth2.0 introduction, if you already understand, please ignore it directly.

　　Part 1:oauth 1.0a OAUTH1 Certification basic steps: 　　 Obtaining an unauthorized request token (temporary credentials) requests the user to authorize the requesting token to use the authorized request token in exchange for access tokens (token Credentials) use Access Token to access or modify protected resources

schematic (from Tencent Weibo development documentation)

　　Request Signature

All OAuth requests use the same algorithm to generate (signature base string) signature Word's baseline strings and signatures.

Base string is the URL encode encoded with the HTTP method name, the request URL, and the request parameter connected with the & character. In particular, the base string is represented by the HTTP method name, followed by &, followed by the URL and access path after the URL encoding (url-encoded) and &. Next, all the request parameters include the parameters in the Post method body, sorted by the parameter name for text sorting, if the parameter name is repeated and then the parameter value for repeating item sorting, use%3d instead of the = sign, and use%26 as the delimiter between each parameter, stitching into a string.

schematic (from Tencent Weibo development documentation)

　　

　　　　

1     private static string Generatesignature (String basestring,
 2             string Consumerkeysecret, String Tokensecret) {
 3 
 4         byte[] Bytehmac = null;
 5         try {
 6             mac mac = mac.getinstance ("HmacSHA1");
 7             Secretkeyspec spec;
 8             String oauthsignature = Encode (Consumerkeysecret) + "&"
 9                     + ((Tokensecret! = null)? Encode ( Tokensecret): "");
Ten             spec = new Secretkeyspec (Oauthsignature.getbytes (), "HmacSHA1");             Mac.init (spec);             Bytehmac = mac.dofinal (Basestring.getbytes ());         (InvalidKeyException e) {             e.printstacktrace ();         (NoSuchAlgorithmException ignore) {             //Should never happen)         return new Base64encoder (). Encode (BYTEHMAC);
+     }

obtain an unauthorized request Token

Interface Address:

Supported formats: OAuth HTTP standard authentication return format

HTTP request method: Get/post

Whether you need to sign in: No

Request Parameters:

is supported temporarily

parameter name	required	introduction
oauth_consumer_key	true	api key (API key value in component information)
oauth_signature_method	true	signing method, only HMAC-SHA1
oauth_signature	true	signature value, key: API secret&
oauth_timestamp	true	timestamp, whose value is the number of seconds from 1970 00:00:00 GMT, must be an integer greater than 0
oauth_nonce	true	One-time value, randomly generated 32-bit string (each request must be different)
oauth_callback	true	The browser will be redirected to this URL after the authentication is successful
oauth_version	false	version number, if complete must be 1.0
Scope	false	a space-delimited list of permissions that, if this parameter is not passed, represents the default basic permission requested. If you want to invoke extended permissions, you must pass this parameter,

Return parameters:

Name of parameter	Must-Choose	Significance
Oauth_token	True	Unauthorized Request Token
Oauth_token_secret	True	The corresponding request Token Secret
Oauth_callback_confirmed	True	Confirmation signal to Oauth_callback (True/false)

Note: Some platforms do not need to enter the scope parameter, please refer to the development documentation when developing.

1 public booleanGetrequesttoken(context context, String Callbackurl, 2 string[] permissions) throws IOException {3 B
 Undle params = new Bundle ();
 4 params.putstring ("Oauth_callback", Callbackurl); 5 if (Permissions! = null && permissions.length > 0) {6 String scope = Textutils.join (""
 , permissions);
 7 params.putstring ("Scope", scope); 8} 9 params = Util.generateurlparams (Oauth1_request_token_url, Get_method, ten params, CO
Nsumer_key, Consumer_secret, NULL); 
One String response = Util.openurl (context, Oauth1_request_token_url, get_method, params, null); if (response = = NULL) {return false;] + Bundle bundle = Util.decodeur
L (response);
String token = (string) bundle.get (Ouath_token);
String Tokensecret = (string) bundle.get (Ouath_token_secret); if (token = = NULL | | tokensecret = = NULL) {return false;] Setrequesttoken (token);
Setrequesttokensecret (Tokensecret);
return true; 28}

requesting user authorization request Token

Interface Address:

Supported formats: OAuth HTTP standard authentication return format

HTTP request method: Get/post

Whether you need to sign in: No

Request Parameters:

Name of parameter	Must-Choose	Significance
Oauth_token	True	Unauthorized request Token obtained in the previous step
Wap/client_type	False	Set user authentication interface form, PC or mobile, refer to the respective documentation

Return parameters:

Name of parameter	Must-Choose	Significance
Oauth_token	True	Token value after user authorization, same as unauthorized token value
Oauth_verifier	True	Verification Code

use authorized request token for access token

Interface Address:

Supported formats: OAuth HTTP standard authentication return format

HTTP request method: Get/post

Whether you need to sign in: No

Request Parameters:

is supported temporarily

parameter name	required	meaning
oauth_consumer_key	true	api Key
oauth_token	true	request token received in the first step
oauth_signature_method	true	signing method, only HMAC-SHA1
oauth_signature	true	signature Value (key: API secret&request Token Secret)
oauth_timestamp	true	timestamp, whose value is the number of seconds from 1970 00:00:00 GMT, must be an integer greater than 0
oauth_nonce	true	one-time value, randomly generated 32-bit string to prevent replay attacks (each request must be different)
oauth_verifier	true	The verification code returned when requesting token is authorized in the previous step
oauth_version	flase	version number, if complete must be 1.0

Return parameters: