OAuth Complete Manual _ domestic article

Source: Internet
Author: User
Tags comparison manual error code hmac http request integer oauth account security

This article is mainly about OAuth certification and the major platform of the rough comparison, if there are flaws, hope please understand.

Reprint Please specify: http://www.cnblogs.com/lingyun1120/archive/2012/07/11/2585767.html

  Preface: development objectives and Progress

The use of work on the SNS site research, the integration of multiple SNS platform, one-click Sharing. The use of leisure time to do a demo, there are many needs to improve the place, please give us a lot of advice.

At present, the basic progress is the completion of the Sina Weibo, Tencent Weibo, QQ space, Renren, happy, Douban, Sohu Weibo, NetEase micro Bo, including 8 of the main domestic web site OAuth authentication and simple API use. To this end I summed up a blog, a detailed analysis of the OAuth certification process points, as well as several major platforms comparison.

Here are the relevant UI for my demo and login to each platform for the authentication Interface (WebView).

  

  

OAuth Introduction

In the sharing process will inevitably take into account the user account security issues, third-party programs should not directly contact user account information, but no account information, and how to obtain the SNS platform data. OAuth solves this problem by initiating the authentication process from a third party, completing the authentication process in WebView or the browser, and obtaining access tokens in place of the account password to obtain the platform data. The OAuth protocol provides a secure, open, and easy standard for the authorization of user resources. At the same time, any third party can use the OAuth Authentication Service, and any service provider can implement its own OAuth authentication service, so OAuth is open. level of support for various platforms in China

  

SNS

oauth1.0a

OAuth2.0

Notes

Sina Weibo

Not supported (once supported)

Support

1.0 certification has recently been waived. But 1.0 of the development documentation is still available for learning.

Tencent Weibo

Support

Support

Both support and change to 2.0

QQ Space

Not supported

Support

Moral integrity side, document clean and clear

Everyone

Not supported

Support

Everybody's got a bad document.

Happy

Support

Support

Both support and change to 2.0

Douban

Support

Not supported

Watercress in the development of the platform does not do well, look at its documents on a glance.

Sohu Weibo

Support

Not supported

Document in general, too few logo material

NetEase Weibo

Support

Support

General documentation, rich logo material

About Development Documentation

Document Address:

Sina: http://open.weibo.com/wiki/%E9%A6%96%E9%A1%B5

Space:

Http://wiki.opensns.qq.com/wiki/%E3%80%90QQ%E7%99%BB%E5%BD%95%E3%80%91%E6%96%87%E6%A1%A3%E8%B5%84%E6%BA%90

Tencent: Http://wiki.open.t.qq.com/index.php/%E9%A6%96%E9%A1%B5

Everyone: http://wiki.dev.renren.com/wiki/%E9%A6%96%E9%A1%B5

Happy: http://open.kaixin001.com/document.php

Watercress: http://www.douban.com/service/apidoc/

Sohu: http://open.t.sohu.com/en/%E9%A6%96%E9%A1%B5

NetEase: http://open.t.163.com/wiki/index.php?title=%E9%A6%96%E9%A1%B5

The most important thing in our development is to look at the development documentation of the platform, as well as the professional level of the company or development team from the development documentation. Here are some of the best aspects of the platforms I've summed up, as well as adding some help when you use development documentation.

First of all, I think an open platform development document is more important points: OAuth document, API documentation, SDK, visual (marking) footage, return error code Description of these aspects, of course, this is from my existing development experience to choose, you can focus on other aspects of the actual situation to compare.

(btw,8 platform in the watercress document is the most primitive, and many interfaces are not open, no SDK, but the overall idea is clear, the development will not be too much confusion, so the following no longer mentioned. )

OAuth Documentation: All documents with happy and Tencent Weibo do the best, Tencent Weibo is a clear schematic, this article is also quoted their pictures, and happy in every detail is described clearly, there will be no confusion in the development of the place. The worst is the document for everyone and Sohu, everyone is OK, but because they deal with the session key is very confusing, not clear, and there are many places in the document is not good enough, even the request parameters are not clearly listed, And Sohu is that their OAuth document is actually a link to the Internet (including the OAuth website address, a number of blog addresses), since done to do the complete. In order to be successful in the Sohu certification, I finally found the interface in the API list, found in the parameter list. Other platforms, Sina slightly better, other Dora bar.

API Documentation: Includes interface description, access rights, request address, support format, request method (Post/get), request parameter description, return result (with example), field description. The best thing to do is to be happy, in addition to these instructions, you will also give notice, call example, request parameter subdivision (API parameter, OAuth1.0 parameter, OAuth2.0 parameter). Other platforms are similar and don't repeat them.

SDK: In fact, if you do not want to know about OAuth authentication and the details of invoking the API, you can use their SDK entirely. But there are many limitations: first as Android development, some sites do not provide ANDROIDSDK (of course, you can use the Java SDK), and then many of the SDK code you do not need to use (such as everyone's payment function), directly into the SDK package will also cause the program bloated; How we need to modify some of the SDK features, reading the SDK code is also very expensive, the overall structure of the SDK for each platform is also the day difference. These sites, Sina, happy, Tencent Weibo SDK is better (later, compared with the Facebook SDK, we are all kinds of reference AH). and Sohu Most let me sad, incredibly what SDK are not ...

Visual Material: Sohu provides very rare, other platforms have a wealth of material.

Comprehensive: Happy net should be done better, for this my demo is to learn from its SDK, to the reader can go to the net himself Download SDK research, the following is about OAuth1.0 and OAuth2.0 introduction, if you already understand, please ignore it directly.

  Part 1:oauth 1.0a OAUTH1 Certification basic steps:    Obtaining an unauthorized request token (temporary credentials) requests the user to authorize the requesting token to use the authorized request token in exchange for access tokens (token Credentials) use Access Token to access or modify protected resources

schematic (from Tencent Weibo development documentation)

  Request Signature

All OAuth requests use the same algorithm to generate (signature base string) signature Word's baseline strings and signatures.

Base string is the URL encode encoded with the HTTP method name, the request URL, and the request parameter connected with the & character. In particular, the base string is represented by the HTTP method name, followed by &, followed by the URL and access path after the URL encoding (url-encoded) and &. Next, all the request parameters include the parameters in the Post method body, sorted by the parameter name for text sorting, if the parameter name is repeated and then the parameter value for repeating item sorting, use%3d instead of the = sign, and use%26 as the delimiter between each parameter, stitching into a string.

schematic (from Tencent Weibo development documentation)

  

    

1     private static string Generatesignature (String basestring,
 2             string Consumerkeysecret, String Tokensecret) {
 3 
 4         byte[] Bytehmac = null;
 5         try {
 6             mac mac = mac.getinstance ("HmacSHA1");
 7             Secretkeyspec spec;
 8             String oauthsignature = Encode (Consumerkeysecret) + "&"
 9                     + ((Tokensecret! = null)? Encode ( Tokensecret): "");
Ten             spec = new Secretkeyspec (Oauthsignature.getbytes (), "HmacSHA1");             Mac.init (spec);             Bytehmac = mac.dofinal (Basestring.getbytes ());         (InvalidKeyException e) {             e.printstacktrace ();         (NoSuchAlgorithmException ignore) {             //Should never happen)         return new Base64encoder (). Encode (BYTEHMAC);
+     }

obtain an unauthorized request Token

Interface Address:

Supported formats: OAuth HTTP standard authentication return format

HTTP request method: Get/post

Whether you need to sign in: No

Request Parameters:

is supported temporarily
parameter name required introduction
oauth_consumer_key true api key (API key value in component information)
oauth_signature_method true signing method, only HMAC-SHA1
oauth_signature true signature value, key: API secret&
oauth_timestamp true timestamp, whose value is the number of seconds from 1970 00:00:00 GMT, must be an integer greater than 0
oauth_nonce true One-time value, randomly generated 32-bit string (each request must be different)
oauth_callback true The browser will be redirected to this URL after the authentication is successful
oauth_version false version number, if complete must be 1.0
Scope false a space-delimited list of permissions that, if this parameter is not passed, represents the default basic permission requested.
If you want to invoke extended permissions, you must pass this parameter,

Return parameters:

Name of parameter Must-Choose Significance
Oauth_token True Unauthorized Request Token
Oauth_token_secret True The corresponding request Token Secret
Oauth_callback_confirmed True Confirmation signal to Oauth_callback (True/false)

Note: Some platforms do not need to enter the scope parameter, please refer to the development documentation when developing.

1 public booleanGetrequesttoken(context context, String Callbackurl, 2 string[] permissions) throws IOException {3 B
 Undle params = new Bundle ();
 4 params.putstring ("Oauth_callback", Callbackurl); 5 if (Permissions! = null && permissions.length > 0) {6 String scope = Textutils.join (""
 , permissions);
 7 params.putstring ("Scope", scope); 8} 9 params = Util.generateurlparams (Oauth1_request_token_url, Get_method, ten params, CO
Nsumer_key, Consumer_secret, NULL); 
One String response = Util.openurl (context, Oauth1_request_token_url, get_method, params, null); if (response = = NULL) {return false;] + Bundle bundle = Util.decodeur
L (response);
String token = (string) bundle.get (Ouath_token);
String Tokensecret = (string) bundle.get (Ouath_token_secret); if (token = = NULL | | tokensecret = = NULL) {return false;] Setrequesttoken (token);
Setrequesttokensecret (Tokensecret);
return true; 28}
requesting user authorization request Token

Interface Address:

Supported formats: OAuth HTTP standard authentication return format

HTTP request method: Get/post

Whether you need to sign in: No

Request Parameters:

Name of parameter Must-Choose Significance
Oauth_token True Unauthorized request Token obtained in the previous step
Wap/client_type False Set user authentication interface form, PC or mobile, refer to the respective documentation

Return parameters:

Name of parameter Must-Choose Significance
Oauth_token True Token value after user authorization, same as unauthorized token value
Oauth_verifier True Verification Code
use authorized request token for access token

Interface Address:

Supported formats: OAuth HTTP standard authentication return format

HTTP request method: Get/post

Whether you need to sign in: No

Request Parameters:

is supported temporarily
parameter name required meaning
oauth_consumer_key true api Key
oauth_token true request token received in the first step
oauth_signature_method true signing method, only HMAC-SHA1
oauth_signature true signature Value (key: API secret&request Token Secret)
oauth_timestamp true timestamp, whose value is the number of seconds from 1970 00:00:00 GMT, must be an integer greater than 0
oauth_nonce true one-time value, randomly generated 32-bit string to prevent replay attacks (each request must be different)
oauth_verifier true The verification code returned when requesting token is authorized in the previous step
oauth_version flase version number, if complete must be 1.0

Return parameters:

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.