Abstract: The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Unlike earlier authorization methods, OAuth never lets the third party handle the user's account credentials (such as a user name and password): the third party requests authorization for the user's resources without ever using those credentials, which is what makes OAuth secure. At the same time, any third party can use an OAuth authorization service, and any service provider can implement its own, which makes OAuth open. OAuth is simple because the industry has produced many implementations, such as client libraries for a range of languages, which save programmers a great deal of time. Many Internet services with open APIs, including those of large companies such as Google, Yahoo! and Microsoft, already provide OAuth authorization, which shows that OAuth is gradually becoming the standard for authorizing access to open resources.
I. Background: why OAuth was created
A typical case: suppose a user uses two services, an online picture storage service A and an online picture printing service B (the original article illustrates this with a figure). Since A and B are run by different providers, the user has registered an account on each provider's website, and we assume the two user names and the two passwords differ. What should the user do to print, with service B, a picture stored on service A? Option one: download the picture from service A and upload it to service B for printing. This is safe but cumbersome and inefficient. Option two: give service B the user name and password registered on service A, so that B logs in to A with the user's account and downloads the picture itself. This is more efficient, but far less secure: with the user's credentials, service B can view, and even tamper with, all of the user's resources on service A.
Many companies and individuals, Google, Yahoo! and Microsoft among them, tried to solve this problem, and that effort led to the creation of the OAuth project team. OAuth was initiated jointly by Blaine Cook, Chris Messina, Larry Halff and David Recordon to provide an open standard for API access authorization. Version 1.0 of the OAuth specification was released on December 4, 2007. More information is available on the official website.
II. Introduction to OAuth
The home page of the official website introduces it as follows:
An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.
In other words, OAuth is an open protocol that gives desktop applications and browser-based web applications a simple, standard way to call API services that require the user's authorization. OAuth is similar in purpose to Flickr Auth, Google's AuthSub, Yahoo!'s BBAuth, Facebook Auth and others. OAuth authorization has the following characteristics:
1. Simple: whether you are an OAuth service provider or an application developer, it is easy to understand and use;
2. Secure: the third party never handles the user's password or other secrets, which is both more secure and more flexible;
3. Open: any service provider can implement OAuth, and any software developer can use it.
III. OAuth-related terminology
Before working through the OAuth flow, here are the definitions of the OAuth terms used below:
- The three OAuth URLs:
- Request Token URL: the endpoint that issues an unauthorized request token;
- User Authorization URL: the endpoint where the user authorizes the request token;
- Access Token URL: the endpoint that exchanges an authorized request token for an access token.
- OAuth parameters:
- oauth_consumer_key: the consumer's identifier. The direct user of the OAuth service is an application written by a developer, so this value is normally obtained by registering the application with the OAuth service provider, which then issues the application's oauth_consumer_key. Yahoo!, for example, issues it when an application is registered on its site.
- oauth_consumer_secret: the secret that corresponds to oauth_consumer_key.
- oauth_signature_method: the method used to sign the request string; the application must sign every request it sends to any of the three OAuth URLs. The signature methods are HMAC-SHA1, RSA-SHA1 and PLAINTEXT.
- oauth_signature: the signature of the request, computed with the method above.
- oauth_timestamp: the time the request was made, as the number of seconds since 1970-01-01 00:00:00 GMT; it must be a positive integer, and must be greater than or equal to the timestamp of the previous request.
- oauth_nonce: a randomly generated string, unique for each request, that lets the service provider detect replayed requests.
- oauth_version: the OAuth version; optional, and if present its value must be 1.0.
OAuth HTTP response codes:
- HTTP 400 Bad Request
- Unsupported Parameter: a parameter is not supported
- Unsupported Signature Method: the signature method is not supported
- Missing Required Parameter: a required parameter is missing
- Duplicated OAuth Protocol Parameter: a parameter is repeated
- HTTP 401 Unauthorized
- Invalid Consumer Key: the consumer key is unknown
- Invalid / Expired Token: the token is invalid or has expired
- Invalid Signature: the signature does not verify
- Invalid / Used Nonce: the nonce is invalid or has already been used
IV. The OAuth authorization process
With the terminology in place, we can look at the OAuth authorization process. In simple terms it consists of three steps, which can be summed up in three sentences:
1. Obtain an unauthorized request token
2. Have the user authorize the request token
3. Exchange the authorized request token for an access token
Once the application holds an access token, it can access the resources the user has authorized. Notice that these three steps correspond exactly to the three OAuth URLs: each step sends a request to one URL, receives the relevant information, and uses what the previous step returned to call the next URL, until the access token is obtained. The original article illustrates the steps in a figure; each step proceeds as follows:
A. The consumer (the third-party application) asks the OAuth service provider for an unauthorized request token. It sends a request to the Request Token URL carrying oauth_consumer_key, oauth_signature_method, oauth_signature, oauth_timestamp, oauth_nonce and, optionally, oauth_version (the original article shows these parameters in a figure).
B. The service provider accepts the request, issues an unauthorized oauth_token together with its oauth_token_secret, and returns them to the consumer.
C. The consumer asks the user to authorize the request token: it directs the user to the User Authorization URL, passing the unauthorized token obtained in the previous step.
D. The service provider guides the user through authorization, which may include telling the user which protected resources the application is asking for. This step may or may not return the authorized request token to the consumer; Yahoo! OAuth, for example, returns nothing.
E. Once the request token has been authorized, the consumer sends a request to the Access Token URL to exchange the authorized request token for an access token. The parameters are those of step A plus one more, oauth_token, carrying the request token; the request is signed with both the consumer secret and the token secret.
F. The service provider accepts the request and issues an access token with its corresponding secret, returning both to the consumer.
G. From then on the consumer uses the access token returned in the previous step, signing each request with the consumer secret and the access token secret, to access the resources the user authorized.
As these steps show, the user never gives a user name, password or similar credential to the consumer (the third-party application), which is what makes the scheme more secure. Applied to the typical case from the background section: when service B (the printing service) wants to access the user's data on service A (the picture service), it uses OAuth to request an unauthorized request token from service A; service A directs the user to log in on its own website and asks whether the picture service should be made available to service B; once the user agrees, service B can access the user's pictures on service A. At no point does service B touch the user's account credentials for service A. The figure in the original article labels its arrows with the same letters as the steps above.
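The exchange in steps A to G, worked through in code. This is an added example, not code from the original article or from any OAuth library: it implements the consumer's side (building and signing the oauth_* parameters from section III with HMAC-SHA1) and the service provider's side (the 400/401 checks listed above, including the timestamp-ordering and used-nonce rules) against constructed values. The consumer key/secret pair and the photos URL are the ones used in the OAuth 1.0 specification's own worked example; the request-token and access-token URLs, the token values and the user name are made up for the demonstration.

```python
"""OAuth 1.0 three-legged flow with HMAC-SHA1, consumer and provider sides, stdlib only."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

CONSUMER_KEY, CONSUMER_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"  # constructed (spec's example pair)
REQUEST_TOKEN_URL = "https://photos.example.net/request_token"             # constructed URLs
ACCESS_TOKEN_URL = "https://photos.example.net/access_token"
PHOTOS_URL = "http://photos.example.net/photos"

def pct(value):  # OAuth percent-encoding: only A-Z a-z 0-9 - . _ ~ stay literal
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """Signature Base String: METHOD & enc(url) & enc(sorted name=value pairs, signature excluded)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 of the base string, keyed with enc(consumer_secret)&enc(token_secret), base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()).decode()

def oauth_request(method, url, token=None, token_secret="", extra=None):
    """Consumer side: the oauth_* parameters for one request, with a fresh nonce and timestamp."""
    params = {"oauth_consumer_key": CONSUMER_KEY, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
              "oauth_version": "1.0", **({"oauth_token": token} if token else {}), **(extra or {})}
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return params

class Provider:
    REQUIRED = ("oauth_consumer_key", "oauth_signature_method", "oauth_signature", "oauth_timestamp", "oauth_nonce")

    def __init__(self):
        self.consumers = {CONSUMER_KEY: CONSUMER_SECRET}
        self.tokens = {}            # token -> {"secret", "authorized", "access", "user"}
        self.seen_nonces = set()    # (consumer_key, timestamp, nonce) already accepted
        self.last_timestamp = {}    # consumer_key -> last accepted timestamp

    def verify(self, method, url, params):  # the 400/401 checks; returns the token record or None
        missing = [p for p in self.REQUIRED if p not in params]
        if missing:
            raise PermissionError("400 Missing required parameter: " + ",".join(missing))
        if params["oauth_signature_method"] != "HMAC-SHA1":
            raise PermissionError("400 Unsupported signature method")
        ckey = params["oauth_consumer_key"]
        if ckey not in self.consumers:
            raise PermissionError("401 Invalid consumer key")
        ts = int(params["oauth_timestamp"])
        if ts < self.last_timestamp.get(ckey, 0):
            raise PermissionError("401 Invalid/expired timestamp")
        if (ckey, ts, params["oauth_nonce"]) in self.seen_nonces:
            raise PermissionError("401 Invalid/used nonce")
        record = self.tokens.get(params.get("oauth_token"))
        if "oauth_token" in params and record is None:
            raise PermissionError("401 Invalid/expired token")
        expected = sign(method, url, params, self.consumers[ckey], record["secret"] if record else "")
        if not hmac.compare_digest(expected, params["oauth_signature"]):
            raise PermissionError("401 Invalid signature")
        self.seen_nonces.add((ckey, ts, params["oauth_nonce"]))
        self.last_timestamp[ckey] = ts
        return record

    def request_token(self, params):                      # steps A and B
        self.verify("POST", REQUEST_TOKEN_URL, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"secret": secret, "authorized": False, "access": False}
        return token, secret

    def authorize(self, token, user):                     # steps C and D: the user consents
        self.tokens[token].update(authorized=True, user=user)

    def access_token(self, params):                       # steps E and F
        record = self.verify("POST", ACCESS_TOKEN_URL, params)
        if not record or not record["authorized"] or record["access"]:
            raise PermissionError("401 Invalid/expired token")
        del self.tokens[params["oauth_token"]]            # a request token is single-use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"secret": secret, "authorized": True, "access": True, "user": record["user"]}
        return token, secret

    def protected_resource(self, params):                 # step G
        record = self.verify("GET", PHOTOS_URL, params)
        if not record or not record["access"]:
            raise PermissionError("401 Invalid/expired token")
        return f"photos of {record['user']}"

def run_flow(provider, user="alice"):  # steps A to G end to end
    rt, rts = provider.request_token(oauth_request("POST", REQUEST_TOKEN_URL))
    provider.authorize(rt, user)   # the user logs in at the User Authorization URL and agrees
    at, ats = provider.access_token(oauth_request("POST", ACCESS_TOKEN_URL, rt, rts))
    return provider.protected_resource(oauth_request("GET", PHOTOS_URL, at, ats))

def error_of(call, *args):  # the provider's rejection text, or None if the call was accepted
    try:
        call(*args)
    except PermissionError as exc:
        return str(exc)
    return None
```

`run_flow(Provider())` walks the whole exchange and returns the protected resource; resubmitting a captured request is rejected with "Invalid/used nonce" before the signature is even checked, and a request token is deleted the moment it is exchanged, so it cannot be exchanged twice. Note that this is OAuth 1.0 exactly as the article describes it: the later revision 1.0a adds an oauth_callback parameter in step A and a provider-issued oauth_verifier that the consumer must present in step E, so a production implementation should follow 1.0a rather than this flow.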
V. OAuth service providers
The OAuth standard was proposed less than two years ago, but it has already been a great success: libraries are available in many languages, and Google, Yahoo!, Microsoft and other Internet companies have implemented the protocol. Since there are so many OAuth client packages, there is no need to write your own; avoid reinventing the wheel and just pick one up. I used these libraries to access Yahoo!'s OAuth service, and they worked very well! Here are some screenshots to share with you.
Screenshot: the OAuth service provider directs the user to log in (if the user was not already logged in).
Screenshot: the page that asks the user to grant permission to the third-party application.
Screenshot: the message telling the user that authorization succeeded.
Some service providers not only implement the OAuth protocol itself but also offer friendlier extras, such as a page for managing the applications that have been granted access. Yahoo!'s application management page, for example (shown in the original screenshot), lets users revoke the authorization of individual applications.