Sina Weibo Open Platform oauth authorization solution (including code)

A friend needs to use the Sina Weibo interface in his project a few days ago. Therefore, he and his friend studied the information provided on the Sina Weibo open platform, first, you need to use these interfaces to log on and authorize users. The Sina Weibo open platform actually provides two authorization methods. The first one is:Oauth authorization method, The second is:HTTP common authentication methodWe used the first method for authorization. However, we encountered many problems during the implementation process. I think the open platform for Sina Weibo is still representative, so I shared my experience, download my demo.

Oauth is an international authorization method,It does not require the user to enter the user name and password in a third-party application.So the security is very high, so the flowchart of oauth authorization in Sina Weibo's open platform is as follows:

In factProgramStep 4:

1. Obtain the request token.

2. user authentication.

3. Obtain the access token.

4. obtain user information.

In the process of oauth authorization, I also encountered several common problems in the Sina Open Platform Forum. Here I will summarize my ideas and solutions:

1. Callback problem during requesttoken.

2. error 401.

3. Error 403.

4. Error 500.

5. Unauthorized error.

By the way, you must apply for an application to call the Sina Weibo interface. After the application is successfully applied, you will get an app key number and app secret number, we also need to use these two parameters to request authorization. In addition, there is an oauthbase download on the Internet, but we need to download the corresponding version, which is also available in my demo.CodeIs In The oauthbase. CS file.

1. Get the request token:

Directly run the Code:

Public void getrequesttoken () {URI uri = new uri (requesttokenuri); string nonce = oauth. generatenonce (); // obtain randomly generated strings to prevent string timestamp = oauth attacks. generatetimestamp (); // The timestamp string normalizeurl, normalizedrequestparameters that initiates the request; // The signature string Sig = oauth. generatesignature (Uri, apikey, apikeysecret, String. empty, String. empty, "get", timestamp, nonce, String. empty, out normalizeurl, out normalizedreq Uestparameters); Sig = httputility. urlencode (SIG); // construct the request token URL stringbuilder sb = new stringbuilder (URI. tostring (); sb. appendformat ("? Oauth_consumer_key = {0} & ", apikey); sb. appendformat ("oauth_nonce = {0} &", Nonce); sb. appendformat ("oauth_signature = {0} &", sig); sb. appendformat ("oauth_signature_method = {0} &", "HMAC-SHA1"); sb. appendformat ("oauth_timestamp = {0} &", timestamp); sb. appendformat ("oauth_version = {0}", "1.0"); // request token httpwebrequest request = (httpwebrequest) webrequest. create (sb. tostring (); httpwebresponse response = (Httpwebresponse) request. getresponse (); streamreader stream = new streamreader (response. getresponsestream (), system. text. encoding. utf8); string responsebody = stream. readtoend (); stream. close (); response. close (); int rows Ts = responsebody. indexof ("oauth_token ="); int response TSS = responsebody. indexof ("& oauth_token_secret ="); Session ["oauth_token"] = responsebody. substring (partition TS + 12, partition Tss-(IN Tots + 12); Session ["oauth_token_secret"] = responsebody. substring (jsontss + 20), responsebody. length-(required TSS + 20); response. redirect (Authorize + "? Oauth_token = "+ session [" oauth_token "] +" & oauth_callback = "+ request. url );}

I metError 401AndAddress Return ErrorThe error returned by the address is better solved. Generally, it is an address error, so I directly use the request. URL, so 401 error. My error is at the signature point. The initial oauthbase file is downloaded incorrectly and the latest file can be downloaded. In addition, the oauth_version parameter in the request parameter is available, A lot of values are 1.0a. It seems that this is not the case. If you change all values to 1.0, you can avoid many errors.

 

2. User Authentication:

After the request token request is successful, the platform automatically jumps to the logon page for user authentication. After the authentication is passed, the platform returns oauth_token and oauth_verifier to the specified callback, save the two parameters for the access token request. If the address is incorrect, an error is returned.

3. obtain access token:

The focus of this request is still the signature. It is necessary to sign the oauth_token and oauth_verifier returned after user authentication to be correct. Some oauthbase did not add verifier to the signature, which made me very depressed, if this is wrong, it should be reportedUnauthorizedOrError 403After the request is successful, you need to save oauth_token and oauth_token_secret again. The following code is used:

Public void getaccesstoken (string requesttoken, string oauth_verifier) {URI uri = new uri (access_token); string nonce = oauth. generatenonce (); string timestamp = oauth. generatetimestamp (); string normalizeurl, normalizedrequestparameters; // signature string Sig = oauth. generatesignature (Uri, apikey, apikeysecret, requesttoken, session ["oauth_token_secret"]. tostring (), "get", timestamp, nonce, oauth_ver Ifier, out normalizeurl, out normalizedrequestparameters); Sig = oauth. urlencode (SIG); // construct the URL stringbuilder sb = new stringbuilder (URI. tostring (); sb. appendformat ("? Oauth_consumer_key = {0} & ", apikey); sb. appendformat ("oauth_nonce = {0} &", Nonce); sb. appendformat ("oauth_timestamp = {0} &", timestamp); sb. appendformat ("oauth_signature_method = {0} &", "HMAC-SHA1"); sb. appendformat ("oauth_version = {0} &", "1.0"); sb. appendformat ("oauth_signature = {0} &", sig); sb. appendformat ("oauth_token = {0} &", requesttoken); sb. appendformat ("oauth_verifier = {0}", oauth_verifier); // request access token httpwebrequest request = (httpwebrequest) webrequest. create (sb. tostring (); httpwebresponse response = (httpwebresponse) request. getresponse (); streamreader stream = new streamreader (response. getresponsestream (), system. text. encoding. utf8); string responsebody = stream. readtoend (); stream. close (); response. close (); int rows Ts = responsebody. indexof ("oauth_token ="); int response TSS = responsebody. indexof ("& oauth_token_secret ="); int intuser = responsebody. indexof ("& user_id ="); Session ["oauth_token"] = responsebody. substring (cmdts + 12, cmdtss-(cmdts + 12); Session ["oauth_token_secret"] = responsebody. substring (intotss + 20), intuser-(intotss + 20); Session ["user_id"] = responsebody. substring (intuser + 9), responsebody. length-(intuser + 9); verify_credentials ();}

4. Obtain logon user information:

The procedure is as simple as the preceding request methods. You need to add oauth_token and oauth_token_secret to the signature. The following code is used:

Public void verify_credentials () {URI uri = new uri ("http://api.t.sina.com.cn/account/verify_credentials.xml"); string nonce = oauth. generatenonce (); string timestamp = oauth. generatetimestamp (); string normalizeurl, normalizedrequestparameters; // signature string Sig = oauth. generatesignature (Uri, apikey, apikeysecret, session ["oauth_token"]. tostring (), session ["oauth_token_secret"]. tostring (), "get ", Timestamp, nonce, String. empty, out normalizeurl, out normalizedrequestparameters); Sig = httputility. urlencode (SIG); stringbuilder sb = new stringbuilder (URI. tostring (); sb. appendformat ("? Oauth_consumer_key = {0} & ", apikey); sb. appendformat ("oauth_nonce = {0} &", Nonce); sb. appendformat ("oauth_timestamp = {0} &", timestamp); sb. appendformat ("oauth_signature_method = {0} &", "HMAC-SHA1"); sb. appendformat ("oauth_version = {0} &", "1.0"); sb. appendformat ("oauth_signature = {0} &", sig); sb. appendformat ("oauth_token = {0} &", session ["oauth_token"]. tostring (); httpwebrequest request = (httpwebrequest) webrequest. create (sb. tostring (); httpwebresponse response = (httpwebresponse) request. getresponse (); streamreader stream = new streamreader (response. getresponsestream (), system. text. encoding. utf8); string responsebody = stream. readtoend (); stream. close (); response. close (); Session ["responsebody"] = responsebody ;}

here you can obtain the user's personal information, so oauth authorization is successful. In fact, the steps are relatively simple. The main note is the signature, if the signature is incorrect, it must fail. There are some details, such as the address, version number, and request method, which can be avoided with caution. Due to time reasons, the description here is relatively simple, I hope you can communicate with each other. Here is the demo: sinaoauthsinaoauth