OAuth Study Notes (Part 1)

1. Overview

OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize (grant) third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. (The redirect sends the user agent to the authorization URL, and that request must carry the parameters obtained in the previous step.)

 

In order for the client to access resources, it first has to obtain permission from the resource owner. This permission is expressed in the form of a token and matching shared-secret. The purpose of the token (oauth_token) is to make it unnecessary for the resource owner to share its credentials with the client. Unlike the resource owner credentials, tokens can be issued with a restricted scope and limited lifetime, and revoked independently.

This specification consists of two parts. The first part defines a redirection-based user-agent process for end-users to authorize client access to their resources, by authenticating directly with the server (the server checks that the user's credentials are correct) and provisioning tokens to the client for use with the authentication method. The second part defines a method for making authenticated HTTP [RFC2616] requests using two sets of credentials, one (the client credentials) identifying the client making the request, and a second (the token credentials) identifying the resource owner on whose behalf the request is being made.

 

2. Terminology

Client (the third-party application)
An HTTP client (per [RFC2616]) capable of making OAuth-authenticated requests (Section 3).

Server (the service provider)
An HTTP server (per [RFC2616]) capable of accepting OAuth-authenticated requests (Section 3).

Protected resource
An access-restricted resource that can be obtained from the server using an OAuth-authenticated request (Section 3).

Resource owner (the user)
An entity capable of accessing and controlling protected resources by using credentials to authenticate with the server.

Credentials (used to prove an identity)
Credentials are a pair of a unique identifier and a matching shared secret. OAuth defines three classes of credentials: client, temporary, and token, used to identify and authenticate the client making the request, the authorization request, and the access grant, respectively.

Token
A unique identifier issued by the server and used by the client to associate authenticated requests with the resource owner whose authorization is requested or has been obtained by the client. Tokens have a matching shared-secret that is used by the client to establish its ownership of the token, and its authority to represent the resource owner.


Old terminology:

The original community specification used a somewhat different terminology that maps to this specification as follows (original community terms on the left):

Consumer: client
Service Provider: server
User: resource owner
Consumer Key and Secret: client credentials
Request Token and Secret: temporary credentials
Access Token and Secret: token credentials
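The "two sets of credentials" from the second part of the overview, and the Token definition's point that the shared-secret is what proves ownership of a token, become concrete once a request is actually signed. The Python below is an added example written for these notes; it is not code from the original post or from any OAuth library. It implements the RFC 5849 Section 3 HMAC-SHA1 procedure (signature base string, signing key built from client secret and token secret, Authorization header) and a matching server-side check. The helper names (pct, signature_base_string, client_sign, server_verify) and the in-memory secret registries are my own constructions; the sample request, keys and secrets are the worked example from RFC 5849 itself.

```python
# Added example (not from the original post): signing and verifying an
# OAuth 1.0 request (RFC 5849, Section 3) with client + token credentials.
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 Section 3.6 percent-encoding: UTF-8, only unreserved kept."""
    return quote(s, safe="")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme/host, drop default port and query."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method, url, oauth_params, body_params=()):
    """Section 3.4.1: query + form body + oauth_* params, normalized and
    joined; realm and oauth_signature are never part of the base string."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += list(body_params)
    params += [(k, v) for k, v in oauth_params.items()
               if k not in ("realm", "oauth_signature")]
    normalized = "&".join(f"{k}={v}" for k, v in
                          sorted((pct(k), pct(v)) for k, v in params))
    return "&".join((method.upper(), pct(base_string_uri(url)), pct(normalized)))


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """Section 3.4.2: key = encoded client secret & encoded token secret.
    The token secret is empty only while the client holds no token yet."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def client_sign(method, url, oauth_params, body_params, client_secret, token_secret):
    """Client side: compute oauth_signature and build the Authorization header."""
    signed = dict(oauth_params)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, oauth_params, body_params),
        client_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in signed.items())
    return signed, header


# Constructed server-side registries: the secret issued with each client
# credential and the secret issued with each token credential.
CLIENT_SECRETS = {"9djdj82h48djs9d2": "j49sk3j29djd"}
TOKEN_SECRETS = {"kkk9d7dh3k39sjv7": "dh893hdasih9"}


def server_verify(method, url, signed_params, body_params,
                  client_secrets=CLIENT_SECRETS, token_secrets=TOKEN_SECRETS):
    """Server side: recompute the signature from its own copies of both
    secrets; neither secret ever travels inside the request."""
    client_secret = client_secrets.get(signed_params.get("oauth_consumer_key", ""))
    token = signed_params.get("oauth_token")
    token_secret = token_secrets.get(token) if token else ""
    if client_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(
        signature_base_string(method, url, signed_params, body_params),
        client_secret, token_secret)
    return hmac.compare_digest(expected, signed_params.get("oauth_signature", ""))


# Sample input: the request from RFC 5849's worked example (Section 3.4.1.1).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = parse_qsl("c2&a3=2+q", keep_blank_values=True)
RFC_OAUTH = {
    "realm": "Example",
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}


def demo():
    """Returns (accepted, rejected): a properly signed request passes; the
    same request signed by a party holding the token but not its secret fails."""
    signed, _header = client_sign("POST", RFC_URL, RFC_OAUTH, RFC_BODY,
                                  "j49sk3j29djd", "dh893hdasih9")
    accepted = server_verify("POST", RFC_URL, signed, RFC_BODY)
    no_secret, _ = client_sign("POST", RFC_URL, RFC_OAUTH, RFC_BODY,
                               "j49sk3j29djd", "")
    rejected = server_verify("POST", RFC_URL, no_secret, RFC_BODY)
    return accepted, rejected


if __name__ == "__main__":
    print(signature_base_string("POST", RFC_URL, RFC_OAUTH, RFC_BODY))
    print(demo())
```

Two things to notice when reading it alongside the definitions above. First, the base string covers the HTTP method, the normalized URI and every query, body and oauth_* parameter, so changing any of them (including the nonce and timestamp) invalidates the signature. Second, the token identifier alone buys nothing: a request that carries a valid oauth_token but was signed without the token secret is rejected, which is exactly the "ownership of the token" that the Token definition refers to. What this example deliberately leaves out is the server's nonce/timestamp bookkeeping that RFC 5849 requires to stop a captured request from being replayed; a real server must record seen (timestamp, nonce) pairs per client.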

3. Authentication flow diagram
