Learning OAuth (Part 1)
1. Overview
OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. (The client sends the user agent to the authorization_url by redirect, and that request must carry the parameters obtained from the previous request.)

In order for the client to access resources, it first has to obtain permission from the resource owner. This permission is expressed in the form of a token and matching shared-secret. The purpose of the token (oauth_token) is to make it unnecessary for the resource owner to share its credentials with the client. Unlike the resource owner credentials, tokens can be issued with a restricted scope and limited lifetime, and revoked independently.

This specification consists of two parts. The first part defines a redirection-based user-agent process for end-users to authorize client access to their resources, by authenticating directly with the server (the server itself checks that the user's credentials are correct) and provisioning tokens to the client for use with the authentication method. The second part defines a method for making authenticated HTTP [RFC2616] requests using two sets of credentials, one (the client credentials) identifying the client making the request, and a second (the token credentials) identifying the resource owner on whose behalf the request is being made.
2. Terminology
Client (the third-party application)
An HTTP client (per [RFC2616]) capable of making OAuth-authenticated requests (Section 3).
Server (the service provider)
An HTTP server (per [RFC2616]) capable of accepting OAuth-authenticated requests (Section 3).
Protected resource
An access-restricted resource that can be obtained from the server using an OAuth-authenticated request (Section 3).
Resource owner (the user)
An entity capable of accessing and controlling protected resources by using credentials to authenticate with the server.
Credentials (used to identify a party)
Credentials are a pair of a unique identifier and a matching shared secret. OAuth defines three classes of credentials: client, temporary, and token, used to identify and authenticate the client making the request, the authorization request, and the access grant, respectively.
Token
A unique identifier issued by the server and used by the client to associate authenticated requests with the resource owner whose authorization is requested or has been obtained by the client. Tokens have a matching shared-secret that is used by the client to establish its ownership of the token, and its authority to represent the resource owner.
Old terminology:
The original community specification used a somewhat different terminology that maps to this specification as follows (original community terms provided on left):
Consumer: client
Service Provider: server
User: resource owner
Consumer Key and Secret: client credentials
Request Token and Secret: temporary credentials
Access Token and Secret: token credentials
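The overview says an authenticated request carries two sets of credentials, and the terminology section says each credential is an identifier plus a shared secret. The Python below, added to these notes and not taken from RFC 5849 or from any OAuth library, shows how those pieces combine in an HMAC-SHA1 signed request (RFC 5849 section 3.4): only the two identifiers and a signature are sent, while both shared secrets stay on each side and are used only to derive the signing key. The request URL, body and the two identifiers are the ones from the RFC's section 3.4.1.1 example; the two secrets, the realm and the secret-lookup callbacks are constructed for this example.

```python
"""Added example for these notes (not RFC 5849 reference code, not a library).

Shows how the client credentials and token credentials of OAuth 1.0 are used:
the identifiers travel in the Authorization header, the shared secrets never do.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme/host, drop default port and query."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), p.hostname.lower(), p.port
    if port and (scheme, port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{p.path}"


def normalize_params(pairs) -> str:
    """Section 3.4.1.3.2: encode, sort by name then value, join with & and =."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, oauth_params, body=""):
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(pairs))])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """Section 3.4.2: key = enc(client secret) & enc(token secret); base64 of HMAC."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, client, token, body="", timestamp=None, nonce=None):
    """Client side. `client` and `token` are (identifier, shared_secret) pairs."""
    params = {
        "oauth_consumer_key": client[0],        # client credentials: identifier only
        "oauth_token": token[0],                # token credentials: identifier only
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, params, body)
    params["oauth_signature"] = hmac_sha1_signature(base, client[1], token[1])
    return params


def authorization_header(params, realm="Example"):
    """Section 3.5.1 header form. Neither shared secret appears in it."""
    fields = [f'realm="{realm}"'] + [f'{pct(k)}="{pct(v)}"' for k, v in params.items()]
    return "OAuth " + ", ".join(fields)


def verify_request(method, url, oauth_params, body, lookup_client_secret, lookup_token_secret):
    """Server side: recompute the signature from the server's own copies of the secrets.

    The lookup callbacks are hypothetical; a real server must also reject stale
    timestamps and reused nonces (section 3.3), which is omitted here.
    """
    try:
        client_secret = lookup_client_secret(oauth_params["oauth_consumer_key"])
        token_secret = lookup_token_secret(oauth_params["oauth_token"])
    except KeyError:
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth_params, body),
                                   client_secret, token_secret)
    return hmac.compare_digest(expected.encode(), oauth_params.get("oauth_signature", "").encode())


# Constructed fixture: identifiers, URL and body from RFC 5849 section 3.4.1.1; secrets made up here.
CLIENT = ("9djdj82h48djs9d2", "client-secret-constructed")
TOKEN = ("kkk9d7dh3k39sjv7", "token-secret-constructed")
URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
BODY = "c2&a3=2+q"

if __name__ == "__main__":
    signed = sign_request("POST", URL, CLIENT, TOKEN, BODY, timestamp=137131201, nonce="7d8f3e4a")
    print(authorization_header(signed))
    server_ok = verify_request("POST", URL, signed, BODY,
                               {CLIENT[0]: CLIENT[1]}.__getitem__, {TOKEN[0]: TOKEN[1]}.__getitem__)
    print("server accepts:", server_ok)
```

With the RFC's timestamp and nonce, `signature_base_string` reproduces the base string printed in section 3.4.1.1 of RFC 5849 exactly, which is a useful self-check when writing a client: most interoperability failures in OAuth 1.0 are encoding or sorting mistakes in this string, not in the HMAC. The server never receives either secret; a request whose body, query or oauth_* parameters were altered in transit fails `verify_request` because the recomputed base string no longer matches.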
3. Authentication flow diagram