OAuth 1.0: partial translation of selected material

OAuth 1.0

These are marked-up translations I made for my own convenience while reading the document, kept so I can refer back to them when needed; they may not be entirely accurate. Less important parts about the document itself have been left out.


------------------- Introduction -------------------------


Introduction

   The OAuth protocol was originally created by a small community of web
   developers from a variety of websites and other Internet services who
   wanted to solve the common problem of enabling delegated access to
   protected resources.  The resulting OAuth protocol was stabilized at
   version 1.0 in October 2007, and revised in June 2009 (Revision A) as
   published at <http://oauth.net/core/1.0a>.

  The OAuth protocol was originally created by a small community of web developers from various websites and other Internet services who wanted to solve the common problem of delegated access to protected resources. The resulting OAuth protocol stabilized at version 1.0 in October 2007, was revised in June 2009 (Revision A), and is published at <http://oauth.net/core/1.0a>.

   In the traditional client-server authentication model, the client
   uses its credentials to access its resources hosted by the server.
   With the increasing use of distributed web services and cloud
   computing, third-party applications require access to these server-
   hosted resources.

  In the traditional client-server access model, the client uses its credentials to access its own resources on the server. With the widespread use of distributed web services and cloud computing, third-party applications also need to access these server-hosted resources.

   OAuth introduces a third role to the traditional client-server
   authentication model: the resource owner.  In the OAuth model, the
   client (which is not the resource owner, but is acting on its behalf)
   requests access to resources controlled by the resource owner, but
   hosted by the server.  In addition, OAuth allows the server to verify
   not only the resource owner authorization, but also the identity of
   the client making the request.

  OAuth introduces a third party into the traditional client-server access model: the resource owner. In the OAuth model, the client (which is not the resource owner, but acts on its behalf) requests access to resources that are controlled by the resource owner but hosted by the server. In addition, OAuth allows the server to verify not only the resource owner's authorization but also the identity of the client making the request.

   OAuth provides a method for clients to access server resources on
   behalf of a resource owner (such as a different client or an end-
   user).  It also provides a process for end-users to authorize third-
   party access to their server resources without sharing their
   credentials (typically, a username and password pair), using user-
   agent redirections.

  OAuth provides a method by which a client can access server-side resources on behalf of a resource owner (such as a different client or an end user). It also provides a process by which end users can use user-agent redirection to authorize third parties to access their resources on the server without sharing their credentials (for example, a username and password pair).

   For example, a web user (resource owner) can grant a printing service
   (client) access to her private photos stored at a photo sharing
   service (server), without sharing her username and password with the
   printing service.  Instead, she authenticates directly with the photo
   sharing service which issues the printing service delegation-specific
   credentials.

  For example, a web user (resource owner) can grant a printing service (client) access to her private photos stored at a photo sharing site (server) without sharing her username and password with the printing service. Instead, she authenticates directly with the photo sharing site, which issues the printing service delegation-specific credentials.

   In order for the client to access resources, it first has to obtain
   permission from the resource owner.  This permission is expressed in
   the form of a token and matching shared-secret.  The purpose of the
   token is to make it unnecessary for the resource owner to share its
   credentials with the client.  Unlike the resource owner credentials,
   tokens can be issued with a restricted scope and limited lifetime,
   and revoked independently.

  For the client to access resources, it first needs to obtain the resource owner's permission. This permission is conveyed as a token together with a matching shared secret. The purpose of the token is to spare the resource owner from sharing its credentials with the client. Unlike the resource owner's credentials, issued tokens can have a restricted scope and a limited lifetime, and can be revoked independently.


------------------- Terminology -----------------------


Terminology

   client
         An HTTP client (per [RFC2616]) capable of making OAuth-
         authenticated requests (Section 3).

   server
         An HTTP server (per [RFC2616]) capable of accepting OAuth-
         authenticated requests (Section 3).

   protected resource
         An access-restricted resource that can be obtained from the
         server using an OAuth-authenticated request (Section 3).

   resource owner
         An entity capable of accessing and controlling protected
         resources by using credentials to authenticate with the server.

   credentials
         Credentials are a pair of a unique identifier and a matching
         shared secret.  OAuth defines three classes of credentials:
         client, temporary, and token, used to identify and authenticate
         the client making the request, the authorization request, and
         the access grant, respectively.

      credentials
         Credentials are a pair consisting of a unique identifier and a matching shared secret. OAuth defines three classes of credentials: client, temporary, and token, used respectively to identify and authenticate the client making the request, the authorization request, and the access grant.

   token
         A unique identifier issued by the server and used by the client
         to associate authenticated requests with the resource owner
         whose authorization is requested or has been obtained by the
         client.  Tokens have a matching shared-secret that is used by
         the client to establish its ownership of the token, and its
         authority to represent the resource owner.

   The original community specification used a somewhat different
   terminology that maps to this specifications as follows (original
   community terms provided on left):

  The original specification used somewhat different terminology; the terms map to this specification as follows (original terms on the left):

                   Consumer : client
           Service Provider : server
                       User : resource owner
    Consumer Key and Secret : client credentials
   Request Token and Secret : temporary credentials
    Access Token and Secret : token credentials


------------------- An example from the document ----------------------


Example

   Jane (resource owner) has recently uploaded some private vacation
   photos (protected resources) to her photo sharing site
   'photos.example.net' (server).  She would like to use the
   'printer.example.com' website (client) to print one of these photos.
   Typically, Jane signs into 'photos.example.net' using her username
   and password.

Example:

Jane (resource owner) has just uploaded some private vacation photos (protected resources) to her photo sharing site 'photos.example.net' (server). She wants to use the 'printer.example.com' site (client) to print one of these photos. Typically, Jane signs in to 'photos.example.net' with her username and password.

   However, Jane does not wish to share her username and password with
   the 'printer.example.com' website, which needs to access the photo in
   order to print it.  In order to provide its users with better
   service, 'printer.example.com' has signed up for a set of
   'photos.example.net' client credentials ahead of time:

        However, Jane does not want to share her username and password with the 'printer.example.com' site just so it can access the photo in order to print it. To offer its users better service, 'printer.example.com' has signed up with 'photos.example.net' ahead of time and obtained a set of client credentials:

   Client Identifier     : dpf43f3p2l4k3l03
   Client Shared-Secret  : kd94hf93k423kf44

   The 'printer.example.com' website has also configured its application
   to use the protocol endpoints listed in the 'photos.example.net' API
   documentation, which use the "HMAC-SHA1" signature method:

        The 'printer.example.com' site has also configured its application to use the protocol endpoints listed in the 'photos.example.net' API documentation, which use the "HMAC-SHA1" signature method:

   Temporary Credential Request URI:
         https://photos.example.net/initiate

   Resource Owner Authorization URI:
         https://photos.example.net/authorize

   Token Request URI:
         https://photos.example.net/token

   Before 'printer.example.com' can ask Jane to grant it access to the
   photos, it must first establish a set of temporary credentials with
   'photos.example.net' to identify the delegation request.  To do so,
   the client sends the following HTTPS [RFC2818] request to the server:

        Before 'printer.example.com' can ask Jane to grant it access to the photos, it must first establish a set of temporary credentials with 'photos.example.net' to identify the delegation request. To do so, the client sends the following HTTPS request to the server:

        Client -> Server

     POST /initiate HTTP/1.1
     Host: photos.example.net
     Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131200",
        oauth_nonce="wIjqoS",
        oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
        oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

   The server validates the request and replies with a set of temporary
   credentials in the body of the HTTP response (line breaks are for
   display purposes only):

        The server validates the request and replies with a set of temporary credentials in the body of the HTTP response.

        Server -> Client

     HTTP/1.1 200 OK
     Content-Type: application/x-www-form-urlencoded

     oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03&
     oauth_callback_confirmed=true

   The client redirects Jane's user-agent to the server's Resource Owner
   Authorization endpoint to obtain Jane's approval for accessing her
   private photos:

        The client redirects Jane's user agent to the server's Resource Owner Authorization endpoint to obtain Jane's approval for accessing her private photos.

        Client -> Server

     https://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola

   The server requests Jane to sign in using her username and password
   and if successful, asks her to approve granting 'printer.example.com'
   access to her private photos.  Jane approves the request and her
   user-agent is redirected to the callback URI provided by the client
   in the previous request (line breaks are for display purposes only):

        The server asks Jane to sign in with her username and password and, if successful, asks her to approve granting 'printer.example.com' access to her private photos. Jane approves the request, and her user agent is redirected to the callback URI the client supplied in the previous request.

        Server -> Client

     http://printer.example.com/ready?
     oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884

   The callback request informs the client that Jane completed the
   authorization process.  The client then requests a set of token
   credentials using its temporary credentials (over a secure Transport
   Layer Security (TLS) channel):

        The callback request informs the client that Jane has completed the authorization process. The client then uses its temporary credentials to request a set of token credentials:

        Client -> Server

     POST /token HTTP/1.1
     Host: photos.example.net
     Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="hh5s93j4hdidpola",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131201",
        oauth_nonce="walatlh",
        oauth_verifier="hfdp7dh39dks9884",
        oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D"

   The server validates the request and replies with a set of token
   credentials in the body of the HTTP response:

        The server validates the request and replies with a set of token credentials in the body of the HTTP response:

        Server -> Client

     HTTP/1.1 200 OK
     Content-Type: application/x-www-form-urlencoded

     oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00

   With a set of token credentials, the client is now ready to request
   the private photo:

        With a set of token credentials, the client is now ready to request the private photo:

        Client -> Server

     GET /photos?file=vacation.jpg&size=original HTTP/1.1
     Host: photos.example.net
     Authorization: OAuth realm="Photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="nnch734d00sl2jdk",
        oauth_signature_method="HMAC-SHA1",
        oauth_timestamp="137131202",
        oauth_nonce="chapoH",
        oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D"
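The three signed requests in this example (the temporary credential request, the token request and the photo request) are all produced by the same HMAC-SHA1 procedure: build the signature base string from the method, the base URI and the normalized parameters, then HMAC it with the client shared-secret and the token shared-secret joined by '&'. The Python below is an added example written for this page, not code from the RFC, the blog author or any OAuth library. It reuses the example's client identifier, secrets, nonces and timestamps as sample inputs, and adds the server side that the narrative only describes: recomputing the signature, comparing it in constant time, and rejecting stale timestamps and reused nonces (the 300-second window is an assumed value, not one the RFC fixes).

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Sample credentials taken from the page's example (the RFC's illustrative values).
CLIENT_ID = "dpf43f3p2l4k3l03"
CLIENT_SECRET = "kd94hf93k423kf44"


def oauth_encode(value):
    """Percent-encode as RFC 5849 section 3.6 requires: only ALPHA, DIGIT, '-', '.', '_', '~' stay as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(base string URI) & enc(normalized parameters).

    `params` carries the oauth_* protocol parameters plus any form-body parameters;
    query parameters are taken from `url`. 'realm' and 'oauth_signature' are never signed.
    """
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"  # non-default ports stay in the base URI
    base_uri = f"{scheme}://{host}{parts.path or '/'}"
    collected = parse_qsl(parts.query, keep_blank_values=True)
    collected += [(k, v) for k, v in params.items() if k not in ("oauth_signature", "realm")]
    # Normalize: encode every name and value, sort by name then value, join with '=' and '&'.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in collected)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(base_uri), oauth_encode(normalized)])


def signing_key(client_secret, token_secret=""):
    """enc(client shared-secret) '&' enc(token shared-secret); the token part is empty for /initiate."""
    return f"{oauth_encode(client_secret)}&{oauth_encode(token_secret)}"


def hmac_sha1(base_string, client_secret, token_secret=""):
    """Base64 of HMAC-SHA1 over the base string, the value carried in oauth_signature."""
    key = signing_key(client_secret, token_secret).encode("ascii")
    return base64.b64encode(hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()).decode("ascii")


def sign_request(method, url, params, client_secret, token_secret=""):
    """Client side: return a copy of `params` with oauth_signature_method and oauth_signature added."""
    signed = dict(params, oauth_signature_method="HMAC-SHA1")
    signed["oauth_signature"] = hmac_sha1(signature_base_string(method, url, signed), client_secret, token_secret)
    return signed


def authorization_header(params, realm="Photos"):
    """Render the Authorization header in the shape shown on this page (realm first, values percent-encoded)."""
    items = [f'realm="{realm}"'] + [f'{oauth_encode(k)}="{oauth_encode(v)}"' for k, v in params.items()]
    return "OAuth " + ", ".join(items)


class ReplayCache:
    """Server-side store: each (client, timestamp, nonce) triple is accepted at most once inside the window."""

    def __init__(self, window_seconds=300):  # window length is an assumption for this example
        self.window, self.seen = window_seconds, set()

    def accept(self, client_id, timestamp, nonce, now):
        if not (client_id and nonce and timestamp and str(timestamp).isdigit()):
            return False
        if abs(now - int(timestamp)) > self.window:
            return False  # stale or far-future timestamp
        triple = (client_id, str(timestamp), nonce)
        if triple in self.seen:
            return False  # replayed request
        self.seen.add(triple)
        return True


def verify_request(method, url, params, client_secret, token_secret, cache, now):
    """Server side: recompute the signature, compare in constant time, then enforce replay protection."""
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1(signature_base_string(method, url, params), client_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    return cache.accept(params.get("oauth_consumer_key"), params.get("oauth_timestamp"),
                        params.get("oauth_nonce"), now)
```

The order inside `verify_request` matters: the signature is checked before the nonce is recorded, so an unauthenticated sender cannot fill the cache with nonces a legitimate client will later need. In a deployment with several server instances the nonce store has to be shared between them, otherwise a request replayed against a different instance is accepted.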


   The 'photos.example.net' server validates the request and responds
   with the requested photo. 'printer.example.com' is able to continue
   accessing Jane's private photos using the same set of token
   credentials for the duration of Jane's authorization, or until Jane
   revokes access.

        The 'photos.example.net' server validates the request and returns the requested photo. 'printer.example.com' can continue to access Jane's private photos with the same set of token credentials for the duration of Jane's authorization, or until Jane revokes access.
