
OAuth Study Notes (Part 1)

2012-03-15 15:09, 162 views

1. Overview

OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections. (Note: the redirection sends the user agent to the authorization_url, and the request must carry the parameters obtained in the previous request step.)

In order for the client to access resources, it first has to obtain permission from the resource owner. This permission is expressed in the form of a token and matching shared-secret. The purpose of the token (oauth_token) is to make it unnecessary for the resource owner to share its credentials with the client. Unlike the resource owner credentials, tokens can be issued with a restricted scope and limited lifetime, and revoked independently.

This specification consists of two parts. The first part defines a redirection-based user-agent process for end-users to authorize client access to their resources, by authenticating directly with the server (the server verifies that the user's credentials are correct) and provisioning tokens to the client for use with the authentication method. The second part defines a method for making authenticated HTTP [RFC2616] requests using two sets of credentials, one (client_credentials) identifying the client making the request, and a second (token_credentials) identifying the resource owner on whose behalf the request is being made.
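As an added example (not code from the original post or from the OAuth specification), the Python below shows how the two credential sets of the second part, client_credentials and token_credentials, are combined into one HMAC-SHA1 signature on the client side and re-verified on the server side. The URL, credential values, nonce and timestamp are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters survive."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """METHOD & base URI & normalized parameters (oauth_* plus any query/body
    parameters passed in `params`; a query string inside `url` is also collected)."""
    parts = urlsplit(url)
    base_uri = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    items = [(pct(k), pct(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    items += [(pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted(items))  # by key, then value
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])

def hmac_sha1_signature(method, url, params, client_secret, token_secret):
    """Key is 'client_secret&token_secret': a valid signature proves possession of
    both the client credentials and the token credentials at once."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    msg = base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def sign_request(method, url, query, client_creds, token_creds, nonce, timestamp):
    """Client side. Credentials are (identifier, shared_secret); `url` has no query."""
    oauth = {
        "oauth_consumer_key": client_creds[0],  # identifies the client
        "oauth_token": token_creds[0],          # identifies the resource owner's grant
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        method, url, {**query, **oauth}, client_creds[1], token_creds[1])
    return oauth

def verify_request(method, url, query, oauth, client_secrets, token_secrets):
    """Server side: look up both secrets, recompute, compare in constant time.
    Nonce and timestamp replay checks are left out of this example."""
    client_secret = client_secrets.get(oauth.get("oauth_consumer_key"))
    token_secret = token_secrets.get(oauth.get("oauth_token"))
    if client_secret is None or token_secret is None:
        return False
    expected = hmac_sha1_signature(method, url, {**query, **oauth}, client_secret, token_secret)
    return hmac.compare_digest(expected, oauth.get("oauth_signature", ""))
```

Because the signing key is built from both shared secrets, a leaked token secret alone does not let anyone forge requests, and revoking the token on the server invalidates every request signed with it.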

 

2. Terminology

Client (the third-party application)
An HTTP client (per [RFC2616]) capable of making OAuth-authenticated requests (Section 3).

Server (the service provider)
An HTTP server (per [RFC2616]) capable of accepting OAuth-authenticated requests (Section 3).

Protected resource
An access-restricted resource that can be obtained from the server using an OAuth-authenticated request (Section 3).

Resource owner (the user)
An entity capable of accessing and controlling protected resources by using credentials to authenticate with the server.

Credentials (used to identify a party)
Credentials are a pair of a unique identifier and a matching shared secret. OAuth defines three classes of credentials: client, temporary, and token, used to identify and authenticate the client making the request, the authorization request, and the access grant, respectively.

Token
A unique identifier issued by the server and used by the client to associate authenticated requests with the resource owner whose authorization is requested or has been obtained by the client. Tokens have a matching shared-secret that is used by the client to establish its ownership of the token, and its authority to represent the resource owner.

Old terminology:

The original community specification used a somewhat different terminology that maps to this specification as follows (original community terms on the left):

Consumer: client
Service Provider: server
User: resource owner
Consumer Key and Secret: client credentials
Request Token and Secret: temporary credentials
Access Token and Secret: token credentials

3. Authentication flow diagram

 
