Introduction to OAuth
2. Purpose
➲ An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.
➲ Lets third-party software obtain a user's protected data held by a web service
➲ A common, open-standard flow for obtaining API authorization
➲ Roles: User, Consumer, Service Provider
5. How the signature is generated
➲ HMAC-SHA1
● var sig = b64_hmac_sha1(key, baseString);
● RFC2104
➲ RSA-SHA1
● RFC3447 section 8.2
➲ PLAINTEXT
● Recommended only over an SSL-encrypted connection
6. Signature Key via HMAC-SHA1
➲ Format:
● [consumer secret]&[token secret]
● Even when the token secret is empty, the & must be kept
➲ Example:
● 8vHfFq5mPB46AUjO7PtWGgFJcpAI1VfEyNA5F6Hh&
7. Signature Base String via HMAC-SHA1
➲ Format:
● [http method]&[request url]&[request parameter string]
● The request query string must be sorted alphabetically
● Both the request url and the request parameter string must be percent-encoded
(javascript: encodeURIComponent)
➲ Request Parameter String Example:
● oauth_consumer_key=5rxRZZUSI2T00KIyLIMQAA
&oauth_nonce=2998391270622
&oauth_signature_method=HMAC-SHA1
&oauth_timestamp=1267410026
&oauth_version=1.0
➲ Example:
● GET&http%3A%2F%2Ftwitter.com%2Foauth%2Frequest_token&oauth_consumer_key%3D5rxRZZUSI2T00KIyLIMQAA%26oauth_nonce%3D2998391270622%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1267410026%26oauth_version%3D1.0
8. OAuth Request Example (request token)
➲ Authorization: OAuth
oauth_consumer_key="0685bd9184jfhq22",
oauth_token="ad180jjd733klru7",
oauth_signature_method="HMAC-SHA1",
oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
oauth_timestamp="137131200",
oauth_nonce="4572616e48616d6d65724c61686176",
oauth_version="1.0"
10. OAuth Authorize Page: Twitter
http://twitter.com/oauth/authorize/?oauth_token=[received token value]
11. References
➲ OAuth 1.0 Spec - http://oauth.net/core/1.0/
➲ OAuth Library - http://oauth.net/code/
● Java
● Javascript
● PHP
● Ruby
● ...
➲ HMAC-SHA1 [RFC2104]
http://tools.ietf.org/html/rfc2104