Client按照下面的三个大步骤与WeiBo交互。1)获得Authorization Grant 2)利用该Grant获得Access Token 3)consumer存储token并利用它访问资源。
Client就是第三方应用或者Consumer。注意不要与终端用户混淆。最终的Access Token不是保存到浏览器端的用户cookie里面,而是保存到Client上面。WeiBo可以理解为服务提供者。
Consumer的 authorization的结果是一个授权码 (有些文章称为oauth_token或者Authorization Grants),Consumer再通过这个授权码获得Access Token(Access Grants)。
一。
通过授权码获得Access Token是一种方式:
Web应用的验证授权(Authorization Code)
基本流程:
1. 引导需要授权的用户到如下地址:
https://api.weibo.com/oauth2/authorize?client_id=YOUR_CLIENT_ID&response_type=code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI
用户在浏览器里触发A的操作,比如点击使用新浪微博登陆,UA会发接着发送上面的请求到WB. WB接受请求并加载登陆页到UA中。比如上图中的B。用户在UA输入用户名密码请求authenticates。
2. 如果用户同意授权,注意登陆并同意授权的页面是WeiBo的页面。同意的结果是回调Client端的页面, URL是YOUR_REGISTERED_REDIRECT_URI/?code=CODE。 因为YOUR_REGISTERED_REDIRECT_URI是client上面的资源,所以可以截取到code. 注意REDIRECT_URI按照oath2的协议是可选的。如果没有设置REDIRECT_URI,那么会使用申请的时候注册的多个回调URL。
参考oauth2草案 http://tools.ietf.org/html/draft-ietf-oauth-v2-22
3.1.2. Redirection Endpoint
After completing its interaction with the resource owner, the
authorization server directs the resource owner's user-agent back to
the client. The authorization server redirects the user-agent to the
client's redirection endpoint previously established with the
authorization server during the client registration process or when
making the authorization request.
The redirection endpoint URI MUST be an absolute URI as defined by
[RFC3986] section 4.3. The endpoint URI MAY include an
"application/x-www-form-urlencoded" formatted
([W3C.REC-html401-19991224]) query component ([RFC3986] section 3.4),
which MUST be retained when adding additional query parameters. The
endpoint URI MUST NOT include a fragment component.
3.1.2.2. Registration Requirements
The authorization server SHOULD require all clients to register their
redirection URI prior to using the authorization endpoint, and MUST
require the following clients to register their redirection URI:
o Public clients.
o Confidential clients utilizing the implicit grant type.
The authorization server SHOULD require the client to provide the
complete redirection URI (the client MAY use the "state" request
parameter to achieve per-request customization). The authorization
server MAY allow the client to register multiple redirection URIs.
If requiring the registration of the complete redirection URI is not
possible, the authorization server SHOULD require the registration of
the URI scheme, authority, and path (allowing the client to
dynamically change only the query component of the redirection URI
when requesting authorization).
3.1.2.3. Dynamic Configuration
If multiple redirection URIs have been registered, if only part of
the redirection URI has been registered, or if no redirection URI has
been registered, the client MUST include a redirection URI with the
authorization request using the "redirect_uri" request parameter.
When a redirection URI is included in an authorization request, the
authorization server MUST compare and match the value received
against at least one of the registered redirection URIs (or URI
components) as defined in [RFC3986] section 6, if any redirection
URIs were registered. If the client registration included the full
redirection URI, the authorization server MUST compare the two URIs
using simple string comparison as defined in [RFC3986] section 6.2.1.
If the authorization server allows the client to dynamically change
the query component of the redirection URI, the client MUST ensure
that manipulation of the query component by an attacker cannot lead
to an abuse of the redirection endpoint as described in
注意,如果不仅注册了url并且还在url中定义了redirect_uri,那么就会比较这二个值。如果没有注册url,那么redirect_uri参数就是必须的。我觉得这是最好的一种方式。否则自己给自己找麻烦。主要的问题是安全,黑客可能替换你的redirect_uri参数。
验证:不传redirect_url是什么后果,传了又是什么后果。
3. 换取Access Token 注意,下面的URL应该是通过类似于http client的工具在web应用的后台发送。实际情况是将下面的参数传入SDK提供的API方法。SDK封装了一切细节。
https://api.weibo.com/oauth2/access_token/?client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET&grant_type=authorization_code&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&code=CODE
(其中client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET可以使用basic方式加入header中)
注意,client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET就是申请字符串:
"应用信息保存成功后,将会获得该应用的App Key和Secret Key,您可以通过这两个Key数据开始进行相关的技术开发工作。
App Key是应用的唯一标识,开放平台通过App Key来鉴别应用的身份。
AppSecret是给应用分配的密钥,开发者需要妥善保存这个密钥,这个密钥用来保证应用来源的的可靠性,防止被伪造。"
返回值
{ "access_token":"SlAV32hkKG", "expires_in":3600, "refresh_token":"8xLOxBtZp8" }
4. 使用获得的Oauth2.0 access_token调用API
WeiBo的所有JSON的返回值应该都是提供给SDK去解析的。不需要应用程序去操作。
二。如果应用本身是WeiBo上的应用,那么就不存在把password透露给第三方的情况。就可以使用下面这种最简的获取access token的方式。
客户端的验证授权(Resource Owner Password Credentials)
基本流程:
1.调用
https://api.weibo.com/oauth2/access_token/?
client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET
&grant_type=password&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&username=USER_NAME&pasword=PASSWORD
返回值 { "access_token":"SlAV32hkKG", "expires_in":3600, "refresh_token":"8xLOxBtZp8" }
2. 使用获得的OAuth2.0 Access Token调用API
三 Access Token
新浪微博OAuth1.0的Access Token不会过期,只有用户手工撤销授权或新浪收回您的app访问权限时Access Token才会失效。但OAuth2.0的过期时间通常为1天。
Refresh Token 是 Access Grants 的一种,在获取Access Token时,认证服务器将返回相应的Refresh Token, 如果Access Token过期,就可以用Refresh Token去刷新。
基本流程:
1当你调用API接口返回Access Token过期时,你可以调用oauth2/access_token并传入refresh_token:
https://api.weibo.com/oauth2/access_token/? Client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET &grant_type=refresh_token&redirect_uri=YOUR_REGISTERED_REDIRECT_URI&refresh_token=…
返回值 { “access_token”:”SlAV32hkKG”, “expires_in”:3600, “refresh_token”:”8xLOxBtZp8” }
2.使用获得的OAuth2.0 Access Token调用API
注:Refresh Token需要单独申请