Oauth1.0认证过程

　　现今，已经有了Oauth2.0，写篇博客了解Oauth1.0的过程以及与2.0的区别。

　　在Oauth官网  关于1.0的介绍：

　一、简介

　　OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials(证书) with the Consumer. OAuth uses Tokens generated by the Service Provider instead of the User’s credentials in Protected Resources requests. The process uses two Token types:

　　整个认证的过程是，用户通过共享证书的方式，将自己的受保护的资源授权给使用者使用。通过使用服务提供商提供的Tokens代替用户的证书来访问受保护的资源。

Request Token:

Used by the Consumer to ask the User to authorize access to the Protected Resources. The User-authorized Request Token is exchanged for an Access Token, MUST only be used once, and MUST NOT be used for any other purpose. It is RECOMMENDED that Request Tokens have a limited lifetime.

Access Token:

Used by the Consumer to access the Protected Resources on behalf of the User. Access Tokens MAY limit access to certain Protected Resources, and MAY have a limited lifetime. Service Providers SHOULD allow Users to revoke Access Tokens. Only the Access Token SHALL be used to access the Protect Resources.

 二、认证过程

OAuth Authentication is done in three steps:

1. The Consumer obtains an unauthorized Request Token.
2. The User authorizes the Request Token.
3. The Consumer exchanges the Request Token for an Access Token

　　下面是官方提供的流程图：

　　1、Customer Requests ---  Request Token

　　　　To obtain a Request Token, the Consumer sends an HTTP request to the Service Provider’s Request Token URL. The Service Provider documentation specifies the HTTP method for this request, and HTTP POST is RECOMMENDED. The request MUST be signed and contains the following parameters:

　　oauth_consumer_key:

　　The Consumer Key.

　　oauth_signature_method:

　　The signature method the Consumer used to sign the request. -- 用来签署该次请求 HMAC-SHA1, RSA-SHA1, and PLAINTEXT 　　三种签名方法。

　　oauth_signature:

　　The signature as defined in Signing Requests. -- 防止使用者使用未经授权的保护资源。

　　oauth_timestamp:

　　As defined in Nonce and Timestamp.

　　oauth_nonce:

　　As defined in Nonce and Timestamp. A nonce is a random string, uniquely generated for each request.

　　oauth_version:

　　OPTIONAL. If present, value MUST be 1.0 . Service Providers MUST assume the protocol version to be 1.0 if this parameter 　　is not present. Service Providers’ response to non-1.0 value is left undefined.

　　Additional parameters:

　　Any additional parameters, as defined by the Service Provider.

2、Service Provider Issues an Unauthorized Request Token

The Service Provider verifies the signature and Consumer Key. If successful, it generates a Request Token and Token Secret and returns them to the Consumer in the HTTP。服务商验证签名和使用者的Key，成功之后，生成RequestToken and Token Secret,以HTTP返回给用户。

oauth_token:

The Request Token.

oauth_token_secret:

The Token Secret.

Additional parameters:

Any additional parameters, as defined by the Service Provider.

3、Obtaining User Authorization

　　此时使用者还不能访问资源，需要用户验证用户名密码等。

　　1）、Consumer Directs the User to the Service Provider 使用者将用户导向到服务提供者，之后验证用户的合法性。

oauth_token:

OPTIONAL. The Request Token obtained in the previous step. The Service Provider MAY declare this parameter as REQUIRED, or accept requests to the User Authorization URL without it, in which case it will prompt the User to enter it manually.

oauth_callback:

OPTIONAL. The Consumer MAY specify a URL the Service Provider will use to redirect the User back to the Consumer when Obtaining User Authorization is complete.

Additional parameters:

Any additional parameters, as defined by the Service Provider.

　　2）、Service Provider Authenticates the User and Obtains Consent.服务提供者验证用户并获得用户的同意

　　3)、Service Provider Directs the User Back to the Consumer 将用户导向使用者。

3、Obtaining an Access Token 获取AccessToken

　　1)、Consumer Requests an Access Token

　　　　The Request Token and Token Secret MUST be exchanged for an Access Token and Token Secret. 使用上面获取的Request Token 和Token Secret 换取Access Token and Token Secret。

oauth_consumer_key:

The Consumer Key.

oauth_token:

The Request Token obtained previously.

oauth_signature_method:

The signature method the Consumer used to sign the request.

oauth_signature:

The signature as defined in Signing Requests.

oauth_timestamp:

As defined in Nonce and Timestamp.

oauth_nonce:

As defined in Nonce and Timestamp.

oauth_version:

OPTIONAL. If present, value MUST be 1.0 . Service Providers MUST assume the protocol version to be 1.0 if this parameter is not present. Service Providers’ response to non-1.0 value is left undefined.

　　2）、Service Provider Grants an Access Token 授权Access Token。

4、Accessing Protected Resources

　　接下来就是获取相应的资源了。

三、Oauth2.0过程

关于Oauth2.0的认证过程可以参见：http://www.cnblogs.com/plxx/p/3961632.html

四、两个版本的区别　　

1、2.0的用户授权过程有2步，

         A)引导用户到授权服务器，请求用户授权，用户授权后返回 授权码(Authorization Code)

         B)客户端由授权码到授权服务器换取访问令牌(access token)

         C)用访问令牌去访问得到授权的资源

         1.0的授权分3步,

         A)客户端到授权服务器请求一个授权令牌(request token&secret)

         B)引导用户到授权服务器请求授权

         C)用访问令牌到授权服务器换取访问令牌(access token&secret)

         D)用访问令牌去访问得到授权的资源

2、1.0协议每个token都有一个加密，2.0则不需要。这样来看1.0似乎更加安全，但是2.0要求使用https协议，安全性也更高一筹。

3、2.0充分考虑了客户端的各种子态，因而提供了多种途径获取访问令牌

         a)授权码

         b)客户端私有证书

         c)资源拥有者密码证书

         d)刷新令牌

         e)断言证书

         1.0只有一个用户授权流程。

4、两个版本中的请求参数和token的内容有所改变。