Translated from the following article:
https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
Overview
OAuth is a protocol that establishes a communication mechanism between developers and service providers. (OAuth is an authorization process that lets a third-party application read a user's data without needing the user's username and password.) In this document the service provider is Yahoo, and the application or site that accesses the user's data is called the consumer.
Overall flow diagram
The main content is as follows:
Step 1. Register with Yahoo and obtain a Consumer Key
Before accessing Yahoo through its API, you must register and submit some information (including the scope of data you want to access) to be allowed to use Yahoo's services. Later, when the consumer accesses data, Yahoo asks the end user to authorize the consumer for the requested data scope. The data scopes are described as follows:
- Read/Write Yahoo Updates
- Read (Shared) Yahoo Profiles
- Read Yahoo
Once registration is complete you receive a Consumer Key and a Consumer Secret; they must be passed as parameters when obtaining the request token.
Step 2. Obtain a request token
The request token is a temporary token that must be passed in to complete user authorization; it is obtained with the Consumer Key.
Request URL:
https://api.login.yahoo.com/oauth/v2/get_request_token?oauth_nonce=ce2130523f788f313f76314ed3965ea6&oauth_timestamp=1202956957&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=abcdef&oauth_version=1.0&xoauth_lang_pref="en-us"&oauth_callback="http://yoursite.com/callback"
Parameters:
| Request Parameter | Description |
|---|---|
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_nonce | A random string (OAuth Core 1.0 Spec, Section 8). |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The Consumer Secret that was issued to the application. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within ±600 seconds of the current time. |
| oauth_version | OAuth version (1.0). |
| xoauth_lang_pref | (optional) The language preference of the User; the default value is EN-US. For further details about this parameter, refer to the OAuth Extension for Specifying User Language Preference. |
| oauth_callback | Yahoo redirects Users to this URL after they authorize access to their private data. If your application does not have access to a browser, you must specify the callback as oob (out of band). |
Response
| Response Parameter | Description |
|---|---|
| oauth_token_secret | The secret associated with the Request Token, provided in hexstring format. |
| oauth_expires_in | The lifetime of the Request Token in seconds. The default is 3600 seconds, or one hour. |
| xoauth_request_auth_url | The URL of the Yahoo authorization page. |
| oauth_token | The Request Token that Yahoo returns as a response to the request_token call. The Request Token is required during the User authorization process. |
| oauth_callback_confirmed=true | This parameter confirms that you are using OAuth 1.0 Rev. A. This parameter is always set to true. |
Step 3. User login and authorization
After obtaining the request token, the application sends the user to Yahoo's authorization page, where the user grants the application permission to access their data on Yahoo.
As shown in the figure below: if the user is not logged in, the login page is shown first;
Request parameters
| Request Parameter | Description |
|---|---|
| oauth_token | The Request Token that Yahoo returns as a response to the request_token call. The Request Token is required during the User authorization process. |
The following parameters are appended to the callback URL that was passed when obtaining the request token.
| Callback URL Parameter | Description |
|---|---|
| oauth_token | The Request Token that Yahoo returns as a response to the get_request_token call. It is appended to the authorization page URL. The Request Token is required during the User authorization process. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. The OAuth Verifier and Request Token both must be provided in exchange for an Access Token. They also both expire together. If the oauth_callback is set to oob in Step 2, the OAuth Verifier is not included as a response parameter and is instead presented once the User grants authorization to your application. Yahoo instructs the User to enter the OAuth Verifier code in your application. Your application must ask for this OAuth Verifier code to ensure OAuth authorization can proceed. The OAuth Verifier is intentionally short so that a User can type it manually. |
As shown in the figure below:
The Yahoo authorization page can be presented in two ways:
- a pop-up window
- a direct redirect from the web application to the Yahoo authorization page
Step 4. Exchange the request token and oauth_verifier for an access token
After the user has authorized, the consumer must exchange the request token for an access token.
Request parameters
| Request Parameter | Description |
|---|---|
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8](http://oauth.net/core/1.0#nonce)). |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. If using HMAC-SHA1, refer to [OAuth Core 1.0 Spec, Section 9.2](http://oauth.net/core/1.0#anchor16). For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within ±600 seconds of the current time. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The Request Token, which is required during the User authorization process and is short enough for the end User to easily enter. The Request Token is provided in the response to the get_request_token call. |
Example response:
oauth_token=A%3DqVDHXBngo1tEtzox.JMhzd91Rk99.39Al7hos3J80mm1j
&oauth_token_secret=c5a9684d3a3aa22aa051308987219efb8d6982fc
&oauth_expires_in=3600
&oauth_session_handle=AKVdNElJthnrHDwnYDuj6fJ2ayRbJvkePz9AKwi9dQAfb4bd
&oauth_authorization_expires_in=919314350
&xoauth_yahoo_guid=DKXSX6Q5TA5SVNARZLUJU5AW7A
Response
| Response Parameter | Description |
|---|---|
| oauth_token | The Access Token provides access to protected resources accessible through Yahoo Web services. |
| oauth_token_secret | The secret associated with the Access Token, provided in hexstring format. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |
| oauth_expires_in | Lifetime of the Access Token in seconds (3600, or 1 hour). |
| oauth_authorization_expires_in | Lifetime of the oauth_session_handle in seconds. |
| xoauth_yahoo_guid | The introspective GUID of the currently logged in User. For more information on the GUID, see the [Yahoo Social API Reference](https://developer.yahoo.com/social/rest_api_guide/introspective-guid-resource.html). |
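The oauth_signature column in the step 2 and step 4 tables describes the same construction: a PLAINTEXT signature is the Consumer Secret and Token Secret joined by "&" (with an empty Token Secret before a token exists, which is where the trailing %26 comes from), and an HMAC-SHA1 signature uses that same string as the HMAC key over the OAuth signature base string. The following Python is an added example written for this page, not Yahoo's own client code; the function names, the constructed nonce and timestamp in the usage comments, and the provider-side verify_hmac_sha1 check are assumptions of this example. The endpoint URL and the parameter names are the ones the page lists.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote

# Endpoint from the page's step 2 request URL
REQUEST_TOKEN_URL = "https://api.login.yahoo.com/oauth/v2/get_request_token"


def pct(value):
    # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay literal
    return quote(str(value), safe="~")


def plaintext_signature(consumer_secret, token_secret=""):
    # PLAINTEXT signature = enc(consumer_secret) "&" enc(token_secret).
    # Before any token exists this is just "secret&", which appears as the
    # trailing %26 once the value is itself percent-encoded into the URL.
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def normalize_params(params):
    # Encode keys and values, sort them, and join; oauth_signature is never part of the input
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    # METHOD & enc(url) & enc(normalized parameters), per OAuth Core 1.0 Section 9.1
    return "&".join([method.upper(), pct(url), pct(normalize_params(params))])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is the same "secret&secret" string a PLAINTEXT signature would send
    key = plaintext_signature(consumer_secret, token_secret).encode("ascii")
    base = signature_base_string(method, url, params).encode("utf-8")
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode("ascii")


def verify_hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Provider-side check (assumed helper): recompute the signature and compare in constant time
    presented = params.get("oauth_signature", "")
    expected = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def signed_params(url, oauth_params, consumer_secret, token_secret="", method="GET",
                  signature_method="HMAC-SHA1"):
    # Add oauth_signature_method and oauth_signature to a parameter dict
    params = dict(oauth_params)
    params["oauth_signature_method"] = signature_method
    if signature_method == "PLAINTEXT":
        params["oauth_signature"] = plaintext_signature(consumer_secret, token_secret)
    elif signature_method == "HMAC-SHA1":
        params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    else:
        raise ValueError("unsupported signature method")
    return params


def request_token_params(consumer_key, consumer_secret, callback, nonce=None,
                         timestamp=None, signature_method="HMAC-SHA1"):
    # Step 2 parameter set; the token secret is empty because no token exists yet
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),      # fresh random nonce per request
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        "oauth_callback": callback,                         # or "oob" without a browser
    }
    return signed_params(REQUEST_TOKEN_URL, params, consumer_secret, "", "GET", signature_method)


def parse_request_token_response(body):
    # Decode the form-encoded step 2 response and insist on the Rev. A confirmation flag
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for required in ("oauth_token", "oauth_token_secret"):
        if not fields.get(required):
            raise ValueError(f"response missing {required}")
    if fields.get("oauth_callback_confirmed") != "true":
        raise ValueError("oauth_callback_confirmed missing: not an OAuth 1.0 Rev. A response")
    return fields
```

For the step 4 exchange the same signed_params call is used with the request token's secret as token_secret and oauth_token plus oauth_verifier in the parameter dict; for step 5 the access token's secret and oauth_session_handle take their place. Rejecting a response without oauth_callback_confirmed=true keeps the client from silently falling back to the pre-Rev. A flow, in which the callback was not bound to the request token.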
Once you have the access token you can call Yahoo's services (if user authorization was done in a pop-up window, make sure to close the pop-up once the access token has been obtained).
Step 5. Refresh the access token
The access token expires after one hour; to keep accessing data you must refresh it.
Request URL:
https://api.login.yahoo.com/oauth/v2/get_token?oauth_nonce=ef3a091928d5491624c0ac54d697124422705091&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=55d4cf6bf417023ce5dcc3b77132fb021cd13b21abcdef%26&oauth_version=1.0&oauth_token=AJwxz0eyXRa._q0xKlggmMSpQzYjOZyqApyhHybqPzCsDr0-&oauth_timestamp=1204762971&oauth_session_handle=ALKVBsl8DHR1rsAHSwTmAxYIsIGs3l31syRaA_aaF.RDs.MknmVM4P
Request parameters
| Request Parameter | Description |
|---|---|
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8](http://oauth.net/core/1.0#nonce)). |
| oauth_consumer_key | Consumer Key provided to you when you sign up on the registration page. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be within ±600 seconds of the current time. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The expired Access Token. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |
Response
| Response Parameter | Description |
|---|---|
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8](http://oauth.net/core/1.0#nonce)). |
| oauth_consumer_key | Consumer Key provided to you when you sign up on the registration page. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. For more information about signing requests, refer to Signing Requests to Yahoo. |
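Steps 3 to 5 leave the consumer with three checks to get right: the callback must carry a request token this application actually obtained (and its oauth_verifier, or the verifier the user types in the oob case), the ±600 second timestamp window the tables describe is what the provider enforces, and the two lifetimes in the step 4 response (oauth_expires_in for the access token, oauth_authorization_expires_in for oauth_session_handle) decide whether the next call is a normal request, a step 5 refresh, or a return to step 2. The following Python is an added example for this page, not Yahoo's own code; the function and class names, the pending-token dictionary, and the constructed callback values reqtok123 and 7xk2p are assumptions of this example. EXAMPLE_RESPONSE is the step 4 response shown on the page.

```python
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

TIMESTAMP_WINDOW = 600  # Yahoo accepts oauth_timestamp only within +-600 s of its own clock

# The step 4 example response from the page, joined onto one line
EXAMPLE_RESPONSE = (
    "oauth_token=A%3DqVDHXBngo1tEtzox.JMhzd91Rk99.39Al7hos3J80mm1j"
    "&oauth_token_secret=c5a9684d3a3aa22aa051308987219efb8d6982fc"
    "&oauth_expires_in=3600"
    "&oauth_session_handle=AKVdNElJthnrHDwnYDuj6fJ2ayRbJvkePz9AKwi9dQAfb4bd"
    "&oauth_authorization_expires_in=919314350"
    "&xoauth_yahoo_guid=DKXSX6Q5TA5SVNARZLUJU5AW7A"
)


def timestamp_within_window(oauth_timestamp, now=None, window=TIMESTAMP_WINDOW):
    """Provider-side freshness check; with the nonce it bounds replay of a signed request."""
    now = time.time() if now is None else now
    try:
        ts = int(oauth_timestamp)
    except (TypeError, ValueError):
        return False
    return abs(now - ts) <= window


def parse_callback(redirect_url, pending):
    """Step 3: validate Yahoo's redirect to oauth_callback.

    pending maps request tokens this application obtained in step 2 to their secrets
    (assumed storage). Only a token we obtained ourselves is accepted, so a redirect
    carrying some other token cannot be bound to the current user's session.
    Returns (request_token, request_token_secret, verifier)."""
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    token = query.get("oauth_token", [""])[0]
    verifier = query.get("oauth_verifier", [""])[0]
    if not token or token not in pending:
        raise ValueError("oauth_token missing or not a request token this application obtained")
    if not verifier:
        raise ValueError("oauth_verifier missing from callback")
    return token, pending.pop(token), verifier


def accept_oob_verifier(user_input, token, pending):
    """Same check for oauth_callback=oob, where the user types the short verifier into the app."""
    verifier = (user_input or "").strip()
    if token not in pending or not verifier:
        raise ValueError("no pending request token for this verifier")
    return token, pending.pop(token), verifier


@dataclass
class AccessCredentials:
    token: str
    token_secret: str
    session_handle: str
    issued_at: int
    expires_in: int                 # oauth_expires_in: access token lifetime (3600 s)
    authorization_expires_in: int   # oauth_authorization_expires_in: session handle lifetime
    guid: str = ""

    @classmethod
    def from_response(cls, body, issued_at):
        # Decode the form-encoded step 4 (or step 5) response
        f = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        return cls(
            token=f["oauth_token"],
            token_secret=f["oauth_token_secret"],
            session_handle=f["oauth_session_handle"],
            issued_at=issued_at,
            expires_in=int(f["oauth_expires_in"]),
            authorization_expires_in=int(f["oauth_authorization_expires_in"]),
            guid=f.get("xoauth_yahoo_guid", ""),
        )

    def next_action(self, now):
        """'use' while the access token is valid, 'refresh' (step 5, with oauth_session_handle)
        once it has expired, 'reauthorize' (back to step 2) once the session handle expired."""
        if now >= self.issued_at + self.authorization_expires_in:
            return "reauthorize"
        if now >= self.issued_at + self.expires_in:
            return "refresh"
        return "use"
```

Popping the request token from pending as soon as it is consumed means a second redirect with the same token is rejected, and the verifier is only ever paired with the token that was issued to this session.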
See also a very good article by Ruan Yifeng: 理解OAuth 2.0 (Understanding OAuth 2.0).