OAuth - Don’t Throw the Baby Out with the Bathwater
oAuth无痛入门指南 (oAuth, a painless getting-started guide), 2009-12-15
est's blog
Mobilis in Mobili
Categories: oAuth, Web, programming
#1 yeeyan , #2 rollingcode.org
oAuth spec: http://oauth.net/core/1.0/
oAuth involves three parties:
1. the user
2. the service provider, called site A below
3. the consumer, called site B below

Site A holds the user's data; site B wants to use that data on the user's behalf. The typical oAuth scenario: a site that wants to work with your photos on Flickr, or an SNS such as xiaonei.com that wants to import your Hotmail contacts. Before oAuth there were three ways to get there:
1. Copy and paste by hand (Ctrl+C, Ctrl+V).
2. ——
3. ID ——
With oAuth it goes like this: B sends the user to a URL on A; A asks the user whether to let B in (Yes/No); if the answer is Yes, A lets B access the user's data. Under the hood there are three steps:
1. Before step 2 can happen, B obtains from A an unauthorized request token ("Obtaining an Unauthorized Request Token" in the spec); A hands B a "request token".
2. A asks the user to authorize that token ("Obtaining User Authorization").
3. B takes the now-authorized request token back to A and exchanges it for an access token ("Obtaining an Access Token"). From then on B uses the "access token" to call A.

In steps 1 and 3, A's response carries an oauth_token and an oauth_token_secret (plus any other_parameters A chooses to add). The oauth_token returned in step 1 is the request token; the oauth_token returned in step 3 is the access token, and the two are different values.
initiative.yo2.cn/archives/633801
Technically, oAuth boils down to two things: how the parameters are passed and how the request is signed.

Consumer Request Parameters (oAuth 1.0 spec, section 5.2) can be passed in three ways:
1. In the HTTP GET query string (after the ? in the URL). This is the only option for requests made through an iframe or img tag, so watch out for XSS.
2. In the HTTP POST body, with Content-Type application/x-www-form-urlencoded.
3. In the HTTP Authorization header, using the OAuth HTTP Authorization Scheme.
The second thing is the "signature".

oAuth defines three signature methods: HMAC-SHA1, RSA-SHA1 and PLAINTEXT. The string being signed is built from three parts:
1. The HTTP method (GET, POST, HEAD, ...).
2. The HTTP URL being requested.
3. The oAuth parameters, sorted and concatenated.
The three parts are percent-encoded and joined with &, and the result is signed with HMAC (or RSA). With PLAINTEXT, oAuth skips the hashing and the "signature" is just the secrets themselves, so PLAINTEXT only makes sense over HTTPS.

The secret key used for signing is the consumer secret joined to the token secret with &.
Before any of this can happen, B has to register with A. At douban, for instance, you apply for a Douban API Key; together with the Douban API Key you get a matching secret. In oAuth terms these are the "consumer key" and "consumer secret": the key identifies B to A, and the secret is what B signs with.
Whether you pick HMAC-SHA1, RSA-SHA1 or PLAINTEXT, every oAuth request also carries a timestamp (and a nonce) so that A can reject replays. Don't hand-roll this; google for an oAuth library for your language.
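To make the signing rules and the header transport concrete, here is an added example (not code from the original post) that builds the signature base string, signs it with HMAC-SHA1 or PLAINTEXT, emits the OAuth Authorization header, and verifies a request on the service-provider side. The request it signs is the photo fetch from Appendix A of the oAuth Core 1.0 spec the post links, with that appendix's consumer key, token and secrets; the tampered request and the helper names (pct, base_string, sign, verify, run_example) are this example's own.

```python
# Added example (not from the original post): OAuth 1.0 signing as described above,
# checked against the request in Appendix A of the oAuth Core 1.0 spec the post links.
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(s):
    """OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay bare (RFC 3986 unreserved)."""
    return quote(str(s), safe="-._~")


def normalize_url(url):
    """Lower-case scheme and host, drop default ports, strip query string and fragment."""
    p = urlsplit(url)
    host = p.hostname.lower()
    default = (p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return f"{p.scheme.lower()}://{host}{p.path or '/'}"


def base_string(method, url, params):
    """The three parts from the post: HTTP method & normalized URL & sorted parameters.

    params is a list of (name, value) pairs: the oauth_* parameters plus the
    query-string or form-body parameters. oauth_signature itself is excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(normalize_url(url)), pct(normalized)])


def signing_key(consumer_secret, token_secret=""):
    """consumer secret & token secret; the token secret is empty when asking for a request token."""
    return f"{pct(consumer_secret)}&{pct(token_secret)}"


def sign(method, url, params, consumer_secret, token_secret=""):
    """Return oauth_signature for the method named in params (HMAC-SHA1 or PLAINTEXT)."""
    key = signing_key(consumer_secret, token_secret)
    sig_method = dict(params).get("oauth_signature_method", "HMAC-SHA1")
    if sig_method == "PLAINTEXT":
        # PLAINTEXT sends the secrets themselves; only acceptable over HTTPS.
        return key
    if sig_method == "HMAC-SHA1":
        mac = hmac.new(key.encode(), base_string(method, url, params).encode(), hashlib.sha1)
        return base64.b64encode(mac.digest()).decode()
    raise ValueError(f"unsupported oauth_signature_method: {sig_method}")


def authorization_header(params, signature, realm=""):
    """Third transport option from the post: the OAuth Authorization header."""
    oauth = [(k, v) for k, v in params if k.startswith("oauth_")]
    oauth.append(("oauth_signature", signature))
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth)
    return f'OAuth realm="{realm}", {fields}'


def verify(method, url, params, consumer_secret, token_secret, presented):
    """Service-provider side: recompute the signature and compare in constant time.
    A real provider also checks the timestamp window and rejects reused nonces."""
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


# Request from Appendix A of the oAuth Core 1.0 spec: the consumer already holds an
# access token and fetches a photo with it.
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"
URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
PARAMS = [
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
    ("file", "vacation.jpg"),
    ("size", "original"),
]


def run_example():
    sig = sign("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    # Constructed tampered request: same signature, but an attacker changed one parameter.
    tampered = [(k, "large" if k == "size" else v) for k, v in PARAMS]
    return {
        "base_string": base_string("GET", URL, PARAMS),
        "signature": sig,
        "header": authorization_header(PARAMS, sig, realm="http://photos.example.net/"),
        "verified": verify("GET", URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET, sig),
        "tampered_verified": verify("GET", URL, tampered, CONSUMER_SECRET, TOKEN_SECRET, sig),
        "plaintext": sign("GET", URL, [("oauth_signature_method", "PLAINTEXT")] + PARAMS[:1],
                          CONSUMER_SECRET, TOKEN_SECRET),
    }


if __name__ == "__main__":
    for name, value in run_example().items():
        print(f"{name}: {value}")
```

The same sign() serves all three legs of the flow described earlier: for step 1 the token secret is empty, for step 3 it is the request token secret, and for every later API call it is the access token secret. Note that verify() compares with hmac.compare_digest rather than ==, and that the tampered request fails even though the attacker kept a valid signature, because the size parameter is part of the base string.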
oAuth is a Web "authorization" protocol, nothing more. It is meant for webapps; for a JavaScript Web widget it is a poor fit, and what est uses there is a cookiejar + Flash LSO rather than oAuth.

oAuth is now supported by the APIs of Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, Google, Yahoo, and others soon to follow.

One thing oAuth 1.0 does not give B is the user's email or any other identity information; B only gets an access token.
9 Responses to “oAuth无痛入门指南”
1. Pan Says: 11th, 2009 at 14:58
2. Says: 20th, 2009 at 19:35
3. Says: 20th, 2009 at 19:37
4. 3D Says: 20th, 2009 at 19:37
5. sunny Says: 12th, 2009 at 11:39
6. kkppccdd Says: 14th, 2009 at 13:32
7. rocyhua Says: 3rd, 2009 at 15:05