The OAuth protocol enables websites and applications (Consumers) to access Protected Resources from a web service (Service Provider) through an API, without requiring Users to disclose their Service Provider credentials to the Consumer. More generally, OAuth provides a freely implementable and generic method for API authentication.
A typical example is a printing service, printer.example.com (the Consumer), that wants to access the private photos a User stores on photos.example.net (the Service Provider) without the User having to hand over her photos.example.net password.
OAuth does not require a specific user interface or interaction pattern, nor does it dictate how the Service Provider authenticates Users. This makes it particularly suited to cases where authentication credentials are not available to the Consumer, for example when the Service Provider authenticates with OpenID.
OAuth aims to unify the experience and implementation of delegated web service authentication into a single, community-driven protocol. It builds on existing protocols and best practices that have already been implemented independently by many sites, and is an open standard supported by large and small Service Providers alike, giving application developers and Users a consistent and trustworthy experience.
OAuth is best explained with real-life examples. The specification includes in Appendix A a similar example, but that one focuses on the syntax of the HTTP calls. This walk-through demonstrates a typical OAuth session and includes the perspectives of the User, the Consumer, and the Service Provider. The websites and people mentioned are fictional. The Scottish references are real. And so our story begins…
Using OAuth terminology, Jane is the User and Faji is the Service Provider. The two photos Jane uploaded are the Protected Resources.
Using OAuth terminology, Beppa is the Consumer. Since Jane marked the photos as private, Beppa must use OAuth to gain access to them in order to print them.
When Beppa added support for importing photos from Faji, a Beppa developer (known in OAuth as a Consumer Developer) obtained a Consumer Key and Consumer Secret from Faji for use with Faji's OAuth-enabled API. The Consumer Key identifies Beppa in every OAuth request it makes to Faji; the Consumer Secret is used to sign those requests and, like Jane's password, must never leave Beppa's servers.
After Jane clicks Continue, something important happens in the background between Beppa and Faji: Beppa requests a Request Token from Faji. At this point the Request Token is not tied to any User; it is only Beppa's handle for asking Jane to approve access to her private photos.
When Beppa receives the Request Token, it redirects Jane to Faji's OAuth User Authorization URL with the Request Token, and asks Faji to redirect Jane back to http://beppa.com/order once approval has been granted.
Jane has been redirected to Faji and is asked to sign in to the site. OAuth requires that the Service Provider first authenticate the User, and only then ask her to grant access to the Consumer.
OAuth allows Jane to keep her username and password private and not share them with Beppa or any other site. At no time does Jane enter her Faji credentials into beppa.com.
After successfully logging in to Faji, Jane is asked to grant access to Beppa, the Consumer. Faji tells Jane who is requesting access (in this case Beppa) and what kind of access is being granted. Jane can approve or deny the request.
Once Jane approves the request, Faji marks the Request Token as authorized by Jane. Jane's browser is redirected back to Beppa, to the URL provided earlier, http://beppa.com/order, together with the Request Token. This tells Beppa that it can now continue and fetch Jane's photos.
While Jane waits, Beppa exchanges the authorized Request Token for an Access Token. Request Tokens are good only for obtaining User approval; Access Tokens are what is used to access Protected Resources, in this case Jane's photos. In the first request Beppa exchanges the Request Token for an Access Token; in the second (which may in fact be several requests: one for the list of photos and a few more to fetch each photo) it retrieves the photos.
When Beppa is done, Jane's browser refreshes to complete the order. Beppa has successfully fetched Jane's photos, which are presented as thumbnails for her to pick from and place her order.
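The whole exchange above, simulated in one Python process, as an added example (this is illustration code written for this page, not Beppa's, Faji's or the OAuth specification's own code). It follows the 1.0a revision of the protocol (RFC 5849), which adds an oauth_verifier to the callback so that the exchange in step 3 can only be completed by the Consumer that started the flow; the endpoint URLs, the token and secret formats, and Jane's photo list are assumptions made for the simulation.

```python
# Added example (not the page's or any real site's code): three-legged OAuth 1.0a, Beppa to Faji.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

RT_URL = "https://faji.example/oauth/request_token"   # assumed Faji endpoint URLs
AT_URL = "https://faji.example/oauth/access_token"
PHOTOS_URL = "https://faji.example/photos"

def _require(cond, msg):
    if not cond: raise PermissionError(msg)

def pe(s):  # RFC 3986 percent-encoding as OAuth 1.0 mandates: only A-Za-z0-9-._~ left bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    """METHOD&enc(url)&enc(sorted k=v pairs, keys and values encoded, signature excluded)."""
    pairs = sorted((pe(k), pe(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pe(url), pe("&".join(f"{k}={v}" for k, v in pairs))])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pe(consumer_secret)}&{pe(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class Faji:
    """Service Provider: holds the photos, issues tokens, verifies every signed call."""
    def __init__(self):
        self.consumers = {}          # consumer key -> consumer secret
        self.request_tokens = {}     # token -> {secret, callback, user, verifier}
        self.access_tokens = {}      # token -> {secret, user}
        self.seen_nonces = set()     # (consumer key, nonce) pairs already accepted
        self.photos = {"jane": ["beach.jpg", "castle.jpg"]}   # constructed sample data

    def register_consumer(self, name):   # done once, out of band, by Beppa's developer
        key, secret = f"{name}-{secrets.token_hex(4)}", secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def _verify(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        _require(secret is not None, "unknown consumer")
        _require(abs(time.time() - int(params["oauth_timestamp"])) <= 300, "stale timestamp")
        nonce = (params["oauth_consumer_key"], params["oauth_nonce"])
        _require(nonce not in self.seen_nonces, "replayed nonce")   # same signed request twice
        self.seen_nonces.add(nonce)
        expected = sign(method, url, params, secret, token_secret)
        _require(hmac.compare_digest(expected, params.get("oauth_signature", "")), "bad signature")

    def request_token(self, params):
        """Step 1: a Request Token bound to Beppa, not yet to any user."""
        self._verify("POST", RT_URL, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "callback": params["oauth_callback"], "user": None}
        return tok, sec

    def authorize(self, user, tok):
        """Step 2: Jane, logged in at Faji, approves Beppa. Faji binds the token to her and
        mints the oauth_verifier that 1.0a adds to the callback; returns the redirect URL."""
        rt = self.request_tokens[tok]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return f"{rt['callback']}?oauth_token={tok}&oauth_verifier={rt['verifier']}"

    def access_token(self, params):
        """Step 3: exchange an authorized Request Token (one-shot) for an Access Token."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        _require(rt is not None and rt["user"] is not None, "request token not authorized")
        _require(hmac.compare_digest(rt["verifier"], params.get("oauth_verifier", "")), "bad verifier")
        self._verify("POST", AT_URL, params, rt["secret"])
        del self.request_tokens[params["oauth_token"]]
        at, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[at] = {"secret": sec, "user": rt["user"]}
        return at, sec

    def photos_for(self, params):   # Step 4: the Protected Resource, for the token's user only
        at = self.access_tokens.get(params.get("oauth_token"))
        _require(at is not None, "unknown access token")
        self._verify("GET", PHOTOS_URL, params, at["secret"])
        return list(self.photos[at["user"]])

class Beppa:
    """Consumer: builds signed requests; never sees Jane's Faji password."""
    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed(self, method, url, token="", token_secret="", **extra):
        p = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **extra}
        p.update({"oauth_token": token} if token else {})
        p["oauth_signature"] = sign(method, url, p, self.secret, token_secret)
        return p

def run_flow():
    """The whole dance from the walk-through; returns the photo names Beppa obtained."""
    faji = Faji()
    beppa = Beppa(*faji.register_consumer("beppa"))
    rt, rt_sec = faji.request_token(beppa.signed("POST", RT_URL, oauth_callback="http://beppa.com/order"))
    redirect = faji.authorize("jane", rt)                 # Jane approves on Faji, never on beppa.com
    verifier = redirect.rsplit("oauth_verifier=", 1)[1]   # Beppa reads it off the callback URL
    at, at_sec = faji.access_token(beppa.signed("POST", AT_URL, rt, rt_sec, oauth_verifier=verifier))
    return faji.photos_for(beppa.signed("GET", PHOTOS_URL, at, at_sec))
```

run_flow() walks Jane's order end to end and returns the two photo names. The signing helpers follow the specification's rules (RFC 3986 encoding, parameters sorted after encoding, HMAC key built from consumer secret and token secret), and Faji rejects unknown consumers, stale timestamps, replayed nonces, bad signatures, and any attempt to exchange a Request Token that Jane has not approved or to exchange the same one twice.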