This article introduces Google OAuth 1.0; we hope it is a useful reference for developers who need it.
The link below is the best Chinese-language explanation of OAuth 1.0 (it uses Twitter's OAuth as its example):
http://cire.pixnet.net/blog/post/30810748-%E6%BC%AB%E8%AB%87oauth%E8%AA%8D%E8%AD%89%E5%8D%94%E5%AE%9A%E8%88%87%E9%81%8B%E4%BD%9C%E6%B5%81%E7%A8%8B
After reading that article carefully, continue with the explanation of Google OAuth 1.0 below.
Reference documents:
OAuth 1.0 API Reference
http://code.google.com/intl/zh-TW/apis/accounts/docs/OAuth_ref.html
OAuth 1.0 for Web Applications
http://code.google.com/intl/zh-TW/apis/accounts/docs/OAuth.html
OAuth 1.0 for Installed Applications
http://code.google.com/intl/zh-TW/apis/accounts/docs/OAuthForInstalledApps.html
Using OAuth with the Google Data APIs
http://code.google.com/intl/zh-TW/apis/gdata/articles/oauth.html
Google OAuth 1.0 PHP demo (playground demo)
http://googlecodesamples.com/oauth_playground/
source
http://code.google.com/p/gdata-samples/source/browse/#svn/trunk/oauth_playground
example description
http://code.google.com/intl/zh-TW/apis/gdata/articles/oauth.html
Google OAuth 1.0 Java demo
http://oauthexample.appspot.com/Welcome
source
http://code.google.com/p/googleappengine/source/browse/#svn%2Fbranches%2F1.2.1%2Fjava%2Fdemos%2Foauth
What is OAuth?
OAuth is short for Open Authorization. With this protocol a user can authorize a third-party web application (called the Consumer in the protocol) to use, or log in to, an existing web service (called the Service Provider) without disclosing the account password. For example, a site we write ourselves can use OAuth to log in to Twitter, Google, Yahoo or Foursquare and use the web services they expose.
Before using Google OAuth 1.0 for web applications you must first register a domain at https://accounts.google.com/ManageDomains to generate an OAuth Consumer Key and an OAuth Consumer Secret. The registration reference is http://code.google.com/intl/zh-TW/apis/accounts/docs/RegistrationForWebAppsAuto.html
The "Target URL path prefix" there does not seem to matter for OAuth; it is only used by AuthSub. It is only a prefix, not the full callback path: when building the login request you still have to send the callback path to Google, and it must match the prefix registered here, which should be regarded as a security setting. Its value is used with AuthSub: the "next" parameter of an AuthSub authorization request must start with this value. For example, if the "next" parameter is http://example.com/authsub or http://example.com/feed/authsub, the "Target URL path prefix" option should be http://example.com
The call flow for accessing a user's Google data through Google OAuth 1.0 (4 steps):
Step 1: obtain a request token via OAuthGetRequestToken
Send a request with the following parameters to https://www.google.com/accounts/OAuthGetRequestToken to obtain the request token.
The parameter list is at http://code.google.com/intl/zh-TW/apis/accounts/docs/OAuth_ref.html#RequestToken
When sending the request, there are three ways to place these parameters:
- In the Authorization header of a GET or POST request. Use "Authorization: OAuth". All parameters except "scope" and "xoauth_displayname" can be placed in the request header; "scope" and "xoauth_displayname" must be placed in the request body or in the URL as query parameters.
Sample request (using the Authorization header of a POST request; the scope parameter goes in the body):
POST /accounts/OAuthGetRequestToken HTTP/1.1
Host: www.google.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
    oauth_consumer_key="example.com",
    oauth_signature_method="RSA-SHA1",
    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0",
    oauth_callback="http://www.example.com/showcalendar.html"

scope=http://www.google.com/calendar/feeds http://picasaweb.google.com/data
- In the body of a POST request. The content type must be "Content-Type: application/x-www-form-urlencoded".
- As URL query parameters in a GET request.
If the response code of this request is 200, the response contains the following information:
- the OAuth request token (unauthorized)
- the token secret
- confirmation that Google will honour the callback URL
Sample response
oauth_token=ab3cd9j4ks73hf7g&oauth_token_secret=ZXhhbXBsZS5jb20&oauth_callback_confirmed=true
Step 2: authorize the request token from step 1 via OAuthAuthorizeToken
Use the unauthorized oauth_token obtained in step 1 as the parameter "oauth_token" and send a GET request to https://www.google.com/accounts/OAuthAuthorizeToken
(The full parameter list for this request is at http://code.google.com/intl/zh-TW/apis/accounts/docs/OAuth_ref.html#GetAuth)
Sample request
GET https://www.google.com/accounts/OAuthAuthorizeToken?oauth_token=ab3cd9j4ks73hf7g&hd=mycollege.edu&hl=en&btmpl=mobile
When Google receives this request it redirects to the Google Access Request page (if the user is not yet logged in to Google, it goes to the Google login page first and only after a successful login to the Google Access Request page), as shown in the screenshot (not reproduced here).
After the user clicks the "Grant access" button, the unauthorized OAuth request token referenced by the oauth_token parameter of the request becomes authorized; the authorized request token "oauth_token" returned in the response has the same value as the unauthorized request token obtained in step 1.
If an oauth_callback parameter was set in step 1 to provide a callback URL, then after the user clicks "Grant access" Google redirects to that callback URL with the following query parameters:
- "oauth_token", the authorized request token (its value is the same as the unauthorized request token obtained in step 1)
- "oauth_verifier", the verification code
Sample redirect URL with query parameters
http://www.example.com/showcalendar.html?oauth_token=ab3cd9j4ks73hf7g&oauth_verifier=fERNOO3NfWph90CPCeIutmFA
If no callback URL was provided there is no redirect; instead a message with a verification code is shown.
Step 3: exchange the authorized request token from step 2 for an access token via OAuthGetAccessToken (only this token can access the user's Google data)
Send a request with the following parameters to https://www.google.com/accounts/OAuthGetAccessToken to obtain the access token.
The parameter list is at http://code.google.com/intl/zh-TW/apis/accounts/docs/OAuth_ref.html#AccessToken
When sending the request, there are three ways to place these parameters:
- In the Authorization header of a GET or POST request. Use "Authorization: OAuth".
Sample request (using the Authorization header of a POST request)
POST /accounts/OAuthGetAccessToken HTTP/1.1
Host: www.google.com
Content-Type: application/x-www-form-urlencoded
Authorization: OAuth
    oauth_consumer_key="example.com",
    oauth_token="ab3cd9j4ks73hf7g",
    oauth_verifier="fERNOO3NfWph90CPCeIutmFA",
    oauth_signature_method="RSA-SHA1",
    oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
    oauth_timestamp="137131200",
    oauth_nonce="4572616e48616d6d65724c61686176",
    oauth_version="1.0"
- In the body of a POST request. The content type must be "Content-Type: application/x-www-form-urlencoded".
- As URL query parameters in a GET request.
If the response code of this request is 200, the response contains the following information:
- the access token
- the token secret
Sample response
oauth_token=ab3cd9j4ks73hf7g&oauth_token_secret=ZXhhbXBsZS5jb20
Note: the unauthorized request token, the authorized request token and the access token are all returned in the response as the value of the parameter "oauth_token".
Step 4: with the access token obtained in step 3 you can access the user's Google data through the various Google APIs.
Signing OAuth requests
OAuthGetRequestToken in step 1 and OAuthGetAccessToken in step 3 above both require the "oauth_signature" parameter when the request is sent. In fact all requests made to Google services must include this parameter.
So how is the value of this parameter generated? Simply: a "base string" is signed with the signature method set by the "oauth_signature_method" parameter.
Unregistered applications (apps that have not registered a domain and therefore have no consumer key and secret) should use the HMAC-SHA1 signature method. Registered applications can use either the RSA-SHA1 or the HMAC-SHA1 signature method.
The "base string" consists of the following parts:
- The HTTP request method, e.g. GET or POST.
- The base URL the request is being sent to. This URL must not contain any query parameters.
- A normalized string of the parameters in the request (excluding the oauth_signature parameter). This includes every parameter written in the request header or body, as well as the query parameters appended to the request URL. To normalize the string, sort the parameters using lexicographical byte value ordering.
"base string" example
Suppose you already have an access token and you are fetching a user's list of calendars through the Google Calendar API. The request URL would be:
http://www.google.com/calendar/feeds/default/allcalendars/full?orderby=starttime
The request also carries some OAuth parameters, so the "Signature base string" would look something like:
GET&http%3A%2F%2Fwww.google.com%2Fcalendar%2Ffeeds%2Fdefault%2Fallcalendars%2Ffull&oauth_consumer_key%3Dexample.com%26oauth_nonce%3D4572616e48616d6d65724c61686176%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D137131200%26oauth_token%3D1%252Fab3cd9j4ks73hf7g%26oauth_version%3D1.0%26orderby%3Dstarttime
Note: the orderby=starttime query parameter is sorted in along with the rest of the oauth_* parameters in the base string.
With the OAuth signature "base string" and "method" in hand, generate the "oauth_signature" parameter value in one of the following ways:
- If your application is not registered, select HMAC-SHA1 and use the following key and secret:
consumer key: "anonymous"
consumer secret: "anonymous"
- If your application is registered and you're using RSA-SHA1, use the private key corresponding to the certificate uploaded to Google during registration.
- If your application is registered and you're using HMAC-SHA1, use the OAuth "consumer secret" value generated during registration; this value is displayed on your domain's registration page.
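The Python program below is an added example, not code from the original post or from Google's samples. It builds the signature base string exactly as described above, signs it with HMAC-SHA1 using the consumer_secret&token_secret key, and parses the step 1 / step 3 token responses and the step 2 callback. The endpoint URLs, the "anonymous" credentials and the sample values come from the text; the function names and the placeholder secrets are this example's own, and RSA-SHA1 signing is not implemented here.

```python
# Added example (not code from the original post or from Google): OAuth 1.0
# base string construction, HMAC-SHA1 signing and token-response handling.
# Endpoint URLs and sample values are from the text; function names are ours.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """Percent-encode per RFC 3986: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(str(value), safe="")


def normalize_params(params) -> str:
    """Encode every key and value, sort by byte value, join as k=v&k=v.
    oauth_signature is excluded because it is what we are about to compute."""
    pairs = sorted((pct(k), pct(v)) for k, v in params if k != "oauth_signature")
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method: str, url: str, params) -> str:
    """METHOD & encoded base URL (no query) & encoded normalized parameters.
    Query parameters in the URL are pulled into the parameter set, which is
    why orderby=starttime appears in the text's example base string."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    all_params = list(params) + parse_qsl(parts.query, keep_blank_values=True)
    return "&".join([method.upper(), pct(base_url), pct(normalize_params(all_params))])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """HMAC-SHA1 key is consumer_secret&token_secret (token secret empty in step 1)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key="anonymous", consumer_secret="anonymous",
                 token=None, token_secret="", oauth_extra=None, body_params=None,
                 nonce=None, timestamp=None):
    """Return (Authorization header value, base string).

    oauth_* parameters (oauth_callback, oauth_verifier, ...) go in the header;
    body_params such as scope are signed but must be sent by the caller in the
    body or query string. Defaults are the anonymous credentials for
    unregistered applications described in the text."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),   # fresh per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    oauth.update(oauth_extra or {})
    params = list(oauth.items()) + list((body_params or {}).items())
    base = signature_base_string(method, url, params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())
    return header, base


def parse_token_response(body: str) -> dict:
    """Parse the form-encoded bodies of OAuthGetRequestToken / OAuthGetAccessToken.
    For a request-token response the client should stop unless
    oauth_callback_confirmed is "true", i.e. Google accepted its callback URL."""
    fields = dict(parse_qsl(body, keep_blank_values=True))
    if "oauth_token" not in fields or "oauth_token_secret" not in fields:
        raise ValueError("token response missing oauth_token/oauth_token_secret")
    if "oauth_callback_confirmed" in fields and fields["oauth_callback_confirmed"] != "true":
        raise ValueError("provider did not confirm the callback URL")
    return fields


def check_callback(query: str, request_token: str) -> str:
    """Handle the step 2 redirect: the oauth_token in the callback must equal the
    request token issued in step 1; return the oauth_verifier needed in step 3."""
    fields = dict(parse_qsl(query, keep_blank_values=True))
    if fields.get("oauth_token") != request_token:
        raise ValueError("callback carries a different request token")
    if not fields.get("oauth_verifier"):
        raise ValueError("callback missing oauth_verifier")
    return fields["oauth_verifier"]


if __name__ == "__main__":
    # The calendar-list request from the text, signed with placeholder secrets.
    hdr, base = sign_request(
        "GET", "http://www.google.com/calendar/feeds/default/allcalendars/full?orderby=starttime",
        consumer_key="example.com", consumer_secret="<consumer secret placeholder>",
        token="1/ab3cd9j4ks73hf7g", token_secret="<token secret placeholder>",
        nonce="4572616e48616d6d65724c61686176", timestamp=137131200)
    print(base)
    print(hdr)
```

The base string produced for the text's calendar example (with oauth_signature_method=RSA-SHA1 in the parameter list) is byte-for-byte the one shown above, including the double-encoded oauth_token value 1%252Fab3cd9j4ks73hf7g. The two checks in parse_token_response and check_callback are the ones a consumer should not skip: a missing callback confirmation or a callback carrying a different request token means the authorization should not proceed.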
Revoking an OAuth access token
An OAuth access token can be revoked manually or programmatically.
- Manually revoking a token (for Google account holders)
1. Users can make changes to their Google Account settings at https://www.google.com/accounts/. For Google Apps (hosted) domain accounts, go to https://www.google.com/a/yourdomain.com/ManageAccount.
2. Click the link "Change authorized websites".
3. In the list of authorized domains displayed, locate the domain to be revoked. Click the "Revoke Access" link next to the domain name.
- Programmatically revoking a token (for third-party applications)
To programmatically revoke a token, send a request to AuthSub's AuthSubRevokeToken endpoint with the necessary signed OAuth request.
That concludes this article on Google OAuth 1.0; we hope it is of help to developers.