翻译自下面这篇文章
https://developer.yahoo.com/oauth/guide/oauth-auth-flow.html
概述
OAuth是一套在开发者和服务提供者之间建立沟通机制的协议;( OAuth是让第三方应用不需要用户名密码读取用户数据的一个认证过程。)在本文档里,服务提供者是yahoo,访问用户数据的应用或者站点被称作consumer
整体流程图示
主体内容如下:
步骤1. 注册yahoo并获取consumer Key
在通过api访问yahoo之前,需要先注册并提交若干信息(包括访问数据的范围)以获取使用yahoo服务的资格。在以后通过consumer访问数据的时候,yahoo会询问最终用户授权给consumer访问数据的范围,关于数据范围的说明如下:
- Read/Write Yahoo Updates
- Read (Shared) Yahoo Profiles
- Read Yahoo
注册完成,会拿到consumer key和consumer secret,在获取request token的时候,必须作为参数传入。
步骤2. 获取request token
request token是用来完成用户认证时需要传入的临时token,通过consumer key来获得。
请求URL:
https://api.login.yahoo.com/oauth/v2/get_request_token?oauth_nonce=ce2130523f788f313f76314ed3965ea6&oauth_timestamp=1202956957&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=abcdef&oauth_version=1.0&xoauth_lang_pref="en-us"&oauth_callback="http://yoursite.com/callback"
参数说明:
| Request Parameter | Description |
|---|---|
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_nonce | A random string (OAuth Core 1.0 Spec, Section 8) |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The Consumer Secret that was issued to the application. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be +-600 seconds of the current time. |
| oauth_version | OAuth version (1.0). |
| xoauth_lang_pref | (optional) The language preference of the User; the default value is EN-US. For further details about this parameter, refer to the OAuth Extension for Specifying User Language Preference. |
| oauth_callback | Yahoo redirects Users to this URL after they authorize access to their private data. If your application does not have access to a browser, you must specify the callback as oob (out of bounds). |
request token是用来完成用户认证时需要传入的临时token,通过consumer key来获得。
返回值
| Request Parameter | Description |
|---|---|
| oauth_token_secret | The secret associated with the Request Token, provided in hexstring format. |
| oauth_expires_in | The lifetime of the Request Token in seconds. The default number is 3600 seconds, or one hour. |
| xoauth_request_auth_url | The URL to the Yahoo authorization page. |
| oauth_token | The Request Token that Yahoo returns as a response to therequest_token call. The Request Token is required during the User authorization process. |
| oauth_callback_confirmed=true | This parameter confirms that you are using OAuth 1.0 Rev. A. This parameter is always set to true. |
步骤3. 用户登录授权
拿到request token之后,应用提供给用户yahoo的授权页面,用户通过该页面客户授予应用访问他在yahoo上数据的权限
如下图所示:
如果用户没有登录的话,会先弹出登录界面;
请求参数
| Request Parameter | Description |
|---|---|
| oauth_token | The Request Token that Yahoo returns as a response to the request_token |
| call. The Request Token is required during the User authorization process. |
下面的参数会添附在 获取request token的时候传入的回调地址后面
| Callback URL Parameter | Description |
|---|---|
| oauth_token | The Request Token that Yahoo returns as a response to the get_request_token call. It is appended to the authorization page URL. The Request Token is required during the User authorization process. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. The OAuth Verifier and Request Token both must be provided in exchange for an Access Token. They also both expire together. If the oauth_callback is set to oob in Step 2, the OAuth Verifier is not included as a response parameter and is instead presented once the User grants authorization to your application. Yahoo instructs the User to enter the OAuth Verifier code in your application. Your application must ask for this OAuth Verifier code to ensure OAuth authorization can proceed. The OAuth Verifier is intentionally short so that a User can type it manually. |
如下图所示:
yahoo认证页面有两种方法展现
- 弹出式窗口
- 从web应用直接重定向到yahoo认证页
步骤4. 用request Token和oauth_verifier来换取access token
用户授权之后consumer需要将request token变换为access token
请求参数
| Request Parameter | Description |
|---|---|
| oauth_consumer_key | Consumer Key provided to you when you signed up. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8]http://oauth.net/core/1.0#nonce)) |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. If you are using the PLAINTEXT signature method, add %26 at the end of the Consumer Secret. If using HMAC-SHA1, refer to [OAuth Core 1.0 Spec, Section 9.2]http://oauth.net/core/1.0#anchor16). For more information about signing requests, refer toSigning Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be +-600 seconds of the current time. |
| oauth_verifier | The OAuth Verifier is a verification code tied to the Request Token. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The Request Token, which is required during the User authorization process and is short enough for the end User to easily enter. The Request Token is provided in the response to the get_request_token |
请求URL:
oauth_token=A%3DqVDHXBngo1tEtzox.JMhzd91Rk99.39Al7hos3J80mm1j
&oauth_token_secret=c5a9684d3a3aa22aa051308987219efb8d6982fc
&oauth_expires_in=3600
&oauth_session_handle=AKVdNElJthnrHDwnYDuj6fJ2ayRbJvkePz9AKwi9dQAfb4bd
&oauth_authorization_expires_in=919314350
&xoauth_yahoo_guid=DKXSX6Q5TA5SVNARZLUJU5AW7A
返回值
| Response Parameter | Description |
|---|---|
| oauth_token | The Access Token provides access to protected resources accessible through Yahoo Web services. |
| oauth_token_secret | The secret associated with the Access Token provided in hexstring format. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |
| oauth_expires_in | Lifetime of the Access Token in seconds (3600, or 1 hour). |
| oauth_authorization_expires_in | Lifetime of the oauth_session_handle in seconds. |
| xoauth_yahoo_guid | The introspective GUID of the currently logged in User. For more information of the GUID, see the [Yahoo Social API Reference]https://developer.yahoo.com/social/rest_api_guide/introspective-guid-resource.html). |
获得access token之后就可以访问yahoo的服务(如果是用弹出式窗口的方式提供用户授权的话,那么获取到access token之后确保关闭弹出窗口)
步骤5. 刷新access Token
access token一个小时后失效,继续访问的话需要更新access token
请求URL:
https://api.login.yahoo.com/oauth/v2/get_token?oauth_nonce=ef3a091928d5491624c0ac54d697124422705091&oauth_consumer_key=123456891011121314151617181920&oauth_signature_method=plaintext&oauth_signature=55d4cf6bf417023ce5dcc3b77132fb021cd13b21abcdef%26&oauth_version=1.0&oauth_token=AJwxz0eyXRa._q0xKlggmMSpQzYjOZyqApyhHybqPzCsDr0-&oauth_timestamp=1204762971&oauth_session_handle=ALKVBsl8DHR1rsAHSwTmAxYIsIGs3l31syRaA_aaF.RDs.MknmVM4P
请求参数
| Request Parameter | Description |
|---|---|
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8]http://oauth.net/core/1.0#nonce)) |
| oauth_consumer_key | Consumer Key provided to you when you sign up on the egistration page. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. For more information about signing requests, refer to Signing Requests to Yahoo. |
| oauth_timestamp | Current timestamp of the request. This value must be +-600 seconds of the current time. |
| oauth_version | OAuth version (1.0). |
| oauth_token | The expired Access Token. |
| oauth_session_handle | The persistent credential used by Yahoo to identify the Consumer after a User has authorized access to private data. Include this credential in your request to refresh the Access Token once it expires. |
返回值
| Response Parameter | Description |
|---|---|
| oauth_nonce | A random string ([OAuth Core 1.0 Spec, Section 8]http://oauth.net/core/1.0#nonce)) |
| oauth_consumer_key | Consumer Key provided to you when you sign up on the registration page. |
| oauth_signature_method | The signature method that you use to sign the request. This can be PLAINTEXT or HMAC-SHA1. |
| oauth_signature | The concatenated Consumer Secret and Token Secret separated by an "&" character. For more information about signing requests, refer to Signing Requests to Yahoo. |
同时来自阮一峰的一篇非常好的文章 理解OAuth 2.0
