I've been exploring OAuth version 1.0 for the REST API I'm currently working on.

I have 3 authentication scenarios:

  1. This involves 3 parties: the service provider, the consumer, and the user. 3-legged OAuth fits this scenario.
  2. 2 parties are involved: the consumer and the service provider. This is a scenario where 2-legged OAuth is most applicable, if it is indeed such a process, because as far as I understand there is almost no difference between this process and HTTP Basic authentication.
  3. I'm also creating a special type of user who can access the currently logged-in user's data at any time without the user's authorization. How does this case fit into the picture while still implementing OAuth?

For this case, how can OAuth be implemented neatly, and how would that help me understand the 3-legged and 2-legged OAuth processes?

Any help?

Solution

Number 1: Correct, just use the typical 3-legged oauth flow.

Number 2. 2-legged oauth is pretty much the same as http-basic, except that the oauth signature gives you protection against MITM attacks (but if you use http-basic over TLS then you get the same protection). The process for 2-legged oauth is just the signing of the request with the consumer key/secret which is synonymous with a username/password over http basic.

Number 3. I'm not 100% clear on what you mean here, but it sounds similar to how google uses 2-legged oauth for google apps domains. Take a look at their documentation here: https://developers.google.com/accounts/docs/OAuth#GoogleAppsOAuth

Have you looked into OAuth 2.0? It's still in draft, but it has a lot more flexibility for different scenarios. May be something to consider. http://oauth.net/2/
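To make the "signing of the request with the consumer key/secret" in the answer concrete, here is an added example (not code from the original question or answer) of 2-legged OAuth 1.0 HMAC-SHA1 signing and verification per RFC 5849. It shows the practical difference from HTTP Basic over plain HTTP: the consumer secret never goes on the wire, and because the signature covers the method, URL and every parameter, a request modified in transit no longer verifies. The URL, consumer key and secret are constructed sample values; a real service provider would additionally reject reused nonces and stale timestamps to prevent replay.

```python
"""Two-legged OAuth 1.0 request signing with HMAC-SHA1 (RFC 5849).

Added example, not from the original post. Consumer key "ck" and
secret "cs" used in the usage section are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    # RFC 5849 section 3.6: percent-encode everything except unreserved characters
    return quote(str(value), safe="-._~")


def base_string_uri(url: str) -> str:
    # Lowercase scheme and host, drop default ports, exclude query and fragment
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params) -> str:
    # params: (key, value) pairs from the query string, form body and oauth_*
    # protocol parameters, excluding oauth_signature itself
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def sign(method: str, url: str, params, consumer_secret: str, token_secret: str = "") -> str:
    # 2-legged: no access token, so the token secret half of the key is empty
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def collect_params(url: str, body_params, oauth_params):
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return query + list(body_params) + list(oauth_params.items())


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 nonce=None, timestamp=None):
    """Consumer side: build the oauth_* parameters, including the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, collect_params(url, body_params, oauth),
                                    consumer_secret)
    return oauth


def verify_request(method, url, body_params, oauth_params, secrets_by_key) -> bool:
    """Service-provider side: look up the consumer secret and recompute the signature.

    A production verifier would also reject timestamps outside a window and
    nonces already seen for that consumer/timestamp (replay protection).
    """
    consumer_secret = secrets_by_key.get(oauth_params.get("oauth_consumer_key"))
    if consumer_secret is None:
        return False
    provided = oauth_params.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth_params.items() if k != "oauth_signature"}
    expected = sign(method, url, collect_params(url, body_params, unsigned), consumer_secret)
    # Constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    url = "https://api.example.com/resource?b=2&a=1"  # constructed sample URL
    header_params = sign_request("GET", url, [], "ck", "cs")
    print("Authorization: OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in header_params.items()))
    print("valid:", verify_request("GET", url, [], header_params, {"ck": "cs"}))
    print("tampered:", verify_request("GET", url, [("extra", "1")], header_params, {"ck": "cs"}))
```

The verifier only ever sees the consumer key and a signature; it reproduces the signature from its own copy of the secret. That is what the answer means by MITM protection: an attacker who intercepts the request without TLS can replay it (until the nonce/timestamp checks catch it) but cannot forge a new request for different parameters, whereas intercepted HTTP Basic credentials reusable for anything.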

Licensed under: CC-BY-SA with attribution