Does OAuth 2.0 need consumer key/consumer secret


Problem description

So evidently when using OAuth 1.0 you need to acquire a consumer key and consumer secret from the API provider...

But then when I try to use OAuth 2.0 APIs such as Facebook, Google OAuth 2.0, etc., I never needed to acquire a consumer key/consumer secret (I acquired an App ID and App secret for Facebook, but those are different from consumer key/consumer secret, am I correct?)

So my question is... is it true that when using OAuth 2.0, you don't need to have a consumer key/consumer secret as in OAuth 1.0?

Also, there are no signature methods (HMAC-SHA1 etc.) necessary for OAuth 2.0, is that correct? HMAC-SHA1 is only relevant for OAuth 1.0, correct?

Solution

  1. OAuth 2 providers typically issue you an identifier for your client/app and some secret/password; the OAuth draft calls these the client identifier and client secret. These are used to check if a call was really issued by your application. However, OAuth covers different Authorization Grant flows which are more or less secure and do not all require some kind of secret. Google calls them client ID and client secret, Facebook calls them App ID and App Secret, but they are both the same.
  2. Yes, all cryptographic steps were moved to the server side in OAuth 2.
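
An added example (not part of the original question or answer) contrasting the two client-side steps discussed above: the OAuth 1.0 HMAC-SHA1 request signature keyed by the consumer secret (RFC 5849), and an OAuth 2.0 authorization code token request that carries the client ID and client secret directly with no signature (RFC 6749). The endpoints, credentials and function names are constructed for illustration, and the URL is assumed to be already normalized with no query string.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, quote_plus, urlencode


def pct(value):
    # RFC 5849 section 3.6: everything except unreserved characters is encoded
    return quote(str(value), safe="-._~")


def oauth1_base_string(method, url, params):
    # Encode each pair, sort, join, then encode the joined string once more
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def oauth1_sign(method, url, params, consumer_secret, token_secret=""):
    # OAuth 1.0: the secrets only key the HMAC and are never transmitted
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = oauth1_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()


def oauth2_token_request(client_id, client_secret, code, redirect_uri):
    # OAuth 2.0 authorization code grant: no signature is computed; the
    # client secret itself is sent (HTTP Basic), so TLS must protect it
    cred = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(cred).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return headers, body


if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints
    params = {"oauth_consumer_key": "demo-key", "oauth_nonce": "n1",
              "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "1"}
    print(oauth1_sign("GET", "https://api.example.com/r", params, "cs", "ts"))
    print(oauth2_token_request("demo-client", "demo-secret", "abc123",
                               "https://app.example.com/cb"))
```

Because the OAuth 2.0 request contains the secret itself rather than a value derived from it, it belongs only in a confidential client talking to the token endpoint over TLS.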
