Twitter OAuth Flow - Confused about oob/3-legged auth and general flow, don't need PIN?

Question

Continuing from: Setting up Twitter OAuth without 3rd party libraries

Thanks to Mr. Nylander's help, I managed to get my oAuth class working (albeit only after a long time)! However, I'm confused about a few aspects of the oAuth flow.

Here's a breakdown of what's happening in a program I made:

==edit, I think I'll post partial code, it's hard to explain with just words for me==

//1st code segment
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://api.twitter.com/oauth/request_token");
string response = "";
HttpWebResponse resp = (HttpWebResponse)request.GetResponse();
using (StreamReader reader = new StreamReader(resp.GetResponseStream()))
{
    response = reader.ReadToEnd();
}

Up to this point, I can get the response successfully.

Response --> oauth_token=asjndiqufh9uf&oauth_token_secret=oinroiqurhwunwer&oauth_callback_confirmed=true

//2nd code segment
Process proc = new Process();
proc.StartInfo.UseShellExecute = true;
proc.StartInfo.FileName = "https://api.twitter.com/oauth/authenticate?" + response;
proc.Start();

This brings the user(me) to a page where I have to choose whether I want to authorize it or not. If I agree, I'll then be taken to a page which contains a PIN.

//3rd code segment
Console.WriteLine("Enter the PIN");
string pin = Console.ReadLine();
baseString = generateBaseString("POST", "https://api.twitter.com/oauth/access_token", oauth_token);
oauth_signature = generateSignature(baseString, oauth_token_secret);

HttpWebRequest request2 = (HttpWebRequest)WebRequest.Create("https://api.twitter.com/oauth/access_token");
request2.Method = "POST";
request2.Headers["Authorization"] = generateAuthorizationHeader(oauth_token);
string response2 = "";
HttpWebResponse resp2 = (HttpWebResponse)request2.GetResponse();
using (StreamReader reader = new StreamReader(resp2.GetResponseStream()))
{
    response2 = reader.ReadToEnd();
}
Console.WriteLine(response2);

    }

The code here just requests for the PIN to be entered into the application and then returns the final oauth_token and oauth_token_secret in response2 for a fully working oAuth app. (tl;dr - At this point, the app already has ALL the tokens it needs)

-If I have NOT logged in during the second code segment, regardless of whether I enter a PIN or not, I get a 401 Unauthorized error, I'm guessing this is expected.

-If I have logged in during the second code segment and have been directed to the PIN page, but then chose NOT to enter the PIN/enter some wrong PIN into my application, I still get successfully authenticated and can get the final tokens without any problems. Why?

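-Am I doing a 3-legged oAuth or an OOB oAuth?

-Why would I need the PIN then?

-How am I supposed to use the PIN correctly (if I need it)?

-How am I supposed to authenticate without the PIN (if I DON'T need it)?

-How do I make it so that users won't always see the PIN page after authenticating one time? I could put a callback in the very first request, but what if I don't want the user to get redirected to ANY page at all?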

Recommended answer

Am I doing a 3-legged oAuth or an OOB oAuth?

You are doing both. 3-legged means you are involving a user, 2-legged is business to business, or service to service. OOB (Out of band) means that you automatically trigger the PIN-based authentication scheme. Basically this means that you are saying that you cannot receive the normal oauth_verifier parameter without the user manually entering it as a PIN.

Why would I need the PIN then?

You get the PIN because you are stating your callback as OOB. If you set up a real callback you can instead receive the oauth_verifier directly to your application.

How am I supposed to use the PIN correctly (if I need it)?

You use it in the next step, when exchanging the request token for an access token you pass it along in the request as the oauth_verifier.

How am I supposed to authenticate without the PIN (if I DON'T need it)?

You need the PIN, or if you use a real callback, the oauth_verifier. They are the same thing, the only difference is that the PIN gets printed on the screen so a user can copy-paste it into your application, while the oauth_verifier is automatically picked up by your application.

How do I make it so that users won't always see the PIN page after authenticating one time? I could put a callback in the very first request, but what if I don't want the user to get redirected to ANY page at all?

You use a real callback that intercepts and uses the oauth_verifier.

-If I have logged in during the second code segment and have been directed to the PIN page, but then chose NOT to enter the PIN/enter some wrong PIN into my application, I still get successfully authenticated and can get the final tokens without any problems. Why?

This simply cannot be true. There must be a good reason for this, perhaps your app already has an access token and simply uses it?
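
An added example, not code from the original question or answer: the step the answer describes, where the PIN is sent as oauth_verifier and covered by the signature when the request token is exchanged, following OAuth 1.0a (RFC 5849). The class and method names, the consumer key/secret and the PIN are constructed placeholders, and the program only builds and prints the Authorization header without contacting the network.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class OobVerifierExample   // hypothetical name, not from the question's code
{
    const string Unreserved = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";

    // RFC 3986 percent-encoding as OAuth 1.0a requires: everything but the unreserved set is %XX.
    static string Enc(string s) => string.Concat(Encoding.UTF8.GetBytes(s).Select(b =>
        Unreserved.IndexOf((char)b) >= 0 ? ((char)b).ToString() : "%" + b.ToString("X2")));

    // Builds the Authorization header for POST oauth/access_token with the PIN as oauth_verifier.
    static string AccessTokenHeader(string consumerKey, string consumerSecret,
        string requestToken, string requestTokenSecret, string pin, string nonce, string timestamp)
    {
        const string url = "https://api.twitter.com/oauth/access_token";
        var p = new SortedDictionary<string, string>(StringComparer.Ordinal)
        {
            ["oauth_consumer_key"] = consumerKey,
            ["oauth_nonce"] = nonce,
            ["oauth_signature_method"] = "HMAC-SHA1",
            ["oauth_timestamp"] = timestamp,
            ["oauth_token"] = requestToken,   // request token from the first step
            ["oauth_verifier"] = pin,         // the PIN the user copied from the authorize page
            ["oauth_version"] = "1.0"
        };
        // Signature base string: METHOD & encoded URL & encoded, sorted parameter string.
        string paramString = string.Join("&", p.Select(kv => Enc(kv.Key) + "=" + Enc(kv.Value)));
        string baseString = "POST&" + Enc(url) + "&" + Enc(paramString);
        // Signing key: consumer secret and the request token's secret.
        string key = Enc(consumerSecret) + "&" + Enc(requestTokenSecret);
        using (var hmac = new HMACSHA1(Encoding.ASCII.GetBytes(key)))
            p["oauth_signature"] = Convert.ToBase64String(hmac.ComputeHash(Encoding.ASCII.GetBytes(baseString)));
        return "OAuth " + string.Join(", ", p.Select(kv => Enc(kv.Key) + "=\"" + Enc(kv.Value) + "\""));
    }

    static void Main()
    {
        // Constructed sample values; the token pair is the sample response shown in the question.
        Console.WriteLine(AccessTokenHeader("CONSUMER_KEY_PLACEHOLDER", "CONSUMER_SECRET_PLACEHOLDER",
            "asjndiqufh9uf", "oinroiqurhwunwer", "1234567",
            Guid.NewGuid().ToString("N"), DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString()));
    }
}
```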
