How is OAuth 2 different from OAuth 1?

Problem description

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1?

Is OAuth 1 obsolete now? Should I be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2 is ready to use. Is it?

Recommended answer

Eran Hammer-Lahav has done an excellent job in explaining the majority of the differences in his article Introducing OAuth 2.0. To summarize, here are the key differences:

More OAuth flows to allow better support for non-browser-based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, in OAuth 1.0, desktop applications or mobile phone applications had to direct the user to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the application. The main criticism here is against the user experience. With OAuth 2.0, there are now new ways for an application to get authorization for a user.

OAuth 2.0 no longer requires client applications to have cryptography. This hearkens back to the old Twitter Auth API, which didn't require the application to HMAC hash tokens and request strings. With OAuth 2.0, the application can make a request using only the issued token over HTTPS.

OAuth 2.0 signatures are much less complicated. No more special parsing, sorting, or encoding.

OAuth 2.0 Access tokens are "short-lived". Typically, OAuth 1.0 Access tokens could be stored for a year or more (Twitter never let them expire). OAuth 2.0 has the notion of refresh tokens. While I'm not entirely sure what these are, my guess is that your access tokens can be short lived (i.e. session based) while your refresh tokens can be "life time". You'd use a refresh token to acquire a new access token rather than have the user re-authorize your application.

Finally, OAuth 2.0 is meant to have a clean separation of roles between the server responsible for handling OAuth requests and the server handling user authorization. More information about that is detailed in the aforementioned article.
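As an added example (not part of the original answer or of any OAuth library), here is the OAuth 1.0a HMAC-SHA1 request signing the answer calls complicated, with its parsing, sorting and double percent-encoding, next to the single header an OAuth 2.0 client sends instead. The request, query, body and oauth_* parameters are the ones from RFC 5849 section 3.4.1.1; the two secrets are constructed sample values.

```python
import base64
import hashlib
import hmac
import urllib.parse


def pct(s):
    """RFC 5849 section 3.6 encoding: only A-Za-z0-9 - . _ ~ stay unencoded."""
    return urllib.parse.quote(str(s), safe="~")


def base_string(method, url, oauth_params, body=""):
    """Build the OAuth 1.0a signature base string (RFC 5849 section 3.4.1)."""
    parts = urllib.parse.urlsplit(url)
    # Base URL: lowercase scheme and host, no query or fragment; assumes the
    # default port (80/443) is the only port ever omitted.
    host = parts.hostname + (f":{parts.port}" if parts.port not in (None, 80, 443) else "")
    base_url = f"{parts.scheme.lower()}://{host}{parts.path}"
    # Collect decoded query, form-body and oauth_* parameters, never oauth_signature.
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    pairs += urllib.parse.parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Re-encode every name and value, sort by name then value, join, encode again.
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """HMAC-SHA1 over the base string, keyed by both secrets (section 3.4.2)."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    mac = hmac.new(key, base_string(method, url, oauth_params, body).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """Server side: recompute the signature and compare it in constant time."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def bearer_header(access_token):
    """OAuth 2.0 bearer usage (RFC 6750): the token itself, sent over HTTPS."""
    return {"Authorization": f"Bearer {access_token}"}


# Request from RFC 5849 section 3.4.1.1; the secrets below are constructed samples.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
if __name__ == "__main__":
    print(base_string("POST", RFC_URL, RFC_OAUTH, RFC_BODY))
    print(sign("POST", RFC_URL, RFC_OAUTH, "j49sk3j29djd", "dh893hdasih9", RFC_BODY))
```

Every byte of method, URL, query, body and oauth_* parameter is bound into the signature, which is what an OAuth 2.0 bearer token gives up in exchange for relying on TLS alone.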
