What exactly is OAuth (Open Authorization)?

Question

What exactly is OAuth (Open Authorization)?

I have gleaned some information from

But I want to learn and know more. I'm looking for info on the lifecycle. Why do most of the social networks rely on this open protocol?

Will it become a de facto standard in the near future with the various technologies (e.g. ASP.NET)?

Solution

What exactly is OAuth (Open Authorization)?

OAuth allows notifying a resource provider (e.g. Facebook) that the resource owner (e.g. you) grants a third party (e.g. a Facebook application) permission to access their information (e.g. the list of your friends).

If you read it stated as plainly as that, I would understand your confusion. So let's go with a concrete example: joining yet another social network!

Say you have an existing GMail account. You decide to join LinkedIn. Adding all of your many, many friends manually is tiresome and error-prone. You might get fed up half-way or insert typos in their e-mail addresses for the invitation. So you might be tempted not to create an account after all.

Facing this situation, LinkedIn has the Good Idea(TM) to write a program that adds your list of friends automatically, because computers are far more efficient and effective at tiresome and error-prone tasks. Since joining the network is now so easy, there is no way you would refuse such an offer, now would you?

Without an API for exchanging this list of contacts, you would have to give LinkedIn the username and password to your GMail account, thereby giving them too much power.

This is where OAuth comes in. If your GMail supports the OAuth protocol, then LinkedIn can ask you to authorize them to access your GMail list of contacts.

OAuth allows for:

  1. Different access levels: read-only vs. read-write. This allows you to grant access to your user list or a bi-directional access to automatically synchronize your new LinkedIn friends to your GMail contacts.
  2. Access granularity: you can decide to grant access to only your contact information (username, e-mail, date of birth, etc.) or to your entire list of friends, calendar and what not.
  3. It allows you to manage access from the resource provider's application. If the third-party application does not provide a mechanism for cancelling access, you would be stuck with them having access to your information. With OAuth, there is provision for revoking access at any time.

Will it become a de facto (standard?) in the near future?

Well, although OAuth is a significant step forward, it doesn't solve problems if people don't use it correctly. For instance, if a resource provider gives only a single read-write access level to all your resources at once and doesn't provide a mechanism for managing access, then there is no point to it. In other words, OAuth is a framework to provide authorization functionality and not just authentication.

In practice, it fits the social network model very well. It is especially popular for those social networks that want to allow third-party "plugins". This is an area where access to the resources is inherently necessary and is also inherently unreliable (i.e. you have little or no quality control over those applications).

I haven't seen so many other uses out in the wild. I mean, I don't know of an online financial advice firm that will access your bank records automatically, although it could technically be used that way.
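The three properties the answer lists (access levels, access granularity, revocation from the provider's side) can be made concrete in a small model. The following is an added example, not code from the answer or from any OAuth library: `ResourceProvider` plays the GMail role, `authorize` stands in for the consent step, and the opaque token is what LinkedIn would hold instead of the owner's password. The scope names (`contacts:read` and so on), the owner and client names and the sample data are all constructed for illustration; real OAuth 2.0 adds an HTTP redirect flow, token expiry and refresh that this model leaves out.

```python
"""Toy model of OAuth-style delegated authorization (constructed example).

Shows the three properties from the answer: access levels (read vs. write),
granularity (per-resource scopes) and revocation by the owner at the provider.
It performs no network I/O and is not a real OAuth implementation.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Grant:
    owner: str
    client: str
    scopes: frozenset
    revoked: bool = False


class ResourceProvider:
    """Stores each owner's data and issues opaque bearer tokens to third parties."""

    # Hypothetical scope names for this example; not any real provider's scopes.
    KNOWN_SCOPES = frozenset({"contacts:read", "contacts:write", "calendar:read"})

    def __init__(self):
        self._grants = {}   # sha256(token) -> Grant; the raw token is never stored
        self._data = {}     # owner -> {"contacts": [...], "calendar": [...]}

    def register_owner(self, owner, contacts, calendar):
        self._data[owner] = {"contacts": list(contacts), "calendar": list(calendar)}

    def authorize(self, owner, client, scopes):
        """Consent step: the owner approves `client` for exactly `scopes`.

        Returns the token the client will present. Scopes the provider does not
        define are rejected, so a client cannot request more than is offered.
        """
        scopes = frozenset(scopes)
        unknown = scopes - self.KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._grants[self._key(token)] = Grant(owner, client, scopes)
        return token

    @staticmethod
    def _key(token):
        # Only a hash of the bearer token is kept server-side, so a leaked
        # grant table does not hand out usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _grant_for(self, token, required_scope):
        grant = self._grants.get(self._key(token))
        if grant is None or grant.revoked:
            raise PermissionError("invalid or revoked token")
        if required_scope not in grant.scopes:
            raise PermissionError(f"token lacks scope {required_scope}")
        return grant

    # Each resource endpoint enforces the one scope it needs (granularity).
    def read_contacts(self, token):
        grant = self._grant_for(token, "contacts:read")
        return list(self._data[grant.owner]["contacts"])

    def add_contact(self, token, contact):
        grant = self._grant_for(token, "contacts:write")
        self._data[grant.owner]["contacts"].append(contact)

    def read_calendar(self, token):
        grant = self._grant_for(token, "calendar:read")
        return list(self._data[grant.owner]["calendar"])

    def list_grants(self, owner):
        """What the owner sees on the provider's 'connected apps' page."""
        return [(g.client, sorted(g.scopes)) for g in self._grants.values()
                if g.owner == owner and not g.revoked]

    def revoke(self, owner, client):
        """Owner cuts off a client at the provider, without the client's cooperation."""
        count = 0
        for g in self._grants.values():
            if g.owner == owner and g.client == client and not g.revoked:
                g.revoked = True
                count += 1
        return count


def demo():
    """Walk through the answer's scenario and return what each step allowed."""
    gmail = ResourceProvider()
    gmail.register_owner("alice", ["bob@example.com", "carol@example.com"],
                         ["2024-01-01 dentist"])
    # Alice grants LinkedIn read-only access to contacts, nothing else.
    token = gmail.authorize("alice", "linkedin", {"contacts:read"})
    out = {"contacts": gmail.read_contacts(token)}
    for name, call in (("write", lambda: gmail.add_contact(token, "dave@example.com")),
                       ("calendar", lambda: gmail.read_calendar(token))):
        try:
            call()
            out[name] = True
        except PermissionError:
            out[name] = False
    out["grants"] = gmail.list_grants("alice")
    out["revoked"] = gmail.revoke("alice", "linkedin")
    try:
        gmail.read_contacts(token)
        out["after_revoke"] = True
    except PermissionError:
        out["after_revoke"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the read-only token fetching contacts, the write and calendar calls being refused for lack of scope, the grant appearing in the owner's list, and the same token failing once Alice revokes LinkedIn from the provider's side. The detail worth keeping from this model is that the provider, not the third party, is the enforcement point for all three properties.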
