Does OAuth 2.0 need consumer key/consumer secret


Question

So evidently when using OAuth 1.0 you need to acquire consumer key and consumer secret from the API provider...

But then when I try to use OAuth 2.0 APIs such as Facebook, Google OAuth 2.0, etc., I never needed to acquire a consumer key/consumer secret (I acquired an App ID and App secret for Facebook, but those are different from consumer key/consumer secret, am I correct?)

So my question is... is it true that when using OAuth 2.0, you don't need to have a consumer key/consumer secret as in OAuth 1.0?

Also, there are no signature methods (HMAC-SHA1 etc.) necessary for OAuth 2.0, is that correct? HMAC-SHA1 is only relevant for OAuth 1.0, correct?

Recommended answer

  1. OAuth 2 providers typically issue you an identifier for your client/app and some secret/password, the OAuth draft calls these client identifier and client secret. These are used to check if a call was really issued by your application. However, OAuth covers different Authorization Grant flows which are more or less secure and do not all require some kind of secret. Google calls them client ID and client secret, Facebook calls them App ID and App Secret, but they are both the same.
  2. Yes, all cryptographic steps were moved to server side in OAuth 2.
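
To make the contrast concrete, here is an added example (not part of the original question or answer) that builds an OAuth 1.0 HMAC-SHA1 request signature next to an OAuth 2.0 authorization-code token request, with and without a client secret. The function names, the `example.test` URLs and all credentials are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote, urlencode

def _enc(value):
    # Percent-encode everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")

def oauth1_base_string(method, url, params):
    # Sort the encoded name/value pairs, join them, then encode each part again.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def oauth1_sign(method, url, params, consumer_secret, token_secret=""):
    # OAuth 1.0: the client computes HMAC-SHA1 over every request. The
    # consumer secret is only the MAC key and is never sent on the wire.
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    msg = oauth1_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def oauth2_token_request(client_id, code, redirect_uri, client_secret=None):
    # OAuth 2.0 authorization-code exchange: no signature, nonce or timestamp.
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        # Flow without a secret: the client only identifies itself.
        body["client_id"] = client_id
    else:
        # The secret itself is transmitted (HTTP Basic), so TLS is mandatory.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    return headers, urlencode(body)

if __name__ == "__main__":
    # Constructed sample values, not real credentials or endpoints.
    params = {"oauth_consumer_key": "example-key", "oauth_nonce": "n1",
              "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": "1700000000", "q": "a b"}
    url = "https://api.example.test/items"
    print("OAuth 1.0 signature:", oauth1_sign("GET", url, params, "example-secret"))
    print("OAuth 2.0 request:  ", oauth2_token_request(
        "my-app", "code123", "https://app.example.test/cb", "s3cret"))
```

In the OAuth 1.0 case, changing any parameter invalidates the signature; in the OAuth 2.0 case the request carries the secret itself, so its protection rests on the transport and on keeping the secret out of client-side code.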
