.NET 中带验证的 OAuth [英] OAuth with Verification in .NET
问题描述
我正在尝试创建一个基于 .NET 的客户端应用程序(在 WPF 中 - 虽然目前我只是将它作为一个控制台应用程序来做)以与启用 OAuth 的应用程序集成,特别是 Mendeley(".oauth 规范说你需要打包一组 oauth 参数(token、token_secret、nonce、timestamp、consumer_key、version 和 callback),以某种方式(url 编码并用 & 符号连接),并按字典顺序 -排序顺序,在该结果上生成一个签名,然后将这些相同的参数与签名一起打包,以不同的方式(用逗号连接)存储在新的 oauth_signature 参数中.OAuth 管理器类会自动为您执行此操作. 它会自动生成随机数和时间戳以及版本和签名 - 您的应用不需要关心或知道这些东西.只需设置 oauth 参数值并进行简单的方法调用.manager 类发出请求并为您解析响应.
好的,然后呢?获得请求令牌后,您会弹出 Web 浏览器 UI,用户将在其中明确授予批准.如果你做对了,你会在嵌入式浏览器中弹出它.对于 Twitter,其 URL 是https://api.twitter.com/oauth/authorize?oauth_token=" 并附加了 oauth_token.在代码中这样做:
var url = SERVICE_SPECIFIC_AUTHORIZE_URL_STUB + oauth["token"];webBrowser1.Url = 新 Uri(url);(如果您在外部浏览器中执行此操作,您将使用 System.Diagnostics.Process.Start(url).)
设置 Url 属性会导致 WebBrowser 控件自动导航到该页面.
当用户单击允许"按钮时,将加载一个新页面.它是一个 HTML 表单,它的工作方式与在完整浏览器中的工作方式相同.在您的代码中,为 WebBrowser 控件的 DocumentedCompleted 事件注册一个处理程序,并在该处理程序中获取 pin:
var divMarker = "";//twitter 的 oauth pin 的 divvar index = webBrowser1.DocumentText.LastIndexOf(divMarker) + divMarker.Length;var snip = web1.DocumentText.Substring(index);var pin = RE.Regex.Replace(snip,"(?s)[^0-9]*([0-9]+).*", "$1").Trim();这有点像 HTML 屏幕抓取.
在获取 pin 后,您不再需要网络浏览器,因此:
webBrowser1.Visible = false;//全部通过 Web UI 完成
...而且您可能还想对它调用 Dispose().
下一步是获取访问令牌,方法是发送另一条 HTTP 消息和该 PIN 码.这是另一个签名的 oauth 调用,使用我上面描述的 oauth 排序和格式构造.但是再一次,这对于 OAuth.Manager 类来说非常简单:
oauth.AcquireAccessToken(URL_ACCESS_TOKEN,邮政",别针);
对于 Twitter,该 URL 是https://api.twitter.com/oauth/access_token".
现在您拥有访问令牌,您可以在签名的 HTTP 请求中使用它们.像这样:
var authzHeader = oauth.GenerateAuthzHeader(url, "POST");
...其中 url 是资源端点.要更新用户的状态,它将是 "http://api.twitter.com/1/statuses/update.xml?status=Hello".
然后将该字符串设置到名为 Authorization 的 HTTP 标头中.
要与第三方服务(如 TwitPic)交互,您需要构建一个稍微不同的 OAuth 标头,如下所示:
var authzHeader = oauth.GenerateCredsHeader(URL_VERIFY_CREDS,得到",AUTHENTICATION_REALM);
对于 Twitter,验证凭据 url 和领域的值是https://api.twitter.com/1/account/verify_credentials.json"和http://api.twitter.com/".
...并将那个授权字符串放在一个名为 X-Verify-Credentials-Authorization 的 HTTP 标头中.然后将它连同您发送的任何请求一起发送到您的服务,例如 TwitPic.
就是这样.
总的来说,更新推特状态的代码可能是这样的:
//获取临时请求令牌"的URLvar rtUrl = "https://api.twitter.com/oauth/request_token";var oauth = new OAuth.Manager();//consumer_{key,secret} 通过注册获得oauth["consumer_key"] = "~~~CONSUMER_KEY~~~~";oauth["consumer_secret"] = "~~~CONSUMER_SECRET~~~";oauth.AcquireRequestToken(rtUrl, "POST");var authzUrl = "https://api.twitter.com/oauth/authorize?oauth_token=" + oauth["token"];//在这里,应该使用 WebBrowser 控件.System.Diagnostics.Process.Start(authzUrl);//仅示例!//指示用户从该浏览器窗口输入 PINvar pin = "...";var atUrl = "https://api.twitter.com/oauth/access_token";oauth.AcquireAccessToken(atUrl, "POST", pin);//现在,使用该访问令牌更新 Twitter 状态var appUrl = "http://api.twitter.com/1/statuses/update.xml?status=Hello";var authzHeader = oauth.GenerateAuthzHeader(appUrl, "POST");var request = (HttpWebRequest)WebRequest.Create(appUrl);request.Method = "POST";request.PreAuthenticate = true;request.AllowWriteStreamBuffering = true;request.Headers.Add("授权", authzHeader);使用 (var response = (HttpWebResponse)request.GetResponse()){if (response.StatusCode != HttpStatusCode.OK)MessageBox.Show("发送推文时出现问题:" +环境.NewLine +response.StatusDescription);}
OAuth 1.0a 在幕后有点复杂,但使用它并不需要如此.OAuth.Manager 处理传出 oauth 请求的生成,以及响应中 oauth 内容的接收和处理.当 Request_token 请求为您提供 oauth_token 时,您的应用程序不需要存储它.Oauth.Manager 足够智能,可以自动执行此操作.同样,当 access_token 请求取回访问令牌和机密时,您不需要显式存储它们.OAuth.Manager 为您处理该状态.
在后续运行中,当您已经拥有访问令牌和密码时,您可以像这样实例化 OAuth.Manager:
var oauth = new OAuth.Manager();oauth["consumer_key"] = CONSUMER_KEY;oauth["consumer_secret"] = CONSUMER_SECRET;oauth["token"] = your_stored_access_token;oauth["token_secret"] = your_stored_access_secret;
...然后如上生成授权标头.
//现在,使用该访问令牌更新 Twitter 状态var appUrl = "http://api.twitter.com/1/statuses/update.xml?status=Hello";var authzHeader = oauth.GenerateAuthzHeader(appUrl, "POST");var request = (HttpWebRequest)WebRequest.Create(appUrl);request.Method = "POST";request.PreAuthenticate = true;request.AllowWriteStreamBuffering = true;request.Headers.Add("授权", authzHeader);使用 (var response = (HttpWebResponse)request.GetResponse()){if (response.StatusCode != HttpStatusCode.OK)MessageBox.Show("发送推文时出现问题:" +环境.NewLine +response.StatusDescription);}
您可以此处下载包含 OAuth.Manager 类的 DLL.该下载中还有一个帮助文件.或者您可以在线查看帮助文件.
查看使用此管理器的 Windows 窗体示例此处.
<小时>工作示例
下载使用类和技术的命令行工具的工作示例此处描述:
I'm trying to create a .NET-based client app (in WPF - although for the time being I'm just doing it as a console app) to integrate with an OAuth-enabled application, specifically Mendeley (http://dev.mendeley.com), which apparently uses 3-legged OAuth.
This is my first time using OAuth, and I'm having a lot of difficulty getting started with it. I've found several .NET OAuth libraries or helpers, but they seem to be more complicated than I think I need. All I want to do is be able to issue REST requests to the Mendeley API and get responses back!
So far, I've tried:
- DotNetOpenAuth
- http://github.com/bittercoder/DevDefined.OAuth
- http://oauth.googlecode.com/svn/code/csharp/
The first (DotNetOpenAuth) seems like it could possibly do what I needed if I spent hours and hours trying to work out how. The second and third, as best I can tell, don't support the verification codes that Mendeley is sending back -- although I could be wrong about this :)
I've got a consumer key and secret from Mendeley, and with DotNetOpenAuth I managed to get a browser launched with the Mendeley page providing a verification code for the user to enter into the application. However, at this point I got lost and couldn't work out how to sensibly provide that back to the application.
I'm very willing to admit that I have no idea where to start with this (although it seems like there's quite a steep learning curve) - if anyone can point me in the right direction I'd appreciate it!
解决方案 I agree with you. The open-source OAuth support classes available for .NET apps are hard to understand, overly complicated (how many methods are exposed by DotNetOpenAuth?), poorly designed (look at the methods with 10 string parameters in the OAuthBase.cs module from that google link you provided - there's no state management at all), or otherwise unsatisfactory.
It doesn't need to be this complicated.
I'm not an expert on OAuth, but I have produced an OAuth client-side manager class, that I use successfully with Twitter and TwitPic. It's relatively simple to use. It's open source and available here: Oauth.cs
For review, in OAuth 1.0a...kinda funny, there's a special name and it looks like a "standard" but as far as I know the only service that implements "OAuth 1.0a" is Twitter. I guess that's standard enough. ok, anyway in OAuth 1.0a, the way it works for desktop apps is this:
You, the developer of the app, register the app and get a "consumer key" and "consumer secret". On Arstechnica, there's a well written analysis of why this model isn't the best, but as they say, it is what it is.
Your app runs. The first time it runs, it needs to get the user to explicitly grant approval for the app to make oauth-authenticated REST requests to Twitter and its sister services (like TwitPic). To do this you must go through an approval process, involving explicit approval by the user. This happens only the first time the app runs. Like this:
- request a "request token". Aka temporary token.
- pop a web page, passing that request token as a query param. This web page presents UI to the user, asking "do you want to grant access to this app?"
- the user logs in to the twitter web page, and grants or denies access.
- the response html page appears. If the user has granted access, there's a PIN displayed in a 48-pt font
- the user now needs to cut/paste that pin into a windows form box, and click "Next" or something similar.
- the desktop app then does an oauth-authenticated request for an "Access token". Another REST request.
- the desktop app receives the "access token" and "access secret".
After the approval dance, the desktop app can just use the user-specific "access token" and "access secret" (along with the app-specific "consumer key" and "consumer secret") to do authenticated requests on behalf of the user to Twitter. These don't expire, although if the user de-authorizes the app, or if Twitter for some reason de-authorizes your app, or if you lose your access token and/or secret, you'd need to do the approval dance again.
If you're not clever, the UI flow can sort of mirror the multi-step OAuth message flow. There is a better way.
Use a WebBrowser control, and open the authorize web page within the desktop app. When the user clicks "Allow", grab the response text from that WebBrowser control, extract the PIN automatically, then get the access tokens. You send 5 or 6 HTTP requests but the user needs to see only a single Allow/Deny dialog. Simple.
Like this:
If you've got the UI sorted, the only challenge that remains is to produce oauth-signed requests. This trips up lots of people because the oauth signing requirements are sort of particular. That's what the simplified OAuth Manager class does.
Example code to request a token:
var oauth = new OAuth.Manager();
// the URL to obtain a temporary "request token"
var rtUrl = "https://api.twitter.com/oauth/request_token";
oauth["consumer_key"] = MY_APP_SPECIFIC_KEY;
oauth["consumer_secret"] = MY_APP_SPECIFIC_SECRET;
oauth.AcquireRequestToken(rtUrl, "POST");
THAT'S IT. Simple. As you can see from the code, the way to get to oauth parameters is via a string-based indexer, something like a dictionary. The AcquireRequestToken method sends an oauth-signed request to the URL of the service that grants request tokens, aka temporary tokens. For Twitter, this URL is "https://api.twitter.com/oauth/request_token". The oauth spec says you need to pack up the set of oauth parameters (token, token_secret, nonce, timestamp, consumer_key, version, and callback), in a certain way (url-encoded and joined by ampersands), and in a lexicographically-sorted order, generate a signature on that result, then pack up those same parameters along with the signature, stored in the new oauth_signature parameter, in a different way (joined by commas). The OAuth manager class does this for you automatically. It generates nonces and timestamps and versions and signatures automatically - your app doesn't need to care or be aware of that stuff. Just set the oauth parameter values and make a simple method call. the manager class sends out the request and parses the response for you.
Ok, then what? Once you get the request token, you pop the web browser UI in which the user will explicitly grant approval. If you do it right, you'll pop this in an embedded browser. For Twitter, the URL for this is "https://api.twitter.com/oauth/authorize?oauth_token=" with the oauth_token appended. Do this in code like so:
var url = SERVICE_SPECIFIC_AUTHORIZE_URL_STUB + oauth["token"];
webBrowser1.Url = new Uri(url);
(If you were doing this in an external browser you'd use System.Diagnostics.Process.Start(url).)
Setting the Url property causes the WebBrowser control to navigate to that page automatically.
When the user clicks the "Allow" button a new page will be loaded. It's an HTML form and it works the same as in a full browser. In your code, register a handler for the DocumentedCompleted event of the WebBrowser control, and in that handler, grab the pin:
var divMarker = "<div id="oauth_pin">"; // the div for twitter's oauth pin
var index = webBrowser1.DocumentText.LastIndexOf(divMarker) + divMarker.Length;
var snip = web1.DocumentText.Substring(index);
var pin = RE.Regex.Replace(snip,"(?s)[^0-9]*([0-9]+).*", "$1").Trim();
That's a bit of HTML screen scraping.
After grabbing the pin, you don't need the web browser any more, so:
webBrowser1.Visible = false; // all done with the web UI
...and you might want to call Dispose() on it as well.
The next step is getting the access token, by sending another HTTP message along with that pin. This is another signed oauth call, constructed with the oauth ordering and formatting I described above. But once again this is really simple with the OAuth.Manager class:
oauth.AcquireAccessToken(URL_ACCESS_TOKEN,
"POST",
pin);
For Twitter, that URL is "https://api.twitter.com/oauth/access_token".
Now you have access tokens, and you can use them in signed HTTP requests. Like this:
var authzHeader = oauth.GenerateAuthzHeader(url, "POST");
...where url is the resource endpoint. To update the user's status, it would be "http://api.twitter.com/1/statuses/update.xml?status=Hello".
Then set that string into the HTTP Header named Authorization.
To interact with third-party services, like TwitPic, you need to construct a slightly different OAuth header, like this:
var authzHeader = oauth.GenerateCredsHeader(URL_VERIFY_CREDS,
"GET",
AUTHENTICATION_REALM);
For Twitter, the values for the verify creds url and realm are "https://api.twitter.com/1/account/verify_credentials.json", and "http://api.twitter.com/" respectively.
...and put that authorization string in an HTTP header called X-Verify-Credentials-Authorization. Then send that to your service, like TwitPic, along with whatever request you're sending.
That's it.
All together, the code to update twitter status might be something like this:
// the URL to obtain a temporary "request token"
var rtUrl = "https://api.twitter.com/oauth/request_token";
var oauth = new OAuth.Manager();
// The consumer_{key,secret} are obtained via registration
oauth["consumer_key"] = "~~~CONSUMER_KEY~~~~";
oauth["consumer_secret"] = "~~~CONSUMER_SECRET~~~";
oauth.AcquireRequestToken(rtUrl, "POST");
var authzUrl = "https://api.twitter.com/oauth/authorize?oauth_token=" + oauth["token"];
// here, should use a WebBrowser control.
System.Diagnostics.Process.Start(authzUrl); // example only!
// instruct the user to type in the PIN from that browser window
var pin = "...";
var atUrl = "https://api.twitter.com/oauth/access_token";
oauth.AcquireAccessToken(atUrl, "POST", pin);
// now, update twitter status using that access token
var appUrl = "http://api.twitter.com/1/statuses/update.xml?status=Hello";
var authzHeader = oauth.GenerateAuthzHeader(appUrl, "POST");
var request = (HttpWebRequest)WebRequest.Create(appUrl);
request.Method = "POST";
request.PreAuthenticate = true;
request.AllowWriteStreamBuffering = true;
request.Headers.Add("Authorization", authzHeader);
using (var response = (HttpWebResponse)request.GetResponse())
{
if (response.StatusCode != HttpStatusCode.OK)
MessageBox.Show("There's been a problem trying to tweet:" +
Environment.NewLine +
response.StatusDescription);
}
OAuth 1.0a is sort of complicated under the covers, but using it doesn't need to be.
The OAuth.Manager handles the generation of outgoing oauth requests, and the receiving and processing of oauth content in the responses. When the Request_token request gives you an oauth_token, your app doesn't need to store it. The Oauth.Manager is smart enough to do that automatically. Likewise when the access_token request gets back an access token and secret, you don't need to explicitly store those. The OAuth.Manager handles that state for you.
In subsequent runs, when you already have the access token and secret, you can instantiate the OAuth.Manager like this:
var oauth = new OAuth.Manager();
oauth["consumer_key"] = CONSUMER_KEY;
oauth["consumer_secret"] = CONSUMER_SECRET;
oauth["token"] = your_stored_access_token;
oauth["token_secret"] = your_stored_access_secret;
...and then generate authorization headers as above.
// now, update twitter status using that access token
var appUrl = "http://api.twitter.com/1/statuses/update.xml?status=Hello";
var authzHeader = oauth.GenerateAuthzHeader(appUrl, "POST");
var request = (HttpWebRequest)WebRequest.Create(appUrl);
request.Method = "POST";
request.PreAuthenticate = true;
request.AllowWriteStreamBuffering = true;
request.Headers.Add("Authorization", authzHeader);
using (var response = (HttpWebResponse)request.GetResponse())
{
if (response.StatusCode != HttpStatusCode.OK)
MessageBox.Show("There's been a problem trying to tweet:" +
Environment.NewLine +
response.StatusDescription);
}
You can download a DLL containing the OAuth.Manager class here. There is also a helpfile in that download. Or you can view the helpfile online.
See an example of a Windows Form that uses this manager here.
WORKING EXAMPLE
Download a working example of a command-line tool that uses the class and technique described here:
这篇关于.NET 中带验证的 OAuth的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
