OAuth request token for installed applications
I'm trying to use/understand the Google request token mechanism. I intend to use it for an application I've started to develop to access Orkut data using the OpenSocial API.
I read this document that explains the steps to obtain a token for an installed application. This document tells you to use the OAuthGetRequestToken method from the Google OAuth API to acquire a request token. The manual for this function is available here. But the required parameter oauth_consumer_key asks for the "Domain identifying the third-party web application", and I don't have a domain; it is an installed application.
So my question is, what should I put in this parameter in that case?
I'm using oauth_playground to run my tests.
Thx
Comments (2)
From what I have read in the documentation, the following instruction on getting a request token implies that you simply pass 'anonymous' as the consumer key...
"1. The installed application contacts the Google Authorization service, asking for a request token for one or more Google services. The request is signed using the "anonymous" consumer key/secret." (OAuthForInstalledApps)
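As an added example of what "signed using the anonymous consumer key/secret" means in practice (this is not code from the answer or from Google), the block below builds and HMAC-SHA1-signs an OAuthGetRequestToken request the way OAuth 1.0 specifies, and includes the server-side verification step. The endpoint URL is Google's documented one from the question; the Orkut/OpenSocial scope URL is an assumption used only as sample input.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Google's OAuth 1.0 request-token endpoint named in the question. The scope
# URL is an assumed sample value for Orkut/OpenSocial, not taken from the page.
REQUEST_TOKEN_URL = "https://www.google.com/accounts/OAuthGetRequestToken"
ORKUT_SCOPE = "http://www.orkut.com/social/rest"


def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only unreserved chars kept)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded(sorted, individually encoded k=v pairs)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    """Signing key is consumer_secret & token_secret; the latter is empty for a request token."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_request_token_params(scope, nonce=None, timestamp=None):
    """Unregistered installed app: consumer key and consumer secret are both 'anonymous'."""
    params = {
        "oauth_consumer_key": "anonymous",
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
        "scope": scope,
    }
    base = signature_base_string("GET", REQUEST_TOKEN_URL, params)
    params["oauth_signature"] = hmac_sha1_signature(base, "anonymous")
    return params


def verify_signature(method, url, params, consumer_secret, token_secret=""):
    """What the server does: recompute the signature and compare in constant time."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Because the "anonymous" key and secret are public, the signature only protects the integrity of the parameters in transit; it says nothing about which application sent the request, which is the trade-off the other answer weighs against embedding a real consumer secret.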
The trick is to create a hybrid auth process. You register a web app at a domain you own, authorize users for a web app via the OAuth for Web Apps process, then implement a mechanism by which their installed app can pick up that authorization from the web app.
My thinking on this would be that the installed app would send your site a request for a key pair. It would receive an initiate key and an authorize key, both of which you'd store in a database at the web site for one-time use.
The app would then use whatever mechanism to launch an external browser, pointing it to yourdomain.com/authorizestart.php?initiate=[initiate code]. The site stores the code in a session variable, then sends the user off to Google to authenticate. When authentication is successful and Google sends the user back with the next token, you store it in the database entry related to the initiate key.
The user closes the browser, clicks a "done" button in your app, and the app then sends a request to yourdomain.com/tokenretrieve.php?authorize=[authorize key].
Your site looks up the Google token and transmits it back, and the app completes the OAuth process.
The issue with this is that you have to share the "consumer secret" you created in the registration process with the app. Someone could decompile it or try to capture its output and discover your secret key, which is part of the method for encrypting responses from the Google servers. That said, how is that worse than using "anonymous" as your consumer secret?