Introduction | OAuth

Source: Internet | Editor: 程序博客网 | Time: 2024/06/09 16:24


Introduction

Valet Key for the Web


Many luxury cars come with a valet key. It is a special key you give the parking attendant; unlike your regular key, it only allows the car to be driven a short distance and blocks access to the trunk and the onboard cell phone. Whatever the exact restrictions, the idea is very clever: you give someone limited access to your car with a special key, while keeping another key that unlocks everything else.


As the web grows, more and more sites rely on distributed services and cloud computing: a photo lab printing your Flickr photos, a social network using your Google address book to look for friends, or a third-party application using the APIs of multiple services.


The problem is that, in order to access user data on other sites, these applications ask for usernames and passwords. Not only does this expose the user's password to someone else, often the same password used for online banking and other sites, it also gives the application unlimited access to do as it wishes. It can do anything, including changing the password and locking the user out.


OAuth provides a method for users to grant third-party access to their resources without sharing their passwords. It also provides a way to grant limited access (in scope, duration, etc.) and to take that access back without changing the password.


For example, a web user (resource owner) can grant a printing service (client) access to her private photos stored at a photo sharing service (server), without sharing her username and password with the printing service. Instead, she authenticates directly with the photo sharing service, which then issues the printing service credentials specific to that delegation.

Beyond Client-Server


In the traditional client-server authentication model, the client uses its own credentials to access its own resources hosted by the server. OAuth introduces a third role to this model: the resource owner. In the OAuth model, the client (which is not the resource owner, but acts on its behalf) requests access to resources that are controlled by the resource owner but hosted by the server. (This is the OAuth 1.0 vocabulary; OAuth 2.0 later split the server role into an authorization server that issues tokens and a resource server that accepts them.)


In order for the client to access resources, it first has to obtain permission from the resource owner. This permission is expressed in the form of a token and a matching shared secret. The purpose of the token is to make it unnecessary for the resource owner to share its credentials with the client. Unlike the resource owner's credentials, tokens can be issued with a restricted scope and a limited lifetime, and can be revoked independently of the owner's password.
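The delegation described above (a client holding a scoped, time-limited, revocable token plus a shared secret instead of the owner's password, and the server enforcing those limits) as an added, runnable Python example. This is not code from the original article or from any OAuth library. The printing service, its consumer key and secret, the owner alice and the photos.example URLs are constructed for the demo; spec_vector() feeds the published OAuth Core 1.0 Appendix A example values through the same signing code so the base-string and HMAC-SHA1 logic can be checked against the spec. The toy deliberately omits timestamp and nonce replay checks and the PLAINTEXT and RSA-SHA1 signature methods.

```python
# Added example, not from the article: a toy of the OAuth 1.0 delegation model.
# The photo service (Server) issues the printing service (Client) a scoped,
# time-limited token plus a shared token secret; the client proves possession by
# HMAC-SHA1-signing the RFC 5849 signature base string and never holds a password.
# printshop-key, alice and photos.example are constructed for the demo; spec_vector()
# reuses the published OAuth Core 1.0 Appendix A inputs to check the signing code.
import base64, hashlib, hmac, secrets, time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s) -> str:
    """RFC 3986 encoding as OAuth 1.0 requires: only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")


def base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded base URL & encoded, sorted k=v pairs (query + oauth_* params)."""
    u = urlsplit(url)
    pairs = list(parse_qsl(u.query, keep_blank_values=True))
    pairs += [(k, v) for k, v in params.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"  # assumes no explicit default port
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(base: str, consumer_secret: str, token_secret: str) -> str:
    """Key is 'consumer secret & token secret'; neither secret travels on the wire."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


class Server:
    """Photo sharing service: registers clients, issues and enforces delegated tokens."""

    def __init__(self, consumers: dict):
        self.consumers = consumers   # registered client key -> consumer secret
        self.tokens = {}             # token id -> {secret, owner, scopes, exp, revoked}

    def issue_token(self, owner: str, scopes, ttl: float, now: float) -> tuple:
        """Runs only after the owner authenticated directly with us and approved the grant."""
        tid, sec = secrets.token_hex(8), secrets.token_urlsafe(24)
        self.tokens[tid] = {"secret": sec, "owner": owner, "scopes": frozenset(scopes),
                            "exp": now + ttl, "revoked": False}
        return tid, sec

    def revoke(self, tid: str) -> None:
        self.tokens[tid]["revoked"] = True   # the owner's password is untouched

    def handle(self, method: str, url: str, oauth: dict, needed_scope: str, now: float) -> tuple:
        csecret = self.consumers.get(oauth.get("oauth_consumer_key"))
        tok = self.tokens.get(oauth.get("oauth_token"))
        if csecret is None or tok is None:
            return 401, "unknown consumer or token"
        expected = hmac_sha1(base_string(method, url, oauth), csecret, tok["secret"])
        if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return 401, "bad signature"        # tampered URL/params or wrong secret
        if tok["revoked"]:
            return 401, "token revoked"
        if now > tok["exp"]:
            return 401, "token expired"
        if needed_scope not in tok["scopes"]:
            return 403, "insufficient scope"   # valid token, but not for this action
        return 200, f"{tok['owner']}'s resource served under {needed_scope}"


class Client:
    """Printing service: its own consumer credentials plus one delegated token."""

    def __init__(self, key: str, secret: str, token: str, token_secret: str):
        self.key, self.secret, self.token, self.token_secret = key, secret, token, token_secret

    def sign(self, method: str, url: str, *, nonce=None, timestamp=None) -> dict:
        oauth = {"oauth_consumer_key": self.key, "oauth_token": self.token,
                 "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
                 "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
                 "oauth_nonce": nonce or secrets.token_hex(8)}
        oauth["oauth_signature"] = hmac_sha1(base_string(method, url, oauth), self.secret, self.token_secret)
        return oauth


def spec_vector() -> str:
    """Signature for the OAuth Core 1.0 Appendix A example request, recomputed from its inputs."""
    c = Client("dpf43f3p2l4k3l03", "kd94hf93k423kf44", "nnch734d00sl2jdk", "pfkkdhi9sl3r4s00")
    return c.sign("GET", "http://photos.example.net/photos?file=vacation.jpg&size=original",
                  nonce="kllo9940pd9333jh", timestamp=1191242096)["oauth_signature"]


def demo() -> list:
    """Status codes for: valid request, tampered URL, wrong scope, expired token, revoked token."""
    server = Server({"printshop-key": "printshop-secret"})
    t0 = 1_700_000_000
    tid, tsec = server.issue_token("alice", ["photos:read"], ttl=3600, now=t0)
    client = Client("printshop-key", "printshop-secret", tid, tsec)
    url = "https://photos.example/api/photos?album=holiday"
    codes = [server.handle("GET", url, client.sign("GET", url), "photos:read", t0 + 10)[0]]
    codes.append(server.handle("GET", url + "&album=private", client.sign("GET", url), "photos:read", t0 + 10)[0])
    codes.append(server.handle("DELETE", url, client.sign("DELETE", url), "photos:delete", t0 + 10)[0])
    codes.append(server.handle("GET", url, client.sign("GET", url), "photos:read", t0 + 7200)[0])
    server.revoke(tid)
    codes.append(server.handle("GET", url, client.sign("GET", url), "photos:read", t0 + 20)[0])
    return codes
```

demo() walks the valet-key argument in order: a properly signed read succeeds; a request whose URL was altered after signing fails because the signature covers method, URL and parameters; a token scoped to photos:read cannot delete; the same token stops working after its lifetime; and the server can revoke it at any time, in every case without alice's password ever being given to the printing service or changed.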

On the Beaten Path


Taking inspiration from the Microformats community, the OAuth community made an early decision to base the first version of the protocol on well-established practices. OAuth represents the combined wisdom of many proprietary industry protocols, such as Google AuthSub, Yahoo BBAuth, and the Flickr API.


Each of these protocols provides a different method for exchanging user credentials for a token or ticket. OAuth was created by carefully studying each of them, engaging their authors, and extracting the best practices and commonalities, both to support new implementations and to give existing services a smooth transition to OAuth.


One area where OAuth is more evolved than some of the other protocols and services is its direct handling of non-website clients. OAuth has built-in support for desktop applications, mobile devices, set-top boxes, and of course websites.
