How does OAuth 2 differ from OAuth 1?


Question

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1?

Is OAuth 1 obsolete now? Should we be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2 is ready to use. Is it?

Accepted answer

#1

Eran Hammer-Lahav has done an excellent job in explaining the majority of the differences in his article Introducing OAuth 2.0. To summarize, here are the key differences:

1. More OAuth flows to allow better support for non-browser-based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, in OAuth 1.0, desktop applications or mobile phone applications had to direct the user to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the application. The main criticism here is against the user experience. With OAuth 2.0, there are now new ways for an application to get authorization for a user.

2. OAuth 2.0 no longer requires client applications to have cryptography. This hearkens back to the old Twitter Auth API, which didn't require the application to HMAC-hash tokens and request strings. With OAuth 2.0, the application can make a request using only the issued token over HTTPS.

3. OAuth 2.0 signatures are much less complicated. No more special parsing, sorting, or encoding.

4. OAuth 2.0 access tokens are "short-lived". Typically, OAuth 1.0 access tokens could be stored for a year or more (Twitter never let them expire). OAuth 2.0 has the notion of refresh tokens. While I'm not entirely sure what these are, my guess is that your access tokens can be short-lived (i.e. session based) while your refresh tokens can be "lifetime". You'd use a refresh token to acquire a new access token rather than have the user re-authorize your application.

5. Finally, OAuth 2.0 is meant to have a clean separation of roles between the server responsible for handling OAuth requests and the server handling user authorization. More information about that is detailed in the aforementioned article.
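To make points 2 to 4 of the answer concrete, here is an added example (not code from the original question or answer) that implements OAuth 1.0 HMAC-SHA1 request signing as specified in RFC 5849, a matching server-side verifier, and the OAuth 2.0 bearer-token equivalent including a refresh-on-expiry step. The base-string construction is checked against the worked example in RFC 5849 section 3.4.1.1; the client and token secrets, the `refresh` callback (a stand-in for the POST to the token endpoint with `grant_type=refresh_token`) and the token-set dictionary layout are assumptions of this example, not values from the page.

```python
# Added example (not from the original post): OAuth 1.0 HMAC-SHA1 signing
# per RFC 5849 next to the OAuth 2.0 bearer equivalent with refresh.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 s3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """RFC 5849 s3.4.1.2: lowercase scheme and host, drop default port and query."""
    u = urlsplit(url)
    host = u.hostname or ""
    default = (u.scheme == "http" and u.port == 80) or (u.scheme == "https" and u.port == 443)
    if u.port and not default:
        host = f"{host}:{u.port}"
    return f"{u.scheme}://{host}{u.path}"


def signature_base_string(method: str, url: str, body: str, oauth: dict) -> str:
    """RFC 5849 s3.4.1: collect query, form-body and oauth_* parameters (minus
    oauth_signature), percent-encode, sort by name then value, join, encode again.
    This is the 'special parsing, sorting, or encoding' OAuth 2.0 drops."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth.items() if k != "oauth_signature"]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1(base: str, client_secret: str, token_secret: str) -> str:
    """RFC 5849 s3.4.2: the HMAC key is the two encoded secrets joined by '&'."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def oauth1_header(method, url, body, consumer_key, token, client_secret, token_secret,
                  nonce=None, timestamp=None) -> str:
    """Client side: build the Authorization: OAuth header for one request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
    }
    base = signature_base_string(method, url, body, oauth)
    oauth["oauth_signature"] = hmac_sha1(base, client_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def oauth1_verify(method, url, body, header, client_secret, token_secret,
                  max_skew=300, now=None) -> bool:
    """Server side: re-derive the signature from the received request and compare
    in constant time. A real server also rejects replayed nonces (not shown)."""
    if not header.startswith("OAuth "):
        return False
    params = {}
    for part in header[6:].split(","):
        k, _, v = part.strip().partition("=")
        params[k] = unquote(v.strip('"'))
    params.pop("realm", None)
    if params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        skew = abs((now or int(time.time())) - int(params.get("oauth_timestamp", "")))
    except ValueError:
        return False
    if skew > max_skew:
        return False
    expected = hmac_sha1(signature_base_string(method, url, body, params), client_secret, token_secret)
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))


def oauth2_header(token_set: dict, refresh, now=None) -> str:
    """OAuth 2.0 client side: no per-request signing, just the bearer token over
    TLS. When the short-lived access token has expired, `refresh` (assumed here
    to wrap the token-endpoint call) swaps the refresh token for a new access
    token instead of sending the user back to the authorization server."""
    now = now or time.time()
    if now >= token_set["expires_at"]:
        token_set.update(refresh(token_set["refresh_token"]))
    return f"Bearer {token_set['access_token']}"
```

The OAuth 1.0 path has to agree byte-for-byte on both sides about what the request looks like (query parsing, form-body parsing, encoding and ordering), which is why historically so many OAuth 1 client libraries produced signatures the server rejected; the OAuth 2.0 path has nothing to get wrong except keeping the token off the wire in clear text, which is why the answer stresses HTTPS.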

Reposted from: 编程之路 (/reply/detail/tanhchabfg)