沉冰浮水


On APIs and OAuth authorization

2023-01-02: This article is from 2011, but in 2023 there are still websites that, when a user logs in with WeChat for the first time, simply create a new account for them instead of asking whether they want to bind an existing email account...


I went to the city for some business a few days ago and found that the portable version of Firefox is still so frustrating... I didn't manage my subscriptions and a lot piled up... I updated my blog after I got back, so those who subscribe should have noticed...

These past few days I've been tinkering with the Tencent Weibo API (only one blue screen so far, by the way; I've been using Windows 7 for almost a year with fewer than 10 blue screens, not bad for Microsoft). The SDK has no ASP version, and I only know a little ASP... So I had to try to figure it out myself. After Googling every way I could think of, I finally understood what OAuth is, but it always fails at runtime...


Revision: It was still OAuth 1.0 back then, and it was really torturous. It got better after 2.0.

Understanding OAuth 2.0 - Ruanyifeng's Network Diary:

https://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html


The following content may not be of much value, but let's keep it for now.

The API completes authentication, authorization, and access to or modification of protected resources in the following four steps (this is the OAuth 1.0 flow):

  1. Obtain an unauthorized Request Token (temporary credentials).
  2. Request user authorization for the Request Token.
  3. Exchange the authorized Request Token for an Access Token (token credentials).
  4. Access or modify protected resources using the Access Token.

Steps 1-3 use HTTPS, while step 4 uses plain HTTP. Step 4 can get away with that only because OAuth 1.0 signs every resource request (HMAC-SHA1 over the consumer secret and token secret is the usual method), so the secrets themselves never travel over the wire; the contents of the request and response still do, so anything confidential in them is exposed on that hop.
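As an added example (not code from the original post, and not Tencent's SDK), here is the part of OAuth 1.0 that is painful to hand-roll: building the RFC 5849 signature base string, signing it with HMAC-SHA1, and verifying it on the server. This is what protects the step-4 request when it goes over plain HTTP: only the signature is sent, never the secrets. The verifier also shows the timestamp window and nonce record that a resource server needs so that a request captured on that plain-HTTP hop cannot simply be replayed. The consumer key, tokens and API URL in the demo are constructed values, not Tencent's.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, drop default port, query and fragment."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if p.port and p.port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{p.port}"
    return f"{scheme}://{host}{p.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Section 3.4.1: METHOD & enc(base URI) & enc(normalized params); realm and oauth_signature excluded."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)  # form-encoded body, if any
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    # Encode first, then sort by encoded name and encoded value (section 3.4.1.3.2).
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key = enc(consumer secret) '&' enc(token secret); base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, consumer_key, consumer_secret, token="", token_secret="",
                 body="", nonce=None, timestamp=None) -> dict:
    """Client side: the oauth_* parameters for one request, signature included."""
    # Only the signature travels; both secrets stay on the client, which is why step 4 could use plain HTTP.
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    if token:
        oauth["oauth_token"] = token
    base = signature_base_string(method, url, oauth, body)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth: dict, realm: str = "") -> str:
    """Section 3.5.1: Authorization: OAuth realm="...", name="enc(value)", ..."""
    items = [f'realm="{realm}"'] if realm else []
    items += [f'{k}="{pct(v)}"' for k, v in sorted(oauth.items())]
    return "OAuth " + ", ".join(items)


def verify_request(method, url, oauth, consumer_secret, token_secret="", body="",
                   seen_nonces=None, now=None, window=300) -> bool:
    """Server side: constant-time signature check, then freshness and replay checks."""
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    expected = hmac_sha1_signature(signature_base_string(method, url, oauth, body),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
        return False
    try:
        ts = int(oauth["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    # A plain-HTTP step 4 shows the whole request to an eavesdropper; the window and the
    # (timestamp, nonce, consumer key) record are what stop them from replaying it.
    if abs((int(time.time()) if now is None else now) - ts) > window:
        return False
    if seen_nonces is not None:
        replay_key = (ts, oauth.get("oauth_nonce", ""), oauth.get("oauth_consumer_key", ""))
        if replay_key in seen_nonces:
            return False
        seen_nonces.add(replay_key)
    return True


if __name__ == "__main__":
    # Constructed demo values; the URL is hypothetical, not a real Tencent endpoint.
    url = "http://api.example.com/statuses/home_timeline?format=json"
    oauth = sign_request("GET", url, "app-key", "app-secret", "user-token", "user-token-secret")
    print(authorization_header(oauth, realm="example"))
    print(verify_request("GET", url, oauth, "app-secret", "user-token-secret", seen_nonces=set()))
```

The base-string routine reproduces the worked example in RFC 5849 section 3.4.1.1 exactly, which is the quickest way to find out whether a hand-rolled client encodes and sorts parameters the way the server does; most "it always fails at runtime" problems with OAuth 1.0 come down to a mismatch there. In production the nonce record has to be shared across server instances and pruned once a timestamp falls outside the window.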

When we register with and use Tencent Weibo, our account password and the information we publish are stored on Tencent Weibo's servers. Through the API, however, that data can be retrieved and used outside the platform. In the first step the application therefore makes a "reservation" with Tencent's servers on the user's behalf; because the request is signed with the application's own consumer key and secret, this step also checks that the application is a registered one. Steps 2 and 3 verify the user's identity (on Tencent's site, so the application never sees the password) and complete the remaining "procedures" that let the data be taken outside the platform. Only then can the application "access or modify protected resources".

It's quite similar to OpenID, except that in OpenID the party that verifies the user's identity only does the verification and does not provide any resources.


Knowledge Popularization: What is "OpenID"? - Computer Network - Chen Bing Fu Shui:

https://www.wdssmq.com/post/20100519288.html
