简单来说,有人能解释一下OAuth 2和OAuth 1之间的区别吗?

OAuth 1现在过时了吗?我们应该实现OAuth 2吗?我没有看到很多OAuth 2的实现;大多数人仍在使用OAuth 1,这让我怀疑OAuth 2是否可以使用。是吗?


当前回答

一旦生成了令牌,实际的API调用就不需要OAuth 2.0签名。它只有一个安全令牌。

OAuth 1.0要求客户端为每个API调用发送两个安全令牌,并使用它们来生成签名。它要求受保护的资源端点能够访问客户端凭据,以便验证请求。

下面介绍OAuth 1.0和2.0之间的区别以及两者的工作方式。

其他回答

从安全的角度来看,我选择OAuth 1。参见OAuth 2.0和地狱之路。

引用这个链接:

"If you are currently using 1.0 successfully, ignore 2.0. It offers no real value over 1.0 (I’m guessing your client developers have already figured out 1.0 signatures by now). If you are new to this space, and consider yourself a security expert, use 2.0 after careful examination of its features. If you are not an expert, either use 1.0 or copy the 2.0 implementation of a provider you trust to get it right (Facebook’s API documents are a good place to start). 2.0 is better for large scale, but if you are running a major operation, you probably have some security experts on site to figure it all out for you."

OAuth 2显然是在浪费时间(来自一个参与其中的人):

https://gist.github.com/nckroy/dd2d4dfc86f7d13045ad715377b6a48f

他说(为简洁起见,加粗了):

...I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing. ...At the end, I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it. ...When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure. To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.

OAuth 2.0承诺在以下方面简化事情:

SSL is required for all the communications required to generate the token. This is a huge decrease in complexity because those complex signatures are no longer required. Signatures are not required for the actual API calls once the token has been generated -- SSL is also strongly recommended here. Once the token was generated, OAuth 1.0 required that the client send two security tokens on every API call, and use both to generate the signature. OAuth 2.0 has only one security token, and no signature is required. It is clearly specified which parts of the protocol are implemented by the "resource owner," which is the actual server that implements the API, and which parts may be implemented by a separate "authorization server." That will make it easier for products like Apigee to offer OAuth 2.0 support to existing APIs.

来源:http://blog.apigee.com/detail/oauth_differences

我在这里看到了很好的答案,但我错过了一些图表,因为我必须使用Spring Framework,所以我看到了它们的解释。

我发现下面的图表很有用。它们说明了使用OAuth2和OAuth1的各方之间通信的差异。


OAuth 2


OAuth 1

如果你需要一些高级解释,你需要阅读这两个规范:

https://oauth.net/core/1.0a/

https://oauth.net/2/

正如您将看到的,有几个概念上的差异。

如果你需要使用oauth1或oauth2来消费或发布某个服务,这里我向你展示了一个技术上的区别:

OAuth 1.0流程

客户端应用程序向提供者注册,比如Twitter。 Twitter为客户端提供了该应用程序独有的“消费者秘密”。 客户端应用程序用其独特的“消费者秘密”向Twitter签署所有OAuth请求。 如果任何OAuth请求格式不正确、缺少数据或签名不正确,该请求将被拒绝。

OAuth 2.0流程

客户端应用程序向提供者注册,比如Twitter。 Twitter为客户端提供了该应用程序独有的“客户端秘密”。 客户端应用程序包含“客户端秘密”的每个请求通常作为http头。 如果任何OAuth请求格式不正确、缺少数据或包含错误的秘密,该请求将被拒绝。

来源:

https://www.synopsys.com/blogs/software-security/oauth-2-0-vs-oauth-1-0/