简单来说,有人能解释一下OAuth 2和OAuth 1之间的区别吗?
OAuth 1现在过时了吗?我们应该实现OAuth 2吗?我没有看到很多OAuth 2的实现;大多数人仍在使用OAuth 1,这让我怀疑OAuth 2是否可以使用。是吗?
简单来说,有人能解释一下OAuth 2和OAuth 1之间的区别吗?
OAuth 1现在过时了吗?我们应该实现OAuth 2吗?我没有看到很多OAuth 2的实现;大多数人仍在使用OAuth 1,这让我怀疑OAuth 2是否可以使用。是吗?
当前回答
OAuth 2显然是在浪费时间(来自一个参与其中的人):
https://gist.github.com/nckroy/dd2d4dfc86f7d13045ad715377b6a48f
他说(为简洁起见,加粗了):
...I can no longer be associated with the OAuth 2.0 standard. I resigned my role as lead author and editor, withdraw my name from the specification, and left the working group. Removing my name from a document I have painstakingly labored over for three years and over two dozen drafts was not easy. Deciding to move on from an effort I have led for over five years was agonizing. ...At the end, I reached the conclusion that OAuth 2.0 is a bad protocol. WS-* bad. It is bad enough that I no longer want to be associated with it. ...When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure. To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result is a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.
其他回答
一旦生成了令牌,实际的API调用就不需要OAuth 2.0签名。它只有一个安全令牌。
OAuth 1.0要求客户端为每个API调用发送两个安全令牌,并使用它们来生成签名。它要求受保护的资源端点能够访问客户端凭据,以便验证请求。
下面介绍OAuth 1.0和2.0之间的区别以及两者的工作方式。
注意使用Oauth 2存在严重的安全问题:
一篇令人沮丧的文章
一个更专业的问题
注意这些都来自Oauth 2的主要作者。
重点:
Oauth 2 offers no security on top of SSL while Oauth 1 is transport-independent. in a sense SSL isn't secure in that the server does not verify the connection and the common client libraries make it easy to ignore failures. The problem with SSL/TLS, is that when you fail to verify the certificate on the client side, the connection still works. Any time ignoring an error leads to success, developers are going to do just that. The server has no way of enforcing certificate verification, and even if it could, an attacker will surely not. you can fat-finger away all of your security, which is much harder to do in OAuth 1.0: The second common potential problem are typos. Would you consider it a proper design when omitting one character (the ‘s’ in ‘https’) voids the entire security of the token? Or perhaps sending the request (over a valid and verified SSL/TLS connection) to the wrong destination (say ‘http://gacebook.com’?). Remember, being able to use OAuth bearer tokens from the command line was clearly a use case bearer tokens advocates promoted.
Eran Hammer-Lahav在他的文章《介绍OAuth 2.0》中出色地解释了其中的大部分差异。总结一下,这是关键的区别:
More OAuth Flows to allow better support for non-browser based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, in OAuth 1.0, desktop applications or mobile phone applications had to direct the user to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the application. The main criticism here is against the user experience. With OAuth 2.0, there are now new ways for an application to get authorization for a user.
OAuth 2.0不再要求客户端应用程序具有密码学。这让人想起了旧的Twitter Auth API,它不需要应用程序HMAC哈希令牌和请求字符串。使用OAuth 2.0,应用程序可以仅使用通过HTTPS发出的令牌发出请求。
OAuth 2.0签名要简单得多。没有更多特殊的解析、排序或编码。
OAuth 2.0访问令牌是“短命的”。通常,OAuth 1.0访问令牌可以存储一年或更长时间(Twitter从不让它们过期)。OAuth 2.0有刷新令牌的概念。虽然我不完全确定这些是什么,我的猜测是你的访问令牌可以是短期的(即基于会话),而你的刷新令牌可以是“生命时间”。您将使用刷新令牌来获取新的访问令牌,而不是让用户重新授权您的应用程序。
最后,OAuth 2.0意味着在负责处理OAuth请求的服务器和处理用户授权的服务器之间有一个清晰的角色分离。在前面提到的文章中有详细的信息。
我在这里看到了很好的答案,但我错过了一些图表,因为我必须使用Spring Framework,所以我看到了它们的解释。
我发现下面的图表很有用。它们说明了使用OAuth2和OAuth1的各方之间通信的差异。
OAuth 2
OAuth 1
在我看来,之前的解释都过于详细和复杂。简单地说,OAuth 2将安全性委托给HTTPS协议。OAuth 1不需要这样做,因此有替代方法来处理各种攻击。这些方法要求应用程序参与某些复杂且难以实现的安全协议。因此,仅仅依靠HTTPS来获得安全性会更简单,因此应用程序开发人员不需要担心它。
As to your other questions, the answer depends. Some services dont want to require the use of HTTPS, were developed before OAuth 2, or have some other requirement which may prevent them from using OAuth 2. Furthermore, there has been a lot of debate about the OAuth 2 protocol itself. As you can see, Facebook, Google, and a few others each have slightly varying versions of the protocols implemented. So some people stick with OAuth 1 because it is more uniform across the different platforms. Recently, the OAuth 2 protocol has been finalized but we have yet to see how its adoption will take.