OAuth是Resource Owner(facebook，谷歌，tweeter, microsoft live等)使用的协议，用于提供所需的信息，或为第三方系统(例如您的站点)提供写入成功的许可。最有可能的是，如果没有OAuth协议，第三方系统应该可以使用凭据，这将是这些系统之间不合适的通信方式。

Simply put OAuth is a way for applications to gain credentials to your information without directly getting your user login information to some website. For example if you write an application on your own website and want it to use data from a user's facebook account, you can use OAuth to get a token via a callback url and then use that token to make calls to the facebook API to get their use data until the token expires. Websites rely on it because it allows programmers to access their data without the user having to directly disclose their information and spread their credentials around online but still provide a level of protection to the data. Will it become the de facto method of authorization? Perhaps, it's been gaining a lot of support recently from Twitter, Facebook, and the likes where other programmers want to build applications around user data.

OAuth发生时，我们注册SO帐户与Facebook/谷歌 按钮。

应用程序(SO)将用户重定向到提供者的授权URL。(显示一个网页，询问用户是否希望授予应用程序读取和更新数据的访问权限)。 用户同意授予应用程序。 服务提供者将用户重定向回应用程序(SO)，将授权代码作为参数传递。 SO用代码交换访问权限。

来源:OAuth1服务提供者

OAuth主要是关于委托授权(选择可以为您进行授权的人)。请注意，身份验证和授权是不同的事情。OAuth是授权(访问控制)，如果还想实现身份验证(ID验证)，可以在OAuth之上使用OpenID协议。

All big companies like Facebook, Google, Github,... use this kind of authentication/authorization nowadays. For example, I just signed in on this website using my Google account, this means Stackoverflow doesn't know my password, it receives the allowance from Google where my password (hashed obviously) is saved. This gives a lot of benefits, one of them is; In the near future you won't have to make several accounts on every website. One website (which you trust most) can be used to login to all other websites. So you'll only have to remember one password.

OAuth是一种开放的授权标准，通常用于互联网用户使用微软、谷歌、Facebook或Twitter账户登录第三方网站而不暴露密码。

OAuth是什么?

OAuth只是一个安全的授权协议，用于处理第三方应用程序的授权，以便在不暴露用户密码的情况下访问用户数据。(例如，在许多网站上登录Facebook, gPlus, Twitter)都在此协议下工作。

各方

当你了解有关各方时，议定书就变得更容易了。基本上，涉及到三个方面:OAuth提供者、OAuth客户端和所有者。

OAuth客户端(想要访问您的凭据的应用程序) OAuth提供者(例如;Facebook, Twitter等) 所有者(拥有Facebook、Twitter等账户的人)

工作原理

我假设了一个场景，一个网站(Stack Overflow)需要添加一个登录与Facebook功能。因此，Facebook是OAuth提供者，Stack Overflow是OAuth客户端。

This step is done by the app's developer. At the very beginning, Facebook (OAuth Provider) has no idea about the Stack Overflow (OAuth Client) because there is no link between them. So the very first step is to register Stack Overflow with Facebook developers site. This is done manually where developers need to give the app's information to Facebook like the app's name, website, logo, redirectUrl (important one). Then Stack Overflow is successfully registered, has got client Id, client secret, etc from Facebook, and is up and running with OAuth.

现在当Stack Overflow的用户点击登录Facebook按钮。Stack Overflow请求Facebook使用ClientId (Facebook使用它来识别客户端)和redirectUrl(成功后Facebook将返回此URL)。因此，用户被重定向到Facebook登录页面。这是最好的部分，用户(所有者)不会把他们的Facebook凭证给Stack Overflow。

After Owner allows Stack Overflow to access the information. Then Facebook redirects back to Stack Overflow, along with authcode using the redirectUrl provided at step 2. Then Stack Overflow contacts Facebook along with the obtained authcode to make sure everything is okay. Only then Facebook will give access token to Stack Overflow. Then access token is used by Stack Overflow to retrieve the owner's information without using a password. This is the whole motive of OAuth, where actual credentials are never exposed to third-party applications.

更多信息:

快速视频

网页链接