OAuth1.0 RFC5849 中文版 (部分翻译)

由于独立域名空间速度不好,所以就发到这里啦.

原文地址:http://mktime.tk/web-service/oauth-rfc5849.html

RFC文档的地址在http://tools.ietf.org/html/rfc5849

从第五页开始有一个Example,我觉得这对于新手来说是最好的例子了,所以我就用我的蹩脚英语把它"翻译"了一下，希望对大家有所帮助。

1.1. Terminology (术语,提前声明，会在下面的example中使用到)
client An HTTP client (per [RFC2616]) capable of making OAuth- authenticated requests (Section 3).
客户端
一个HTTP客户端,用来生成OAuth请求.

server An HTTP server (per [RFC2616]) capable of accepting OAuth- authenticated requests (Section 3).
服务端
一个HTTP服务端,用来获得上一步提到的客户端的OAuth请求. protected resource An access-restricted resource that can be obtained from the server using an OAuth-authenticated request (Section 3).
受保护资源
一个可以访问的受限的资源，可以通过OAuth从服务端获取. resource owner An entity capable of accessing and controlling protected resources by using credentials to authenticate with the server.
资源所有者
可以通过使用凭证信息(用户名密码等)来通过服务器的认证,从而控制受保护资源的所有者. credentials Credentials are a pair of a unique identifier and a matching shared secret. OAuth defines three classes of credentials: client, temporary, and token, used to identify and authenticate the client making the request, the authorization request, and the access grant, respectively.
凭据
凭据是一对单向散列值和一对共享的密钥.OAuth协议定义了三类凭证:
客户端的,临时的,和用来授权的,它们分别用来 识别和授权客户端的的请求,认证请求，和授予权限。

token
A unique identifier issued by the server and used by the client
to associate authenticated requests with the resource owner
whose authorization is requested or has been obtained by the
client. Tokens have a matching shared-secret that is used by
the client to establish its ownership of the token, and its
authority to represent the resource owner.
token(还是原生点比较好)
它是由服务端颁发的一串单向散列值，并被客户端使用,来和正在被请求认证或者已经被请求认证通过的资源所有者 关联被认证的请求。上面提到的单向散列值(token)有一个与它相匹配的共享密钥,客户端用这个共享密钥来确认这个单向散列值(token)的所有权和它代表对资源所有者的权力.(最后一句翻译的有些蹩脚,希望大家可以明白那个意思.)

1.2. Example

Jane (resource owner) has recently uploaded some private vacation photos (protected resources) to her photo sharing site 'photos.example.net' (server). She would like to use the 'printer.example.com' website (client) to print one of these photos. Typically, Jane signs into 'photos.example.net' using her username and password.
简(资源所有者)最近在图片分享网站"http://photos.example.net"(服务端)里面上传了一些她的个人假期旅游照片。她同时想使用图片打印网站"printer.example.com"(客户端)提供的打印服务来打印这些照片。通常来说，简在photos.example.net注册了一个用户，并使用她注册的用户名和密码登录进这个网站。 However, Jane does not wish to share her username and password with the 'printer.example.com' website, which needs to access the photo in order to print it. In order to provide its users with better service, 'printer.example.com' has signed up for a set of 'photos.example.net' client credentials ahead of time: Client Identifier dpf43f3p2l4k3l03 Client Shared-Secret: kd94hf93k423kf44 
然而，简并不希望在printer.example.com上分享她在photos.example.com注册的用户名和密码。printer.example.com为了给它的客户提供更优质的服务，printer.example.com之前已经在photos.example.net注册了一对客户凭证(key 和secret)：
Client Identifier(类似于开发者在新浪微薄开放平台注册的App Key):
dpf43f3p2l4k3l03

Client Shared-Secret(类似于开发者在新浪微薄开放平注册App Key时获得的与之配套的App Secret):
kd94hf93k423kf44

The 'printer.example.com' website has also configured its application to use the protocol endpoints listed in the 'photos.example.net' API documentation, which use the "HMAC-SHA1" signature method:
printer.example.com也已经配置好了它的应用程序,来使用photos.example.net提供的API。并且签名使用的是HMAC-SHA1 方法:
Temporary Credential Request (获取未授权的Request Token)
https://photos.example.net/initiate

Resource Owner Authorization URI(请求用户授权Request Token):
https://photos.example.net/authorize

Token Request URI(使用授权后的Request Token换取Access Token):
https://photos.example.net/token

Before 'printer.example.com' can ask Jane to grant it access to the photos, it must first establish a set of temporary credentials with 'photos.example.net' to identify the delegation request. To do so, the client sends the following HTTPS [RFC2818] request to the server:
在printer.example.com请求简授权printer.example.com来访问这些图片之前,printer.example.com必须和photos.example.net建立一对临时的凭证用来识别这个受委托的请求。为了满足上述条件，客户端(printer.example.com)向服务端(photos.example.net)发送一个HTTPS请求(新浪的是http协议的):

POST /initiate HTTP/1.1
Host: photos.example.net
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131200",
oauth_nonce="wIjqoS",
oauth_callback="http%3A%2F%2Fprinter.example.com%2Fready",
oauth_signature="74KNZJeDHnMBp0EMJ9ZHt%2FXKycU%3D"

如果要发起HTTP请求，可以使用开源的工具CURL。

The server validates the request and replies with a set of temporary credentials in the body of the HTTP response (line breaks are for display purposes only):
服务端验证通过这个请求,并且做出一个HTTP响应，在HTTP响应的body内包含了一对临时的凭证(key和secret):
HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03&
oauth_callback_confirmed=true

The client redirects Jane's user-agent to the server's Resource Owner Authorization endpoint to obtain Jane's approval for accessing her private photos:
客户端(printer.example.com)将简的访问地址重定向至服务端(photos.example.net)的资源所有者认证地址(比如说登录地址)来获得对简的照片进行访问的批准：
https://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola The server requests Jane to sign in using her username and password and if successful, asks her to approve granting 'printer.example.com' access to her private photos. Jane approves the request and her user-agent is redirected to the callback URI provided by the client in the previous request (line breaks are for display purposes only): http://printer.example.com/ready? oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884
服务端(photos.example.net)请求简用她自己注册的账号和密码来登录,如果登录成功，就请求简批准printer.example.com(客户端)对她个人照片访问的授权。简批准了这个请求(即允许printer.example.com对她的照片的访问)，并且浏览器跳转至客户端(printer.example.com)提供的回调地址(在上一个请求的URI末尾就带了这个参数)：
http://printer.example.com/ready?
oauth_token=hh5s93j4hdidpola&oauth_verifier=hfdp7dh39dks9884 The callback request informs the client that Jane completed the authorization process. The client then requests a set of token credentials using its temporary credentials (over a secure Transport Layer Security (TLS) channel):
这个回调地址通知客户端(printer.example.com)简已经完成了授权过程。接着客户端(printer.example.com)用上一步获得的临时凭证请求一对key和secret:
POST /token HTTP/1.1
Host: photos.example.net
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_token="hh5s93j4hdidpola",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131201",
oauth_nonce="walatlh",
oauth_verifier="hfdp7dh39dks9884",
oauth_signature="gKgrFCywp7rO0OXSjdot%2FIHF7IU%3D" The server validates the request and replies with a set of token credentials in the body of the HTTP response:
服务端验证并通过这个请求，并做出响应，在body中包含一对凭证：
HTTP/1.1 200 OK
Content-Type: application/x-www-form-urlencoded

oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00

With a set of token credentials, the client is now ready to request the private photo:
使用这对凭证，客户端(printer.example.com)就可以对简的私人照片进行访问了:
GET /photos?file=vacation.jpg&size=original HTTP/1.1
Host: photos.example.net
Authorization: OAuth realm="Photos",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_token="nnch734d00sl2jdk",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="137131202",
oauth_nonce="chapoH",
oauth_signature="MdpQcU8iPSUjWoN%2FUDMsK2sui9I%3D"

The 'photos.example.net' server validates the request and responds with the requested photo. 'printer.example.com' is able to continue accessing Jane's private photos using the same set of token credentials for the duration of Jane's authorization, or until Jane revokes access.
服务端(photos.example.net)验证并通过这个请求并用被请求的图片做出响应。客户端(printer.example.com)现在就可以继续使用这对凭证访问简的照片了，直到简吊销对她私人资源的访问。

翻译完了回过头来再看看,感觉自己翻译的还凑活，起码可以知道what is it ,how does it work.