OAuth/en


Overview

To use the APIs of the Sina Weibo open platform, you must first register an application. Every application is issued a unique App Key and App Secret, which play the same role as the public key/private key pair in other protocols. Using the programming language of your choice, you sign every API call with the Key and Secret so that the Sina Weibo open platform can authenticate the access.


Web applications must use OAuth for user authentication. Desktop and mobile applications should use OAuth as well, although Basic Auth, a simpler method that sends the user name and password directly, is also accepted for desktop applications. Details can be found in the authorization mechanism statement. Currently, the Sina Weibo open platform uses OAuth 1.0a.


OAuth Basic Workflow

An OAuth request cycle can be divided into four steps:

[Figure: OAuth flowchart (oauth_flowchart.jpg)]

OAuth provides two ways to pass the authentication parameters: in the query string or in HTTP headers. We recommend the HTTP header method.

Request signature

All OAuth requests use the same algorithm to generate the signature base string and the signature. The base string joins the HTTP method name, the URL-encoded base URL and the URL-encoded, normalized request parameters with &. To normalize the parameters, sort all request parameters (including POST body parameters) alphabetically by name, join each name and value with = and the pairs with &, then URL-encode the result so that = becomes %3D and & becomes %26. The algorithm can be summarized as:

http_method + "&" +
  url_encode(base_uri) + "&" +
  sorted_query_params.map { |k, v|      # map (not each) so the encoded pairs are collected
    url_encode(k) + "%3D" + url_encode(v)
  }.join("%26")

Whichever kind of OAuth 1.0 request is made, the method of generating the base string does not change. Sina Weibo requires that OAuth requests be signed with HMAC-SHA1.

Retrieve the request token

Retrieving a request token is the first step of user authorization. This step serves two purposes: 1. tell Sina Weibo what you want to do; 2. tell Sina Weibo where the callback should go. The URL for acquiring a request token from the Sina Weibo open platform is http://api.t.sina.com.cn/oauth/request_token. Here is an example. We are going to acquire a request token with these parameters:

consumer secret - "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98"
oauth_callback - http://localhost:3005/the_dance/process_callback?service_provider_id=11
oauth_consumer_key - GDdmIQH6jhtmLUypg82g
oauth_nonce - QP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk
oauth_signature_method - HMAC-SHA1
oauth_timestamp - 1272323042
oauth_version - 1.0

First, generate the base string with the algorithm described above. Note that the callback URL itself contains a query parameter. Because that parameter is part of the callback URL, it is not treated as a separate request parameter; the whole URL is treated as a single string value. The generated base string is:

POST&https%3A%2F%2Fapi.t.sina.com.cn%2Foauth%2Frequest_token&oauth_callback%3Dhttp%253A%252F%252Flocalhost%253A3005%252Fthe_dance%252Fprocess_callback%253Fservice_provider_id%253D11%26oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce%3DQP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272323042%26oauth_version%3D1.0

Our base string does not include oauth_token or oauth_token_secret, because we have not obtained them yet. Next, use the signing key (the App Secret followed by &) to generate oauth_signature from the base string:

8wUi7m5HFQy76nowoCThusfgB+Q=

Call http://api.t.sina.com.cn/oauth/request_token with this HTTP header:

OAuth oauth_nonce="QP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk", oauth_callback="http%3A%2F%2Flocalhost%3A3005%2Fthe_dance%2Fprocess_callback%3Fservice_provider_id%3D11", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272323042", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_signature="8wUi7m5HFQy76nowoCThusfgB%2BQ%3D", oauth_version="1.0"

When the server receives this request, it returns oauth_token, oauth_token_secret and other information. If oauth_callback_confirmed is true, the callback has been accepted. The server's response is:

oauth_token=8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc&oauth_token_secret=x6qpRnlEmW9JbQn4PQVVeVG8ZLPEx6A0TOebgwcuA&oauth_callback_confirmed=true

Now record oauth_token and oauth_token_secret, because we need them to obtain the access token.
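As an added worked example (not code from this page or from the Sina Weibo platform), the following Python implements the base-string and HMAC-SHA1 signing algorithm described above and reproduces the request-token step just shown; it also handles signed body parameters such as the status text in a statuses/update call. Function names are my own; the parameter values are copied from this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct_encode(value):
    # OAuth 1.0a uses RFC 3986 encoding: only A-Z a-z 0-9 "-" "." "_" "~" stay literal.
    return quote(str(value), safe="-._~")


def signature_base_string(http_method, base_uri, params):
    # params holds every request parameter: the oauth_* ones plus query/body ones
    # such as "status". Sort by name, encode key and value, join with "&", then
    # encode that whole string once more (so "=" -> %3D, "&" -> %26, "%" -> %25).
    normalized = "&".join(f"{pct_encode(k)}={pct_encode(v)}" for k, v in sorted(params.items()))
    return "&".join([http_method.upper(), pct_encode(base_uri), pct_encode(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key is consumer_secret "&" token_secret (both halves percent-encoded per
    # the spec; a no-op for this page's values). The "&" stays even when there is no
    # token secret yet, which is the request-token step: "AppSecret&".
    key = f"{pct_encode(consumer_secret)}&{pct_encode(token_secret)}"
    mac = hmac.new(key.encode("utf-8"), base_string.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(params, signature):
    # Header form of the request: only oauth_* parameters travel in the header;
    # body parameters such as "status" are covered by the signature but sent in the body.
    fields = dict(params, oauth_signature=signature)
    parts = [f'{k}="{pct_encode(v)}"' for k, v in fields.items() if k.startswith("oauth_")]
    return "OAuth " + ", ".join(parts)


# Values copied from the request-token step on this page (constructed example input).
REQUEST_TOKEN_PARAMS = {
    "oauth_callback": "http://localhost:3005/the_dance/process_callback?service_provider_id=11",
    "oauth_consumer_key": "GDdmIQH6jhtmLUypg82g",
    "oauth_nonce": "QP70eNmVz8jvdPevU3oJD2AfF7R7odC2XJcn4XlZJqk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1272323042",
    "oauth_version": "1.0",
}

if __name__ == "__main__":
    base = signature_base_string("POST", "https://api.t.sina.com.cn/oauth/request_token", REQUEST_TOKEN_PARAMS)
    sig = hmac_sha1_signature(base, "MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98")
    print(base)
    print(authorization_header(REQUEST_TOKEN_PARAMS, sig))
```

Because the signature covers the method, the URL and every parameter, a server that recomputes it rejects any request whose parameters or body were altered in transit.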

User authorization

In this step, the user authorizes the application using the oauth_token obtained in the previous step. Typically a web application redirects the user to the authorization page, while a desktop application asks the user to open the URL. The authorization URL of the Sina Weibo open platform is http://api.t.sina.com.cn/oauth/authorize. Call it with the oauth_token: http://api.t.sina.com.cn/oauth/authorize?oauth_token=8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc The user logs in to Sina Weibo if not already logged in, and a page describing the authorization request is displayed; the user must confirm on that page that the application may be authorized. After that, a web application is redirected to the oauth_callback you specified, while a desktop application receives a PIN code that the user must enter into your application. If a callback is used, it now receives the oauth_token and oauth_verifier. For example:

oauth_token=8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc&oauth_verifier=pDNg57prOHapMbhv25RNf75lVRd6JDsni1AJJIDYoTY

Retrieve access token

The URL for retrieving an access token from the Sina Weibo open platform is: http://api.t.sina.com.cn/oauth/access_token. The request parameters are:

    oauth_consumer_key - GDdmIQH6jhtmLUypg82g
    oauth_nonce - 9zWH6qe0qG7Lc1telCn7FhUbLyVdjEaL3MO5uHxn8
    oauth_signature_method - HMAC-SHA1
    oauth_token - 8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc
    oauth_timestamp - 1272323047
    oauth_verifier - pDNg57prOHapMbhv25RNf75lVRd6JDsni1AJJIDYoTY
    oauth_version - 1.0
    oauth_token_secret - x6qpRnlEmW9JbQn4PQVVeVG8ZLPEx6A0TOebgwcuA

First, prepare the base string (with the method described above):

POST&https%3A%2F%2Fapi.t.sina.com.cn%2Foauth%2Faccess_token&oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce%3D9zWH6qe0qG7Lc1telCn7FhUbLyVdjEaL3MO5uHxn8%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272323047%26oauth_token%3D8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc%26oauth_verifier%3DpDNg57prOHapMbhv25RNf75lVRd6JDsni1AJJIDYoTY%26oauth_version%3D1.0

Join the consumer secret and oauth_token_secret with & to form the signing key:

MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&x6qpRnlEmW9JbQn4PQVVeVG8ZLPEx6A0TOebgwcuA

The generated OAuth signature is:

PUw/dHA4fnlJYM6RhXk5IU/0fCc=

Then call the URL above with the request token; the request header is:

OAuth oauth_nonce="9zWH6qe0qG7Lc1telCn7FhUbLyVdjEaL3MO5uHxn8", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272323047", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_token="8ldIZyxQeVrFZXFOZH5tAwj6vzJYuLQpl0WUEYtWc", oauth_verifier="pDNg57prOHapMbhv25RNf75lVRd6JDsni1AJJIDYoTY", oauth_signature="PUw%2FdHA4fnlJYM6RhXk5IU%2F0fCc%3D", oauth_version="1.0"

The Sina Weibo open platform returns the necessary information, including the user name and oauth_token/oauth_token_secret (this time these form the access token). The response content is:

oauth_token=819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw&oauth_token_secret=J6zix3FfA9LofH0awS24M3HcBYXO5nI1iYe8EfBA&user_id=819797&screen_name=openapi

You can now use the access token to update statuses.

Retrieve user profile

Next, we verify the user's credentials (if this succeeds, the server returns the user profile). The parameters for this call are:

oauth_consumer_key - GDdmIQH6jhtmLUypg82g
oauth_nonce - oElnnMTQIZvqvlfXM56aBLAf5noGD0AQR3Fmi7Q6Y
oauth_signature_method - HMAC-SHA1
oauth_token - 819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw
oauth_timestamp - 1272325550
oauth_version - 1.0

Generate the base string with the algorithm above (note that the base string as printed here reuses the nonce and oauth_verifier of the access-token step rather than the parameters listed above; the header below uses the nonce listed above):

POST&https%3A%2F%2Fapi.t.sina.com.cn%2Faccount%2Fverify_credentials&oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce%3D9zWH6qe0qG7Lc1telCn7FhUbLyVdjEaL3MO5uHxn8%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272325550%26oauth_token%3D819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw%26oauth_verifier%3DpDNg57prOHapMbhv25RNf75lVRd6JDsni1AJJIDYoTY%26oauth_version%3D1.0

Generate the signature with the key formed by joining the consumer secret and oauth_token_secret with &. The key is:

MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&J6zix3FfA9LofH0awS24M3HcBYXO5nI1iYe8EfBA

The generated signature is:

ICuKVLKetCO4axEppJBqOofFg/A=

We can now make the HTTP call. The generated HTTP header is:

OAuth oauth_nonce="oElnnMTQIZvqvlfXM56aBLAf5noGD0AQR3Fmi7Q6Y", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272325550", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_token="819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw", oauth_signature="ICuKVLKetCO4axEppJBqOofFg%2FA%3D", oauth_version="1.0"

Response:

{
	weibo=null, 
	id=1803876591, 
	name='loopa', 
	screenName='loopa', 
	location='北京 海淀区', 
	description='2fBAcRG0]8OGRvp', 
	profileImageUrl='http://tp4.sinaimg.cn/1803876591/50/0', 
	url='', 
	isProtected=false, 
	followersCount=23, 
	statusCreatedAt=Mon Sep 27 13:50:14 CST 2010, 
	statusId=2847344825, 
	statusText='uhYFQJ[', 
	statusSource='<a href="" rel="nofollow">微博开放平台接口</a>', 
	statusTruncated=false, 
	statusInReplyToStatusId=0, 
	statusInReplyToUserId=0, 
	statusFavorited=false, 
	statusInReplyToScreenName='', 
	profileBackgroundColor='', 
	profileTextColor='', 
	profileLinkColor='', 
	profileSidebarFillColor='', 
	profileSidebarBorderColor='', 
	friendsCount=1, 
	createdAt=Fri Aug 27 00:00:00 CST 2010, 
	favouritesCount=0, 
	utcOffset=-1, 
	timeZone='', 
	profileBackgroundImageUrl='', 
	profileBackgroundTile='', 
	following=false, 
	notificationEnabled=false, 
	statusesCount=8509, 
	geoEnabled=false, 
	verified=false
}

Tips

Here are some tips:

  • Pass the OAuth parameters in the HTTP header.
  • Encrypt all authentication data in every step with SSL.
  • Use api.t.sina.com.cn, not t.sina.com.cn.
  • Always set oauth_callback explicitly. An application has a default callback URL registered, but we recommend passing the callback explicitly in every call; a dynamic callback lets you carry useful information back to your application. If a PIN code is used, the callback should be "oob".


Posting a weibo through OAuth

Now we can post a weibo with the oauth_token and oauth_token_secret through the statuses/update API. The relevant parameters are:

  • POST body - status=message
  • oauth_consumer_key - GDdmIQH6jhtmLUypg82g
  • oauth_nonce - oElnnMTQIZvqvlfXM56aBLAf5noGD0AQR3Fmi7Q6Y
  • oauth_signature_method - HMAC-SHA1
  • oauth_token - 819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw
  • oauth_timestamp - 1272325550
  • oauth_version - 1.0

The generated base string:

POST&http%3A%2F%2Fapi.t.sina.com.cn%2Fstatuses%2Fupdate.json&oauth_consumer_key%3DGDdmIQH6jhtmLUypg82g%26oauth_nonce%3DoElnnMTQIZvqvlfXM56aBLAf5noGD0AQR3Fmi7Q6Y%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1272325550%26oauth_token%3D819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw%26oauth_version%3D1.0%26status%3D%25E9%2580%259A%25E8%25BF%2587OAuth%25E5%258F%2591%25E9%2580%2581%25E5%25BE%25AE%25E5%258D%259A%25E4%25BF%25A1%25E6%2581%25AF

Generate the signature with the key formed by joining the consumer secret and oauth_token_secret with &. The key is:

MCD8BKwGdgPHvAuvgvz4EQpqDAtx89grbuNMRd7Eh98&J6zix3FfA9LofH0awS24M3HcBYXO5nI1iYe8EfBA

The generated signature:

yOahq5m0YjDDjfjxHaXEsW9D+X0=

Send the HTTP request with this HTTP header:

OAuth oauth_nonce="oElnnMTQIZvqvlfXM56aBLAf5noGD0AQR3Fmi7Q6Y", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1272325550", oauth_consumer_key="GDdmIQH6jhtmLUypg82g", oauth_token="819797-Jxq8aYUDRmykzVKrgoLhXSq67TEa5ruc4GJC2rWimw", oauth_signature="yOahq5m0YjDDjfjxHaXEsW9D%2BX0%3D", oauth_version="1.0"

Server response:

{
    "created_at": "Mon Oct 11 12:00:16 +0800 2010", 
    "favorited": false, 
    "geo": null, 
    "id": 3034670049, 
    "in_reply_to_screen_name": "", 
    "in_reply_to_status_id": "", 
    "in_reply_to_user_id": "", 
    "source": "<a href=\"http://open.t.sina.com.cn\" rel=\"nofollow\">\u5fae\u535a\u5f00\u653e\u5e73\u53f0\u63a5\u53e3</a>", 
    "text": "\u901a\u8fc7OAuth\u53d1\u9001\u5fae\u535a\u4fe1\u606f", 
    "truncated": false, 
    "user": {
        "allow_all_act_msg": false, 
        "city": "8", 
        "created_at": "Fri Aug 28 00:00:00 +0800 2009", 
        "description": "Blogger\uff0c\u82f9\u679c\u8ff7\uff0cGoogle\u7c89\u3002", 
        "domain": "westy", 
        "favourites_count": 1, 
        "followers_count": 83, 
        "following": false, 
        "friends_count": 56, 
        "gender": "m", 
        "geo_enabled": true, 
        "id": 1642466141, 
        "location": "\u5317\u4eac \u6d77\u6dc0\u533a", 
        "name": "huchao", 
        "profile_image_url": "http://tp2.sinaimg.cn/1642466141/50/1285424071", 
        "province": "11", 
        "screen_name": "huchao", 
        "statuses_count": 209, 
        "url": "http://tuoniao.org", 
        "verified": false
    }
}

OAuth libraries and resources

ActionScript/Flash
oauth-as3 http://code.google.com/p/oauth-as3/
A flex oauth client http://www.arcgis.com/home/item.html?id=ff6ffa302ad04a7194999f2ad08250d7
C/C++
QTweetLib http://github.com/minimoog/QTweetLib
libOAuth http://liboauth.sourceforge.net/
Clojure
clj-oauth http://github.com/mattrepl/clj-oauth
.NET
oauth-dot-net http://code.google.com/p/oauth-dot-net/
DotNetOpenAuth http://www.dotnetopenauth.net/
Erlang
erlang-oauth http://github.com/tim/erlang-oauth
Java
Scribe http://github.com/fernandezpablo85/scribe-java
oauth-signpost http://code.google.com/p/oauth-signpost/
JavaScript
oauth in js http://oauth.googlecode.com/svn/code/javascript/
Objective-C/Cocoa & iPhone programming
OAuthCore http://bitbucket.org/atebits/oauthcore
MPOAuthConnection http://code.google.com/p/mpoauthconnection/
Objective-C OAuth http://oauth.googlecode.com/svn/code/obj-c/
Perl
Net::OAuth http://oauth.googlecode.com/svn/code/perl/
PHP
tmhOAuth http://github.com/themattharris/tmhOAuth
oauth-php http://code.google.com/p/oauth-php/
Python
python-oauth2 http://github.com/brosner/python-oauth2
Qt
qOauth http://github.com/ayoy/qoauth
Ruby
OAuth Ruby gem http://oauth.rubyforge.org/
Scala
DataBinder Dispatch http://dispatch.databinder.net/About
Document last updated: 2011-01-21