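This document explains the OAuth authentication process from the point of view of the OAuth protocol. It is based on Appendix A - Protocol Example of the OAuth specification.
Each step follows the flow diagram shown below, so reading the text alongside the diagram will make it easier to understand.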

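* The steps A, B, C... shown in this picture are not related to the steps below.
In this example, the Service Provider photos.example.net is a photo sharing website, and the Consumer printer.example.com is a photo printing website. Jane is the User, and she will use the printer.example.com service to print the private photo vacation.jpg stored at photos.example.net.
When Jane logs in to photos.example.net with her username and password, she can access her photo at the URL http://photos.example.net/photo?file=vacation.jpg. Other users cannot access that photo, and Jane does not want to share her username and password with printer.example.com.
The requests in this example send their parameters using the URL query method. This is done only to keep the example simple, and should not be read as favoring one method over another.
The Service Provider documentation explains how to register for a Consumer Key and Consumer Secret, and must declare the following URLs: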
- Request Token URL: https://photos.example.net/request_token, using HTTP POST
- User Authorization URL: http://photos.example.net/authorize, using HTTP GET
- Access Token URL: https://photos.example.net/access_token, using HTTP POST
- Photo (Protected Resource) URL: http://photos.example.net/photo, sent with the file parameter and the (optional) size parameter
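The Service Provider states that it supports the HMAC-SHA1 signature method for all requests, and that PLAINTEXT may be used only for secure (HTTPS) requests.
The Consumer printer.example.com has already been issued a Consumer Key and Consumer Secret by photos.example.net, and states that the photos to be printed are stored at photos.example.net. Registering as a Consumer yields the following values: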
- Consumer Key: dpf43f3p2l4k3l03
- Consumer Secret: kd94hf93k423kf44
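When Jane tells printer.example.com that she wants to print her vacation photo stored at photos.example.net, the printing website tries to access the photo and, because the photo is private, receives an HTTP 401 Unauthorized message. The Service Provider includes the following header with the response: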
WWW-Authenticate: OAuth realm="http://photos.example.net/"
The Consumer must send the following HTTP POST request to the Service Provider:
https://photos.example.net/request_token?oauth_consumer_key=dpf43f3p2l4k3l03&oauth_signature_method=PLAINTEXT&oauth_signature=kd94hf93k423kf44%26&oauth_timestamp=1191242090&oauth_nonce=hsu94j3884jdopsl&oauth_version=1.0
The Service Provider checks the signature and replies with an unauthorized Request Token in the body of the HTTP response:
oauth_token=hh5s93j4hdidpola&oauth_token_secret=hdhd0244k9j7ao03
To obtain approval for access to Jane's private photo, the Consumer redirects her browser to the Service Provider's Authorization URL:
http://photos.example.net/authorize?oauth_token=hh5s93j4hdidpola&oauth_callback=http%3A%2F%2Fprinter.example.com%2Frequest_token_ready
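The Service Provider asks Jane to log in with her username and password and, once she has logged in successfully, asks whether she wants to grant printer.example.com access to her private photos. If Jane approves the request, the Service Provider redirects her to the Consumer's callback URL: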
http://printer.example.com/request_token_ready?oauth_token=hh5s93j4hdidpola
The Consumer now knows that Jane has approved the Request Token, and asks the Service Provider to exchange it for an Access Token:
https://photos.example.net/access_token?oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=hh5s93j4hdidpola&oauth_signature_method=PLAINTEXT&oauth_signature=kd94hf93k423kf44%26hdhd0244k9j7ao03&oauth_timestamp=1191242092&oauth_nonce=dji430splmx33448&oauth_version=1.0
The Service Provider checks the signature and returns the Access Token in the body of the HTTP response:
oauth_token=nnch734d00sl2jdk&oauth_token_secret=pfkkdhi9sl3r4s00
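The Consumer is now ready to request the private photo. If the photo URL is not HTTPS, HMAC-SHA1 must be used.
To generate the signature, the Signature Base String must be generated first. The request contains the following parameters (excluding oauth_signature), which are ordered and concatenated into a normalized string.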
- oauth_consumer_key: dpf43f3p2l4k3l03
- oauth_token: nnch734d00sl2jdk
- oauth_signature_method: HMAC-SHA1
- oauth_timestamp: 1191242096
- oauth_nonce: kllo9940pd9333jh
- oauth_version: 1.0
- file: vacation.jpg
- size: original
The following are used to generate the Signature Base String.
The Signature Base String is:
GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal
HMAC-SHA1 takes the Signature Base String as the text and kd94hf93k423kf44&pfkkdhi9sl3r4s00 (Consumer Secret & Access Token Secret) as the key, and produces the following value as a base64-encoded string:
tR3+Ty81lMeYAr/Fid0kMTYa/WM=
Putting it together, the Consumer's request for the photo is:
http://photos.example.net/photos?file=vacation.jpg&size=original
Authorization: OAuth realm="http://photos.example.net/",
oauth_consumer_key="dpf43f3p2l4k3l03",
oauth_token="nnch734d00sl2jdk",
oauth_signature_method="HMAC-SHA1",
oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D",
oauth_timestamp="1191242096",
oauth_nonce="kllo9940pd9333jh",
oauth_version="1.0"
If query parameters are used instead:
http://photos.example.net/photos?file=vacation.jpg&size=original&oauth_consumer_key=dpf43f3p2l4k3l03&oauth_token=nnch734d00sl2jdk&oauth_signature_method=HMAC-SHA1&oauth_signature=tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D&oauth_timestamp=1191242096&oauth_nonce=kllo9940pd9333jh&oauth_version=1.0
photos.example.net checks the signature and then returns the requested photo in the response.