doudou8081 2013-04-25 20:09
浏览 42
已采纳

OAuth / Twitteroauth库和授权标头

I am trying to better understand OAuth by experimenting with the twitteroauth php library.

It is my understanding that the way to authenticate over OAuth is to make use of an 'Authorize' header when using cUrl. However, examining the source for the twitteroauth library, I can see that the header is set as so for post requests:

 curl_setopt($ci, CURLOPT_HTTPHEADER, array('Expect:'));

And the parameters that should be set in the 'Authorize' header are actually being set in the post body instead in the line:

 curl_setopt($ci, CURLOPT_POSTFIELDS, $postfields);

What is the reason for it being done this way? When in the twitter API guidelines is specifies the following implementation for the header:

POST /1/statuses/update.json?include_entities=true HTTP/1.1
Accept: */*
Connection: close
User-Agent: OAuth gem v0.4.4
Content-Type: application/x-www-form-urlencoded
Authorization: 
        OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog", 
              oauth_nonce="kYjzVBB8Y0ZFabxSWbWovY3uYSQ2pTgmZeNu2VS4cg", 
              oauth_signature="tnnArxj06cWHq44gCs1OSKk%2FjLY%3D", 
              oauth_signature_method="HMAC-SHA1", 
              oauth_timestamp="1318622958", 
              oauth_token="370773112-GmHxMAgYyLbNEtIKZeRNFsMKPR9EyMZeS9weJAEb", 
              oauth_version="1.0"
Content-Length: 76
Host: api.twitter.com

status=Hello%20Ladies%20%2b%20Gentlemen%2c%20a%20signed%20OAuth%20request%21
  • 写回答

1条回答 默认 最新

  • doushao6874 2013-04-28 20:51
    关注

    A client may add the HTTP Expect header to tell the server "hey, I expect you to behave in a certain way". For some reason, Twitter's implementation wants you to expect nothing. I ran into this with my own home-grown implementation. I'm not sure why Twitter wants this header.

    You may present your credentials and signature in the POST variables, or in the header. Both will work as long as the correct variables are set (oauth_consumer_key, oauth_nonce, oauth_signature, oauth_signature_method, oauth_timestamp, and oauth_token).

    I find setting the Authorization header to be cleaner because it does not depend upon the request method (GET, POST, PUT, etc). But Twitter handles both cases perfectly fine. If that's how they implemented it in their library, so be it.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 iqoo11 如何下载安装工程模式
  • ¥15 flask项目,怎么使用AJAX传数据库数据到echarts图表的data里,实现异步加载数据。
  • ¥15 本题的答案是不是有问题
  • ¥15 关于#r语言#的问题:(svydesign)为什么在一个大的数据集中抽取了一个小数据集
  • ¥15 C++使用Gunplot
  • ¥15 这个电路是如何实现路灯控制器的,原理是什么,怎么求解灯亮起后熄灭的时间如图?
  • ¥15 matlab数字图像处理频率域滤波
  • ¥15 在abaqus做了二维正交切削模型,给刀具添加了超声振动条件后输出切削力为什么比普通切削增大这么多
  • ¥15 ELGamal和paillier计算效率谁快?
  • ¥15 蓝桥杯单片机第十三届第一场,整点继电器吸合,5s后断开出现了问题