ren*_*teg 5 iphone objective-c nsurlconnection oauth-2.0
我正在努力获取Quizlet上的访问令牌(oauth2).到目前为止一切正常,我可以让用户在Quizlet上接受我的应用程序,重定向,但是当通过NSURLConnection请求访问令牌时,我总是会收到以下错误:
2013-08-17 09:39:33.422 Abiliator [49549:c07]以字符串格式返回数据:{"http_code":400,"error":"invalid_request","error_title":"Not Allowed","error_description": "无效的grant_type参数或参数缺失"}
这里是用户身份验证的代码(必须根据规范通过浏览器):
- (void) authenticateQuizletUser
{
NSString *quizletRandomString = [abiliatorAppDelegate GetUUID];
NSString *authURLString = [@"https://quizlet.com/authorize/?response_type=code&client_id=" stringByAppendingString:@"<myID>&scope=read"];
authURLString = [authURLString stringByAppendingString:@"&state="];
authURLString = [authURLString stringByAppendingString:quizletRandomString];
authURLString = [authURLString stringByAppendingString:@"&redirect_uri=Abiliator://after_oauth"];
NSLog(@"Authentication URL sent: %@", authURLString);
[[UIApplication sharedApplication] openURL:[NSURL URLWithString: authURLString]];
}
正如我所提到的,这很好.该应用程序启动Safari,用户必须确认请求输入用户ID和密码,服务器重定向到我的应用程序,我在下面的方法中捕获,然后抛出所描述的错误.
- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url {
if (!url) { return NO; }
NSString *URLString = [url absoluteString];
NSLog(@"Received URL: %@", URLString);
NSString *myURLQuery = [url query];
NSString *myAuthCode = [self getAuthorizationCodeFromURL:myURLQuery];
NSLog(@"Component1: %@", myAuthCode);
NSString *authPasswd = @"myPasswd";
NSString *username=@"myUserName";
NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://api.quizlet.com/oauth/token"]];
request.HTTPMethod = @"POST";
[request setValue:@"application/x-www-form-urlencoded; charset=UTF-8" forHTTPHeaderField:@"Content-Type"];
[request setValue:@"Abiliator://after_oauth" forHTTPHeaderField:@"redirect_uri"];
// According to Quizlet API doc: You must set this (grant_type) to the string "authorization_code".
[request setValue:@"authorization_code" forHTTPHeaderField:@"grant_type"];
[request setValue:myAuthCode forHTTPHeaderField:@"code"];
NSString *authStr = [NSString stringWithFormat:@"%@:%@", username, authPasswd];
NSData *authData = [authStr dataUsingEncoding:NSASCIIStringEncoding];
NSString *authValue = [NSString stringWithFormat:@"Basic %@", [authData base64EncodedString]];
[request setValue:authValue forHTTPHeaderField:@"Authorization"];
NSURLConnection *conn = [[NSURLConnection alloc] initWithRequest:request delegate:self];
return YES; }
任何帮助高兴地赞赏.
OAuth2定义了 4 种获取访问令牌的方法。最安全和最复杂的是Quizlet 使用的授权代码授予,如下所述。
授权码授予包括两个步骤:
你第一个电话就打对了。第二次调用的问题是您将grant_type参数放在请求的错误位置。在这一行中,您将其视为 HTTP 标头:
[request setValue:@"authorization_code" forHTTPHeaderField:@"grant_type"];
在这里,您还将授权代码视为 HTTP 标头:
[request setValue:myAuthCode forHTTPHeaderField:@"code"];
但 OAuth2 要求您将两者都放入请求正文中。以下是正确请求的示例:
POST /oauth/token/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 999
Authorization: Basic xxx
grant_type=authorization_code&code=theCodeYouGotInTheFirstStep&
scope=somescope&redirect_uri=theSameUriYouIncludedEarlier
(空行下面的内容是您的请求的正文)
(我在正文中添加换行符只是为了便于阅读 - 您不能将其包含在请求中)
额外答案:请记住,OAuth2 默认情况下是不安全的:如果您不做一些额外的工作,您的应用程序很容易受到跨站点请求伪造攻击,甚至在 OAuth2 RFC 中也提到过。为了防止这种情况,OAuth2 为您提供了state参数。您必须为您生成一个不可猜测的值state并将其包含在第一个请求中。state如果服务器返回的请求与您之前生成的不同,则不得触发第二个请求。