Question

我正在创建一个应用程序，以便使用OAuth从Fitbit.com获取信息。

protected void btnConnect_Click(object sender, EventArgs e)
    {
        // Create OAuthService object, containing oauth consumer configuration
        OAuthService service = OAuthService.Create(
            new EndPoint(RequestTokenUrl, "POST"),         // requestTokenEndPoint
            new Uri(AuthorizationUrl),                     // authorizationUri
            new EndPoint(AccessTokenUrl, "POST"),          // accessTokenEndPoint
            true,                                          // useAuthorizationHeader
            "http://app.fitbit.com",                       // realm
            "HMAC-SHA1",                                   // signatureMethod
            "1.0",                                         // oauthVersion
            new OAuthConsumer(ConsumerKey, ConsumerSecret) // consumer
            );

        try
        {
            var personRepository = new PersonRepository();

            var person = personRepository.GetPersonById(int.Parse(personSelect.SelectedItem.Value));



            OAuthRequest request = OAuthRequest.Create(
                new EndPoint(ProfileUrl, "GET"),
                service,
                this.Context.Request.Url,
                //this.Context.Session.SessionID);
                person.FitbitAuthAccessToken,
                );

            request.VerificationHandler = AspNetOAuthRequest.HandleVerification;

            OAuthResponse response = request.GetResource();

            // Check if OAuthResponse object has protected resource
            if (!response.HasProtectedResource)
            {
                var token = new OAuthToken(TokenType.Request, person.FitbitAuthAccessToken,
                    person.FitbitAuthSecret, ConsumerKey);
                // If not we are not authorized yet, build authorization URL and redirect to it
                string authorizationUrl = service.BuildAuthorizationUrl(response.Token).AbsoluteUri;
                Response.Redirect(authorizationUrl);
            }


            person.FitbitAuthAccessToken = response.Token.Token;
            person.FitbitAuthSecret = response.Token.Secret;
            person.PersonEncodedId = Doc["result"]["user"]["encodedId"].InnerText;
            personRepository.Update(person);

            // Store the access token in session variable
            Session["access_token"] = response.Token;
        }
        catch (WebException ex)
        {
            Response.Write(ex.Message);
            Response.Close();
        }
        catch (OAuthRequestException ex)
        {
            Response.Write(ex.Message);
            Response.Close();
        }
    }

我在数据库中保存Fitbit Access Token和Secret。
如何只使用Access令牌和机密获取信息，而无需每次都进行授权？

Answer 1

这将假设FitBit api足够强大，不会每次都要求身份验证。我已经看到API实现了OAuth，你有一个身份验证过程，然后从那里你的大多数调用只需要AccessToken或秘密。我会看一下服务的方法签名，看看他们需要什么类型的参数。

Answer 2

如果您查看有关身份验证和访问资源的FitBit API，您将看到您只需要请求您感兴趣的数据，并在oAuth标头中添加访问令牌。以下是它的外观（来自API页面）：

GET /1/user/-/activities/date/2010-04-02.json HTTP/1.1
Host: api.fitbit.com
Authorization: OAuth realm="api.fitbit.com",
oauth_consumer_key="fitbit-example-client-application",
oauth_token="8d3221fb072f31b5ef1b3bcfc5d8a27a",
oauth_signature_method="HMAC-SHA1",
oauth_timestamp="1270248088",
oauth_nonce="515379974",
oauth_signature="Gf5NUq1Pvg3DrtxHJyVaMXq4Foo%3D"
oauth_version="1.0"`

基本签名字符串如下所示：

GET&http%3A%2F%2Fapi.fitbit.com%2F1%2Fuser%2F-%2Factivities%2Fdate%2F2010-04-02.json&oauth_consumer_key%3Dfitbit-example-client-application%26oauth_nonce%3D515379974%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1270248088%26oauth_token%3D8d3221fb072f31b5ef1b3bcfc5d8a27a%26oauth_version%3D1.0

Answer 3

我想我会提供我的VerifyAuthenticationCore，它是我的FitbitClient的一部分，它继承自OAuthClient。我花了一段时间才开始工作，但是当我创建Web请求时，我发现我缺少HttpDeliveryMethods.AuthorizationHeaderRequest。添加此项允许调用停止返回错误请求（400）错误消息。

以下代码基本上使用用户ID和访问令牌来获取用户个人资料信息。所有通话都应该以这种方式工作。您需要做的就是更改网址并提供ID和令牌。

protected override AuthenticationResult VerifyAuthenticationCore(AuthorizedTokenResponse response)
    {
        string username;
        var accessToken = response.AccessToken;
        var userId = response.ExtraData["encoded_user_id"];
        var httpWebRequest = WebWorker.PrepareAuthorizedRequest(new MessageReceivingEndpoint(new Uri("http://api.fitbit.com/1/user/" + userId + "/profile.json"), HttpDeliveryMethods.AuthorizationHeaderRequest | HttpDeliveryMethods.GetRequest), accessToken);
        var dictionary = new Dictionary<string, string>();
        dictionary.Add("accesstoken", accessToken);
        dictionary.Add("link", "http://www.fitbit.com/user/" + userId);

        using (var webResponse = httpWebRequest.GetResponse())
        {
            using (var stream = webResponse.GetResponseStream())
            using (var reader = new StreamReader(stream))
            {
                var profile = JObject.Parse(reader.ReadToEnd())["user"];
                dictionary.AddItemIfNotEmpty("name", profile["displayName"]);
                dictionary.AddItemIfNotEmpty("pictureUrl", profile["avatar"]);
                username = dictionary["name"];
            }
        }

        return new AuthenticationResult(true, ProviderName, userId, username, dictionary);
    }

使用令牌获取信息。 OAuth的

3 个答案: