One article is enough to understand OAuth 2.0

OAuth 2.0 is currently the most popular authorization mechanism. It is used to let third-party applications obtain user data with the user's consent.

The standard is fairly abstract and uses a lot of terminology, which makes it hard for beginners to follow. In fact, it is not complicated. I will use a simple analogy to help you understand what OAuth 2.0 is.

1. The courier problem

I live in a large residential community. The community has an access control system, and a password is required to enter.

I often shop online and order takeout, so a courier comes to deliver packages every day. I must find a way to let the courier get through the access control system.

If I tell the courier my password, he has the same permissions as I do, which seems inappropriate. And if I later want to revoke his right to enter the community, that is also troublesome: I have to change my own password and notify all the other couriers.

Is there a way for the courier to enter the community freely without knowing a resident's password, such that his only authority is to deliver packages and he has no authority anywhere else a password is required?

2. Design of authorization mechanism

So I designed an authorization mechanism.

The first step is to add a button under the keypad of the access control system labelled "Get Authorization". The courier must first press this button to request authorization.

In the second step, after he presses the button, a dialog box pops up on the homeowner's (that is, my) phone: someone is requesting authorization. The system also shows the courier's name, employee number, and courier company.

I confirm that the request is genuine, click the button, and tell the access control system that I agree to grant him authorization to enter the community.

In the third step, once the access control system has my confirmation, it shows the courier an access token for entering the community. A token is a string of numbers, similar to a password, that is valid only for a short period (for example, seven days).

In the fourth step, the courier enters the token into the access control system and enters the community.

Someone may ask: why not simply open the door for the courier remotely instead of generating a token just for him? Because the courier may deliver every day, and he can reuse the token the next day. In addition, some communities have several gates, and the courier can pass through all of them with the same token.

3. The Internet scene

Move the above example onto the Internet and you have the design of OAuth.

First, the residential community is a network service that stores user data. For example, WeChat stores my friends' information; to obtain that information, one must go through WeChat's "access control system".

Second, the courier (or courier company) is a third-party application that wants to pass through the access control system and enter the community.

Finally, I am the user, and I agree to authorize the third-party application to enter the community and obtain my data.

Simply put, OAuth is an authorization mechanism. The owner of the data tells the system that they agree to let a third-party application enter the system and obtain this data. The system then generates a short-term entry token, which the third-party application uses in place of a password.

4. Token and password

A token and a password play the same role: both let the holder enter the system. But there are three differences.

(1) A token is short-term: it automatically becomes invalid when it expires, and the user cannot change that. A password is generally valid for a long time and stays the same unless the user changes it.

(2) A token can be revoked by the data owner and becomes invalid immediately. In the example above, the homeowner can cancel the courier's token at any time. A password generally cannot be revoked by someone else.

(3) A token has a scope; for example, it may only open the second gate of the community. For network services, a read-only token is safer than a read-write token. A password generally carries full authority.

This design ensures that a token not only lets a third-party application obtain permissions, but also remains controllable at any time without endangering the security of the system. This is the advantage of OAuth 2.0.

Note that whoever knows the token can enter the system. The system generally does not re-verify the holder's identity, so the token must be kept secret. The consequences of leaking a token are the same as those of leaking a password. This is why the validity period of a token is generally set very short.
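To make the four-step flow and the three token/password differences concrete, here is an added toy model (not code from the original article): an "access control system" that issues the courier a short-lived, scoped, revocable bearer token and checks it at the gate. The class and method names, the courier, and the scope names are all constructed for this illustration; the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time

# Added illustration of the article's courier analogy, not code from the
# article itself. Names and values are constructed; the clock is injectable.


class AccessControl:
    def __init__(self, owner_password, ttl_seconds=7 * 24 * 3600, clock=None):
        self._owner_password = owner_password
        self._ttl = ttl_seconds          # token lifetime (article: seven days)
        self._clock = clock or time.time
        self._tokens = {}                # token -> {courier, scope, expires, revoked}

    def request_authorization(self, courier, scope, owner_approves):
        # Steps 1-2: courier presses "Get Authorization"; the owner is shown who
        # is asking and for what, and decides. No consent, no token.
        if not owner_approves(courier, set(scope)):
            return None
        # Step 3: issue a random token bound to the approved scope and a short
        # validity period. The courier never learns the owner's password.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "courier": courier,
            "scope": set(scope),
            "expires": self._clock() + self._ttl,
            "revoked": False,
        }
        return token

    def revoke(self, token):
        # Difference (2): the owner can cancel the courier's token at any time.
        if token in self._tokens:
            self._tokens[token]["revoked"] = True

    def check_token(self, token, needed_scope):
        # Step 4: the gate checks only the token; it does not re-verify who is
        # holding it (a bearer token), so a leaked token is as bad as a leaked
        # password until it expires or is revoked.
        rec = self._tokens.get(token)
        if rec is None or rec["revoked"]:
            return False
        if self._clock() >= rec["expires"]:      # difference (1): expiry
            return False
        return needed_scope in rec["scope"]      # difference (3): scope

    def check_password(self, password):
        # A password has no scope and no expiry: full authority.
        return secrets.compare_digest(password, self._owner_password)
```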

OAuth 2.0 provides very detailed rules on how to issue tokens.

Specifically, there are four authorization grant types, that is, four ways of issuing tokens, each suited to a different Internet scenario.

Origin blog.csdn.net/nanhuaibeian/article/details/108513982