Spring Security (9): OAuth2.0 protocol

The previous articles explained login authentication with a user name or an SMS code. This section starts on the login method of third-party authorized authentication. Before learning authorized login, you have to learn the relevant knowledge of the OAuth2.0 protocol. Let's take a look.

What is OAuth2.0?

Encyclopedia interpretation

  • OAuth (Open Authorization) is an open standard that allows a user to let a third-party application access the user's private resources (such as photos, videos and contact lists) stored on a certain website, without giving the user name and password to the third-party application. OAuth2.0 is the successor version of the OAuth protocol, but it is not backward compatible with OAuth 1.0; that is, OAuth 1.0 is completely abolished.

Application scenarios

  • Third-party application authorized login : when an app or web page accesses some third-party applications, there are many authorized-login buttons, such as QQ, Weibo and WeChat authorized login.
  • Native app authorization : the app logs in by requesting a back-end interface. For security authentication, every request carries token information, and then login verification and requests for back-end data are performed.
  • Front-end and back-end separation single-page application : in a front-end/back-end separation framework, the front end requests back-end data and performs OAuth2.0 security authentication, for example applications developed with Vue, React or H5, such as mini programs.

Various roles and responsibilities in the OAuth protocol

  • Provider : provides authorization grants, access tokens, etc.
  • Resource Owner : the owner of information such as user name, nickname and avatar, that is, the user, who can agree to or refuse authorization.
  • Third-party application (Client) : for example, a blog that wants to turn WeChat users into its own users needs WeChat to authorize the blog.
  • Authentication server (Authorization Server) : belongs to the service provider; its main responsibility is to authenticate the user's identity and issue tokens.
  • Resource Server : one function is to store user resources, for example the user information above, and the other is to verify the validity of tokens.

OAuth protocol flow

  • Flow chart explanation : (flow chart image not reproduced)
  • Process description : first the user accesses the third-party application, and the application asks the user whether to authorize it. After the user agrees, the third-party application accesses the service provider's authentication server and tells it: the user has agreed to let me access your resource data, please give me a token. The authentication server verifies whether the third-party application is telling the truth, that is, whether the user really agreed to the third party's access. If so, the authentication server issues a token to the third-party application. With the token, the third-party application can apply to the resource server for resources; the resource server verifies the validity of the token and, once confirmed, opens the resources to the third-party application. For different scenarios, the OAuth protocol defines a total of four authorization modes, as follows.

Four authorization modes of OAuth2.0

Authorization code mode (authorization code)

  • Note : Of the four modes, the authorization code mode is the most complete in function and the strictest in process. All the providers you can see on the Internet, Weibo, WeChat, QQ, Baidu, etc., use the authorization code mode to complete the OAuth process.
  • Flow chart explanation : (authorization code mode flow chart image not reproduced)
  • Process description : first the user accesses the client. If the third-party application needs the user's authorization, it redirects the user to the authentication server, and the act of agreeing to authorize is completed on the authentication server. If the user agrees, the user is redirected back to the third-party application, carrying an authorization code (note: this is not a token); the address redirected to is agreed in advance between the third-party application and the authentication server. After receiving the authorization code, the third-party application takes the code to the authentication server to apply for a token. This step is completed on the client's server and is invisible to the user. The authentication server then checks whether the code sent over is the authorization code it issued in the third step, and once confirmed it sends the client the final access token, i.e. the Token. This is the main process of the authorization code mode.
  • Feature 1 : Unlike the other three modes, the act of the user agreeing to authorize is completed on the authentication server; in the other modes it is completed on the third-party application. After it completes on the third-party application, the third-party application brings some information to the authentication server and tells it that the user has authorized me and agreed to my access. At this point the authentication server cannot determine whether the user really authorized it; the authorization information could have been forged by the third-party application. In the authorization code mode, the act of agreeing is completed on the authentication server, so it knows for certain that the user has indeed agreed to the authorization.
  • Feature 2 : After the user agrees to the authorization, what is returned to the third party is not the final token but an authorization code. After receiving the authorization code, the third-party application sends a request to the authentication server to exchange the authorization code for the real token.
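The authorization code flow described above, as an added example that is not part of the original article or of Spring Security: a small in-process simulation in which method calls stand in for the HTTP redirects and POSTs. The class names, the client id "blog-app", its secret, the redirect URI and the user "alice" are all constructed for illustration. The points the article makes are visible in the code: consent happens on the authorization server, the front channel carries only a code, the client's own server exchanges it on the back channel while authenticating itself, the server checks that the code is one it issued (and to that client, for that redirect URI) and accepts it only once, and the resource server verifies the token before releasing the profile.

```python
"""Simulation of the OAuth 2.0 authorization code flow (constructed example)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID, CLIENT_SECRET = "blog-app", "s3cret-constructed"   # constructed values
REDIRECT_URI = "https://blog.example/callback"                # constructed value


class AuthorizationServer:
    """Service provider side: authenticates the user, issues codes and tokens."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret", "redirect_uri"}, fixed at registration
        self.codes = {}         # code -> (client_id, redirect_uri, user); redeemable once
        self.tokens = {}        # access_token -> (user, expires_at)

    def authorize(self, client_id, redirect_uri, state, user, consent):
        """Front channel: the user agrees or refuses here, on the authorization server."""
        reg = self.clients.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)  # an authorization code, not yet a token
        self.codes[code] = (client_id, redirect_uri, user)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client's own server trades the code for a token."""
        reg = self.clients.get(client_id)
        if reg is None or not secrets.compare_digest(reg["secret"], client_secret):
            raise PermissionError("invalid_client")
        issued = self.codes.pop(code, None)  # pop: redeeming the same code again fails
        if issued is None or issued[0] != client_id or issued[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (issued[2], time.time() + 3600)
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, access_token):
        """Lets the resource server verify a token; returns the owner or None."""
        entry = self.tokens.get(access_token)
        return None if entry is None or entry[1] < time.time() else entry[0]


class ResourceServer:
    """Stores user resources and verifies every token before releasing them."""

    def __init__(self, auth_server, profiles):
        self.auth_server, self.profiles = auth_server, profiles

    def get_profile(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        user = self.auth_server.introspect(token) if scheme == "Bearer" else None
        if user is None:
            raise PermissionError("invalid_token")
        return self.profiles[user]


class Client:
    """The third-party application (a blog, say) that wants the user's profile."""

    def __init__(self, auth_server):
        self.auth_server, self.pending_states = auth_server, set()

    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the callback to a login we started
        self.pending_states.add(state)
        return state

    def handle_redirect(self, redirect_url):
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if params.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: callback does not belong to a pending login")
        self.pending_states.discard(params["state"])
        if "error" in params:
            raise PermissionError(params["error"])
        return self.auth_server.token(CLIENT_ID, CLIENT_SECRET, params["code"], REDIRECT_URI)


def run_flow(consent=True):
    """Runs the whole exchange; returns (auth_server, redirect_url, profile)."""
    auth = AuthorizationServer({CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}})
    rs = ResourceServer(auth, {"alice": {"nickname": "Alice", "avatar": "alice.png"}})  # constructed
    client = Client(auth)
    state = client.start_login()
    redirect_url = auth.authorize(CLIENT_ID, REDIRECT_URI, state, "alice", consent)
    tok = client.handle_redirect(redirect_url)
    return auth, redirect_url, rs.get_profile("Bearer " + tok["access_token"])


def code_is_single_use():
    """Redeeming an already-used authorization code must be refused."""
    auth, redirect_url, _ = run_flow()
    code = parse_qs(urlparse(redirect_url).query)["code"][0]
    try:
        auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    except PermissionError:
        return True
    return False


def denied_consent_yields_no_token():
    """If the user refuses on the authorization server, the client gets no token."""
    try:
        run_flow(consent=False)
    except PermissionError as exc:
        return str(exc) == "access_denied"
    return False
```

`run_flow()` returns the profile released by the resource server; `code_is_single_use()` shows that the same code cannot be exchanged twice, and `denied_consent_yields_no_token()` shows the refusal path. In a real deployment the `token` call is an HTTPS POST from the client's server, which is why the client secret never appears in the browser.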

Simplified mode (implicit)

  • Some third-party websites do not have a dedicated server. In this case the simplified mode can be used, that is, when returning from the authentication server to the third-party application, what is carried is directly the token. Refresh tokens are not supported, and the token is easily leaked through interception and eavesdropping, so the authorization code mode is more secure.

Password mode (resource owner password credentials)

  • The user provides the user name and password to the client, which sends them to the authentication server as the authorization grant to request a token; the authentication server confirms they are correct and then provides an access token to the client. Generally, refresh tokens are not supported.

Client credentials

  • The client authenticates itself to the authentication server and requests an access token, and the authentication server provides an access token to the client.

Origin blog.csdn.net/qq_36221788/article/details/106367524