From password to token, an authorization story

1. I entrust my password to you

Xiao Liang has developed a "credit card butler" program that automatically reads credit-card-related emails from a mailbox, analyzes and summarizes them, and produces a report.

Xiao Liang found the credit card expert Zhang Dapang to try it out: "You have so many credit cards. Check out my program. You will surely love it."

Zhang Dapang tried it a few times and said, "Hey, your program needs to read my NetEase mailbox, so it needs my username and password."

"Yes, you just need to enter the password into the program. My program will encrypt and store it for you to ensure that it will not be leaked."

"Come on, I won't tell you my password. To make them easy to remember, I use the same password everywhere. If it leaks, it's all over."

Xiao Liang said: "Then let's do this: I won't save it. I will use it once when accessing the mailbox and throw it away afterwards!"

"You think you're Alibaba? They have credibility to back them up. You are just a small website. Handing my password to you always feels unsafe. Even if I trust you, can others trust you?"

Xiao Liang thought about it too: this is a huge psychological barrier; everyone defends their password to the death.


2. Token

After a week, Xiao Liang happily took Zhang Dapang to see the upgraded version of the "credit card butler".

"It's upgraded to 2.0. This time I don't need to ask for the username and password of your NetEase mailbox."

"Then how do you access my mailbox?"

"It's very simple. I have provided a new entrance: log in with a NetEase account. After you click it, you are actually redirected to NetEase's authentication system to log in. NetEase's authentication system will ask you to enter your username and password, and ask you whether to allow the credit card butler to access your NetEase mailbox. After you confirm, you are redirected to my 'credit card butler' website again, bringing a 'token' to me. I can use this token to access the NetEase mailbox through the API. During the whole process, I never touch your username and password. How about it, are you satisfied now?"

"You make it sound easy. Your credit card butler is a small website without any reputation. How can NetEase trust your website?"

"Of course I have to register with NetEase first. They will issue me an app_id and app_secret. When I redirect to NetEase, I need to send these along, so that NetEase knows that the application 'credit card butler' is applying for authorization."

(figure not included)

Zhang Dapang said: "You redirect here and there, but isn't it actually just to get a token?"

"Yeah. Because you don't trust my credit card butler and won't let it save your password, I have to use the token approach. The token is issued by the NetEase authentication center and actually represents your authorization for the credit card butler to access the mailbox. So with this token, your mailbox can be accessed."

"That's right," Zhang Dapang asked, "but why do you use JavaScript to read the token?"

"This way my back-end server does not need to participate; the work is done on the front end. Have you noticed the # in that URL? www.a.com/callback#token=<Token returned by NetEase>"

Zhang Dapang said: "I know, this thing is called a hash fragment. It only stays on the browser side, only JavaScript can access it, and it will not be sent to any server through another HTTP request. I think this is to improve security."

Xiao Liang said: "Yes, that token is very, very important. It must be stored properly and cannot be leaked!"

"But through the redirection in step 6, this token was sent to my browser in plain text. Even though it is HTTPS and won't be stolen in transit, couldn't it be exposed in the browser history or an access log?"

Xiao Liang said: "This... I said you guys have a strong sense of security. Let me think about whether there is a safer way."


3. Authorization Code + Token

Another week later, Xiao Liang successfully upgraded the credit card butler to 3.0.

He said to Zhang Dapang: "This time I have successfully concealed the very important authorization token. Would you like to take a look?"

"First tell me how you hide it."

"In fact, the overall idea is similar to the previous one, except that I introduced an intermediate layer called the authorization code. When you log in with a NetEase account, the NetEase authentication center this time does not send me a token directly, but an authorization code. After my credit card butler server gets this code, it visits the NetEase authentication center again in the background, and this time it sends me the real token. Let's go directly to the picture:"

(figure not included)

Zhang Dapang said: "That's easier to understand. In essence, you take the returned authorization code and 'secretly' complete the process of applying for the token in the server background, so the browser cannot access the token at all, right?"

"What do you mean, secretly? This is normal communication between my credit card butler server and NetEase; you just can't see it."

"Just kidding. Although you hide the token, the authorization code is indeed exposed. Look at step 7: I can see it in the browser in plain text. If someone obtains it, can't they get the same token?"

Xiao Liang said: "We have defensive measures, of course. For example, this authorization code is associated with the app_id and app_secret that my credit card butler registered; only a token request issued by the credit card butler will be considered legitimate by the NetEase authentication center. The authorization code can also be time-limited, for example expiring in 5 minutes, and it can only be exchanged for a token once, not a second time."
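The three defences Xiao Liang just listed (a code bound to the registered app_id/app_secret and callback, a 5-minute lifetime, and single use) as an added Python sketch of the authorization server's side of the exchange; this is illustrative code written for this story, not NetEase's or any real library's implementation, and the class, method and parameter names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_LIFETIME_SECONDS = 300  # the "expires in 5 minutes" rule from the story

@dataclass
class IssuedCode:
    app_id: str          # client the code was issued to (bound at issue time)
    user: str            # resource owner who consented (Zhang Dapang)
    redirect_uri: str    # callback the code was delivered to
    issued_at: float
    used: bool = False   # flipped on the first successful exchange

class AuthorizationServer:  # hypothetical stand-in for the NetEase authentication center
    def __init__(self, clients, clock=time.time):
        self.clients = dict(clients)  # app_id -> app_secret from registration
        self.clock = clock            # injectable so expiry can be tested deterministically
        self.codes = {}               # code -> IssuedCode

    def authorize(self, user, app_id, redirect_uri):
        # User has logged in and consented: redirect back with a short-lived code (story step 7)
        if app_id not in self.clients:
            raise ValueError("unknown app_id")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(app_id, user, redirect_uri, self.clock())
        return f"{redirect_uri}?{urlencode({'code': code})}"

    def exchange(self, code, app_id, app_secret, redirect_uri):
        # Back-channel call from the butler's server; returns an access token or None
        rec = self.codes.get(code)
        if rec is None:
            return None
        # Defence 1: the code is bound to the app_id/app_secret (and callback) that obtained it
        if rec.app_id != app_id or rec.redirect_uri != redirect_uri:
            return None
        if not secrets.compare_digest(self.clients.get(app_id, ""), app_secret):
            return None
        # Defence 2: the code is time-limited
        if self.clock() - rec.issued_at > CODE_LIFETIME_SECONDS:
            return None
        # Defence 3: the code can be exchanged exactly once
        if rec.used:
            return None
        rec.used = True
        return secrets.token_urlsafe(32)  # the real token; the browser never sees it

def code_from_callback(url):
    # The client reads the code from the query string (a "#token=" fragment never reaches a server)
    return parse_qs(urlsplit(url).query)["code"][0]
```

A stolen code is therefore useless to anyone who lacks the app_secret, and it dies after one exchange or five minutes, whichever comes first.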


"It sounds good. Well, I can use it with confidence this time!"


4. Postscript

This article is actually talking about three of the authorization grant types in OAuth, in order:

1. Resource Owner Password Credentials Grant

2. Implicit Grant

3. Authorization Code Grant

There is another type, Client Credentials, which is used less and is not covered in this article.

These names are a little weird, but they are not that complicated in nature. In OAuth there are several terms, which everyone can now understand:

Resource owner: this is Zhang Dapang above

Resource server: the NetEase mailbox

Client: this is the credit card butler above

Authorization server: the NetEase authentication center mentioned above

Origin: blog.csdn.net/qq_43422918/article/details/115327825