HUAWEI account service study notes (2): the OAuth 2.0 protocol explained

In the previous article, "Huawei account service study notes (1): What is HMS, what is Huawei account service", I sorted out the usage scenarios and advantages of the Huawei account service. Next I will walk you through some of the basic knowledge, access methods and efficiency tools involved in the Huawei account service. If you have any questions, feel free to ask in the comment section.

To understand the HUAWEI ID service, we first need to be familiar with two protocols: OAuth 2.0 and OpenID Connect, because the HUAWEI ID login method is built on them. Not only HUAWEI ID but also WeChat and other vendors' accounts are basically built on these two protocols. This article first introduces OAuth 2.0.

1. An interesting question

Before answering what OAuth 2.0 is, let me first raise a question:

We know that a user can obtain the details of their Huawei or WeChat account, such as user name, email address and mobile phone number, with the account plus its password. But consider a third-party app like the one below: the user logs in with a Huawei account, and afterwards the app holds the user's HUAWEI ID information. How does it obtain this information?


To answer this question we need to introduce a concept: delegated (proxy) authorization. Delegated authorization is a way of letting third-party applications access user data. There are two ways to do it:

1. Give the user's account password to the third-party application so that it can log in to the account and access the data on the user's behalf;

2. Authorize the third-party application to access the user's data through OAuth, without providing the password.

Presumably no user would accept the first method; nobody is willing to expose their username and password to others. The second method uses the OAuth protocol: the user's password never has to be given to the third party, yet the third party can still obtain the data it needs. That is why we need OAuth.

2. What exactly is OAuth 2.0?

OAuth 2.0 is currently the most popular authorization mechanism for authorizing third-party applications and obtaining user data. With OAuth 2.0 the question above is solved like this: the user grants the third-party application a limited authorization, and with that limited authorization the third-party application goes to the corresponding account server and obtains the authorized information.


The design idea of OAuth 2.0:

I once saw a metaphor that I think illustrates the design idea of OAuth 2.0 very vividly, so I will borrow it here to help everyone understand quickly.

Courier and community access control system:


1. Each community has an access control system: enter the password and you are let into the community. Only the owner knows the password.

2. Couriers often need to enter the community to deliver parcels. There are several ways for a courier to get in:

     A. The owner tells the courier the access code, and the courier enters by typing in the code.

     B. The owner opens the door for the courier remotely.

     C. Open a new channel for couriers, used only for delivering parcels to a designated location:

      -> Add a "Request Authorization" button to the access control system.

      -> The courier presses the button to request the owner's authorization to enter.

      -> The owner agrees to authorize and a "limited code" is returned to the courier.

      -> By entering the code the courier can enter the parcel delivery area, but cannot enter other places.

The first two methods are not optimal. First, the community password carries many permissions, so handing it to the courier is very insecure; second, there may be many doors in the community, and the owner would have to open the door remotely every time the courier passes through one. Method C is the best, and its design idea is what OAuth 2.0 brings to the Internet.

Related terms of OAuth2.0 protocol

Resource Owner: the user who owns the data that the client application wants to access.

Client: the application that wants to access the user's data.

Authorization Server: the server that, with the user's permission, authorizes the client to access the user's data.

Resource Server: the system that stores the data the client wants to access. In some cases the resource server and the authorization server are the same server.

Access Token: the only key the client can use to access the data the user authorized on the resource server.

Scope: the authorization scope, which restricts which of the user's data the application can access.


The basic flow of OAuth2.0 protocol


Similarities and differences between an Access Token and a password:

1. Like a password, an Access Token is a credential for obtaining user data; leaking an AT has the same consequences as leaking a password.

2. An Access Token is short-lived: it expires automatically after its validity period and the user cannot change that. A password is generally valid for a long time and does not change unless the user modifies it.

3. An Access Token can be revoked by the data owner, and the revocation takes effect immediately; passwords generally cannot be revoked.

4. An Access Token has an authorization scope (Scope) that specifies exactly what the holder may do; whoever holds the password has full authority and can do anything.

The design of the Access Token lets third-party applications obtain the corresponding permissions while remaining controllable at any time, without endangering the security of the system.

The four authorization modes of OAuth 2.0

This article mainly introduces the first one.

1. Authorization code (authorization-code)

The client first obtains an authorization code (Code) and then exchanges the authorization code for an Access Token.

Usage scenario: the client has its own back-end server.

Features: the authorization code passes through the front end, while the AT is stored on the back-end server, and the back-end server completes the interaction with the resource server and the authorization server. Front end and back end are separated, which is very safe.

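To make the authorization code mode concrete, here is an added toy example in Python (not code from the Huawei account service or from the original article) that plays both the authorization server and the client's back end. The names demo-client, demo-secret and https://app.example/cb are constructed; the token endpoint consumes each code once, ties it to the registered client and redirect URI, and requires the client secret, which is why the AT never has to reach the front end.

```python
import secrets
import time

# Constructed client registration (assumed values); a real server keeps this in a database.
CLIENTS = {"demo-client": {"secret": "demo-secret", "redirect_uri": "https://app.example/cb"}}
CODE_TTL = 60  # seconds; authorization codes are short-lived and single-use

class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # code -> grant bound to client_id, redirect_uri, scope, user

    def authorize(self, client_id, redirect_uri, scope, user, now=None):
        """User clicked "agree": issue a code bound to this client and its redirect URI."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return {"error": "invalid_request"}
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                             "scope": scope, "user": user,
                             "expires": (now or time.time()) + CODE_TTL}
        return {"code": code}

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Back-end exchange of the code for tokens; RFC 6749 style error body on failure."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        grant = self._codes.pop(code, None)  # pop: a replayed code is already gone
        if grant is None or grant["expires"] < (now or time.time()):
            return {"error": "invalid_grant"}
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(24),
                "scope": grant["scope"]}

def run_flow(returned_state=None):
    """Front end carries only code and state; the back end holds the secret and the tokens."""
    server = AuthorizationServer()
    state = secrets.token_urlsafe(8)  # stored in the user's session by the back end
    auth = server.authorize("demo-client", "https://app.example/cb", "profile", "user-1")
    # The redirect back carries ?code=...&state=...; the back end compares state with
    # its session copy before exchanging the code (the CSRF check on the redirect).
    if returned_state is None:
        returned_state = state
    if not secrets.compare_digest(state, returned_state):
        return server, auth["code"], {"error": "state_mismatch"}
    return server, auth["code"], server.token("demo-client", "demo-secret",
                                              auth["code"], "https://app.example/cb")
```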

2. Implicit

Usage scenario: pure front-end application with no back-end server.

Features: there is no authorization code; the AT is issued directly to the front end and stored there, which is not very secure and only suits scenarios with low security requirements.

3. Password

Usage scenario: the application is highly trusted and no other authorization mode can be used.

Features: the user gives their user name and password directly to the third-party application, which uses the password to apply for the token.

4. Client credentials

Usage scenario: command-line application without a front end.

Features: the token is requested from the command line, trusting the third party directly.

Access Token expiration

An AT has a time limit and must be obtained again after it expires.

There are two ways:

1. Obtain the AT again through the previous process; the user experience is poor.

2. The method given by OAuth 2.0: return a Refresh Token along with the Access Token. When the AT (Access Token) expires, the RT (Refresh Token) can be used to obtain a new AT.

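The Access Token properties listed earlier (expiry, scope, immediate revocation) and the Refresh Token mechanism from this section, as one added Python example that is not part of the original article or the Huawei SDK: a toy token store that the resource server consults before serving data and that rotates the refresh token on every refresh. The token lifetimes and the demo-client name are assumptions.

```python
import secrets
import time
ACCESS_TTL = 3600            # assumed access token lifetime in seconds
REFRESH_TTL = 30 * 86400     # assumed refresh token lifetime
class TokenService:
    """Toy token store shared by the resource server check and the refresh endpoint."""
    def __init__(self):
        self._access = {}    # access token -> {user, scope, expires, grant}
        self._refresh = {}   # refresh token -> same, plus the client it was issued to
        self._revoked = set()  # grant ids the user has withdrawn consent for

    def issue(self, user, scope, client_id, grant=None, now=None):
        """Issue an AT/RT pair; one grant id ties every token of the authorization together."""
        now = now or time.time()
        grant = grant or secrets.token_hex(8)
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._access[at] = {"user": user, "scope": set(scope), "grant": grant,
                            "expires": now + ACCESS_TTL}
        self._refresh[rt] = {"user": user, "scope": set(scope), "grant": grant,
                             "expires": now + REFRESH_TTL, "client_id": client_id}
        return {"access_token": at, "refresh_token": rt, "expires_in": ACCESS_TTL}

    def check_access(self, at, required_scope, now=None):
        """Resource server side: unknown, revoked, expired or out-of-scope tokens get nothing."""
        now = now or time.time()
        t = self._access.get(at)
        if t is None or t["grant"] in self._revoked:
            return {"error": "invalid_token"}
        if t["expires"] <= now:
            return {"error": "expired_token"}     # the client should now use its RT
        if required_scope not in t["scope"]:
            return {"error": "insufficient_scope"}
        return {"user": t["user"]}

    def refresh(self, rt, client_id, now=None):
        """Trade an RT for a fresh AT without asking the user again; the used RT is rotated out."""
        now = now or time.time()
        t = self._refresh.get(rt)
        if (t is None or t["client_id"] != client_id or t["expires"] <= now
                or t["grant"] in self._revoked):
            return {"error": "invalid_grant"}
        del self._refresh[rt]   # single use: an old RT cannot be replayed
        return self.issue(t["user"], t["scope"], client_id, grant=t["grant"], now=now)

    def revoke(self, token):
        """User withdraws consent: every AT and RT of that grant stops working at once."""
        t = self._access.get(token) or self._refresh.get(token)
        if t is not None:
            self._revoked.add(t["grant"])
```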

That is the OAuth 2.0 content I wanted to share; I hope it helps everyone's understanding. Next I will share the OpenID Connect protocol, so please keep following this account.

I will keep producing high-quality content in related fields, and I hope you will continue to follow this account!


Origin blog.51cto.com/15146142/2678603