OAuth2 authentication

1. Introduction to OAuth2

1.1 Introduction

  The main purpose of a third-party authentication solution is to standardize the authentication protocol: to achieve cross-system authentication, every system must follow a common interface protocol.

  The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Any third party can use an OAuth authentication service, and any service provider can implement its own OAuth authentication service, so OAuth is open. The industry provides OAuth implementations as development kits for PHP, JavaScript, Java, Ruby and other languages, which saves programmers a great deal of time, so OAuth is simple. Many Internet services (Open APIs) and many large companies such as Google, Yahoo and Microsoft provide OAuth authentication services, which is enough to show that the OAuth standard has gradually become the standard for open resource authorization.

  The OAuth protocol is currently at version 2.0. Version 1.0 was too complicated, and version 2.0 has been widely adopted.

Reference: https://baike.baidu.com/item/oAuth/7153134?fr=aladdin
Oauth protocol: https://tools.ietf.org/html/rfc6749

Let's analyze an example of OAuth2 authentication: the process of a website logging a user in through WeChat.

  1. The user enters the login page of the website and clicks the WeChat icon to log in with a WeChat account. The user is the resource owner of his own information held in WeChat.

    Clicking "WeChat" displays a QR code. The user scans the QR code and begins authorizing the website.

  2. The resource owner agrees to authorize the client

    Scanning the QR code indicates that the resource owner agrees to authorize the client. WeChat verifies the identity of the resource owner and, once verification passes, asks the user whether to allow the website to access his WeChat data. When the user taps "Confirm Login", the user has agreed to the authorization; the WeChat authentication server issues an authorization code and redirects back to the website.

  3. The client obtains the authorization code and requests a token from the authentication server

    The user does not see this step: the client application sends the authorization code to the authentication server and asks for a token.

  4. The authentication server responds to the client with a token

    The authentication server verifies the authorization code sent by the client and, if it is valid, issues a token to the client. The token is the client's pass for accessing resources. The user does not see this interaction either; when the client receives the token, the user sees on the website that the login has succeeded.

  5. The client requests resources from the resource server

    The client presents the token when accessing resources on the resource server: the website sends the token to the WeChat server to request the user's basic information.

  6. The resource server returns the protected resource

    The resource server verifies the validity of the token and, if it is valid, responds with the requested resource content.

    Note: The resource server and the authentication server can be the same service or separate services. If they are separate, the resource server usually asks the authentication server to verify the validity of the token.

The OAuth 2.0 authentication process is as follows:

Quoted from the OAuth 2.0 protocol, RFC 6749 https://tools.ietf.org/html/rfc6749 (Figure 1: Abstract Protocol Flow):

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
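The six-step flow above, as an added example that is not part of the original post: a minimal in-memory simulation of the authorization code grant in Python, showing the messages of RFC 6749 sections 4.1.1 to 4.1.4 and the checks each party makes (registered redirect URI, single-use code, client authentication, state against CSRF, bearer token at the resource server). The client registration values, the AuthServer class and the helper functions are constructed for this example and are not WeChat's or any library's API.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

CLIENT_ID, CLIENT_SECRET = "website-app", "s3cret"   # constructed client registration
REDIRECT_URI = "https://site.example/cb"


class AuthServer:
    """Assumed in-memory authorization server: single-use codes, bearer access tokens."""
    def __init__(self):
        self.codes, self.tokens = {}, {}   # code -> user, access_token -> user

    def authorize(self, query, user):  # step 2: owner approved, redirect back with a code (4.1.2)
        q = {k: v[0] for k, v in parse_qs(query).items()}
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID \
                or q.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("invalid authorization request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form, client_auth):  # step 4: authenticate client, redeem code once (4.1.3)
        if client_auth != (CLIENT_ID, CLIENT_SECRET):
            raise PermissionError("invalid_client")
        user = self.codes.pop(form.get("code"), None)   # pop: a replayed code is rejected
        if form.get("grant_type") != "authorization_code" or user is None \
                or form.get("redirect_uri") != REDIRECT_URI:
            raise PermissionError("invalid_grant")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = user
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}


def userinfo(auth, headers):  # step 6: resource server checks the bearer token (RFC 6750 2.1)
    scheme, _, tok = headers.get("Authorization", "").partition(" ")
    user = auth.tokens.get(tok) if scheme == "Bearer" else None
    return {"user": user} if user else {"error": "invalid_token"}


def redeem(auth, redirect_url, state):  # step 3: callback checks state (CSRF, 10.12), posts code
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != state:
        raise PermissionError("state mismatch")
    form = {"grant_type": "authorization_code", "code": q["code"], "redirect_uri": REDIRECT_URI}
    return auth.token(form, (CLIENT_ID, CLIENT_SECRET))


def run_flow(auth, user="alice"):
    state = secrets.token_urlsafe(8)   # step 1: client starts the flow with a fresh state
    redirect = auth.authorize(urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                         "redirect_uri": REDIRECT_URI, "state": state}), user)
    tok = redeem(auth, redirect, state)["access_token"]   # steps 3-4
    return userinfo(auth, {"Authorization": "Bearer " + tok})   # steps 5-6
```

`run_flow(AuthServer())` walks the whole sequence and returns `{"user": "alice"}`; redeeming the same redirect a second time, or with a different state, is refused.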

1.2 Roles

Client

  It does not store resources itself and needs the resource owner's authorization to request resources from the resource server, for example an Android client, a web client (browser), a WeChat client, etc.

Resource owner

  Usually a user, but it can also be an application; that is, the owner of the resource.

Authorization server (also called the authentication server)

  Authenticates the identity of the resource owner and authorizes access to the resource. If a client wants to access a resource, it must be authorized by the resource owner through the authentication server.

Resource server

  The server that stores resources. For example, a website's user management server stores website user information, a website's photo album server stores user photo album information, and the WeChat resource service stores WeChat user information. The client finally accesses the resource server to obtain resource information.

1.3 Common terms

  • Client credentials: the client's clientId and password, used to authenticate the client
  • Tokens: the access token issued by the authorization server after it receives the client's request
  • Scopes: the additional, finer-grained permissions specified by the resource owner when the client requests an access token

1.4 Token Types

  • Authorization code: used only by the authorization code grant type, exchanged for an access token and a refresh token

  • Access token: used to access protected resources directly on behalf of a user or service

  • Refresh token: used to obtain a new access token from the authorization server

  • Bearer token: whoever holds the token can access the resource, similar to cash

  • Proof of Possession (PoP) token: it can be checked whether the client really possesses the token

1.5 Features

Advantages:

  • More secure: the client never handles the user's password, and the server is easier to protect centrally
  • Widespread and sustained adoption
  • Short-lived and encapsulated tokens
  • The resource server and the authorization server are decoupled
  • Centralized authorization simplifies the client
  • HTTP/JSON friendly, easy to request and pass tokens
  • Considers multiple client architecture scenarios
  • Clients can have different trust levels

Disadvantages:

  • The protocol framework is too broad, so compatibility and interoperability between implementations are poor
  • OAuth2 is not an authentication protocol and by itself does not tell you anything about the user

2. Authorization Mode

2.1 Authorization Code Mode

2.2 Simplified authorization mode (Implicit)

2.3 Password Mode (Resource Owner Password Credentials)

2.4 Client Credentials

2.5 Refresh token

Origin: https://blog.csdn.net/m0_46502538/article/details/120820229