2018/04/14 Understanding OAuth 2.0

I haven't updated my blog recently, and I'm stuck on OAuth.

Before the company did unified identity authentication, I was stuck here for two days without understanding OAuth.

So I decided to study the principle carefully; theory guides practice.

--

What is OAuth?

To put it simply, OAuth is an authentication method that is now commonly used for third-party login, such as the third-party login implemented by QQ, Weibo, etc.

--

OAuth flow?

First, I recommend Mr. Ruan's tutorial: Understanding OAuth 2.0

Here I only explain my own understanding of the OAuth flow; Mr. Ruan's article already explains the details very well.

First, a picture, taken from Mr. Ruan's Weibo and originally from RFC 6749.

As I understand it, OAuth is divided into these steps!

1: The client initiates an authorization request [to get the code, in preparation for the token request in the next step]

Understanding: When you use QQ/WeChat to log in to a client application, the client redirects you to the QQ/WeChat server with a third-party authorization request.

Here is an example from Teacher Ruan's blog

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

The meaning of each parameter in this GET request:

response_type: indicates the authorization type; required; the value here is fixed to "code"
client_id: indicates the ID of the client; required
redirect_uri: indicates the redirect URI; after the server has processed the request it redirects the browser back to this URL, carrying the result
scope: indicates the scope of permission being requested; optional
state: indicates the current state of the client; any value can be specified, and the authorization server returns this value unchanged (the client checks it on the way back so that a response cannot be forged or injected into a different session, i.e. a CSRF defence)

2: The server authenticates the user and returns the code [so that the client can exchange the code for a token]

Note: to ensure security, the lifetime of this code is very short; the exact time is decided by the server.

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
          &state=xyz

3: The client exchanges the code it obtained for a token [to obtain the token it needs to use the service]

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

The meaning of each parameter in this POST request:

grant_type: indicates the authorization grant being used; required; the value here is fixed to "authorization_code".
code: indicates the authorization code obtained in the previous step; required.
redirect_uri: indicates the redirect URI; required, and it must be identical to the value sent in the authorization request (step 1).
client_id: indicates the client ID; required. In the request above it is not in the body: it is sent together with the client secret in the Authorization: Basic header.

4: The server returns a token for the third party to use [so that the client can use the token to call the corresponding service]

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}

5: Once the client has the access_token, it can use the services provided by the server.
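To make steps 1 to 5 concrete, here is an added example (my own code, not from the original post or from Mr. Ruan's article) that models both sides of the authorization code flow in Python: the client builds the /authorize request with a random state, the authorization server issues a short-lived, single-use code bound to the client and its registered redirect_uri, and the token endpoint authenticates the client from the Basic header before exchanging the code. The client id and secret are the pair encoded in the Basic header shown above (s6BhdRkqt3:gX1fBat3bV, from RFC 6749); the 60-second code lifetime, the user name and the in-memory storage are assumptions of the example.

```python
import base64
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration for the example: the id/secret pair decoded from the
# post's Basic header. CODE_TTL_SECONDS is an assumed server policy.
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "redirect_uri": "https://client.example.com/cb"},
}
CODE_TTL_SECONDS = 60


class AuthorizationServer:
    """Toy authorization server: issues one-time, short-lived codes and exchanges them for tokens."""

    def __init__(self, clients, clock=time.time):
        self.clients, self.clock = clients, clock
        self.codes = {}  # code -> {client_id, redirect_uri, user, expires, used}

    def authorize(self, query, user):
        """Steps 1-2: validate the request, then (user already authenticated and consenting) redirect back with a code."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("response_type") != "code":
            raise ValueError("unauthorized_client")
        redirect_uri = query.get("redirect_uri", client["redirect_uri"])
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("invalid redirect_uri")  # only ever send the code to the registered URI
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": redirect_uri,
                            "user": user, "expires": self.clock() + CODE_TTL_SECONDS, "used": False}
        params = {"code": code}
        if "state" in query:
            params["state"] = query["state"]  # echoed back unchanged, as the post describes
        return redirect_uri + "?" + urlencode(params)

    def token(self, headers, form):
        """Steps 3-4: authenticate the client, validate the code, issue an access token."""
        client_id = self._authenticate_client(headers.get("Authorization", ""))
        if client_id is None:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        rec = self.codes.get(form.get("code"))
        if (rec is None or rec["used"] or rec["expires"] < self.clock()
                or rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        rec["used"] = True  # a code is exchanged exactly once; a replay must fail
        return 200, {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                     "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}

    def _authenticate_client(self, auth_header):
        """Decode 'Authorization: Basic base64(client_id:secret)' and check it against the registration."""
        scheme, _, encoded = auth_header.partition(" ")
        if scheme != "Basic":
            return None
        try:
            client_id, _, secret = base64.b64decode(encoded).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"].encode(), secret.encode()):
            return None
        return client_id


class Client:
    """Toy third-party application ("log in with ...") side of the flow."""

    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.pending_states = set()  # stands in for per-user session storage

    def authorization_request(self):
        """Step 1: the /authorize query; state is random and remembered so the callback can be checked."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": state}

    def handle_callback(self, location):
        """Step 2: read code and state from the redirect; refuse a state we never issued (CSRF check)."""
        params = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
        if params.get("state") not in self.pending_states:
            raise ValueError("state mismatch: response does not belong to a login we started")
        self.pending_states.discard(params["state"])
        return params["code"]

    def token_request(self, code):
        """Step 3: the POST /token body plus the Basic header carrying client_id:secret."""
        basic = base64.b64encode(f"{self.client_id}:{self.secret}".encode()).decode()
        headers = {"Authorization": "Basic " + basic, "Content-Type": "application/x-www-form-urlencoded"}
        return headers, {"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri}


def run_flow(server, client, user="alice"):
    """Steps 1-4 end to end; returns (status, token_response, code) so a replay can be tried afterwards."""
    code = client.handle_callback(server.authorize(client.authorization_request(), user))
    status, body = server.token(*client.token_request(code))
    return status, body, code


if __name__ == "__main__":
    srv = AuthorizationServer(REGISTERED_CLIENTS)
    app = Client("s6BhdRkqt3", "gX1fBat3bV", "https://client.example.com/cb")
    print(run_flow(srv, app)[1])  # step 5: the client now holds an access_token it can present to the service
```

The checks that matter for the security of the flow are all on the server side of the exchange: the code expires, is usable once, is bound to the client that requested it and to the redirect_uri it was sent to, and the token endpoint will not talk to a client that cannot prove its secret. On the client side the only check is the state comparison, which is what stops a forged callback from being accepted.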

--

Only the normal OAuth flow is explained here. There is far more to OAuth than this, and you can learn more when you need it.

Be sure to practise the OAuth flow hands-on; otherwise it really will confuse you.
