Understanding OAuth2.0

1. To see where OAuth is applicable, let me take a hypothetical example.
There is a "cloud printing" website that can print photos that users keep on Google. To use the service, a user must allow "cloud printing" to read the photos the user has stored on Google.

How can cloud printing get access to photos stored on Google? The traditional method is for the user to give "cloud printing" their Google username and password, which it then uses to read the user's photos. This approach has many disadvantages, for example:
a) Cloud printing gains access to all of the user's Google photos, while in practice the user may only want to print one particular photo.
b) If the cloud printing website is compromised, the Google username and password saved there are exposed, and with them the user's whole Google account, even though Google itself was never breached.
These are just two of the many shortcomings of this approach. Clearly, it is not secure.

2. This is the problem the OAuth 2.0 protocol solves. OAuth 2.0 is an open standard for authorization (not authentication: it says nothing about who the user is, only what the client is allowed to access). Its idea is to add an authorization layer between cloud printing and Google. The authorization layer issues cloud printing an access token for Google's resources, and issuing that token requires the approval of the owner of the Google photos. OAuth 2.0 defines four authorization grant types. We take the most complex one, the authorization code grant, as the example to illustrate the OAuth 2.0 workflow.

3. Before explaining the OAuth 2.0 workflow, let's look at a few terms.
a) Client: the third-party application, called "client" in this article; here it is the "cloud printing" application.
b) Resource server: the server on which the service provider stores the resources generated by the user. It and the authorization server may be the same server or different servers.
c) User agent: in this article, the browser.
d) Authorization server: the server the service provider uses specifically to handle authorization, that is, to obtain the user's consent and issue tokens.
e) Resource owner: the owner of the resources, called "user" in this article.

4. The following figure shows the process of the user authorizing the client through the browser; the numbered steps below walk through it.

   1) The user clicks the authorization button.
   2) The client server redirects the browser to the authorization server, passing the client's identifier, the details of the authorization request (the requested scope and a random state value) and the redirect URI (an address on the client server) as query parameters.
   3) The authorization server returns the authorization (consent) page, on which the user has to click OK.
   4) The user confirms the authorization.
   5) The authorization server redirects the browser back to the client's redirect URI, passing the authorization code (and the client's state value, unchanged) as parameters.
   6) The client server sends the authorization code, together with its own client credentials, to the authorization server's token endpoint to request the access token. This happens server to server, not through the browser.
   7) After verifying the code (and that it was issued to this client and this redirect URI, and has not been used before), the authorization server returns the access token.
   8) The client server returns the authorization success page to the user.

5. Once the user has granted the client server this temporary authorization to access the resource server, the user can simply use the client: cloud printing can print the photos stored on Google directly, until the access token expires. The user does not need to be aware of this process, because the client server has already been granted permission to access the Google server on the user's behalf. The process is as follows:




  1) The user uses the application provided by the client server, which needs to access the resource server.
  2) The client performs the service operation; for this it calls the resource server, presenting the access token (as a bearer token in the Authorization header).
  3) The resource server validates the token and returns the result to the client server.
  4) The client server returns the result to the user.
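The two diagrams above (the authorization code exchange in section 4 and the later token-based access in section 5) can be run end to end in a small in-memory model. The Python below is an added example written for this article, not code from the original page or from Google; the endpoint URL, client id and secret, scope name and sample photo list are constructed placeholders, and the three "servers" are plain Python objects calling each other instead of speaking HTTP. It shows the checks that make the flow safe: the client binds the callback to its own request with an unguessable state value, the authorization server pins the redirect_uri to the registered client, each authorization code is redeemable exactly once and only by the client it was issued to (authenticated with its client secret over the back channel), and the resource server accepts a bearer token only if it is valid, unexpired and carries the required scope.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical identifiers for the article's "cloud printing" client (assumed, not real).
AUTH_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID, CLIENT_SECRET = "cloud-printing", "demo-client-secret"
REDIRECT_URI = "https://cloudprint.example/callback"


def query_params(url):
    # Flatten a URL's query string into a dict (first value of each key).
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Google's authorization server: issues single-use codes and bearer tokens."""

    def __init__(self):
        # redirect_uri is pinned at client registration; every request must match it exactly.
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}   # code  -> (client_id, redirect_uri, user, scope, expiry)
        self.tokens = {}  # token -> (user, scope, expiry)

    def authorize(self, params, user):
        """Steps 2-5: the user has seen the consent page and clicked OK."""
        client = self.clients.get(params.get("client_id"))
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (params["client_id"], params["redirect_uri"], user,
                            params["scope"], time.time() + 60)  # codes are short-lived
        # state is echoed back unchanged so the client can tie the response to its request
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 6-7: authenticate the client, then swap the code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)  # pop(): each code can be redeemed exactly once
        if entry is None:
            raise PermissionError("unknown or already used code")
        c_id, c_redirect, user, scope, expiry = entry
        if (c_id, c_redirect) != (client_id, redirect_uri) or time.time() > expiry:
            raise PermissionError("code issued to another client/redirect_uri, or expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, scope, time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": scope}


class ResourceServer:
    """Google Photos: checks the bearer token and its scope, then returns the photos."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.photos = {"alice": ["IMG_001.jpg", "IMG_002.jpg"]}  # constructed sample data

    def get_photos(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        entry = self.auth.tokens.get(token) if scheme == "Bearer" else None
        if entry is None or time.time() > entry[2]:
            raise PermissionError("invalid or expired access token")
        user, scope, _ = entry
        if "photos.read" not in scope.split():
            raise PermissionError("token lacks the photos.read scope")
        return list(self.photos[user])


class Client:
    """Cloud printing: it holds only the token, never the user's Google password."""

    def __init__(self, auth_server, resource_server):
        self.auth, self.rs = auth_server, resource_server
        self.pending_state = self.access_token = None

    def start_authorization(self):
        """Step 2: the URL the browser is redirected to."""
        self.pending_state = secrets.token_urlsafe(16)  # unguessable, bound to this session
        q = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "scope": "photos.read", "state": self.pending_state}
        return f"{AUTH_ENDPOINT}?{urlencode(q)}"

    def callback(self, redirect_url):
        """Steps 5-7: verify state, then redeem the code over the back channel."""
        q = query_params(redirect_url)
        if self.pending_state is None or q.get("state") != self.pending_state:
            raise PermissionError("state mismatch: response is not bound to our request")
        self.pending_state = None
        grant = self.auth.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI)
        self.access_token = grant["access_token"]

    def print_photos(self):
        """Second diagram: later access reuses the stored token; the user is not involved."""
        return self.rs.get_photos({"Authorization": f"Bearer {self.access_token}"})


def run_flow(user="alice"):
    """Drive the whole flow once and return what the client fetched from the resource server."""
    auth = AuthorizationServer()
    client = Client(auth, ResourceServer(auth))
    redirect = auth.authorize(query_params(client.start_authorization()), user)  # user clicks OK
    client.callback(redirect)
    return client.print_photos()
```

Calling `run_flow()` performs steps 1 to 8 and then the second diagram's token-based access in one go. Redeeming the same code a second time, or delivering a callback whose state the client never issued, raises `PermissionError`. In a real deployment the same checks apply, with TLS on every leg and, for clients that cannot keep a secret (mobile apps, single-page apps), PKCE in addition to state.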
