An in-depth look at the OAuth 2.0 protocol

If you drive to a hotel for dinner, you will often lose a lot of time because you cannot find a parking space. Is there a good way to avoid this problem? Yes: I have heard that owners of some luxury cars do not worry about it. Luxury cars often come with two kinds of keys, a master key and a valet (parking) key. When you arrive at the hotel, you simply hand the valet key to the attendant, who takes care of parking. Compared with the master key, the valet key is deliberately limited: it can start the engine and drive the car a limited distance, and it can lock the car, but it cannot open the trunk or operate other equipment in the car. This is a simple form of "open authorization": through the valet key, the owner delegates some of the car's functions (starting the engine, driving a limited distance) to the attendant without handing over full control.

Authorization is an old concept, and a feature that every multi-user system must support. For example, Alice and Bob are both Google users, so Alice should be able to authorize Bob to access her photos. Note, however, that this is a closed form of authorization: it only supports authorization between users inside the same system, not authorization of external systems or users. For example, Alice wants to use the "NetEase Printing Service" to print some of her photos. How can she do that?

Someone will surely say that Alice can simply give NetEase Printing Service her Google username and password, and the problem is solved. True, but only someone who does not care about security and privacy would resort to this "trick". So let us think about what is wrong with it. (1) Alice's username and password may be cached by NetEase Printing Service, possibly unencrypted; if that service is compromised, Alice's account falls with it. (2) NetEase Printing Service can access all of Alice's resources on Google, and Alice cannot apply least-privilege control, such as allowing access only to a particular photo, and only for 1 hour. (3) Alice cannot revoke this one authorization on its own; her only option is to change her password.

In the era of cloud computing centered on Web services, Alice's need for this kind of authorization has become ever more common and urgent, and "open authorization" was born to meet it: it lets Alice grant a third-party application access to her resources with fine-grained permission control, without leaking her password or any other authentication credential.
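As an added example (not code from the original post), the following toy Python model shows the three properties that the password-sharing "trick" lacks and that open authorization provides: a grant scoped to one photo, limited in time, and revocable on its own, while the printing client never sees Alice's password. The server and class names, the client name "netease-print" and the photo names are constructed sample values, not any real service's API.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
@dataclass
class Grant:
    owner: str           # resource owner, e.g. "alice"
    client: str          # third-party app, e.g. "netease-print"
    scope: frozenset     # what the client may do, e.g. {"read:p1.jpg"}
    expires_at: int      # time after which the token is no longer valid
    revoked: bool = False

class AuthServer:
    """Toy authorization server: Alice authenticates only here (on-site
    approval) and the client receives an opaque token, never her password."""
    def __init__(self, users):
        # constructed sample users; a real server stores salted, slow hashes
        self._users = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
        self._grants = {}

    def approve(self, owner, password, client, scope, ttl, now):
        digest = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(self._users.get(owner, b""), digest):
            return None                      # owner failed to authenticate
        token = secrets.token_urlsafe(32)    # unguessable and opaque to the client
        self._grants[token] = Grant(owner, client, frozenset(scope), now + ttl)
        return token
    def introspect(self, token, now):
        g = self._grants.get(token)
        if g is None or g.revoked or now >= g.expires_at:
            return None                      # unknown, revoked or expired
        return g
    def revoke(self, token):
        # revokes this one grant only; Alice's password is untouched
        if token in self._grants:
            self._grants[token].revoked = True

class PhotoService:
    """Toy resource server: checks validity, owner and scope before serving."""
    def __init__(self, auth, photos):
        self.auth, self.photos = auth, photos
    def read_photo(self, token, owner, name, now):
        g = self.auth.introspect(token, now)
        if g is None or g.owner != owner or f"read:{name}" not in g.scope:
            return None
        return self.photos.get(owner, {}).get(name)

# constructed sample data: Alice's Google account and two photos
AUTH = AuthServer({"alice": "alice-google-pw"})
PHOTOS = PhotoService(AUTH, {"alice": {"p1.jpg": b"JPEG1", "p2.jpg": b"JPEG2"}})
```

The `now` parameter is passed explicitly so the expiry behaviour can be exercised deterministically; a real server would read the clock.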

Depending on the application scenario, there are currently two ways to implement open authorization: one uses the OAuth protocol [1]; the other uses an IAM service [2]. The OAuth protocol mainly suits open authorization of resources belonging to individual users, such as the Google user Alice. OAuth is characterized by "on-site authorization" or "online authorization": the client accesses resources mainly through the browser, the resource owner (Alice) must be authenticated during authorization, and Alice must approve the grant in person. OAuth is widely used in SNS services such as Weibo. An IAM service is different. It is characterized by "pre-authorization" or "offline authorization": the client accesses resources mainly through a REST API, and the resource owner knows in advance which resource requests a third-party application needs, and those requests rarely change. IAM services are generally used in cloud computing services, such as AWS and Alibaba Cloud.

This article mainly introduces OAuth open authorization; I will cover open authorization with an IAM service in another blog post. Below I introduce the OAuth 2.0 protocol, a concrete instantiation of the protocol, and a security analysis.


2. OAuth 2.0 Protocol

OAuth 2.0 is the popular practice at present, and it was first adopted by Google, Yahoo, Microsoft, Facebook and others. It is labelled 2.0 because there was originally a 1.0 protocol, but 1.0 was too complicated and hard to use, so it never caught on. 2.0 is a new design: the protocol is simple and clear, but it is not compatible with 1.0 and can be said to have nothing to do with it. So I will introduce only 2.0.


http://www.open-open.com/lib/view/open1392863557428.html

http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html

