SSO (single sign-on) and OAuth2.0: understanding the difference

1. Overview

SSO is the abbreviation of Single Sign On, and OAuth is the abbreviation of Open Authorization. Both use a token in place of the user's password to access applications. The two processes look very similar, but the concepts are quite different. Everyone should be familiar with SSO: it separates login authentication from the business systems and uses an independent login center, so that once a user has logged in at the login center, all related business systems can be accessed without logging in again.

The principle of OAuth2.0 may be less familiar, but it is used a lot in daily life. For example, when you visit a website and want to leave a comment but do not want to register, you sign in with WeChat authorization. In both cases you have no account or password in the business system; the account and password are stored only in the login center or on the WeChat server. This is what "using a token instead of an account and password to access the application" means.


2. SSO

The two have many similarities, so let's walk through the processes, starting with SSO: comparing SSO with OAuth2.0 makes the principle of OAuth2.0 easier to understand. There are many frameworks that implement SSO, for example CAS. The following is the official flowchart of the CAS framework. Note in particular: SSO is an idea, and CAS is just one framework that realizes that idea.

[Figure: official CAS flowchart; image not preserved]

The process in the figure is roughly:

  • The user enters the URL of the business system (the Protected App). The system finds that the user is not logged in and redirects the user to the single sign-on system (the CAS Server), passing its own address as the service parameter.

  • The user's browser is redirected to the single sign-on system, which checks whether the user is logged in. This is the first interface of the SSO (here, CAS) system. If the user is not logged in, this interface redirects the user to the login page. If the user is already logged in, it sets the global session and redirects back to the business system.

  • The user fills in the password and submits the login. Note that the login page is provided by the SSO system; only the SSO system stores the user's password.

  • The SSO system verifies the password and, if it is correct, redirects to the business system with a ticket issued by the SSO system.

  • The browser is redirected to the login interface of the business system. This login interface does not require a password but carries the SSO ticket. The business system uses the ticket to request the user's information from the SSO system, then sets a local session, indicating that login succeeded, and returns a sessionId to the browser (in Tomcat this is the JSESSIONID).

  • After that, all interaction with the business system can be done using that sessionId.
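The ticket exchange described above, as an added example that is not part of the original post and not CAS's own code: an in-memory login center and two business systems, with the checks a defender wants on the ticket (single use, short lifetime, bound to the service that presents it). The class and function names (SsoServer, BusinessApp, validate_ticket), the example hostnames and the sample user are assumptions for this illustration.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

TICKET_TTL_SECONDS = 10  # service tickets are short-lived and single-use


class SsoServer:
    """Login center (CAS-style): the only component that holds passwords."""

    def __init__(self, users):
        self._users = users          # username -> password (constructed sample data)
        self._global_sessions = {}   # global session cookie -> username
        self._tickets = {}           # ticket -> (username, service, issued_at)

    def login(self, username, password, service):
        """Password check happens only here. On success, set a global
        session and issue a ticket bound to the requesting `service`."""
        if self._users.get(username) != password:
            return None, None
        tgc = secrets.token_urlsafe(32)
        self._global_sessions[tgc] = username
        return tgc, self._issue_ticket(username, service)

    def ticket_for_logged_in_user(self, tgc, service):
        """Second business system: the global session exists, so no password
        prompt; just issue a fresh ticket for this service."""
        username = self._global_sessions.get(tgc)
        return None if username is None else self._issue_ticket(username, service)

    def _issue_ticket(self, username, service):
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (username, service, time.time())
        return ticket

    def validate_ticket(self, ticket, service):
        """Server-to-server call from the business system. The ticket is
        consumed on first use, must be unexpired, and must have been issued
        for the same service URL that now presents it."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if bound_service != service or time.time() - issued_at > TICKET_TTL_SECONDS:
            return None
        return {"username": username}


class BusinessApp:
    """Protected App: stores no passwords, only its own local sessions."""

    def __init__(self, service_url, sso):
        self.service_url = service_url
        self._sso = sso
        self._sessions = {}  # local session id -> user info

    def redirect_for_login(self):
        """Unauthenticated request: redirect to SSO with the `service` parameter."""
        return "https://sso.example.test/login?" + urlencode({"service": self.service_url})

    def handle_ticket_callback(self, callback_url):
        """Parse ?ticket=... from the redirect, validate it with the SSO
        server and, only if it checks out, create a local session."""
        query = parse_qs(urlparse(callback_url).query)
        ticket = query.get("ticket", [None])[0]
        user = self._sso.validate_ticket(ticket, self.service_url) if ticket else None
        if user is None:
            return None
        session_id = secrets.token_urlsafe(32)  # plays the role of JSESSIONID
        self._sessions[session_id] = user
        return session_id

    def current_user(self, session_id):
        return self._sessions.get(session_id)


def run_flow():
    """Walk the whole exchange for two business systems; return the outcomes."""
    sso = SsoServer({"alice": "correct horse battery staple"})
    app_a = BusinessApp("https://a.example.test/", sso)
    app_b = BusinessApp("https://b.example.test/", sso)

    # App A: not logged in -> redirect carries the service parameter -> SSO login.
    service = parse_qs(urlparse(app_a.redirect_for_login()).query)["service"][0]
    tgc, ticket = sso.login("alice", "correct horse battery staple", service)
    sid_a = app_a.handle_ticket_callback(app_a.service_url + "?ticket=" + ticket)
    replay = app_a.handle_ticket_callback(app_a.service_url + "?ticket=" + ticket)

    # App B: global session means no password prompt. A ticket issued for B
    # is rejected if presented to A, and is consumed by that attempt.
    ticket_b = sso.ticket_for_logged_in_user(tgc, app_b.service_url)
    cross_site = app_a.handle_ticket_callback(app_a.service_url + "?ticket=" + ticket_b)
    ticket_b = sso.ticket_for_logged_in_user(tgc, app_b.service_url)
    sid_b = app_b.handle_ticket_callback(app_b.service_url + "?ticket=" + ticket_b)

    return {"user_a": app_a.current_user(sid_a), "replay_rejected": replay is None,
            "cross_site_rejected": cross_site is None, "user_b": app_b.current_user(sid_b)}


if __name__ == "__main__":
    print(run_flow())
```

The point to notice is where the password lives: only `SsoServer.login` ever sees it, and the business systems only ever handle tickets and their own session ids, which is exactly the separation the bullets describe.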

The most common example: when we open the Taobao app, the homepage has links to Tmall, Juhuasuan and other services. When you click one, you go straight through and are not asked to log in again.


3. OAuth2.0

OAuth2.0 has several modes. Here we are talking about the OAuth2.0 authorization code mode. The process of OAuth2.0 is similar to that of SSO. In OAuth2 there are several roles: authorization server, resource server and client. When we use it to implement SSO, the resource server role is not required; the authorization server and client are enough.

The authorization server is of course used for authentication, and the clients are the individual application systems. We only need to get the user's information and permissions after a successful login.

  • When a user clicks on a website to sign in with WeChat authorization, the website here is similar to a business system, and the WeChat authorization server is similar to a single sign-on system.

  • After that, the WeChat authorization server returns a confirm-authorization page, which is similar to the login page. Of course, this page belongs to WeChat rather than the business system.

  • The user confirms the authorization, which is similar to filling in the account and password. After submission, WeChat authenticates the user, returns a ticket, and redirects to the business system.

  • The business system accesses the WeChat server with the ticket, the WeChat server returns the official token, and the business system can use the token to obtain the user's information.

A brief introduction to the four modes of OAuth2.0:

Authorization code (authorization-code)

In the authorization code method, the third-party application first applies for an authorization code and then uses the code to obtain a token. This is the most commonly used flow and has the highest security. It is suitable for web applications that have a back end. The authorization code is passed through the front end, the token is stored in the back end, and all communication with the resource server is done from the back end. Separating front and back ends in this way avoids token leakage.
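The authorization code flow from the WeChat bullets above and from the paragraph just before, as an added example that is neither the original post's code nor any real provider's API: an in-memory authorization server and a confidential client with a back end. It shows the front-channel redirect with a `state` value, the back-channel code-for-token exchange, and the checks the authorization server applies (exact redirect_uri match, client secret, single-use and short-lived code bound to the client it was issued to). The class names, client id and secret, hostnames and sample user are assumptions for this illustration.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

CODE_TTL_SECONDS = 60  # an authorization code should be swapped for a token promptly


class AuthorizationServer:
    def __init__(self):
        # client_id -> (client_secret, registered redirect_uri)  [constructed sample]
        self._clients = {"demo-client": ("demo-secret", "https://app.example.test/callback")}
        self._codes = {}   # code -> (client_id, redirect_uri, user, issued_at)
        self._tokens = {}  # access token -> user info

    def authorize(self, client_id, redirect_uri, state, user):
        """The user has logged in here and clicked 'confirm'. Only an exactly
        matching registered redirect_uri receives a code; `state` is echoed back."""
        client = self._clients.get(client_id)
        if client is None or client[1] != redirect_uri:
            return None
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, user, time.time())
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange: the client authenticates with its secret; the
        code is single-use, unexpired and bound to this client and redirect_uri."""
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client[0], client_secret):
            return None
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        code_client, code_redirect, user, issued_at = entry
        if code_client != client_id or code_redirect != redirect_uri:
            return None
        if time.time() - issued_at > CODE_TTL_SECONDS:
            return None
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = user
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, access_token):
        """The 'obtain user information with the token' step."""
        return self._tokens.get(access_token)


class WebAppClient:
    CLIENT_ID = "demo-client"
    CLIENT_SECRET = "demo-secret"          # lives only in the back end
    REDIRECT_URI = "https://app.example.test/callback"

    def __init__(self, auth_server):
        self._as = auth_server
        self._pending_states = set()  # states handed to browsers, not yet returned

    def start(self):
        """Front channel: build the authorization URL with a fresh `state`."""
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        return "https://auth.example.test/authorize?" + urlencode({
            "response_type": "code", "client_id": self.CLIENT_ID,
            "redirect_uri": self.REDIRECT_URI, "state": state})

    def callback(self, url):
        """Browser returns with ?code=...&state=...: reject a state we never
        issued, then swap the code for a token on the back channel."""
        q = parse_qs(urlparse(url).query)
        state, code = q.get("state", [None])[0], q.get("code", [None])[0]
        if state not in self._pending_states or code is None:
            return None
        self._pending_states.discard(state)
        tok = self._as.token(self.CLIENT_ID, self.CLIENT_SECRET, code, self.REDIRECT_URI)
        return None if tok is None else self._as.userinfo(tok["access_token"])


def run_flow():
    auth = AuthorizationServer()
    app = WebAppClient(auth)
    params = parse_qs(urlparse(app.start()).query)
    user = {"sub": "alice", "permissions": ["read"]}  # constructed sample user

    redirect = auth.authorize(params["client_id"][0], params["redirect_uri"][0],
                              params["state"][0], user)
    first = app.callback(redirect)
    replay = app.callback(redirect)  # same code and state again -> rejected
    bad_uri = auth.authorize("demo-client", "https://other.example.test/cb", "s", user)
    forged = app.callback(app.REDIRECT_URI + "?code=xyz&state=not-ours")
    return {"user": first, "replay_rejected": replay is None,
            "bad_uri_rejected": bad_uri is None, "forged_rejected": forged is None}


if __name__ == "__main__":
    print(run_flow())
```

The token never passes through the browser: the front channel carries only the short-lived code and the `state`, and `WebAppClient.callback` does the exchange server-side, which is the "token is stored in the back end" property the paragraph credits for avoiding token leakage.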

Implicit (implicit)

Some web applications are pure front-end applications with no back end. The method above cannot be used there, and the token has to be stored in the front end. RFC 6749 specifies a second way that allows the token to be issued directly to the front end. This method has no intermediate authorization-code step, so it is called "implicit".

Password (password)

If you highly trust an application, RFC 6749 also allows the user to give the application their username and password directly. The application uses that password to apply for a token; this is the "password" mode.

Client credentials (client-credentials)

The last method is client credentials, which is suitable for command-line applications without a front end, that is, tokens are requested from the command line.

Simplified process

[Figure: simplified OAuth2.0 flow diagram; image not preserved]

4. The difference between several terms

First, SSO is an idea, or a solution. It is abstract; what we have to do is implement it according to that idea.

Second, OAuth2 is a protocol that lets a user authorize a third-party application to access their resources on another server. It is not designed for single sign-on, but we can use it to achieve single sign-on. When implementing SSO in this example, the protected resource is the user's information (the user's basic information and permissions); the user must log in and authorize access to this resource, and the OAuth2 server is responsible for token issuance and related operations. We use JWT to generate the token, meaning that a JWT carries the user's Access_Token.
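The "JWT carries the access token" design, as an added example that is not the original post's code and uses no JWT library: the authorization server mints an HS256 token whose claims are the protected resource named above (user id and permissions), and a business system verifies it before making an access-control decision. The signing key, claim names, lifetime and the `has_permission` helper are assumptions for this illustration; the verifier pins the algorithm instead of trusting the header and uses a constant-time comparison on the signature.

```python
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"  # shared by issuer and business systems
TOKEN_LIFETIME = 900  # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(username, permissions, key=SIGNING_KEY, now=None):
    """Authorization-server side: header.payload.signature with the user's
    id and permissions as claims and an expiry time."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "permissions": permissions,
               "iat": now, "exp": now + TOKEN_LIFETIME}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token, key=SIGNING_KEY, now=None):
    """Business-system side. Returns the claims, or None when the token is
    malformed, names an algorithm other than the pinned HS256, carries a bad
    signature, or has expired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def has_permission(token, permission, key=SIGNING_KEY, now=None):
    """Per-request access-control check a business system would run."""
    claims = verify_access_token(token, key, now)
    return claims is not None and permission in claims.get("permissions", [])


if __name__ == "__main__":
    tok = issue_access_token("alice", ["read"])
    print(tok)
    print(verify_access_token(tok))
    print(has_permission(tok, "read"), has_permission(tok, "write"))
```

Because the permissions travel inside the signed token, a business system can authorize a request without calling back to the OAuth2 server, but only as long as it checks the signature and expiry every time; the `now` parameter exists so that expiry handling can be exercised deterministically.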

Finally, Spring Security and Shiro are used for secure access and access control. Both are frameworks written in Java.

Source : ximeneschen.blog.csdn.net/article/details/115182080


Origin blog.csdn.net/j3T9Z7H/article/details/130355121