OAuth 2.0 - Authorization Service Development Notes (1)

1. Concept

OAuth is an open network standard about authorization, which is widely used all over the world. The current version is version 2.0. Version 1.0 was abandoned because of its cumbersome design.

The OAuth protocol provides a secure and simple standard for authorizing access to user resources. Unlike earlier authorization methods, OAuth never lets the third party see the user's account credentials (such as user name and password): the third party can request the user's resources without ever handling the user's user name and password, which is what makes OAuth secure. OAuth is short for Open Authorization.

OAuth itself has no single standard implementation; back-end developers implement it according to their actual needs and the specification. The steps are generally as follows:

1. The third party requires the user to grant authorization
2. The user agrees to the authorization
3. According to the authorization obtained in the previous step, the third party requests a token from the authentication server
4. The authentication server authenticates the authorization and issues the token after confirming that it is correct
5. The third party uses the token to request resources from the resource server
6. The resource server asks the authentication server to confirm that the token is valid, and provides the resource once it is confirmed


2. OAuth members:

1. Resource Owner (resource owner: the user)
2. Client (third-party access platform: the requester)
3. Resource Server (server resource: data center)
4. Authorization Server (authentication server)


3. Idea flow

OAuth sets up an authorization layer between the "client" and the "service provider". The "client" cannot log in to the "service provider" directly; it can only log in to the authorization layer, which separates the user from the client. The token that the "client" uses to log in to the authorization layer is different from the user's password, and when logging in the user can specify the permission scope and validity period of that token.
After the "client" has logged in to the authorization layer, the "service provider" opens the user's stored data to the "client" according to the scope and validity period of the token.

Authorization steps:

①Authorization Request: the third party requests the user's authorization
②Authorization Grant: after the user agrees, the third party obtains a one-time user authorization credential (such as a code) from the service provider
③Authorization Grant: the third party hands the authorization credential, together with the identity credentials the service provider issued to it (such as the AppId), to the service provider to apply for an access token
④Access Token: the authentication server checks the authorization credential and the other information and issues an access token
⑤Access Token: the third party uses the access token to ask the Resource Server for data
⑥Protected Resource: the resource server asks the authentication server to confirm that the token is valid, and provides the resource once it is confirmed.
In this way the service provider can confirm, first, that the third party has obtained the user's authorization for this service (from the user authorization credential) and, second, that the third party's identity can be trusted (from the identity credentials), so the final result is that the third party successfully obtains the requested service from the service provider. From the above process it can be seen that OAuth 2.0 completely solves the trust problem between the user, the service provider and the third party for a given service.

4. Authorization type:

In open authorization the third-party application (Client) may be a Web site, a piece of JavaScript code running in a browser, or an application installed locally. These kinds of third-party application have different security properties. A Web site is separated from the RO's (resource owner's) browser and can keep the protocol's sensitive data (such as its keys) to itself, so those keys need not be exposed to the RO; JavaScript code and locally installed applications run on the RO's side, in the RO's browser, so the RO can access the sensitive data the Client holds in the protocol.

OAuth has multiple authorization types, such as Authorization Code Grant, Implicit Grant, RO Credentials Grant (Resource Owner Password Credentials Grant), and Client Credentials Grant.


5. Refreshing the token:

If the client's access token (access_token) has expired when the user visits, the client must use the refresh token (refresh_token) to apply for a new access token. The client sends an HTTP request to refresh the token, containing the following parameters:

grant_type: indicates the authorization mode used; here the value is fixed to "refresh_token". Required.
refresh_token: the refresh token received earlier. Required.
scope: the authorization scope applied for, which cannot exceed the scope of the previous application. If this parameter is omitted, the scope is the same as before.

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
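The token endpoint as it would be written on the authorization-server side, covering both the code exchange of section 3 (steps ③/④) and the refresh request of section 5. This is an added example, not code from the original post or from any real server; the in-memory stores and the client_id/client_secret pair are constructed values.

```python
import secrets
import time

# Constructed in-memory stores standing in for the authorization server's database.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}   # client_id -> client_secret (hypothetical values)
AUTH_CODES = {}       # code -> {"client_id", "redirect_uri", "scope", "expires"}
REFRESH_TOKENS = {}   # refresh_token -> {"client_id", "scope"}
TOKEN_TTL = 3600      # seconds an access token stays valid


def issue_code(client_id, redirect_uri, scope):
    """Step 2: the user approved; mint a short-lived, single-use authorization code."""
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                        "scope": set(scope.split()), "expires": time.time() + 600}
    return code


def _mint(client_id, scope):
    """Create a fresh access/refresh token pair bound to this client and scope."""
    refresh = secrets.token_urlsafe(32)
    REFRESH_TOKENS[refresh] = {"client_id": client_id, "scope": scope}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": TOKEN_TTL, "refresh_token": refresh,
            "scope": " ".join(sorted(scope))}


def token_endpoint(client_id, client_secret, form):
    """Steps 3/4 and section 5: validate the grant and issue tokens, or return an OAuth error."""
    if not secrets.compare_digest(CLIENTS.get(client_id, ""), client_secret or ""):
        return {"error": "invalid_client"}          # identity credentials (AppId/secret) wrong
    grant = form.get("grant_type")
    if grant == "authorization_code":
        rec = AUTH_CODES.pop(form.get("code"), None)   # pop: the code is one-time use
        if (rec is None or rec["client_id"] != client_id
                or rec["redirect_uri"] != form.get("redirect_uri")
                or rec["expires"] < time.time()):
            return {"error": "invalid_grant"}
        return _mint(client_id, rec["scope"])
    if grant == "refresh_token":
        old = form.get("refresh_token")
        rec = REFRESH_TOKENS.get(old)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        wanted = set(form["scope"].split()) if form.get("scope") else rec["scope"]
        if not wanted <= rec["scope"]:              # must not exceed the scope granted before
            return {"error": "invalid_scope"}
        del REFRESH_TOKENS[old]                     # rotate: the old refresh token dies
        return _mint(client_id, wanted)
    return {"error": "unsupported_grant_type"}
```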

6. Case reference

Facebook's OAuth 2.0 authentication:

Step 1:

The URL the app requests from the OAuth Server => https://facebook.com/dialog/oauth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=REDIRECT_URI&scope=email

It carries the app's id and key and the request type, and returns an access_token string and the event type code.

Step 2:

Callback: the user is redirected to the permission confirmation page, which waits for the user to confirm the authorization => https://facebook.com/dialog/oauth?response_type=code&client_id=28653682475872&redirect_uri=example.com&scope=email

This page then calls back to the callback page specified by redirect_uri.

Step 3:

Using the returned access_token, send the app's id and key together with the code to: POST https://graph.facebook.com/oauth/access_token

This step is to obtain the token.

Step 4:

The OAuth Server returns the token; from this point on the resources the user authorized can be fetched with the token.
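The client side of the four steps above, as an added example that is not code from the original post or from Facebook's SDK: it builds the step 1 authorize URL, validates the step 2 callback before trusting the code, and assembles the step 3 form body. The client_id/secret/redirect values are hypothetical, and the state parameter is an extra per-session random check added here so that a callback the app did not start is rejected.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical app registration values; a real app substitutes its own.
AUTHORIZE_URL = "https://facebook.com/dialog/oauth"
TOKEN_URL = "https://graph.facebook.com/oauth/access_token"
CLIENT_ID = "YOUR_CLIENT_ID"
CLIENT_SECRET = "YOUR_CLIENT_SECRET"
REDIRECT_URI = "https://example.com/callback"


def new_state():
    """Random value stored in the user's session before step 1 and checked in step 2."""
    return secrets.token_urlsafe(16)


def build_authorize_url(state):
    """Step 1: the URL the app sends the user's browser to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "email", "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirected back to redirect_uri; return (code, error).

    The code is released only when the state matches the one saved in the session."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return None, "state mismatch"
    if "error" in q:                       # user denied, or provider reported a problem
        return None, q["error"][0]
    code = q.get("code", [None])[0]
    if not code:
        return None, "missing code"
    return code, None


def build_token_request(code):
    """Step 3: endpoint and form body for the server-to-server POST that trades the
    code for a token; the client secret is sent here and never to the browser."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}
    return TOKEN_URL, body
```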


Reference documents:

https://segmentfault.com/a/1190000000758580

https://segmentfault.com/a/1190000010540911

Origin blog.csdn.net/sm9sun/article/details/88309114