Single sign-on technical solution introduction and OAuth2 authentication flow diagram

Single sign-on technical solution

To achieve single sign-on in a distributed system, the authentication system is usually split out as an independent service, and user identity information is kept in a separate store such as MySQL or Redis; given the performance requirements, Redis is the usual choice.

The characteristics of single sign-on are:

1. The authentication system is an independent system.
2. Each subsystem communicates with the authentication system over HTTP or another protocol to complete user authentication.
3. User identity information is stored in a Redis cluster. Because every subsystem trusts whatever it finds there, the session IDs or tokens kept in the store must be unguessable random values with a time-to-live.

There are many user authentication frameworks in Java that can implement single sign-on:

1. Apache Shiro
2. CAS
3. Spring Security CAS

OAuth2 authentication

OAuth2 authentication process

Third-party authentication is mainly a matter of standardizing the protocol: to authenticate across systems, the systems involved must agree on an interface protocol.
The OAuth protocol provides a secure, open and simple standard for authorizing access to user resources. Any third party can use an OAuth service, and any service provider can run its own OAuth service, which is why OAuth is open. Implementations exist as development kits for PHP, JavaScript, Java, Ruby and other languages, which saves developers a great deal of time, which is why OAuth is simple. Many Internet services expose Open APIs, and large companies such as Google, Yahoo and Microsoft offer OAuth services, so OAuth has gradually become the standard for open resource authorization.
The OAuth protocol has evolved to version 2.0: version 1.0 was too complicated, and version 2.0 is now widely used. Note that OAuth 2.0 is strictly an authorization framework; the "log in with WeChat" pattern below uses it for authentication by letting the website fetch the user's identity from WeChat once access has been authorized.
Reference: https://baike.baidu.com/item/oAuth/7153134?fr=aladdin
OAuth protocol: https://tools.ietf.org/html/rfc6749
Below we walk through an example of OAuth2 authentication: a website lets users log in with WeChat. The process is:
1. The client requests third-party authorization.
The user opens the login page of the Dark Horse Programmer website and clicks the WeChat icon to log in with a WeChat account; the user is the resource owner of the information held in WeChat.

Clicking "WeChat" shows a QR code. The user scans it with WeChat, which starts the authorization of the Dark Horse Programmer site.

2. The resource owner agrees to authorize the client.
Scanning the QR code signals that the resource owner wants to authorize the client. WeChat verifies the resource owner's identity and then asks the user whether to allow the Dark Horse Programmer site to access their WeChat data; the user clicks "Confirm Login" to grant it. The WeChat authorization server then issues an authorization code and redirects the browser back to the Dark Horse Programmer website, to the redirect URI the site registered with WeChat, carrying the code and the state value the site sent in step 1.

3. The client receives the authorization code and requests a token from the authorization server.
This step is invisible to the user: the client application sends the authorization code to the authorization server's token endpoint, together with its own client credentials and the same redirect URI, so that a code observed in the browser redirect cannot be exchanged by anyone else.
4. The authorization server responds to the client with a token.
The authorization server verifies the authorization code (it must have been issued to this client, be unexpired and not yet used) and, if it is valid, issues an access token. The token is the client's passport for accessing resources.
The user cannot see this exchange either; once the client holds the token, the user sees that login on the Dark Horse Programmer site has succeeded.
5. The client requests resources from the resource server.
The client presents the token when calling the resource server: the Dark Horse Programmer website sends the token to the WeChat server to obtain the user's basic information.
6. The resource server returns the protected resource.
The resource server verifies that the token is valid and, if so, returns the resource content.
Note: The resource server and the authorization server can be one service or separate services. If they are separate, the resource server usually has to ask the authorization server to validate the token.

The general OAuth 2.0 authorization flow is as follows (quoted from RFC 6749, https://tools.ietf.org/html/rfc6749):
(Figure: the abstract protocol flow from RFC 6749, Section 1.2. The client requests authorization from the resource owner and receives an authorization grant; it presents the grant to the authorization server and receives an access token; it presents the access token to the resource server and receives the protected resource.)

OAuth2 involves the following roles:

1. The client
Holds no resources of its own; it must be authorized by the resource owner before it can request resources from the resource server. Examples: the Xuecheng Online Android client, the Xuecheng Online web client (browser), the WeChat client, etc.
2. The resource owner
Usually a user, but possibly an application: the owner of the resource.
3. The authorization server (also called the authentication server)
Authenticates the resource owner and authorizes access to resources. A client that wants to access resources must first obtain the resource owner's authorization through the authorization server.
4. The resource server
The server that stores the resources, for example the Xuecheng Online user management server (user information), the Xuecheng Online learning server (students' learning records), the WeChat resource service (WeChat user information), etc. The client finally calls the resource server to obtain the resource.


Origin blog.csdn.net/a772304419/article/details/132083214