Interviewer: Tell me the difference between SSO (single sign-on) and OAuth2.0

Hello, I am 路人; more quality articles are on my personal blog: http://itsoku.com

1. Overview


SSO stands for Single Sign-On, and OAuth stands for Open Authorization. Both replace the user's password with a token when accessing applications. The two flows look very similar, but the concepts behind them are quite different. SSO should be familiar to everyone: it separates login authentication from the business systems and moves it into an independent login center, so that once the user has logged in at the login center, every related business system can be used without logging in again.


The principle of OAuth2.0 may be less familiar, but it is used constantly in daily life. For example, you visit a website, want to leave a comment, do not want to register, and so use "Log in with WeChat". In both cases the business system does not hold your account and password; they are stored only in the login center or on the WeChat server. This is what is meant by using tokens instead of account passwords to access applications.


2. SSO


The two share many similarities, so let us walk through the flows, starting with SSO; comparing OAuth2.0 against SSO makes the principle of OAuth2.0 easier to understand. Many frameworks implement SSO, for example CAS. Below is the official CAS flowchart. Note in particular: SSO is an idea, and CAS is just one framework that implements that idea.

[Figure: official CAS flowchart, image not included]


The flow is roughly:

  • The user enters the URL of the business system (Protected App). The system finds that the user is not logged in and redirects the browser to the single sign-on system (CAS Server), passing its own address in the service parameter.

  • The browser arrives at the single sign-on system, which checks whether the user is logged in. This is the first endpoint of the SSO (here, CAS) system. If the user is not logged in, it redirects the user to the login page; if the user is already logged in, it uses the global session and redirects straight back to the business system.

  • The user fills in the password and submits the login. Note that the login page at this point is served by the SSO system; only the SSO system stores the user's password.

  • The SSO system verifies the password and, if it is correct, redirects back to the business system carrying a ticket issued by the SSO system.

  • The browser lands on the business system's login endpoint. This endpoint asks for no password; it receives the SSO ticket, and the business system uses that ticket to call the SSO system (server to server) and obtain the user information. It then creates a local session, marking the login as successful, and returns the session id to the browser (in Tomcat this is the JSESSIONID cookie). When validating, the SSO system should accept a ticket only once, only for the service it was issued to, and only within a short lifetime; otherwise a leaked callback URL can be replayed.

  • From then on all interaction with the business system uses that sessionId, and the SSO system is no longer involved.

The most familiar example: open the Taobao app and the home page has links to Tmall, Juhuasuan and other services. Tap one and you go straight through without being asked to log in again.
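The CAS-style flow above, as an added example that is not part of the original article or of CAS itself. It is a toy in-process simulation: the SSO server holds the only password store (a constructed plaintext map here; a real server stores salted hashes), keeps a global session (the TGT), issues service tickets bound to one service URL, and consumes each ticket on validation. The business apps never see a password; they trust a validated ticket and create their own local session. Class names, URLs and the user "alice" are assumptions for illustration.

```python
import hmac
import secrets
import time

# Constructed toy user store for the SSO server, the only place passwords live.
# A real login center stores salted password hashes, never plaintext.
SSO_USERS = {"alice": "correct horse battery staple"}
TICKET_TTL_SECONDS = 10  # service tickets are short-lived and single-use


class SsoServer:
    """Minimal CAS-style login center: global session (TGT) plus service tickets."""

    def __init__(self):
        self.global_sessions = {}   # tgt -> username (the browser holds tgt as a cookie)
        self.service_tickets = {}   # ticket -> (username, service, issued_at)

    def login(self, username, password):
        """The password check happens only here; returns a TGT cookie value or None."""
        expected = SSO_USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        tgt = "TGT-" + secrets.token_urlsafe(32)
        self.global_sessions[tgt] = username
        return tgt

    def issue_service_ticket(self, tgt, service):
        """Called when a browser arrives with ?service=<app url> and a valid TGT cookie."""
        username = self.global_sessions.get(tgt)
        if username is None:
            return None  # not logged in: the real server would show the login page
        ticket = "ST-" + secrets.token_urlsafe(32)
        self.service_tickets[ticket] = (username, service, time.time())
        return ticket

    def validate(self, ticket, service):
        """Back-channel validation by the app: one use, one service, short lifetime."""
        entry = self.service_tickets.pop(ticket, None)  # pop: replaying the ticket fails
        if entry is None:
            return None
        username, bound_service, issued_at = entry
        if bound_service != service or time.time() - issued_at > TICKET_TTL_SECONDS:
            return None
        return username


class BusinessApp:
    """A protected app with no passwords of its own; it trusts validated tickets."""

    def __init__(self, url, sso):
        self.url, self.sso = url, sso
        self.local_sessions = {}    # JSESSIONID-like value -> username

    def handle_login_callback(self, ticket):
        username = self.sso.validate(ticket, self.url)
        if username is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.local_sessions[session_id] = username
        return session_id

    def whoami(self, session_id):
        return self.local_sessions.get(session_id)


def demo():
    sso = SsoServer()
    app_a = BusinessApp("https://a.example/login", sso)
    app_b = BusinessApp("https://b.example/login", sso)

    # App A redirects to the SSO server; the user types the password once, there.
    tgt = sso.login("alice", "correct horse battery staple")
    # The SSO server redirects back to app A with a ticket; app A validates it server-side.
    st_a = sso.issue_service_ticket(tgt, app_a.url)
    sid_a = app_a.handle_login_callback(st_a)
    # Later, app B only needs the browser's TGT cookie: no second password prompt.
    st_b = sso.issue_service_ticket(tgt, app_b.url)
    sid_b = app_b.handle_login_callback(st_b)
    replayed = app_a.handle_login_callback(st_a)        # same ticket again: rejected
    st_for_a = sso.issue_service_ticket(tgt, app_a.url)
    misused = app_b.handle_login_callback(st_for_a)     # ticket for A presented to B: rejected
    return app_a.whoami(sid_a), app_b.whoami(sid_b), replayed, misused


if __name__ == "__main__":
    print(demo())
```

The three checks in validate (pop, service match, TTL) are what turn a ticket in a URL into something safe to pass through the browser: it is worthless after one use, at any other service, or after a few seconds.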



3. OAuth2.0


OAuth2.0 has several grant types (modes); here we discuss the authorization code grant. Its flow is similar to that of SSO. OAuth2 defines roles such as the authorization server, the resource server and the client. When OAuth2 is used to implement SSO, a separate resource server is not required; an authorization server and the clients are enough.

The authorization server handles authentication, and each application system is a client. After a successful login the client only needs to obtain the user's information and the user's permissions.

  • The user clicks "Log in with WeChat" on a website. The website here corresponds to the business system, and the WeChat authorization server corresponds to the single sign-on system.

  • WeChat then shows a confirmation (consent) page, which plays the role of the login page. This page belongs to WeChat, not to the business system.

  • The user confirms the authorization, which corresponds to entering the account and password. After submission, WeChat authenticates the user, issues an authorization code (the counterpart of the SSO ticket) and redirects back to the business system with it.

  • The business system sends the code to the WeChat server together with its own client credentials, the WeChat server returns the real access token, and the business system uses that token to fetch the user information.
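The authorization code exchange above, as an added example that is not part of the original article and not WeChat's API. It simulates both sides in one process: the authorization server issues a code bound to the client, the registered redirect URI and the user, then exchanges it exactly once for an access token after authenticating the client; the website keeps a state value and a PKCE verifier in its own session and rejects callbacks it did not start. PKCE (RFC 7636) and the state parameter go beyond what the text describes; they are the standard hardening of this flow. The client id "site-123", its secret, the URLs and the user "wx_user_42" are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_SECONDS = 60  # authorization codes are short-lived


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy authorization server standing in for WeChat: issues codes, exchanges them for tokens."""

    def __init__(self):
        # Hypothetical registered client; the redirect URI is pinned at registration time.
        self.clients = {"site-123": {"secret": "s3cret", "redirect_uri": "https://site.example/cb"}}
        self.codes = {}    # code -> {client_id, redirect_uri, user, challenge, issued_at}
        self.tokens = {}   # access token -> user

    def authorize(self, client_id, redirect_uri, state, code_challenge, user):
        """The user has logged in and pressed 'allow'; build the redirect back to the site."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None  # never send a code to an unregistered redirect URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "challenge": code_challenge, "issued_at": time.time()}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Back-channel exchange; the browser never sees the access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a code can be exchanged exactly once
        if entry is None or entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return None
        if time.time() - entry["issued_at"] > CODE_TTL_SECONDS:
            return None
        if not hmac.compare_digest(pkce_challenge(code_verifier), entry["challenge"]):
            return None  # whoever intercepted the code does not hold the verifier
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = entry["user"]
        return access_token

    def userinfo(self, access_token):
        return self.tokens.get(access_token)


class ClientApp:
    """The website: a confidential client with a backend that holds the secret and the token."""

    def __init__(self, client_id, secret, redirect_uri, auth_server):
        self.client_id, self.secret, self.redirect_uri, self.auth = client_id, secret, redirect_uri, auth_server
        self.pending = {}  # state -> PKCE verifier, kept server-side in the user's session

    def start_login(self):
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[state] = verifier
        return state, pkce_challenge(verifier)  # both go into the authorize URL

    def callback(self, redirect_url):
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        verifier = self.pending.pop(state, None)
        if verifier is None or code is None:
            return None  # unknown state: CSRF / login-injection attempt, or a replayed callback
        token = self.auth.token(self.client_id, self.secret, code, self.redirect_uri, verifier)
        return None if token is None else self.auth.userinfo(token)


def demo():
    auth = AuthorizationServer()
    site = ClientApp("site-123", "s3cret", "https://site.example/cb", auth)
    state, challenge = site.start_login()
    # The user authenticates at the authorization server and approves the consent page.
    redirect = auth.authorize("site-123", "https://site.example/cb", state, challenge, "wx_user_42")
    user = site.callback(redirect)                         # the site learns who the user is
    replay = site.callback(redirect)                       # state already consumed: None
    # A code stolen from a second login attempt cannot be exchanged without the verifier.
    state2, challenge2 = site.start_login()
    redirect2 = auth.authorize("site-123", "https://site.example/cb", state2, challenge2, "wx_user_42")
    stolen_code = parse_qs(urlparse(redirect2).query)["code"][0]
    stolen = auth.token("site-123", "s3cret", stolen_code, "https://site.example/cb", "wrong-verifier")
    bad_uri = auth.authorize("site-123", "https://evil.example/cb", state, challenge, "wx_user_42")
    return user, replay, stolen, bad_uri


if __name__ == "__main__":
    print(demo())
```

The same shape as the SSO ticket: the code passes through the browser, so it is made single-use, short-lived and bound to the client and redirect URI, and the token that actually grants access is only ever exchanged and stored on the backend.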


A brief introduction to the four grant types of OAuth2.0:

Authorization code (authorization-code)
In the authorization code grant, the third-party application first obtains an authorization code and then exchanges the code for a token. This is the most commonly used flow and the most secure. It suits web applications that have a backend: the authorization code passes through the front end (browser), the token is kept in the backend, and all communication with the resource server happens from the backend. Keeping the token out of the front end avoids leaking it. In practice the flow should also carry a state parameter (against CSRF on the callback) and, for public clients, PKCE (RFC 7636) so that an intercepted code cannot be exchanged.

Implicit (implicit)

Some web applications are pure front-end applications with no backend. They cannot use the flow above, and the token has to live in the front end. RFC 6749 specifies a second method that issues the token directly to the front end. Because it skips the intermediate authorization code step, it is called "implicit". Note that the implicit grant exposes the access token in the redirect URL and is now discouraged (OAuth 2.0 Security Best Current Practice, RFC 9700); single-page applications should use the authorization code grant with PKCE instead.

Password (password)

If an application is highly trusted, RFC 6749 also allows the user to hand it their username and password directly; the application uses the password to request a token. This is the "password" (resource owner password credentials) grant. It gives the application the very password OAuth2 was meant to keep away from it, and it is likewise discouraged for new systems.

Client credentials (client-credentials)

The last method is client credentials. Here there is no user at all: the client authenticates with its own client id and secret and obtains a token for acting on its own behalf, for example a backend service or a command-line tool calling an API.

Simple flow

[Figure: simple OAuth2.0 flow, image not included]


4. The difference between several terms


First, SSO is an idea, or a solution; it is abstract, and what we do is implement it according to that idea.


Second, OAuth2 is a protocol that lets a user authorize a third-party application to access their resources on another server. It was not designed for single sign-on, but it can be used to implement it. When implementing SSO this way, the protected resource is the user's information (basic profile plus permissions); the user logs in and authorizes access to that resource, and the OAuth2 server is responsible for issuing tokens. In the example here JWT is used as the token format, meaning the Access_Token is carried as a JWT. Strictly speaking, "logging in" a user on top of OAuth2 is what OpenID Connect standardizes by adding an ID token; plain OAuth2 only says that the client may call an API on the user's behalf.


Finally, Spring Security and Shiro are frameworks for secure access and access control, both written in Java.


Origin blog.csdn.net/likun557/article/details/132033367