OAuth2 basics

Enterprise 2023-09-29 18:59:41 views: null

What is OAuth 2

  1. OAuth 2.0 is an authorization protocol whose core is authorization permission and token mechanism.

  2. It allows third parties to access the user's data on behalf of the user by issuing access tokens to third parties, rather than directly giving the third party a username and password.

  3. It is mainly used to protect the Web API interface. Third parties can only access the API after obtaining authorization and access tokens.

  4. It enables third-party software to securely access data on behalf of users without increasing security risks.

  5. The typical authorization process includes: user login, user authorization, issuance of authorization code, third party exchanging authorization code for access token, and third party using access token to obtain data.

  6. OAuth 2.0 is used in many scenarios, such as logging in to other apps with WeChat, using WeChat applets, etc.

  7. Authorization code permission is the most complete and secure authorization method in OAuth 2.0.

  8. The core idea of ​​OAuth 2.0 can be applied to different scenarios, ensuring communication security while improving user experience.

Requirements for authorization codes

  1. In OAuth2.0, access tokens need to be highly confidential and cannot be directly exposed in the browser. If you do not use an authorization code, you can only communicate through the backend when obtaining the access token, and you cannot establish a "connection" between the user and the client.

  2. Using the authorization code can achieve two redirections, which not only ensures security but also improves user experience. The first redirection is used to obtain the authorization code, and the second redirection is used to re-establish the connection between the user and the client.

  3. As a temporary credential, the authorization code can be exposed on the front end, while the access token can only be transferred on the back end. This not only meets the requirements of communication security, but also achieves a smooth user experience.

  4. The authorization code realizes the combination of indirect communication to obtain the authorization code and direct communication to obtain the access token, perfectly organizing the interaction of the four roles of OAuth2.0.

  5. The idea of ​​authorization code permission can be transplanted to other scenarios. For example, a similar process is used in WeChat mini programs.

  6. Generally speaking, the authorization code mechanism makes the authorization code permission type the most complete and secure authorization process in OAuth2.0.

work process

The workflow of the authorization service can be summarized as follows:

  1. The authorization service is responsible for issuing access tokens and is the core of OAuth 2.0.

  2. Its work can be divided into two parts: issuing authorization codes and issuing access tokens.

  3. Issuing an authorization code requires preparation work, including verifying basic information, verifying permission scope, and generating an authorization page.

  4. After the user is authorized, continue to verify the permission scope, generate and bind the authorization code, and redirect the callback address.

  5. Issuing an access token requires verifying third-party software information, verifying authorization codes, generating access tokens, and binding information.

  6. At the same time, a refresh token is generated, which is used to reacquire the access token after it expires.

  7. Using a refresh token requires verifying information and regenerating the access token.

  8. The scope of permissions needs to be verified throughout the entire process to ensure the principle of least authorization.

  9. The authorization service takes away the complexity and makes it easier for third-party software to access OAuth 2.0.

JWT token

Regarding JWT tokens, the following key points can be summarized:

  1. JWT is a structured token format, including HEADER, PAYLOAD, and SIGNATURE.

  2. HEADER represents header information, PAYLOAD represents the data body, and SIGNATURE is the signature.

  3. JWT can contain user authorization information in the token without requiring a database or RPC query.

  4. Using JWT can implement token internal inspection, and protected resources can directly parse JWT.

  5. The advantages of JWT are computing instead of storage, forcing encryption, and enhancing system availability.

  6. The disadvantage of JWT is that the token status cannot be modified during use and requires supporting key management.

  7. Tokens have three life cycles: natural expiration, use of refresh tokens, and active revocation.

  8. To third-party software, the token remains opaque and core services need to pay attention to the token.

  9. JWT is suitable for scenarios where information needs to be transmitted securely without relying on state.

How to securely and quickly access OAuth 2

Regarding third-party software and protected resource services accessing OAuth 2.0, the following points can be summarized:

  1. Third-party software needs to pay attention to registration information, boot authorization, use access tokens, and use refresh tokens.

  2. When booting authorization, the user needs to be redirected to the authorization service for authorization.

  3. When using access tokens, it is recommended to submit them as form parameters rather than URI query parameters or request header fields.

  4. When using refresh tokens, you need to pay attention to the validity period of the access token to avoid frequent reauthorization.

  5. Protected resource services need to verify access tokens and pay attention to permission scope. Commonly used permissions include different permissions corresponding to different operations, data, and users.

  6. You can use API gateway to handle permission verification uniformly to avoid duplicating this logic for each resource service.

  7. Third-party software cares about obtaining and using tokens, and resource services care about verifying tokens and permission control.

  8. Both of them only need to focus on their own responsibilities and do not have to deal with all the complex processes of OAuth 2.0.

OAuth3 authorization types

OAuth 2.0 defines 4 authorization types:

Authorization Code Grant

Obtain the access token through the authorization code temporary credential, which has the most complete process and the highest security.

Implicit Grant

The access token is returned directly in the front-end communication, no authorization code is required. Suitable for pure front-end applications.

Resource Owner Password Credentials Grant

Get access token directly using username and password. Suitable for highly trusted official software.

Client Credentials Grant

The client obtains the access token directly through app_id and app_secret without user participation. Suitable for accessing public data.

The main difference between these 4 authorization types is the way to obtain the access token. When selecting an authorization type, you need to weigh it based on the application scenario and security requirements, and give priority to authorization code permission types with higher security.

Regarding the four authorization types of OAuth2.0, the following key points can be summarized:

  1. The authorization code permission type is the authorization method with the most complete process and the highest security.

  2. Resource owner credential licensing is available for official software, use username and password to obtain tokens.

  3. Client credential permissions are used to get public data, using app_id and app_secret to get the token.

  4. Implicit permission is suitable for pure browser-side applications and returns the access token directly on the front end.

  5. When selecting an authorization type, give priority to the authorization code license, and then select the most suitable type based on the actual scenario.

  6. The way to obtain the access token is the biggest difference between the four authorization types.

  7. All types are designed to solve authorization problems in actual scenarios and need to be selected based on specific circumstances.

  8. In non-browser environments, consider client credential permissions or resource owner credential permissions.

  9. According to the principle of security priority, choose the most suitable authorization type.

Guess you like

Origin blog.csdn.net/xielinrui123/article/details/132796833
Recommended
Ranking
vue project automated build tools 1.0, support for multi-page build
JDBC add, update, delete data
SpringCloud combat service in response to the decline tutorial series (Chapter IV)
A segmentation fault (core dumped) error occurs when C+11 compiles and calls the PCL library
Django achieve websocket
Go语言并发之道--笔记1
Three-tier structure and application
Zhejiang data structure after-school exercise practice two 7-2 Reversing Linked List (25 points)
Front-end interview brushing day9 (updated daily high-frequency inspection points for front-end interviews)
The difference between the shell of the single and double quote
Daily
More
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)

Code World

© 2018 codetd.com