What is OAuth2.0

Preface

OAuth (Open Authorization) is an open standard for authorization. It lets users grant a third-party application access to their information held by another service provider without handing that application their username and password, and without sharing all of their data. OAuth is widely used around the world; the current version is 2.0.

1. Why use OAuth2.0?

In the preface, we introduced the role of OAuth2.0, but why should we choose OAuth2.0 compared with other login methods?

Case explanation:

In daily life many applications require a login. In an ordinary app we usually log in with an account and password, so we have to enter them every time we log in. Someone will say: I can have my device remember the password after logging in once. But if I switch devices, I still have to enter the account and password. Logging in frequently with the account and password therefore tends to reduce security considerably. This is where OAuth2.0 comes in. When we log in with a third-party account, we only need to authorize the current app or website; we no longer need to log in with our account password again and again, which greatly reduces the cost and the risk of the account and password being leaked. Take WeChat login as an example: WeChat has a strong authentication mechanism and can also manage the permissions granted to each website. This not only makes managing our permissions a better experience, but also improves the security of our users' information.

Summary: OAuth provides a more secure, convenient and user-friendly authentication and authorization mechanism, and is especially suitable for applications that need to integrate third-party services.

2. OAuth2.0 authorization mechanism

1. OAuth2.0 roles

  1. Resource Owner: Usually the end user, who owns resources (such as data) and needs to authorize third-party applications to access these resources.

  2. Client: A third-party application that wishes to access the resource owner's protected resources.

  3. Authorization Server: Responsible for authenticating resource owners and issuing Access Tokens to clients.

  4. Resource Server: Protects controlled resources and only grants access to holders of a valid access token.

2. OAuth2.0 authorization process

2.1 Authorization Code Grant:

  1. Client redirection: The client redirects the user to the authorization server, requests authorization, and provides its own identity.

  2. User authorization: The user logs in on the authorization server and agrees to authorize the client.

  3. Authorization code issuance: The authorization server generates an authorization code and passes it to the client.

  4. Token request: The client uses the authorization code to request an access token (Access Token).

  5. Access token issuance: The authorization server verifies the authorization code and, if valid, issues an access token.

  6. Resource access: The client uses the access token to access protected resources on the resource server.

Token Features:

  1. Tokens are time-limited: they are generally short-lived and cannot be modified, whereas passwords are generally valid for a long time.
  2. A token can be revoked by its issuer, and the revocation takes effect immediately; a password generally stays valid for a long time unless it is changed.
  3. A token can carry a scope of permissions, which users cannot modify.

When using a token you must keep it confidential: once a token is verified as valid, its holder is admitted to the system and no further verification is performed.
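The six steps of the authorization code grant above, together with the token properties just listed (short lifetime, immediate revocation, fixed scope, and a valid token being accepted without further checks), as a toy in-memory simulation. This is an added example, not code from the original post; the client id, secret, redirect URI, user and scope names are all constructed.

```python
import secrets
import time

PHOTOS = {"alice": ["beach.jpg"]}  # the protected resource (constructed data)

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # single-use authorization codes
        self.tokens = {}        # live access tokens: token -> {scope, user, exp}

    def authorize(self, client_id, redirect_uri, scope, user):
        """Steps 1-3: the user has logged in and consented; issue a short-lived code."""
        if redirect_uri != self.clients[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, ttl=300):
        """Steps 4-5: authenticate the client, burn the code, mint an access token."""
        client = self.clients.get(client_id)
        if client is None or client["secret"] != client_secret:
            raise PermissionError("invalid client credentials")
        grant = self.codes.pop(code, None)  # pop() makes a replayed code fail
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
            raise PermissionError("invalid or expired authorization code")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"scope": grant["scope"], "user": grant["user"], "exp": time.time() + ttl}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": ttl}

    def revoke(self, tok):
        self.tokens.pop(tok, None)  # takes effect on the very next request

def get_photos(auth, tok):
    """Step 6 (resource server): accept only a live token carrying the required scope."""
    info = auth.tokens.get(tok)  # shared store stands in for a token introspection call
    if info is None or info["exp"] < time.time():
        raise PermissionError("token expired or revoked")
    if "photos:read" not in info["scope"].split():
        raise PermissionError("insufficient scope")
    return PHOTOS[info["user"]]

def run_flow(scope="photos:read", ttl=300):
    """Drive the client through the whole grant; returns (auth server, code, token)."""
    auth = AuthorizationServer({"photo-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}})
    code = auth.authorize("photo-app", "https://app.example/cb", scope, "alice")
    tok = auth.token("photo-app", "s3cret", code, "https://app.example/cb", ttl)["access_token"]
    return auth, code, tok
```

Nothing but the token is checked on the resource side, which is exactly why the text insists the token stay confidential; the server-side controls that limit the damage are the short lifetime, the revocation list and the scope.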

2.2 Password authorization mode (Resource Owner Password Credentials Grant):

  1. User credentials: The user provides their username and password directly to the client.

  2. Token request: The client requests an access token from the authorization server using the credentials provided by the user.

  3. Access token issuance: The authorization server verifies the user's credentials and, if valid, issues an access token.

  4. Resource access: The client uses the access token to access protected resources on the resource server.

2.3 Client Credentials Grant:

  1. Client authentication: The client uses its own credentials to request an access token from the authorization server.

  2. Access token issuance: The authorization server verifies the client's identity and, if valid, issues an access token.

  3. Resource access: The client uses the access token to access protected resources on the resource server.

2.4 Simplified (implicit) mode (Implicit Grant):

  1. Redirect to the authorization server: The client redirects the user directly to the authorization server and requests authorization. Unlike the authorization code flow, there is no authorization code exchange step.

  2. User authorization: The user logs in on the authorization server and agrees to the authorization request.

  3. Direct token issuance: The authorization server returns the access token directly to the client and no longer issues an authorization code. The token is received directly by the browser and passed to the client during the redirect.

  4. Resource access: The client uses the obtained access token to access protected resources on the resource server.


Origin: blog.csdn.net/weixin_73320743/article/details/135191065