A simple explanation of OAuth 2.0

OAuth 2.0 is the most popular authorization mechanism: it is used to authorize third-party applications to access user data.

The standard is fairly abstract and uses a lot of terminology, which makes it hard for beginners to follow. In fact it is not that complicated. Here I use a simple analogy to help you understand what OAuth 2.0 actually is.

1. The courier problem

I live in a large residential compound.

The compound has an access control system.

You need to enter a password to get in.

I shop online and order takeout a lot, so couriers deliver to me every day. I need a way for couriers to get through the access control system and into the compound.

If I give a courier my password, he has exactly the same rights as I do, which does not seem appropriate. And if I later want to cancel his access, that is a lot of trouble: I have to change my password and then tell every other courier the new one.

Is there a way to let couriers come and go freely without knowing the residents' password, giving them only the permission needed for delivery, so that anywhere else a password is required they have no access at all?

2. Designing an authorization mechanism

So I designed an authorization mechanism.

Step one: below the keypad of the access control system, add a button labeled "Get authorization". A courier who needs to get in presses this button to request authorization.

Step two: when he presses the button, a dialog pops up on the owner's (that is, my) phone: someone is requesting authorization. The system also shows the courier's name, the courier company he works for, and his job number.

I confirm that the request is genuine, then tap a button to tell the access control system that I agree to authorize him to enter the compound.

Step three: having received my confirmation, the access control system shows the courier a token (access token) for entering the compound. The token is a string of digits, similar to a password, and is only valid for a short period (for example seven days).

Step four: the courier enters the token into the access control system and goes into the compound.

You might ask: why not just open the door for the courier remotely, instead of generating a token for him? Because the courier may come every day, and with a token he can simply reuse it the next day. Also, some compounds have more than one gate, and the courier can pass through all of them with the same token.

3. The Internet scenario

Move the example above onto the Internet, and you have the design of OAuth.

First, the residential compound is the network service that stores the user's data. For example, WeChat stores my friend list; to obtain that information you must pass through WeChat's "access control system".

Second, the courier (or rather the courier company) is the third-party application that wants to pass through the access control system and into the compound.

Finally, I am the user, who agrees to authorize the third-party application to enter the compound and obtain my data.

In short, OAuth is an authorization mechanism. The owner of the data tells the system that it agrees to let a third-party application enter the system and obtain this data. The system then generates a short-lived entry token that stands in for the password, for the third-party application to use.

4. Tokens versus passwords

A token serves the same purpose as a password: either one gets you into the system. But there are three differences.

(1) A token is short-lived: it expires automatically, and the user cannot change that. A password is generally valid for a long time and does not change unless the user changes it.

(2) A token can be revoked by the data owner, and it becomes invalid immediately. In the example above, the owner can cancel the courier's token at any time. A password generally cannot be revoked by someone else.

(3) A token has a permission scope, for example it may only open gate number two of the compound. For a network service, a read-only token is safer than a read-write token. A password generally carries full permissions.

These properties ensure that a token gives a third-party application the permissions it needs while remaining under control at all times, so it does not endanger the security of the system. This is the advantage of OAuth 2.0.

Note that anyone who knows the token can enter the system. The system generally does not verify identity a second time, so the token must be kept secret: leaking a token has the same consequences as leaking a password. This is also why token lifetimes are generally set very short.
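As a worked example added here (it is not code from the original article), the following Python models the four-step flow of section 2 and the three token/password differences of section 4 in one toy "gate" object. The class and method names, the courier identities, the "gate:N" scope strings, the seven-day lifetime and the injectable clock are all assumptions made for this illustration; a real OAuth 2.0 server separates the authorization server from the resource server and issues tokens over HTTPS, which this sketch does not attempt.

```python
"""Toy model of the residential-compound gate from the article.

Added example, not the article's own code. All names, the 'gate:N' scope
strings, the 7-day lifetime and the sample couriers are assumptions.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    value: str          # the secret string the courier types at the gate
    subject: str        # who it was issued to (the courier's job number)
    scopes: frozenset   # what it allows, e.g. {"gate:2"}
    expires_at: float   # unix timestamp; unusable from this moment on
    revoked: bool = False


class AccessControl:
    """The compound's gate system. It issues tokens (authorization server
    role) and checks them at the door (resource server role)."""

    def __init__(self, owner_password, token_ttl=7 * 24 * 3600, clock=time.time):
        self._owner_password = owner_password
        self._ttl = token_ttl
        self._clock = clock      # injectable so a test can move time forward
        self._pending = {}       # request_id -> (courier_id, company)
        self._tokens = {}        # token value -> Token

    # Step 1: the courier presses "Get authorization".
    def request_authorization(self, courier_id, company):
        request_id = secrets.token_urlsafe(8)
        self._pending[request_id] = (courier_id, company)
        return request_id

    # Step 2: the owner's phone shows who is asking before the owner decides.
    def pending_request(self, request_id):
        return self._pending.get(request_id)

    # Step 3: the owner approves; the gate issues a short-lived, scoped token.
    def approve(self, request_id, scopes):
        courier_id, _company = self._pending.pop(request_id)
        token = Token(value=secrets.token_urlsafe(32), subject=courier_id,
                      scopes=frozenset(scopes), expires_at=self._clock() + self._ttl)
        self._tokens[token.value] = token
        return token

    # Difference (2): the owner can revoke a token at any time; it dies at once.
    def revoke(self, token_value):
        if token_value in self._tokens:
            self._tokens[token_value].revoked = True

    # Step 4: a credential is typed at gate N. The gate checks only the
    # credential, never who is holding it: a leaked token opens the door
    # exactly like a leaked password would.
    def enter(self, credential, gate):
        if secrets.compare_digest(credential, self._owner_password):
            return True                         # password: every gate, forever
        token = self._tokens.get(credential)
        if token is None or token.revoked:
            return False
        if self._clock() >= token.expires_at:
            return False                        # difference (1): expired
        return f"gate:{gate}" in token.scopes   # difference (3): scope check


def run_demo():
    """Walk through the four steps and the three differences.
    Returns the outcome of each check so it can be inspected or tested."""
    now = [1_700_000_000.0]                     # constructed fake clock (seconds)
    gate = AccessControl("owner-secret", clock=lambda: now[0])

    req = gate.request_authorization("SF-10086", "SF Express")   # constructed courier
    shown = gate.pending_request(req)           # what the owner sees in the dialog
    token = gate.approve(req, scopes={"gate:2"})

    out = {"shown_to_owner": shown}
    out["gate2_today"] = gate.enter(token.value, "2")
    out["gate1_today"] = gate.enter(token.value, "1")        # outside the scope
    now[0] += 24 * 3600
    out["gate2_next_day"] = gate.enter(token.value, "2")     # reusable while valid
    now[0] += 7 * 24 * 3600
    out["gate2_after_expiry"] = gate.enter(token.value, "2")

    # Revocation: a fresh, still-valid token that the owner cancels.
    req2 = gate.request_authorization("JD-2048", "JD Logistics")  # constructed
    token2 = gate.approve(req2, scopes={"gate:1", "gate:2"})
    out["gate1_before_revoke"] = gate.enter(token2.value, "1")
    gate.revoke(token2.value)
    out["gate1_after_revoke"] = gate.enter(token2.value, "1")

    # The password keeps working at every gate regardless of all of the above.
    out["password_any_gate"] = gate.enter("owner-secret", "1")
    return out


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

Running the script shows the token opening gate 2 on the day it was issued and again the next day, failing at gate 1 (out of scope), failing after the seven days pass, and failing immediately after revocation, while the owner's password succeeds everywhere throughout. The `enter` method deliberately never asks who is presenting the credential, which is the point made in the paragraph above: whoever holds the token value is let in.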

OAuth 2.0 specifies in great detail how tokens are issued. Specifically, it defines four authorization grant types, that is, four ways of issuing a token, suited to different Internet scenarios. In the next article I will introduce these four types and give code examples.

(End)


Reposted from: http://www.ruanyifeng.com/blog/2019/04/oauth_design.html


Origin: www.cnblogs.com/panchanggui/p/11588542.html