Single Sign-On: OAuth 2.0 authorization code mode (1)

OAuth 2.0 defines four authorization modes (grant types):

  • Authorization code mode (authorization code)
  • Simplified mode (implicit)
  • Password mode (resource owner password credentials)
  • Client mode (client credentials)

The authorization code mode is the most complete and most rigorous of these authorization flows; this post mainly covers that mode.

The authorization code mode is roughly divided into five steps:


  • The client (Client) applies to the service provider (HTTP service) to register a client (client_id, client_secret).
  • The user (Resource Owner) opens the client through the browser (User Agent) and is redirected to the authorization page, where the client asks the user for authorization.
  • The user agrees to grant the client authorization, and an authorization code (code) is returned.
  • Using the authorization code, the client applies to the authentication server (Authorization Server) for a token (Access Token).
  • The client uses the token to access resources on the resource server (Resource Server).
1. Get the code
response_type: the authorization type, required; the value here is fixed to "code"
client_id: the client's ID, required
redirect_uri: the redirect URL, optional
scope: the requested permission scope, optional
state: the client's current state; any value may be given, and the authentication server returns it unchanged
2. Return the code (after user authorization, returned to the redirect URL)
code: the authorization code, required.
state: if the client's request contained this parameter, the authentication server's response must contain it with exactly the same value.
3. The client applies to the authentication server for an access token
grant_type: the authorization mode in use, required; the value here is fixed to "authorization_code".
code: the authorization code obtained above, required.
redirect_uri: the redirect URI, required, and it must be identical to the value of that parameter in the request above.
client_id: the client ID, required.
client_secret: the client secret, required.
4. The authentication server returns the access token
access_token: the access token, required.
token_type: the token type, case-insensitive, required; may be the bearer type or the mac type.
expires_in: the expiry time in seconds. If this parameter is omitted, the expiry time must be set some other way.
refresh_token: the refresh token, used to obtain the next access token, optional.
scope: the permission scope; may be omitted if it matches the scope the client applied for.
5. Obtain information from the resource server
headers.Accept: the media type, fixed value "application/json"
headers.Authorization: the authorization, whose value is the returned token_type + a space + access_token

Questions

1. When getting the code, only client_id, redirect_uri and the like are passed, so how does the service provider know which user is authorizing?

At authorization time you are already logged in to the service provider's website, or it will ask you to log in.

2. How does the client know that you have authorized it?

After the authorization request is issued, what the browser receives is an HTTP redirect response whose address is your redirect_uri, with the code value carried along with it.

3. Why issue a code first and then use the code to get the access_token?

For security. The access_token could be returned directly through the redirect, but an HTTP 302 is unsafe and an attacker is likely to obtain the access_token. The code, by contrast, cannot access resources on its own, so even if it is intercepted it is of no use; the client then obtains the access_token over HTTPS together with its secret, which ensures safety.

Why not just redirect back to the client over HTTPS?

Not all clients support HTTPS; for generality as well as security, the code step was derived in this way.
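The five steps above, and the answer to question 3 (an intercepted code is useless without the client secret and the matching redirect_uri), can be traced end to end in a small in-process simulation. The following is an added example, not code from the original post; the AuthorizationServer class is a minimal stand-in for the service provider's authorization and resource endpoints, and the client registration values, user name and endpoint URLs are constructed for the demo. It checks state on the callback, binds the code to client_id and redirect_uri, makes the code single-use with an expiry, and requires the client_secret at the token endpoint.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data from step 1 (demo values, not real credentials).
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "https://client.example/callback"
CODE_TTL_SECONDS = 600


class AuthorizationServer:
    """In-memory stand-in for the authentication server plus resource server (assumed, not a real product)."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # code -> {client_id, redirect_uri, scope, user, issued_at}
        self.tokens = {}   # access_token -> {user, scope}

    def authorize(self, user, params):
        """Steps 2-3: the already logged-in user approves; a code is issued and redirected back."""
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client = self.clients.get(params.get("client_id"))
        redirect_uri = params.get("redirect_uri", client and client["redirect_uri"])
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("invalid_client")   # never redirect to an unregistered URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                            "scope": params.get("scope", ""), "user": user,
                            "issued_at": time.time()}
        query = {"code": code}
        if "state" in params:
            query["state"] = params["state"]     # state is echoed back unchanged
        return f"{redirect_uri}?{urlencode(query)}"

    def token(self, form):
        """Step 4: exchange code + client credentials for an access token."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}   # secret is checked before the code is consumed
        record = self.codes.pop(form.get("code"), None)   # single use: a second redemption fails
        if (record is None or record["client_id"] != form["client_id"]
                or record["redirect_uri"] != form.get("redirect_uri")
                or time.time() - record["issued_at"] > CODE_TTL_SECONDS):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": record["user"], "scope": record["scope"]}
        return {"access_token": access_token, "token_type": "bearer",
                "expires_in": 3600, "scope": record["scope"]}

    def resource(self, headers):
        """Step 5: the resource server validates the bearer token from the Authorization header."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        info = self.tokens.get(token) if scheme.lower() == "bearer" else None
        return {"user": info["user"]} if info else {"error": "invalid_token"}


def build_authorization_url(authorize_endpoint, state, scope="profile"):
    """Client side of step 1: the request the browser is sent to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(redirect_url, expected_state):
    """Client side of step 2: reject the callback unless state matches what we sent."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale callback")
    return query["code"][0]


def run_flow(server, user="alice"):
    """Drive the whole flow for one user; returns (code, token response, resource response)."""
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_url("https://provider.example/authorize", state)
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback_url = server.authorize(user, params)
    code = parse_callback(callback_url, state)
    token_response = server.token({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                   "client_secret": CLIENT_SECRET})
    headers = {"Accept": "application/json",
               "Authorization": f"{token_response['token_type']} {token_response['access_token']}"}
    return code, token_response, server.resource(headers)


def redeem_code_without_secret(server, code):
    """Question 3: a party holding only the code (seen in the 302) cannot turn it into a token."""
    return server.token({"grant_type": "authorization_code", "code": code,
                         "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                         "client_secret": "not-the-secret"})


if __name__ == "__main__":
    srv = AuthorizationServer()
    issued_code, tok, res = run_flow(srv)
    print(tok["token_type"], res, redeem_code_without_secret(srv, issued_code))
```

Running the script performs the full exchange for the constructed user and then shows the token endpoint refusing the same code when the secret is wrong. The order of checks in token() matters: the client is authenticated first, so a wrong secret is rejected without consuming the code, and a replay of an already-used code with the correct secret fails as invalid_grant because the code was popped on first use.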


Source: www.cnblogs.com/SexyPhoenix/p/11769892.html