Authentication and Authorization - Study Notes 1: OAuth 2.0

Brief introduction

The client must first obtain the user's authorization (an authorization grant) before it can get a token (access token). OAuth 2.0 defines four authorization grant types:

Authorization code mode (authorization code)
Simplified mode (implicit)
Password mode (resource owner password credentials)
Client mode (client credentials)

Authorization code mode


     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

(A) The user visits the client, which redirects the user to the authorization server.

(B) The user chooses whether to grant the client authorization.

(C) Assuming the user grants authorization, the authorization server redirects the user to the "redirection URI" that the client specified in advance, with an authorization code attached.

(D) The client receives the authorization code and, attaching the earlier redirection URI, requests a token from the authorization server. This step is performed on the client's back-end server and is invisible to the user.

(E) The authorization server checks the authorization code and the redirection URI; once they are confirmed, it sends the client an access token and a refresh token.

The parameters required in each of the steps above are as follows.

Step A: the URI with which the client requests authorization contains the following parameters:

response_type: the grant type; required; the fixed value here is "code".
client_id: the client's ID; required.
redirect_uri: the redirection URI; optional.
scope: the scope of the permissions being requested; optional.
state: the client's current state; any value may be specified, and the authorization server returns it unchanged.
Below is an example.

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
        &redirect_uri=https://client.example.com/cb HTTP/1.1
Host: server.example.com

Step C: the server responds by redirecting to the client's URI, which contains the following parameters:

code: the authorization code; required. The code should be valid only for a short time, usually 10 minutes, and the client may use it only once; otherwise the authorization server refuses it. The code is bound one-to-one to the client ID and the redirection URI.
state: if the client's request contained this parameter, the authorization server's response must contain exactly the same value.
Below is an example.

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
          &state=xyz

Step D: the client's HTTP request to the authorization server's token endpoint contains the following parameters:

grant_type: the grant type being used; required; the fixed value here is "authorization_code".
code: the authorization code obtained in the previous step; required.
redirect_uri: the redirection URI; required, and it must match the value used in step A.
client_id: the client's ID; required.
Below is an example.

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https://client.example.com/cb

Step E: the authorization server's HTTP response contains the following parameters:

access_token: the access token; required.
token_type: the token type; required; the value is case-insensitive and may be of type bearer or type mac.
expires_in: the lifetime of the token, in seconds. If omitted, the expiration time must be set by other means.
refresh_token: the refresh token, used to obtain the next access token; optional.
scope: the scope of the permissions granted; may be omitted if it matches the scope the client requested.
Below is an example.

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
    "access_token":"2YotnFZFEjr1zCsicMWpAA",
    "token_type":"example",
    "expires_in":3600,
    "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
    "example_parameter":"example_value"
}
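The whole exchange from step A to step E, as an added toy model that is not part of the original notes: a constructed in-memory authorization server that issues a single-use, time-limited code bound to the client ID and registered redirection URI, echoes state unchanged, and checks grant_type, code, client_id and redirect_uri at the token endpoint, plus a client that builds the step A query and verifies state on the step C callback. The client ID and redirection URI are the values from the examples above; token lifetimes, the code lifetime and the omission of client authentication (the Basic header in step D) are simplifying assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CODE_LIFETIME = 600  # seconds: the note says codes are usually valid for about 10 minutes
CLIENT_ID, REDIRECT_URI = "s6BhdRkqt3", "https://client.example.com/cb"  # values from the note

def _params(qs):
    return {k: v[0] for k, v in parse_qs(qs).items()}

class AuthorizationServer:
    def __init__(self):
        self.clients = {CLIENT_ID: REDIRECT_URI}  # client_id -> registered redirect URI (constructed)
        self.codes = {}  # code -> (client_id, redirect_uri, issued_at)

    def authorize(self, query, now):
        """Step C: after the user approves, issue a one-time code bound to client and URI."""
        q = _params(query)
        registered = self.clients.get(q.get("client_id"))
        if (q.get("response_type") != "code" or not registered
                or q.get("redirect_uri", registered) != registered):
            return None  # unknown client, wrong response_type or unregistered URI: no redirect
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], registered, now)
        params = {"code": code, **({"state": q["state"]} if "state" in q else {})}  # state echoed
        return registered + "?" + urlencode(params)

    def token(self, form, now):
        """Steps D/E: check grant_type, code, client_id and redirect_uri, then issue tokens."""
        f = _params(form)
        entry = self.codes.pop(f.get("code"), None)  # pop: the code can be used only once
        if f.get("grant_type") != "authorization_code" or entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, issued_at = entry  # values bound at step C
        if ((f.get("client_id"), f.get("redirect_uri")) != (client_id, redirect_uri)
                or now - issued_at > CODE_LIFETIME):  # must match step A and still be fresh
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}

def client_flow(server, now):
    state = secrets.token_urlsafe(8)  # fresh per login attempt; ties the callback to this session
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "state": state, "redirect_uri": REDIRECT_URI})
    callback = _params(urlparse(server.authorize(query, now)).query)  # step A -> step C
    if callback.get("state") != state:
        raise ValueError("state mismatch: callback was not started by this client session")
    form = urlencode({"grant_type": "authorization_code", "code": callback["code"],
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})
    return server.token(form, now)  # step D -> step E
```

Calling `client_flow(AuthorizationServer(), 0)` returns the step E token response; reusing a code, presenting it after 600 seconds, or sending a redirect_uri that differs from step A all yield `invalid_grant`.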

Reference

http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html

Source: www.cnblogs.com/victor2302/p/11757028.html