This is the fifth day of my participation in the August Writing Challenge.

Resource owner password credentials grant

The resource owner password credentials grant is appropriate only where the resource owner has a strong trust relationship with the client, because the client sees and handles the user's actual password rather than just a token.

This grant is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically through an interactive form). It is also used to migrate existing clients that use direct authentication schemes such as HTTP Basic or Digest authentication to OAuth, by exchanging the stored credentials once for an access token.

Flow



     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+

(A) The resource owner provides the client with their username and password.

The client may hold these credentials only long enough to obtain a token: once an access token has been issued, the client must discard the username and password and never store them.

(B) The client sends the resource owner's username and password to the authorization server's token endpoint and requests an access token. If the client was issued its own credentials (a confidential client), it also authenticates itself to the authorization server as part of this request; two separate sets of credentials therefore travel in the same request.

Request parameters:

Parameter    Description                    Required    Note
grant_type   Authorization grant type       Required    Value must be "password"
username     Resource owner's user name     Required
password     Resource owner's password      Required
scope        Requested access scope         Optional    Space-delimited list of scope values

The client makes the following HTTP request over transport-layer security (TLS); the Authorization header carries the client's own credentials (HTTP Basic), while the form body carries the resource owner's:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w

The authorization server must:

  • require client authentication for confidential clients, and for any client that was issued client credentials;
  • if client authentication is included, authenticate the client; and
  • validate the resource owner's password credentials using its existing password validation algorithm (for example, comparing against a salted, slow password hash rather than a stored plaintext).

(C) The authorization server authenticates the client and validates the resource owner's credentials; if both checks pass, it issues an access token to the client.

If the access token request is valid and authorized, the authorization server issues an access token and, optionally, a refresh token. If the request fails client authentication or is otherwise invalid, the authorization server returns an error response instead (for example "invalid_client" with HTTP 401 for a failed client authentication, or "invalid_grant" for a wrong username or password).

Successful response example:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}

Usage scenarios

  • This grant applies only when the resource owner trusts the client to a very high degree, for example when the client is part of the user's own operating system or is a highly privileged first-party application.
  • The authorization server should take special care when enabling this grant and allow it only when other grant types are not viable.

Note

Because this access token request carries the resource owner's password, the token endpoint is an online password oracle, and the authorization server must protect it against brute-force attacks (for example, by rate limiting failed attempts per account and per source, and by generating alerts). Current guidance (the OAuth 2.0 Security Best Current Practice and the OAuth 2.1 draft) goes further and drops this grant entirely; new deployments should use the authorization code grant with PKCE instead.
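The following is an added worked example of steps (B) and (C) together with the brute-force protection described above. It is illustration code written for this page, not code from the original post or from RFC 6749. It assumes a hypothetical single-file authorization server: the client registration, the stored PBKDF2 password hash, the salt, the lockout thresholds and the function names (build_token_request, token_endpoint, authenticate_client) are all constructed for the example. The client credentials are the ones encoded in the page's Basic header, and the user password is the one from the page's request.

```python
"""Added example: a minimal OAuth 2.0 password-grant token endpoint plus the
client-side request builder. Hypothetical names; not the page's own code."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed registration data (hypothetical). The client credentials are the
# pair encoded in the page's Basic header; only a hash of the user password is stored.
CLIENTS = {"s6BhdRkqt3": "gX1fBat3bV"}
PBKDF2_ITERATIONS = 100_000
SALT = b"constructed-salt"  # a real store uses a random per-user salt


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


USERS = {"johndoe": hash_password("A3ddj3w")}

# Brute-force protection: lock a username after MAX_FAILURES wrong passwords
# inside WINDOW seconds and raise an alert once the threshold is hit.
MAX_FAILURES, WINDOW = 5, 300
FAILURES: dict[str, list[float]] = {}
ALERTS: list[str] = []
NO_STORE = {"Content-Type": "application/json;charset=UTF-8",
            "Cache-Control": "no-store", "Pragma": "no-cache"}


def build_token_request(client_id, client_secret, username, password, scope=None):
    """Client side of step (B): HTTP Basic client authentication plus the form body."""
    # RFC 6749 section 2.3.1: form-urlencode id and secret before Basic-encoding them.
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    headers = {"Host": "server.example.com",
               "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return headers, urlencode(form)


def authenticate_client(headers):
    """Return the client_id if the Basic credentials match a registered client."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        cid, _, secret = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    cid, secret = unquote(cid), unquote(secret)
    expected = CLIENTS.get(cid, "")
    if not expected or not hmac.compare_digest(secret.encode(), expected.encode()):
        return None
    return cid


def locked_out(username, now):
    """Fixed-window check; prunes old failures so the table does not grow forever."""
    recent = [t for t in FAILURES.get(username, []) if now - t < WINDOW]
    if recent:
        FAILURES[username] = recent
    else:
        FAILURES.pop(username, None)
    return len(recent) >= MAX_FAILURES


def token_endpoint(headers, body, now=None):
    """Server side of steps (B) and (C). Returns (status, headers, JSON body)."""
    now = time.time() if now is None else now
    if authenticate_client(headers) is None:  # confidential clients must authenticate
        return 401, {**NO_STORE, "WWW-Authenticate": 'Basic realm="token"'}, {"error": "invalid_client"}
    parsed = parse_qs(body, keep_blank_values=True)
    if any(len(v) != 1 for v in parsed.values()):  # a parameter must not be repeated
        return 400, NO_STORE, {"error": "invalid_request"}
    form = {k: v[0] for k, v in parsed.items()}
    if form.get("grant_type") != "password":
        return 400, NO_STORE, {"error": "unsupported_grant_type"}
    username, password = form.get("username"), form.get("password")
    if username is None or password is None:
        return 400, NO_STORE, {"error": "invalid_request"}
    if locked_out(username, now):
        return 400, NO_STORE, {"error": "invalid_grant",
                               "error_description": "too many failed attempts"}
    # Hash even for unknown users so response timing does not reveal valid usernames.
    stored = USERS.get(username, b"")
    if not hmac.compare_digest(hash_password(password), stored):
        FAILURES.setdefault(username, []).append(now)
        if len(FAILURES[username]) == MAX_FAILURES:
            ALERTS.append(f"password-grant lockout for {username!r}")
        return 400, NO_STORE, {"error": "invalid_grant"}
    FAILURES.pop(username, None)  # success clears the failure counter
    token = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
             "expires_in": 3600, "refresh_token": secrets.token_urlsafe(24)}
    if "scope" in form:
        token["scope"] = form["scope"]
    return 200, NO_STORE, token


if __name__ == "__main__":
    hdrs, form_body = build_token_request("s6BhdRkqt3", "gX1fBat3bV", "johndoe", "A3ddj3w")
    print(hdrs["Authorization"], form_body)
    print(token_endpoint(hdrs, form_body))
```

Running the script reproduces the exact Authorization header and body from the request above and then shows the server's 200 response. The injected `now` parameter exists only so that the lockout window can be exercised deterministically; a production endpoint would additionally key its limits on the client and source address, and would persist the counters outside a single process.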