OAuth 2.0: Authorization Code and Implicit

OAuth 2.0 is an industry-standard protocol for authorization. Common scenarios such as third-party login, or granting a third-party application access to personal data held by another service provider, are typical OAuth 2.0 use cases.

OAuth 2.0 defines four authorization grant types:

  • Authorization code
  • Implicit
  • Resource Owner Password Credentials
  • Client Credentials

This article covers two of them: Authorization Code and Implicit.

Basic concepts

Roles

OAuth defines the following four roles:

  • resource owner: the entity that is able to grant a third-party client access to a protected resource.
  • resource server: the server that hosts and protects the resources, and serves requests for them that carry a valid access token.
  • client: the application that requests protected resources on behalf of the resource owner and with its authorization.
  • authorization server: the server that authenticates the resource owner and, once the owner has granted authorization, issues access tokens to the client.

For example, when we log in to a third-party forum using wechat:

  • resource owner: the individual who holds the wechat account.
  • resource server: wechat's server, because the resources requested here are the user's resources hosted and protected by wechat.
  • client: the third-party forum.
  • authorization server: also wechat's server, specifically the module or service responsible for handling authorization.

You can see that the resource server and the authorization server are closely related. If the server is a monolith, they are simply different modules of the same service.

Access Token & Refresh Token

Access Token: holding an access token means the holder has been authorized to access certain resources. For security reasons, an access token is usually valid only for a short time.

Refresh Token: a refresh token is used to obtain a new access token. Refresh tokens generally have a longer validity period, which avoids having to re-authorize every time an access token expires.

Client Registration

For example, if we want to let users log in to a third-party forum with wechat, the forum must first register with wechat, both to show that it is a legitimate third-party client and to obtain the parameters used later in the authorization process.

Before the OAuth authorization process can start, the client must complete registration, which generally requires submitting the following information:

  • The client type.
  • The client's redirect URI.
  • Other information, such as application name, website address, description, logo and legal terms.

After the client is registered, the following parameters are obtained:

  • client_id
  • client_secret

These two parameters will be used in the subsequent authorization process.

What follows is a walkthrough of the complete Authorization Code and Implicit flows.

Authorization code

Authorization Code mode is the most commonly used grant type and offers high security.

As shown in the figure above, the whole process is:

1. The client initiates an authorization request, for example:

GET /authorization?
    client_id=12345&
    redirect_uri=https://client-app.com/callback&
    response_type=code&
    scope=openid%20profile&
    state=ae13d489bd00e3c24

Host: oauth-authorization-server.com

The request contains the following parameters:

  • client_id: the unique value the client obtained at registration.
  • redirect_uri: the address to redirect back to.
  • response_type: the value code indicates that the authorization code mode is being used.
  • scope: the scope of data the client wants to access.
  • state: a unique value for the current session.

2. The user logs in and confirms authorization.

3. The authorization server redirects the browser to the redirect_uri and returns the authorization code, for example:

GET /callback?
    code=a1b2c3d4e5f6g7h8&
    state=ae13d489bd00e3c24

Host: client-app.com

The returned state should be the same as the state sent in the initial request.

The first three steps take place in the browser; the next step is direct communication between the client's server and the OAuth server.

4. The client sends a request that exchanges the code for an access token, for example:

POST /token
Host: oauth-authorization-server.com
...

client_id=12345&
client_secret=SECRET&
redirect_uri=https://client-app.com/callback&
grant_type=authorization_code&
code=a1b2c3d4e5f6g7h8

Request parameters:

  • client_id: the client_id obtained at registration.
  • client_secret: the client_secret obtained at registration.
  • redirect_uri: the client's redirect address.
  • grant_type: the value authorization_code indicates the grant type.
  • code: the authorization code obtained in the previous step.

5. The OAuth server generates an access token and responds with data such as:

{
    "access_token": "z0y9x8w7v6u5",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile",
    ...
}

The response data may also include refresh tokens.

6. The client calls the API to request the resource, for example:

GET /userinfo HTTP/1.1
Host: oauth-resource-server.com
Authorization: Bearer z0y9x8w7v6u5

7. The resource server responds:

{
    "username": "username",
    "email": "[email protected]",
    ...
}

This completes the authorization code flow, from authorization through to data retrieval.
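To make the seven steps above concrete, here is an added example (not code from the original article) that simulates the whole Authorization Code flow in Python with an in-memory authorization server, a client, and a resource-server check. The client_id 12345, the secret SECRET and the redirect URI are the constructed values from the article's own requests; the class and function names, the single-use code store, the state handling and the sample profile data are assumptions of this example.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registration record: what the client obtained when it registered.
REGISTERED_CLIENTS = {
    "12345": {"secret": "SECRET", "redirect_uri": "https://client-app.com/callback"},
}


def query_params(url):
    """Query-string parameters of a URL as a flat dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorizationServer:
    """Toy authorization server: issues single-use codes and exchanges them for tokens."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scope); removed on first use
        self.tokens = {}   # access_token -> scope; consulted by the resource server

    def authorize(self, params):
        """Steps 1-3: after the user consents, build the redirect back to the client."""
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if client is None or client["redirect_uri"] != params.get("redirect_uri"):
            raise ValueError("invalid_client")  # never send a code to an unregistered URI
        code = secrets.token_urlsafe(16)
        self._codes[code] = (params["client_id"], params["redirect_uri"], params.get("scope", ""))
        # state goes back unchanged so the client can tie the callback to its own session
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, client_id, client_secret, redirect_uri, grant_type, code):
        """Steps 4-5: server-to-server exchange of the code for an access token."""
        client = REGISTERED_CLIENTS.get(client_id)
        if grant_type != "authorization_code" or client is None:
            return {"error": "invalid_request"}
        if not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        issued = self._codes.pop(code, None)   # pop: a code can be redeemed only once
        if issued is None or issued[0] != client_id or issued[1] != redirect_uri:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(12)
        self.tokens[access_token] = issued[2]
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": issued[2]}


class Client:
    """Toy client: builds the authorization request and handles the callback."""

    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self._pending_state = None

    def authorization_url(self, scope="openid profile"):
        """Step 1: a fresh, unguessable state ties the later callback to this session."""
        self._pending_state = secrets.token_hex(16)
        params = {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                  "response_type": "code", "scope": scope, "state": self._pending_state}
        return "https://oauth-authorization-server.com/authorization?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Steps 3-5: verify state, then exchange the code for a token."""
        params = query_params(callback_url)
        if self._pending_state is None or params.get("state") != self._pending_state:
            return {"error": "state_mismatch"}   # not the callback this session started
        self._pending_state = None
        return self.server.token(self.client_id, self.client_secret, self.redirect_uri,
                                 "authorization_code", params.get("code", ""))


def userinfo(server, authorization_header):
    """Steps 6-7: the resource server serves the profile only for a valid Bearer token."""
    scheme, _, token = authorization_header.partition(" ")
    scope = server.tokens.get(token) if scheme == "Bearer" else None
    if scope is None or "profile" not in scope.split():
        return {"error": "invalid_token"}
    return {"username": "username", "email": "user@example.invalid"}  # constructed sample


def run_flow():
    """Drive all seven steps once; step 2 (login and consent) is assumed to succeed."""
    server = AuthorizationServer()
    client = Client(server, "12345", "SECRET", "https://client-app.com/callback")
    callback_url = server.authorize(query_params(client.authorization_url()))
    token = client.handle_callback(callback_url)
    profile = userinfo(server, "Bearer " + token.get("access_token", ""))
    return token, profile


if __name__ == "__main__":
    print(run_flow())
```

The three server-side checks in token() are the ones that make this mode safer than Implicit: the secret proves which client is redeeming the code, the redirect_uri must match the one the code was issued for, and popping the code from the store means a code that leaks through the browser is worthless once the legitimate client has used it.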

Implicit

Implicit mode, also known as simplified mode, makes the flow simpler but also less secure.

As shown in the figure above, the whole process is:

1. The client initiates an authorization request, for example:

GET /authorization?
    client_id=12345&
    redirect_uri=https://client-app.com/callback&
    response_type=token&
    scope=openid%20profile&
    state=ae13d489bd00e3c24

Host: oauth-authorization-server.com

The request contains the following parameters:

  • client_id: the unique value the client obtained at registration.
  • redirect_uri: the address to redirect back to.
  • response_type: the value token indicates that the simplified (Implicit) mode is being used.
  • scope: the scope of data the client wants to access.
  • state: a unique value for the current session.

2. The user logs in and confirms authorization.

3. The authorization server generates the access token directly and redirects to the client address:

GET /callback#
    access_token=z0y9x8w7v6u5&
    token_type=Bearer&
    expires_in=5000&
    scope=openid%20profile&
    state=ae13d489bd00e3c24

Host: client-app.com

The redirect carries the parameters in the URL fragment (after #) rather than in the query string, because the browser does not send anything after the # symbol to the server when it requests the URI; using the fragment is therefore also a security measure.

4. The client invokes the API to request resources.

5. The resource server responds.

That is the whole process of the simplified (Implicit) mode.
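The following added example (not code from the original article) shows in Python why the fragment matters: what the browser actually sends to client-app.com for the Implicit callback above versus the Authorization Code callback, and how the client-side script reads the token out of the fragment while still checking state. The two callback URLs are the article's own example values reassembled as constructed input; the function names are this example's own.

```python
from urllib.parse import urlsplit, parse_qs

# The article's two callback URLs, reassembled here as constructed sample input.
CODE_CALLBACK = "https://client-app.com/callback?code=a1b2c3d4e5f6g7h8&state=ae13d489bd00e3c24"
IMPLICIT_CALLBACK = ("https://client-app.com/callback#access_token=z0y9x8w7v6u5&token_type=Bearer"
                     "&expires_in=5000&scope=openid%20profile&state=ae13d489bd00e3c24")


def request_target_sent_to_server(url):
    """What a browser puts on the request line when it fetches url: path plus query.
    The fragment (everything after '#') stays in the browser and is never transmitted."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def parse_implicit_callback(url, expected_state):
    """Client-side handling of the Implicit redirect, as script in the page would do it:
    read the token from the fragment and refuse it unless state matches this session's value."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}
    if params.get("state") != expected_state:
        return {"error": "state_mismatch"}   # redirect was not started by this session
    if "access_token" not in params or params.get("token_type", "").lower() != "bearer":
        return {"error": "invalid_response"}
    return {"access_token": params["access_token"],
            "expires_in": int(params.get("expires_in", "0")),
            "scope": params.get("scope", "")}


if __name__ == "__main__":
    print("server sees (code flow):   ", request_target_sent_to_server(CODE_CALLBACK))
    print("server sees (implicit):    ", request_target_sent_to_server(IMPLICIT_CALLBACK))
    print("client extracts (implicit):", parse_implicit_callback(IMPLICIT_CALLBACK, "ae13d489bd00e3c24"))
```

Run stand-alone, the first line prints the full /callback?code=...&state=... request target, while the second prints only /callback: in Implicit mode the client's server never receives the token at all, so everything after step 3, including the state check, has to happen in the browser.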

Conclusion

This article introduced two of the OAuth 2.0 authorization grant types, Authorization Code and Implicit. The former is the most common and more secure authorization method, while the latter is more convenient but less secure.