What is OAuth2?
OAuth 2.0 is an authorization framework most often seen in "log in with X" style integrations. Its advantage is that the user never has to hand their user name and password to the third-party platform; instead the authorization server issues short-lived tokens, and the resource server validates those tokens to expose only a chosen part of the user's resources to the third party.
OAuth is an authorization protocol, not an authentication protocol: a token says what the bearer may access, not who the user is (that is what OpenID Connect adds on top of it).
Authorization modes (grant types) of OAuth2
Authorization mode 1: Authorization code (the most secure and the most widely used)
This mode is suitable for clients that have a back end, because the back end can hold a client secret and exchange the code server-side.
Suppose there is a resource (a user's QQ avatar) and a resource owner (the owner of that QQ account). Ele.me (the third-party platform, i.e. the OAuth client) now needs to obtain the QQ avatar.
The steps are:
- The client sends the resource owner to the authorization server with a request that will eventually yield an access token.
- The authorization server checks that the requesting client is in its list of registered clients, then asks the resource owner whether to approve the authorization request.
- The resource owner approves; the authorization server issues an authorization code to Ele.me, and Ele.me exchanges that code for an access token.
- With the access token in hand, the client asks the resource server for the resource and presents the token. The resource server validates the token (and that its scope covers the request), and only then hands the QQ avatar (the resource) to the client.
What this looks like in practice
- The user agrees to let the authorization server issue a token
Ele.me wants authorization from QQ, so it constructs a link to the QQ authorization endpoint:
Koukou.com/oauth/autho…
The parameters the platform developer has to supply are: response_type=code, which asks the authorization server to return an authorization code; client_id, which tells the QQ authorization server which registered client is asking (it is obtained from the QQ developer platform); redirect_uri, the callback URL on the client, such as Heleme.com/callback?co…, which is already implemented in the controller and must match exactly the URL registered with QQ; and scope, which states what is being requested, such as read-only or read-write. A state parameter should also be sent: a random value kept in the user's session and echoed back unchanged on the callback, so the client can reject callbacks it did not start (the standard defence against CSRF on the callback).
Opening that link takes the user to the QQ platform, which asks for a scan-code login; this is where the user decides whether to grant the authorization. If the login succeeds and the user approves, QQ redirects the browser to the URL given in redirect_uri, with the code parameter set to the authorization code generated by the QQ authorization server (the literal AUTHORIZATION_CODE in the example is replaced by the real value). Assume the authorization code obtained here is 123456.
The authorization code is the proof that the QQ user consented; it is what the client presents to the authorization server when it asks for a token.
- Having obtained the authorization code, the client goes back to the authorization server, this time from its back end, and exchanges the code for a token:
Koukou.com/oauth/token…
client_id ==> the client ID; client_secret ==> also obtained from the QQ developer platform, used by QQ to confirm that the caller really is Ele.me (it must stay on the back end and never be shipped to a browser); grant_type ==> fixed to authorization_code; code ==> the authorization code, 123456; redirect_uri ==> the same callback URL used in the first step (it must match the URL registered with QQ, otherwise the exchange is refused).
This request goes directly from the client's back end to the token endpoint, not through the browser, and nothing is redirected; the authorization server answers the request with JSON such as:
{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 2592000,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "read",
  "uid": 100101,
  "info": { ... }
}
We now hold ACCESS_TOKEN and can present it to the resource server (as a Bearer token) to carry out whatever the granted scope allows.
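The exchange described above, as an added example that is not part of the original post and not QQ's or Ele.me's code. Both sides are simulated in one process: a stand-in for the QQ authorization server (authorization endpoint and token endpoint) and a stand-in for the Ele.me back end (the link builder and the /callback controller). The URLs, client_id, client_secret and redirect URI are made-up placeholders. It shows the checks a practitioner expects on each side: the server only redirects to the registered redirect_uri and treats each code as single-use, and the client verifies state before touching the code.

```python
# Added example: an in-memory model of the authorization-code grant described above.
# Both sides (the Ele.me back end as OAuth client, and a stand-in for the QQ
# authorization server) run in one process with no network. All identifiers,
# URLs and secrets are made-up placeholders, not real QQ or Ele.me values.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://koukou.example/oauth/authorize"  # stand-in for the QQ authorization endpoint
CLIENT_ID = "eleme-web"                                    # assumed: from the developer console
CLIENT_SECRET = "s3cr3t-from-developer-console"            # assumed: known only to the back end
REDIRECT_URI = "https://heleme.example/callback"           # assumed: must equal the registered URI


def parse_query(url: str) -> dict:
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Stand-in for the QQ authorization server."""

    def __init__(self):
        # Registered clients: the server only talks to clients it knows, each with one fixed redirect URI.
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}   # authorization code -> what it was issued for
        self.tokens = {}  # access token -> what it grants

    def authorize(self, query: dict, uid: int, approved: bool) -> str:
        """Authorization endpoint: the browser arrives here, the user logs in and decides.
        Returns the URL the browser is redirected to."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("redirect_uri") != client["redirect_uri"]:
            # Never redirect to an unregistered URI: that would hand the code to whoever chose it.
            raise ValueError("unknown client or redirect_uri mismatch")
        if query.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        state = query.get("state", "")
        if not approved:
            return REDIRECT_URI + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": query["redirect_uri"],
                            "scope": query.get("scope", ""), "uid": uid}
        # state is echoed back unchanged so the client can tie the callback to its own request.
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})

    def token(self, form: dict) -> dict:
        """Token endpoint: the client's back end posts the code here, never the browser."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(form.get("client_secret", ""), client["secret"]):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        rec = self.codes.pop(form.get("code"), None)  # pop: an authorization code is single-use
        if rec is None or rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": rec["client_id"], "scope": rec["scope"], "uid": rec["uid"]}
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 2592000,
                "refresh_token": secrets.token_urlsafe(32), "scope": rec["scope"], "uid": rec["uid"]}


class Client:
    """Stand-in for the Ele.me back end (a confidential client)."""

    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
        self.pending_states = set()  # in a real app this lives in the user's server-side session

    def build_authorize_url(self, scope: str = "read") -> str:
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                               "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})

    def handle_callback(self, callback_url: str) -> dict:
        """Controller for /callback: check state first, then exchange the code for a token."""
        params = parse_query(callback_url)
        if params.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: callback not started by this client (CSRF or replay)")
        self.pending_states.discard(params["state"])
        if "error" in params:
            raise PermissionError(params["error"])
        return self.auth_server.token({"grant_type": "authorization_code", "code": params["code"],
                                       "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                       "redirect_uri": REDIRECT_URI})


def run_flow(uid: int = 100101, approved: bool = True) -> dict:
    """Drive the whole exchange: build link -> user decides at QQ -> callback -> token."""
    server = AuthorizationServer()
    client = Client(server)
    link = client.build_authorize_url()
    callback = server.authorize(parse_query(link), uid=uid, approved=approved)
    return client.handle_callback(callback)


if __name__ == "__main__":
    print(run_flow())
```

The order of checks in handle_callback is deliberate: state is verified before the code is even read, so an attacker who lures a victim onto a callback URL carrying the attacker's own code cannot get that code bound to the victim's session. In a real deployment the token call is an HTTPS POST to the token endpoint and the server-side code store has an expiry of a few minutes; the in-memory dicts here stand in for both.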
Authorization mode 2: Implicit mode (also called the simplified mode)
The implicit mode is intended for purely front-end clients, such as a single-page application running in the browser: there is no back end, so there is nowhere to keep a client_secret, and the token is handed straight to the front end.
Again take Ele.me and QQ: Ele.me needs to use a QQ account for authorization.
Koukou.com/oauth/autho…
Parameter 1: response_type, which is token in this mode
Parameter 2: client_id, obtained from the developer platform
Parameter 3: redirect_uri, the redirection address. When the QQ platform completes the authorization it redirects to this URL, but instead of a code it places the access token itself into the URL fragment (the part after #)
Parameter 4: scope, the permission the token will carry, such as read-only or read-write
Heleme.com/callback#to…
This is the redirect_uri address; the fragment carries token=ACCESS_TOKEN, where ACCESS_TOKEN was issued by the QQ platform.
Because a URL fragment is never sent to the server, the token cannot be read in a Java controller here; the front-end JavaScript reads it from location.hash and keeps it for later calls. The token is exposed in the browser history and to every script on the page, and the client is never authenticated, which is why current guidance (the OAuth 2.0 Security Best Current Practice) recommends the authorization-code mode with PKCE for browser apps instead of the implicit mode.
Authorization mode 3: Password mode
In this mode the resource owner hands their user name and password directly to the client. The client sends them to the authorization server, which verifies them and returns an access token to the client.
Because the user's credentials are exposed to the client, this mode is only acceptable for highly trusted, first-party clients; it is typically used inside an enterprise, not with third-party platforms.
Authorization mode 4: Client credentials mode
The client authenticates itself to the authorization server (with its client_id and client_secret), and the authorization server returns an access token.
It is typically used for machine-to-machine calls: there is no resource owner involved, and the token represents the client itself rather than a user.
The refresh token
The refresh token exists to make re-authorization painless. When the client obtains an access token, the authorization server can return a refresh token along with it. The client uses the access token for its data requests, but one day the access token expires. Without a refresh token the client would have to take the user through the whole authorization process again. With a refresh token, the client sends it to the token endpoint (grant_type=refresh_token, together with its client credentials), and the authorization server issues a new access token directly, without involving the user. Refresh tokens are long-lived, so they belong only on the client's back end; the server must be able to revoke them, and it is good practice to rotate them so that each refresh token can be used once.
Selection of the request
Composition of the authorization server
The authorization server consists of four endpoints:
- Authorization endpoint: where the user is sent to log in and approve the request; it returns the authorization code (or, in implicit mode, the token itself)
- Token endpoint: issues access tokens in exchange for an authorization code, a refresh token, a password, or client credentials
- Introspection (verification) endpoint: lets a resource server ask whether a token is still valid and which scope and user it is bound to
- Revocation endpoint: lets a client invalidate an access token or refresh token before it expires
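An added example, covering both the refresh-token section and the four endpoints listed above. It is illustrative code, not QQ's implementation nor any library's: an in-memory token service with a token endpoint (refresh_token grant), an introspection endpoint and a revocation endpoint, plus a stand-in resource server that verifies a bearer token before serving the avatar. The lifetimes, client id and user id are assumed values, and a controllable clock is used so that expiry can be shown without waiting.

```python
# Added example: an in-memory model of the token, introspection and revocation
# endpoints of an authorization server, including the refresh_token grant.
# Illustrative code only, not QQ's or any library's; lifetimes and names are assumed.
import secrets
import time

ACCESS_TTL = 3600              # assumed: access tokens live one hour
REFRESH_TTL = 30 * 24 * 3600   # assumed: refresh tokens live thirty days


class FakeClock:
    """Controllable time source so expiry can be demonstrated without waiting."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


class TokenService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}    # access token  -> {client_id, scope, uid, exp}
        self.refresh = {}   # refresh token -> {client_id, scope, uid, exp, access_token}

    def issue(self, client_id: str, scope: str, uid: int) -> dict:
        """Issue an access/refresh token pair (same JSON shape as the token response shown above)."""
        now = self.clock()
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"client_id": client_id, "scope": scope, "uid": uid, "exp": now + ACCESS_TTL}
        self.refresh[rt] = {"client_id": client_id, "scope": scope, "uid": uid,
                            "exp": now + REFRESH_TTL, "access_token": at}
        return {"access_token": at, "token_type": "bearer", "expires_in": ACCESS_TTL,
                "refresh_token": rt, "scope": scope, "uid": uid}

    def token(self, form: dict) -> dict:
        """Token endpoint, refresh_token grant only: no user interaction, the refresh token is the proof."""
        if form.get("grant_type") != "refresh_token":
            raise ValueError("unsupported_grant_type")
        rt = form.get("refresh_token")
        rec = self.refresh.get(rt)
        # the refresh token must exist, belong to the presenting client, and not be expired
        if rec is None or rec["client_id"] != form.get("client_id") or rec["exp"] <= self.clock():
            raise ValueError("invalid_grant")
        del self.refresh[rt]                         # rotation: a refresh token is used once
        self.access.pop(rec["access_token"], None)   # the old access token dies with it
        return self.issue(rec["client_id"], rec["scope"], rec["uid"])

    def introspect(self, token: str) -> dict:
        """Introspection (verify) endpoint: resource servers call this before serving a request."""
        rec = self.access.get(token)
        if rec is None or rec["exp"] <= self.clock():
            return {"active": False}   # unknown, expired and revoked all look the same to the caller
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"],
                "sub": str(rec["uid"]), "exp": int(rec["exp"])}

    def revoke(self, token: str) -> None:
        """Revocation endpoint: accepts an access or a refresh token; unknown tokens are ignored."""
        if token in self.refresh:
            rec = self.refresh.pop(token)
            self.access.pop(rec["access_token"], None)
        elif token in self.access:
            del self.access[token]
            # also drop the refresh token issued with it, so it cannot resurrect the grant
            for rt, rec in list(self.refresh.items()):
                if rec["access_token"] == token:
                    del self.refresh[rt]


def get_avatar(service: TokenService, bearer_token: str) -> str:
    """Stand-in for the resource server's avatar endpoint: verify the token, then check scope."""
    info = service.introspect(bearer_token)
    if not info["active"]:
        raise PermissionError("401 invalid_token")
    if "read" not in info["scope"].split():
        raise PermissionError("403 insufficient_scope")
    return f"avatar-of-user-{info['sub']}.png"


def demo() -> list:
    """Walk through issue -> use -> expiry -> refresh -> revoke; returns what happened at each step."""
    clock = FakeClock()
    svc = TokenService(clock)
    events = []
    t = svc.issue("eleme-web", "read", 100101)                         # assumed client and user ids
    events.append(get_avatar(svc, t["access_token"]))                  # served while the token is fresh
    clock.advance(ACCESS_TTL + 1)
    events.append(svc.introspect(t["access_token"])["active"])         # False: access token expired
    t2 = svc.token({"grant_type": "refresh_token", "refresh_token": t["refresh_token"],
                    "client_id": "eleme-web"})                         # new pair, user not involved
    events.append(get_avatar(svc, t2["access_token"]))
    svc.revoke(t2["refresh_token"])                                    # e.g. user disconnects the app
    events.append(svc.introspect(t2["access_token"])["active"])        # False: revoked
    return events


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. Introspection answers only active or not, and the resource server treats expired, revoked and never-issued tokens identically, so the resource server needs no access to the token store. Revoking either member of a pair removes the other, because a surviving refresh token would let a client mint a new access token after the user thought access was gone.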