This article is also published on my personal blog: www.chengxy-nds.top, where I share technical resources so we can make progress together.

Last week my self-developed open source project broke ground ("The open source project took its first step: choose 1 out of 10? The page template became the first stumbling block"). I had been planning it for a long time before putting it into action. The original intention was not to let myself get too comfortable: on the road of technology, not progressing is the same as retreating, so I have to force myself to learn.

The project leans toward technical practice, so it will not pile on too much business logic; business code is better learned at work. At the moment I am selecting and reserving technologies: front-end/back-end separation, microservices, Spring Boot and Spring Cloud, which are relatively mainstream, will all be applied in the project. In fact I am not good at many of these technologies and keep consulting materials to verify things, but in the process of exploring, my skills improve much faster than at work. After all, there is a fundamental difference between active and passive learning.

In the coming days we plan to finish building the project's front-end/back-end separated architecture. Since it is a separated project, authentication is unavoidable, so OAuth2.0 is a topic we have to understand.


1. What is OAuth2.0

OAuth is simply an authorization mechanism. It is an authorization layer between the client and the resource owner, used to separate these two different roles. After the resource owner agrees and a token is issued to the client, the client carries the token to access the resource owner's resources.

OAuth2.0 is a version of the OAuth protocol. If there is a 2.0 version, there is a 1.0 version. Interestingly, OAuth2.0 is not backward compatible with OAuth1.0, which is equivalent to deprecating version 1.0.

What is OAuth authorization?

I was at home grinding out an article and ordered takeout on Ele.me. The delivery rider reached the foot of my building within 30 seconds, but the access control system kept him out. He could type in the password, but for security reasons I did not want to tell him the password.

At this point the delivery rider noticed an advanced button on the access control panel: "one-click access authorization". As long as I agreed, he would get a token valid for 2 hours that let him enter normally.

(figure: the access control panel with its "one-click access authorization" button)

A token and a password serve similar functions, but they differ: the token has a permission scope, has a validity period and expires automatically, and can be revoked.

2. OAuth2.0 authorization modes

OAuth2.0 authorization is simply the process of acquiring a token. The OAuth protocol defines four authorization grant types for acquiring tokens:

  • Authorization code (authorization_code)
  • Implicit (implicit)
  • Password (password)
  • Client credentials (client_credentials)

However, it is worth noting that no matter which grant type we use, a third-party application must first register with the system and obtain its unique identifiers, the client ID and client secret, before it can apply for a token. This prevents the token from being obtained or used by arbitrary clients.

We will examine the principles of each of these grant types. Before getting to the topic, let us understand several important parameters in the OAuth2.0 authorization process:

  • response_type: code means an authorization code is requested; token means the token is returned directly
  • client_id: the client's ID
  • client_secret: the client's secret
  • redirect_uri: the redirection address
  • scope: the scope of authorization; read is read-only permission, all is read and write access
  • grant_type: the grant type: authorization_code (authorization code), password (password), client_credentials (client credentials), refresh_token (update the token)
  • state: a random value generated by the application to prevent CSRF attacks

1. Authorization code

Of the four OAuth2.0 grant types, the authorization code grant is the most complex, but it also has the highest level of security and is the most commonly used. It suits web projects that have both a front end and a back end; projects with only a back end or only a front end do not fit the authorization code pattern.

In the figure below, we take logging in to Nuggets (juejin.im) with WX as an example to look at the overall process of the authorization code mode in detail.

(figure: the authorization code flow for logging in to Nuggets with WX)

The user selects WX to log in to Nuggets, and Nuggets sends an authorization request to WX, which then asks whether the user agrees to authorize (the familiar pop-up authorization). response_type=code asks for an authorization code to be returned; scope indicates that the authorization scope is read-only; redirect_uri specifies the redirection address.

https://wx.com/oauth/authorize?
  response_type=code&
  client_id=CLIENT_ID&
  redirect_uri=http://juejin.im/callback&
  scope=read

After the user agrees to authorize, WX redirects to the redirect_uri and carries the authorization code.

http://juejin.im/callback?code=AUTHORIZATION_CODE

Once Nuggets has the authorization code, it applies to WX for a token using the authorization code and its secret. grant_type=authorization_code indicates the authorization code grant. To obtain the token, the client secret client_secret and the authorization code obtained in the previous step are both required.

https://wx.com/oauth/token?
  client_id=CLIENT_ID&
  client_secret=CLIENT_SECRET&
  grant_type=authorization_code&
  code=AUTHORIZATION_CODE&
  redirect_uri=http://juejin.im/callback

Finally, WX receives the request and sends JSON data to the redirect_uri address, in which access_token is the token.

 {
   "access_token": "ACCESS_TOKEN",
   "token_type": "bearer",
   "expires_in": 2592000,
   "refresh_token": "REFRESH_TOKEN",
   "scope": "read"
 }

2. Implicit

As mentioned above, some web applications have no back end. They are pure front-end applications and cannot use the authorization code mode above. Applying for and storing the token must be done entirely in the front end, skipping the authorization code step.

The front-end application obtains the token directly: response_type is set to token, asking for the token to be returned directly without an authorization code, and after WX authorization passes it redirects to the specified redirect_uri with the token.

https://wx.com/oauth/authorize?
  response_type=token&
  client_id=CLIENT_ID&
  redirect_uri=http://juejin.im/callback&
  scope=read

3. Password

The password mode is easier to understand. The user enters their WX username and password directly into Nuggets, and Nuggets takes this information straight to WX to request a token. The token is returned in the JSON body of the response. grant_type=password indicates the password grant.

https://wx.com/token?
  grant_type=password&
  username=USERNAME&
  password=PASSWORD&
  client_id=CLIENT_ID

The disadvantage of this grant type is obvious and it is very dangerous: the third-party application sees the user's credentials. If this method is adopted, the application must be highly trusted.

4. Client credentials

The client credentials grant is similar to the password grant and is mainly suited to command-line applications without a front end. It obtains the token in the simplest way, returned in the JSON body of the response.

grant_type=client_credentials indicates the client credentials grant, and client_id and client_secret are used to identify the client.

https://wx.com/token?
  grant_type=client_credentials&
  client_id=CLIENT_ID&
  client_secret=CLIENT_SECRET

3. Use and update of tokens

1. How to use the token?

Now that you have a token, you can call the WX API to request data. How is the token used?

Every request that reaches WX must carry the token, which is placed in the Authorization field of the HTTP request header.

If you simulate requests with Postman, put the token under Authorization -> Bearer Token; note that older versions of Postman do not have this option.

(figure: the Bearer Token option in Postman's Authorization tab)

2. What if the token expires?

Tokens are time-limited and must be reacquired once they expire. However, going through the whole authorization process again is not only a hassle but also a poor user experience. How can token renewal be made more elegant?

Generally, two tokens are issued at once: one for requesting the API, and another, the refresh_token, for renewing the token. grant_type=refresh_token means the request is a token renewal, and the refresh_token parameter is the token used to renew it.

https://wx.com/oauth/token?
  grant_type=refresh_token&
  client_id=CLIENT_ID&
  client_secret=CLIENT_SECRET&
  refresh_token=REFRESH_TOKEN
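As an added example (not code from the original post), the client-side half of the authorization code flow above, plus the token use and refresh described in this section, in Python: it builds the authorize URL with a state value, checks that state on the callback, assembles the token and refresh requests, and tracks expiry. The URLs and CLIENT_ID/CLIENT_SECRET/ACCESS_TOKEN values are the post's own placeholders; nothing is sent over the network.

```python
# Added example, not code from the original post: client-side helpers for the
# authorization code flow, token use and refresh; URLs are the post's placeholders.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://wx.com/oauth/authorize"
REDIRECT_URI = "http://juejin.im/callback"

def new_state():
    # Unguessable value saved in the user's session before the redirect
    return secrets.token_urlsafe(16)

def build_authorize_url(client_id, state, scope="read"):
    # Step 1: send the browser to WX asking for an authorization code
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)

def parse_callback(callback_url, expected_state):
    # Step 2: read the code from the redirect; a wrong state means this
    # callback was not started by our session (CSRF), so refuse it
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    return qs["code"][0]

def token_request(client_id, client_secret, code):
    # Step 3: body POSTed to /oauth/token to exchange the code for tokens
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": REDIRECT_URI}

def refresh_request(client_id, client_secret, refresh_token):
    # Body POSTed to /oauth/token once the access token has expired
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}

def store_token(token_json, now):
    # Turn the relative expires_in from the JSON reply into an absolute time
    return {"access_token": token_json["access_token"],
            "refresh_token": token_json.get("refresh_token"),
            "expires_at": now + token_json["expires_in"]}

def needs_refresh(stored, now, margin=60):
    # Refresh shortly before expiry instead of waiting for a 401 from the API
    return now + margin >= stored["expires_at"]

def bearer_header(stored):
    # Every API call carries the token in the Authorization header
    return {"Authorization": "Bearer " + stored["access_token"]}
```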

Conclusion

OAuth2.0 authorization is not very difficult, but the authorization flow is a bit cumbersome and the logic takes some turns. OAuth2.0 is a frequently asked interview topic, so it is worth understanding well. A hands-on walkthrough of the four OAuth2.0 grant types is coming; stay tuned and feel free to follow ~


Original writing is not easy and this content cost me some hair; if you got something out of it, a like would be encouraging!

I have collected hundreds of technical e-books to give to my friends. Follow the public account and reply [666] to get them. I have also set up a technology exchange group with some friends to discuss technology and share technical materials, aiming to learn and progress together. If you are interested, please join us!