This is the 15th day of my participation in the November Gwen Challenge. Check out the event details: The last Gwen Challenge 2021

Four modes of OAuth2

  1. Authorization code mode: used for the common "log in with a third-party platform" feature
  2. Simplified (implicit) mode: no third-party server takes part; the token is requested from the authorization server directly in the browser. A purely static site can use this mode
  3. Password mode: the user gives their username and password to the client, and the client uses them to apply for a token from the authorization server. This requires a high degree of trust in the client, for example when the client and the server belong to the same company
  4. Client mode: the client requests authorization from the service provider in its own name rather than on behalf of a user.

OAuth2 consists of four different roles

  • Client: the third-party application.
  • Resource Owner: the owner of the protected resource, typically the end user.
  • Authorization Server: the server that authenticates the resource owner and issues tokens.
  • Resource Server: the server that hosts the protected resources and accepts access tokens.

Authorization code mode

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

   Note: The lines illustrating steps (A), (B), and (C) are broken into
   two parts as they pass through the user-agent.

                     Figure 3: Authorization Code Flow

Datatracker.ietf.org/doc/html/rf…

  1. The user clicks the login link, and the client redirects the user to the login page of the authorization server.
  2. The user consents to the authorization.
  3. The authorization server redirects the browser to the address given in redirect_uri, with an authorization code as a query parameter.
  4. The client exchanges the authorization code for a token at the authorization server, sending its own parameters such as client_id, grant_type and redirect_uri. This step runs on the back end and is not visible to the user.
  5. After verifying the parameters, the authorization server returns the access token and refresh token.
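The five steps above, played out between both sides in one process, as an added example (not code from the original post, not any real OAuth2 library). It goes slightly beyond the text: the client binds each login to a random state value and checks it on the callback, and the authorization server enforces the checks a real one must perform in step 5 (registered redirect_uri match, client authentication, code expiry, single use of the code). Every client id, secret and URL is a constructed placeholder.

```python
"""Toy OAuth2 authorization-code flow: in-memory authorization server plus
confidential client.  Added example; ids, secrets and URLs are placeholders."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # constructed placeholder
CODE_LIFETIME_SECONDS = 60  # assumption; RFC 6749 recommends at most 10 minutes


class AuthorizationServer:
    """Registered clients, outstanding codes and issued tokens, all in memory."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri"}
        self.codes = {}    # code -> {"client_id", "redirect_uri", "user", "expires"}
        self.tokens = {}   # access_token -> {"user", "client_id"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, request_url, user):
        """Steps 2-3: user has consented; issue a code and build the redirect back."""
        params = parse_qs(urlparse(request_url).query)
        client_id, redirect_uri = params["client_id"][0], params["redirect_uri"][0]
        client = self.clients.get(client_id)
        # Only redirect to the URI registered for this client (stops code leakage).
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + CODE_LIFETIME_SECONDS}
        # state is echoed back unchanged so the client can tie the callback to its request.
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"][0]})

    def token(self, form):
        """Steps 4-5: back-channel exchange of the code for tokens, with all checks."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        client = self.clients.get(form.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], form.get("client_secret", "")):
            raise ValueError("client authentication failed")
        record = self.codes.pop(form.get("code"), None)  # pop: a code is single use
        if record is None or record["expires"] < time.time():
            raise ValueError("invalid or expired authorization code")
        if record["client_id"] != form["client_id"] or record["redirect_uri"] != form.get("redirect_uri"):
            raise ValueError("code was not issued to this client/redirect_uri")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = {"user": record["user"], "client_id": form["client_id"]}
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh}


class Client:
    """A confidential (server-side) client: the secret never reaches the browser."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_states = set()

    def login_url(self, authorize_endpoint):
        """Step 1: the URL the user's browser is sent to."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, callback_url, server):
        """Steps 3-5: check state, then redeem the code server-to-server."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [""])[0]
        if state not in self.pending_states:  # unknown state: drop the callback
            raise ValueError("unexpected state (possible forged callback)")
        self.pending_states.discard(state)
        return server.token({"grant_type": "authorization_code", "code": params["code"][0],
                             "client_id": self.client_id, "client_secret": self.client_secret,
                             "redirect_uri": self.redirect_uri})


def setup():
    server = AuthorizationServer()
    server.register_client("demo-client", "demo-secret", "https://client.example/callback")
    return server, Client("demo-client", "demo-secret", "https://client.example/callback")


def run_flow():
    """Whole flow: returns the token response the client ends up holding."""
    server, client = setup()
    callback = server.authorize(client.login_url(AUTHORIZE_ENDPOINT), user="alice")
    return client.handle_callback(callback, server)


def code_reuse_rejected():
    """Replaying an already redeemed code must fail; returns True if it does."""
    server, client = setup()
    callback = server.authorize(client.login_url(AUTHORIZE_ENDPOINT), user="alice")
    form = {"grant_type": "authorization_code", "code": parse_qs(urlparse(callback).query)["code"][0],
            "client_id": client.client_id, "client_secret": client.client_secret,
            "redirect_uri": client.redirect_uri}
    server.token(form)  # first redemption succeeds
    try:
        server.token(form)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
    print("code reuse rejected:", code_reuse_rejected())
```

The point to notice is where each value travels: the code and state cross the browser (steps 1 and 3), while the client secret and the access token only move on the direct client-to-server call in step 4, which is why the text below calls this the safest of the four modes.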

This mode is the safest of the four. It is used when the client is a web server application or a third-party native app that calls the resource server. In this mode the access_token never passes through the browser or the mobile app; the client obtains it directly from the server, which minimizes the risk of token leakage.