1. I give you the password
Xiao Liang developed a “Credit Card Manager” program that automatically reads credit-card related mail from a mailbox, analyzes and summarizes it, and produces a report.
Xiao Liang found Zhang Dapang, a credit card enthusiast, to try it out: “You have so many credit cards; take a look at this program of mine, I guarantee you’ll love it.”
Zhang Dapang tried it a few times and said: “Hey, for your program to read my NetEase mailbox, it needs my user name and password.”
“Yes, just enter your password into the program. My program encrypts and saves it for you; I guarantee it won’t leak.”
“Come on, I’m not telling you my password. I use one password for everything so I can remember it. If it leaks, I’m done.”
Xiao Liang said: “Then I won’t save it. I’ll use it once when I access the mailbox and throw it away afterwards!”
“You think you’re Alibaba, with that kind of credibility? You’re just a small website. Giving you my password never feels safe. Even if I trust you, can other people trust you?”
Xiao Liang thought it over: this is a huge psychological obstacle. Everyone guards their password to the death.
2. Token
A week later, Xiao Liang excitedly dragged Zhang Dapang over to see the upgraded “Credit Card Manager”.
“It’s version 2.0 now. This time I don’t need to ask for your NetEase mailbox user name and password.”
“Then how do you access my mailbox?”
“It’s simple. I added a new entrance, ‘Log in with NetEase’. After you click it, you are redirected to the NetEase authentication system to log in. The NetEase authentication system lets you enter your user name and password and asks whether you allow Credit Card Manager to access your NetEase mailbox. Once you confirm, it redirects you back to my Credit Card Manager website and brings along a token. I can use that token to access your NetEase mailbox through the API, and I never touch your user name and password at all. How about that?”
“Easy for you to say. Your Credit Card Manager is a small website with no reputation. How can NetEase trust it?”
“Of course I have to register with NetEase first. They give me an app_id and app_secret, which I include when redirecting to NetEase, so NetEase knows it is the ‘Credit Card Manager’ application that is asking for authorization.”
[Figure: diagram of the flow described above; image not included]
Zhang Dapang said: “All this redirecting back and forth, isn’t it really just to get a token?”
“Yes. Because you don’t trust my Credit Card Manager to save your password, we have to use a token instead. It is issued by the NetEase authentication center and actually represents your authorization for Credit Card Manager to access your mailbox. So whoever holds this token can access your mailbox.”
“Right,” Zhang Dapang asked, “but why do you use JavaScript to read the token?”
“So my back-end servers don’t have to participate; all the work is done on the front end. Did you notice the # in that URL? www.a.com/callback#token=<token returned by NetEase>”
“I know, that thing is called a hash fragment. It stays in the browser, only JavaScript can access it, and it isn’t sent to other servers in further HTTP requests. I suppose that’s for security,” Zhang said.
Xiao Liang said, “Yes, that token is very, very important. It should be kept properly and never divulged!”
“But in step 6, through the redirect, the token is sent to my browser in clear text. Although it’s HTTPS, so others can’t eavesdrop on it, it can still be found in the browser history or access logs. Isn’t that exposure?”
Xiao Liang said: “This… you really have a strong sense of security. Let me think whether there’s a safer way.”
3. Authorization Code + Token
A week later, Xiao Liang successfully upgraded Credit Card Manager to 3.0.
He said to Zhang Dapang, “This time I’ve successfully hidden that all-important authorization token. Want to see?”
“How did you hide it?”
“The overall idea is similar, except that I introduced an intermediate layer called the authorization code. When you log in with your NetEase account, the NetEase authentication center does not issue a token to me this time but an authorization code. After my Credit Card Manager server gets the code, it visits the NetEase authentication center again in the background, and only then does it send me the real token. Let’s go straight to the picture:”
[Figure: diagram of the authorization code flow described above; image not included]
“That’s fairly easy to understand,” Zhang said. “Essentially, you take the returned authorization code and ‘secretly’ complete the token request in the server background, so the browser can’t access the token at all, right?”
“What do you mean, secretly? This is normal communication between my Credit Card Manager server and NetEase; you just can’t see it.”
“Just kidding. But although you’ve hidden the token, the authorization code is still exposed. Look at step 7: I can see it in the browser. If someone else gets hold of it, can’t they still obtain the token?”
Xiao Liang said, “Of course there are defensive measures. For example, the authorization code is tied to the app_id and app_secret of my Credit Card Manager application; the NetEase authentication center only treats a token request sent by Credit Card Manager itself as legitimate. You can also set a time limit on the authorization code, say five minutes until it expires, or allow it to be exchanged only once and never a second time.”
“That sounds good. This time I can use it with confidence!”
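As an added example (not code from the original article), here is a small Python model of the two flows from sections 2 and 3: the authentication center either puts the token straight into the callback’s hash fragment (version 2.0), or hands out an authorization code that only the registered client, presenting its app_secret, can exchange, once, within five minutes (version 3.0). The client name, secret and callback URL are constructed placeholders, and the clock is passed in by the caller so expiry can be simulated.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration: what "NetEase" hands "Credit Card Manager"
# when it registers (the app_id / app_secret values are placeholders).
CLIENTS = {"credit-card-manager": {"secret": "app_secret_placeholder",
                                   "redirect_uri": "https://www.a.com/callback"}}
CODE_TTL = 300  # seconds: the five-minute code lifetime mentioned in the story


class AuthorizationServer:
    """Toy NetEase authentication center (added example); now = caller-supplied clock in seconds."""

    def __init__(self):
        self._codes = {}     # code -> (client_id, issued_at)
        self.tokens = set()  # tokens the mailbox API would accept

    def authorize(self, client_id, redirect_uri, grant, now):
        """Called after the user has logged in and clicked 'allow'."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or wrong redirect_uri")
        if grant == "implicit":
            # Version 2.0: the token itself rides in the hash fragment (step 6).
            token = secrets.token_urlsafe(24)
            self.tokens.add(token)
            return redirect_uri + "#" + urlencode({"token": token})
        # Version 3.0: only a short-lived, single-use code reaches the browser.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, now)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, now):
        """Back-channel exchange: only the registered client can redeem a code."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("bad client credentials")
        entry = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_client, issued_at = entry
        if code_client != client_id or now - issued_at > CODE_TTL:
            raise PermissionError("code issued to another client, or expired")
        token = secrets.token_urlsafe(24)
        self.tokens.add(token)
        return token


def code_from_callback(url):
    """What the client's server sees in step 7: the ?code= query parameter."""
    return parse_qs(urlparse(url).query)["code"][0]
```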
4. Afterword
This article covers three of the OAuth grant types, in order:
1. Resource Owner Password Credentials Grant
2. Implicit Grant
3. Authorization Code Grant
There is also a fourth, Client Credentials, which is used less often and is not covered in this article.
These names sound a little odd, but they are not that complicated in nature. A few more OAuth terms you can now understand:
Resource owner: that’s Zhang Dapang
Resource server: the NetEase mailbox
Client: the Credit Card Manager above
Authorization server: the NetEase authentication center mentioned above
For the full OAuth 2.0 protocol, see the specification (RFC 6749).
Code Farmers Turn Over: telling stories about the nature of technology