Logging in by scanning a QR code is now common: WeChat, Alipay and many other apps let you sign in to their PC clients by scanning a code with your phone, and it can feel as though an app without scan-to-login is behind the times. As a technical person I had long been curious about the logic behind it. I recently watched a video on how QR code login works, so I wrote up this article; I hope it helps you.
There are three themes in this paper:
- What is a QR code?
- Token-based authentication on mobile devices.
- How QR code scan login works.
1. What is a QR code
A QR code is the most common kind of two-dimensional (2D) bar code; QR stands for Quick Response. It has become a hugely popular encoding on mobile devices in recent years: it stores far more information than a traditional one-dimensional bar code and can represent more data types. (From Baidu Baike.)
Goods usually carry a bar code, also called a one-dimensional code; a bar code holds only a short string of digits (or, in some symbologies, a few alphanumeric characters). A QR code holds much more: numeric, alphanumeric, binary and kanji data, up to a few kilobytes in total. That is enough for a URL, a short message, a contact card or a login identifier, though not for whole pictures or files. For example, we can store www.baidu.com in a QR code, and scanning it gives us Baidu's address.
Words alone may not make this concrete. Search Baidu for Caoliao QR code (草料二维码), a QR code generation and decoding tool, and play with it for a minute to see what a QR code really is.
2. Token-based authentication on mobile devices
Before looking at how scan login works, we need to understand the token-based authentication mechanism used by mobile apps. It differs from plain account-and-password authentication and is safer: if the account and password were sent on every request, every request would be another chance for them to be captured, and a captured password is valid everywhere and until it is changed. A token is a random value that the server can scope, expire and revoke.
The flow of token-based authentication is as follows:
With token-based authentication you enter your password only the first time; later use does not ask for it. At login the app sends not only the account and password but also information about the phone (the device information). After the server verifies the account and password, it does two things.
First, it associates the account with the device; in a sense, the device information now stands for the account.
Second, it generates a token and associates it with the account and device, like a key/value pair: the token is the key, the account plus device information is the value, and the mapping is persisted to disk.
The token is returned to the phone, which stores it locally and from then on uses it to call the server's API. Besides the token, each request also carries the device information, because a token can be stolen: the server checks that the token is presented from the device it was issued to. Note the limit of this check. The device information travels over the same channel as the token, so an attacker who intercepts one usually gets both; device binding raises the bar against a token that leaks on its own (from a log file or a backup, say), while protection against interception comes from TLS, short token lifetimes, revocation, and, where the platform supports it, a device-bound key that cannot be copied off the phone.
That is the token-based authentication mechanism: the account and password are replaced by a token plus device information, which improves security. Do not underestimate the token.
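The mechanism above in working code, as an added example rather than code from the article or from any real app. The two dictionaries stand in for the persisted store; `TokenStore`, `Session` and the 30-day lifetime are hypothetical names and values chosen for illustration, and the `now` parameter exists so the expiry logic can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 50_000  # kept modest so the example runs quickly


def make_password_record(password: str) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, candidate)


@dataclass
class Session:
    account: str
    device_id: str      # the device the token was issued to
    expires_at: float


class TokenStore:
    """Token-based authentication: token -> (account, device) mapping.

    Hypothetical in-memory implementation; the dicts stand in for the
    persisted store the article describes."""

    TTL = 30 * 24 * 3600  # 30 days (assumed); real apps pick shorter and refresh

    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self._users = users                      # account -> password record
        self._sessions: Dict[str, Session] = {}  # token -> Session

    def login(self, account: str, password: str, device_id: str,
              now: Optional[float] = None) -> Optional[str]:
        """The one time the password is sent. Returns the token, or None."""
        now = time.time() if now is None else now
        record = self._users.get(account)
        if record is None or not check_password(record, password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG: unguessable
        self._sessions[token] = Session(account, device_id, now + self.TTL)
        return token

    def authenticate(self, token: str, device_id: str,
                     now: Optional[float] = None) -> Optional[str]:
        """Every later API call: token + device info instead of the password.
        Returns the account, or None if the token is unknown, expired, or
        presented from a device other than the one it was issued to."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]
            return None
        # Device binding: a token replayed from another device is rejected.
        # Limit: an attacker who captured the device_id along with the token
        # still passes this check, so it is no substitute for TLS and revocation.
        if not hmac.compare_digest(session.device_id.encode(), device_id.encode()):
            return None
        return session.account

    def revoke_account(self, account: str) -> int:
        """Log the account out everywhere (password change, lost phone)."""
        doomed = [t for t, s in self._sessions.items() if s.account == account]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

The same token presented with a different `device_id` is refused, which is the check the article describes; `revoke_account` is the server-side lever that a password alone cannot give you, and it is why the token mapping must live on the server rather than being a self-contained signed value.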
3. How QR code scan login works
With the mobile token mechanism understood, we come to our topic: how QR code scan login works. First, the flow chart of QR code scan login:
Scan login has three phases: waiting to be scanned, scanned and waiting for confirmation, and confirmed. Let's look at each.
1. Waiting to be scanned
The waiting-to-be-scanned phase is steps 1-5 in the flow chart, the QR code generation stage. The phone is not involved; this is an interaction between the PC and the server.
First, the PC sends its device information to the server and asks for a QR code. The server generates a unique QR code ID (think of it as a UUID; it must be unguessable, because anyone who can predict it could poll for the result of somebody else's login) and associates the ID with the PC's device information, much as it does at mobile login.
The PC receives the QR code ID, renders it as a QR code and waits for the phone to scan it. At the same time the PC starts a timer that polls the server for the status of the QR code; the PC's device information goes with each poll, so only the PC that requested the code can collect its result. If nobody scans the code within a set time, it expires.
2. Scanned, waiting for confirmation
Steps 6-10 in the flow chart. When we log in to WeChat on the PC, the QR code on the PC changes to "Scanned, please confirm on your phone". This phase is an interaction between the phone and the server.
First, the phone scans the QR code to obtain the QR code ID, then sends its login credential (the token) together with the QR code ID to the server. The phone must already be logged in at this point; there is no case of an unauthenticated phone scanning in.
When the server receives the request, it associates the mobile token with the QR code ID. Why is that association needed? Think about WeChat: when you log out on the phone, the PC client is logged out too, and this association is what makes that possible. The server then generates a one-time temporary token and returns it to the phone as the voucher for the confirmation step.
The PC's timer notices that the status of the QR code has changed and updates the display to "Scanned, please confirm".
3. Confirmed
Steps 11-15 in the flow chart are the last stage of scan login. The phone sends the temporary token from the previous step to confirm the login. The server checks it (the temporary token is valid once, and only for the QR code ID it was issued for), updates the status of the QR code, and generates a formal token for the PC. The PC then uses that token to access the server. The confirmation screen on the phone is the user's only chance to notice a login they did not start, so it should show what is being approved.
The PC's timer sees the QR code move to the logged-in state, fetches the generated token, completes the login, and uses the token for all subsequent access. The server should hand the token out only once, and only to the PC whose device information matches the one that requested the QR code.
The server maintains the relationships between the token, the QR code, the PC's device information and the account, just as it does for the mobile token.
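The three phases as one server-side state machine, in working code. This is an added example, not code from the article or from WeChat or Alipay; `QrLoginServer`, `QrState`, the 60-second lifetime and the `mobile_sessions` dictionary (phones assumed to be already logged in via the token mechanism of section 2) are hypothetical names and values chosen for illustration, and `now` is passed explicitly so expiry can be exercised without waiting.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class QrState(Enum):
    WAITING = "waiting"      # stage 1: generated, nobody has scanned it yet
    SCANNED = "scanned"      # stage 2: scanned, waiting for confirmation on the phone
    CONFIRMED = "confirmed"  # stage 3: confirmed, PC token ready to be collected
    EXPIRED = "expired"


@dataclass
class QrRecord:
    pc_device: str                      # device info of the PC that requested the code
    created_at: float
    state: QrState = QrState.WAITING
    account: Optional[str] = None
    mobile_token: Optional[str] = None  # association made in stage 2
    temp_token: Optional[str] = None    # one-time voucher for the confirm step
    pc_token: Optional[str] = None      # formal token, handed to the PC exactly once


class QrLoginServer:
    QR_TTL = 60.0  # seconds a code stays scannable/confirmable (assumed value)

    def __init__(self, mobile_sessions: Dict[str, Tuple[str, str]]):
        # mobile token -> (account, device): phones already logged in (constructed input)
        self._mobile = mobile_sessions
        self._qr: Dict[str, QrRecord] = {}
        # pc token -> (account, pc device, mobile token it was derived from)
        self.pc_sessions: Dict[str, Tuple[str, str, str]] = {}

    def _expire(self, rec: QrRecord, now: float) -> None:
        if rec.state in (QrState.WAITING, QrState.SCANNED) and now - rec.created_at > self.QR_TTL:
            rec.state = QrState.EXPIRED

    # ---- stage 1: PC <-> server --------------------------------------------
    def create_qr(self, pc_device: str, now: float) -> str:
        qr_id = secrets.token_urlsafe(16)  # unguessable; a UUID4 would do as well
        self._qr[qr_id] = QrRecord(pc_device=pc_device, created_at=now)
        return qr_id

    def poll(self, qr_id: str, pc_device: str, now: float) -> Tuple[Optional[QrState], Optional[str]]:
        """PC timer. Returns (state, pc_token); the token appears exactly once, and
        only for the PC whose device info matches the one that requested the code."""
        rec = self._qr.get(qr_id)
        if rec is None or rec.pc_device != pc_device:
            return None, None  # unknown code, or a different PC fishing for the result
        self._expire(rec, now)
        if rec.state is QrState.CONFIRMED and rec.pc_token is not None:
            token, rec.pc_token = rec.pc_token, None
            return rec.state, token
        return rec.state, None

    # ---- stage 2: phone <-> server -----------------------------------------
    def scan(self, qr_id: str, mobile_token: str, mobile_device: str, now: float) -> Optional[str]:
        """Phone sends its token + the QR id. Returns the one-time temp token, or None."""
        rec = self._qr.get(qr_id)
        sess = self._mobile.get(mobile_token)
        if rec is None or sess is None or sess[1] != mobile_device:
            return None  # unknown code, or the phone is not (validly) logged in
        self._expire(rec, now)
        if rec.state is not QrState.WAITING:
            return None  # expired or already scanned: a second scanner gets nothing
        rec.state = QrState.SCANNED
        rec.account = sess[0]
        rec.mobile_token = mobile_token  # the association that ties PC login to the phone
        rec.temp_token = secrets.token_urlsafe(16)
        return rec.temp_token

    # ---- stage 3: phone confirms, PC collects --------------------------------
    def confirm(self, qr_id: str, temp_token: str, now: float) -> bool:
        rec = self._qr.get(qr_id)
        if rec is None:
            return False
        self._expire(rec, now)
        if rec.state is not QrState.SCANNED or rec.temp_token is None:
            return False
        if not secrets.compare_digest(rec.temp_token.encode(), temp_token.encode()):
            return False
        rec.temp_token = None  # one-time: replaying the same voucher fails
        rec.pc_token = secrets.token_urlsafe(32)
        self.pc_sessions[rec.pc_token] = (rec.account, rec.pc_device, rec.mobile_token)
        rec.state = QrState.CONFIRMED
        return True

    def logout_mobile(self, mobile_token: str) -> int:
        """Logging out on the phone also ends the PC sessions derived from it."""
        self._mobile.pop(mobile_token, None)
        doomed = [t for t, (_, _, mt) in self.pc_sessions.items() if mt == mobile_token]
        for t in doomed:
            del self.pc_sessions[t]
        return len(doomed)
```

Three checks carry the security of the flow: the QR ID and temporary token come from a CSPRNG, the poll only answers the PC whose device information created the code, and both the temporary token and the formal PC token are consumed on first use. The `logout_mobile` method is the payoff of the association made in stage 2.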
That is essentially how QR code scan login works. The principle is not hard to understand and resembles OAuth 2.0, most closely the device authorization grant (RFC 8628), where one device displays a code, the user approves it on another device and the first device polls for the result; a real implementation may be considerably more complex.
I hope this article helps with your study or work. Please share your own experience with scan login in the comments. Best wishes.
Finally
Many people on the Internet have already written about how QR code scan login works; if this article resembles theirs, please forgive me. Writing is not easy, and I hope for your support. If there are mistakes in the article, please point them out. Thank you.