Hello everyone, I'm Orange chang. Earlier we brought you the first interpretation, “Opening OAuth 2.0 Authorization”.

Today we continue with our interpretation of “Authorization Protocols in OAuth 2.0”.

I. OAuth history

OAuth 2.0 is the successor to the OAuth 1.0 protocol.

In the OAuth 1.0 era most applications were web applications, and OAuth 1.0 defined a single authorization type that it tried to apply to every business scenario with one set of protocol steps.

As IT business kept developing into mobile, web and other diversified scenarios, OAuth 1.0 could no longer cope, and it also suffered from security problems such as session fixation attacks, so OAuth 2.0 came into being.

Understanding how a technology evolved in the past helps you judge where it will go in the future. That is insight, not intuition.

II. The four authorization protocols

OAuth 2.0 officially provides four authorization protocols (grant types), as shown in the figure.

The authorization code grant is the most complete and most secure of the four; once we have mastered this most difficult one, the other three follow quickly.

1. Resource owner password credentials grant

Put simply, this is the account name and password: the user's account name and password are exchanged for credentials (a token), and the credentials are then used to access the business interface.

2. Implicit grant

This is the least secure authorization mechanism in OAuth 2.0.

It exists for application architectures that have no server of their own.

The app's static page shows a series of third-party login entry points, and the front end exchanges its client configuration for credentials directly, which is quite unsafe.

3. Client credentials grant

This is used when a protected resource has no clear owner.

For example, the Taobao logo can be fetched by third-party software that exchanges its “unique identifier + secret” (client ID and client secret) for credentials.

4. Authorization code grant

All four roles are present. Introducing the concept of an authorization code as the intermediate step, and exchanging that code for credentials, is the safest and most complete approach in OAuth 2.0.

III. The authorization code grant, explained with WeChat authorization

Next, Orange explains the “WeChat authorization code grant” with a simplified version of the process:

Step 1: A WeChat user accesses the third-party software, and the third-party software asks the WeChat authorization service for an authorization link.

Step 2: The third-party software takes the authorization link and redirects the user to the authorization page (first redirect).

Step 3: The user clicks to confirm authorization; the authorization service issues an authorization code and calls back the third-party software (second redirect).

Step 4: The third-party software takes the authorization code and its issued configuration (client credentials) and exchanges them for the credentials.

Step 5: The authorization service issues the credentials, and the third-party software uses them to access the protected resource and obtain the data.
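As an added example that is not part of the original article, the five steps above are modelled in Python with both sides in one process: a hypothetical AuthorizationServer stands in for the WeChat authorization service and run_flow stands in for the third-party software. The client ID, secret and redirect URI are constructed values; the state parameter, the single-use code and the 60-second code lifetime are standard safeguards assumed here rather than described in the steps.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration record for one third-party app (hypothetical values).
CLIENTS = {"app-123": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}


class AuthorizationServer:
    """Plays the WeChat authorization service; codes and tokens are kept in memory."""
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}  # access token -> user

    def user_approves(self, client_id, redirect_uri, state, user):
        # Steps 1-3: the link goes only to a registered client with its registered
        # redirect_uri; after the user confirms, a short-lived code is sent to that URI.
        reg = CLIENTS.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + 60)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange(self, code, client_id, client_secret, redirect_uri):
        # Steps 4-5: code plus client credentials are exchanged for an access token.
        entry = self.codes.pop(code, None)  # pop: a code is usable exactly once
        if entry is None:
            raise PermissionError("invalid or already-used code")
        cid, uri, user, expiry = entry
        if time.time() > expiry or cid != client_id or uri != redirect_uri \
                or not secrets.compare_digest(CLIENTS[cid]["secret"], client_secret):
            raise PermissionError("code expired, wrong client, or bad client secret")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user
        return token

    def protected_resource(self, token):
        if token not in self.tokens:
            raise PermissionError("invalid access token")
        return {"user": self.tokens[token]}


def run_flow(auth, user="alice"):
    # Third-party software driving steps 1-5; returns (resource data, code used).
    state = secrets.token_urlsafe(8)  # ties the callback to this browser session
    redirect_uri = CLIENTS["app-123"]["redirect_uri"]
    callback = auth.user_approves("app-123", redirect_uri, state, user)  # steps 1-3
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback).query).items()}
    if params.get("state") != state:
        raise PermissionError("state mismatch: callback is not from our request")
    token = auth.exchange(params["code"], "app-123", "s3cret", redirect_uri)  # step 4
    return auth.protected_resource(token), params["code"]                     # step 5
```

The checks in exchange are what make the code grant safer than the implicit grant: the code alone is worthless without the client secret, and it cannot be replayed.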

IV. Summary

Today Orange walked you through the history of OAuth and its authorization types; you only need to remember two points:

1. Paying attention to the history of a technology helps develop insight.

2. OAuth 2.0 has four authorization protocols: the client credentials grant, the implicit grant, the resource owner password credentials grant and the authorization code grant; the authorization code grant in particular must be mastered.

The next article will bring you the interpretation of “The token mechanism in OAuth 2.0”. Thank you for your attention; you can find me on my home page, and if you found this useful, please like, share and comment. Thank you for your recognition!