This is the third day of my participation in the August Text Challenge.More challenges in August

Authorization code mode

The authorization code pattern is used to get access tokens and refresh tokens and is optimized for clients. Since this is a redirection-based process, the client must be able to interact with the resource owner’s user agent (typically a Web browser) and receive incoming requests from the authorization server (via redirection).

process

+----------+ | Resource | | Owner | | | +----------+ ^ | (B) +----|-----+ Client Identifier +---------------+ | -+----(A)-- & Redirection URI ---->| | | User- | | Authorization | | Agent -+----(B)-- User authenticates --->| Server |  | | | | | -+----(C)-- Authorization Code ---<| | +-|----|---+ +---------------+ | | ^ v (A) (C) | | | | | | ^ v | | +---------+ | | | |>---(D)-- Authorization Code ---------' | | Client | & Redirection URI | | | | | |<---(E)----- Access  Token -------------------' +---------+ (w/ Optional Refresh Token)Copy the code

(A) The user accesses the client, and the client directs the user to the authentication server.

The client constructs the request URI by adding the following parameters to the query part of the authorized endpoint URI in the Application/X-www-form-urlencoded format:

Parameter Description:

parameter Parameters that If required note
response_type Authorization type mandatory The value here must becode
client_id The client’sID mandatory Generated when the client applies for a licenseclient_idsometimesapp_id
redirect_uri redirectURI mandatory Entered during client registrationredirect_uri
scope Application permission scope optional
state Any value Recommendations required The authentication server will return as is, for use in the boycottCSRF(Cross-site request forgery) attack

The client uses an HTTP redirect response to direct the resource owner to the constructed URI or through any other method available via the user proxy to the URI.

GET /authorize ? The payload = code & client_id = s6BhdRkqt3 & state = xyz & redirect_uri=https://client.example.com/cb HTTP / 1.1 Host: server.example.comCopy the code

The authorization server validates the request to ensure that all required parameters are submitted and valid. If the request is valid, the authorization server authenticates the resource owner and obtains authorization decisions (either by asking the resource owner or by determining approval by other means).

When the decision is made, the authorization server uses the HTTP redirect response to direct the user agent to the provided client redirect URI, or through any other feasible means via the user proxy to that URI.

(B) Authorize the server to authenticate the user and determine whether the user authorizes the client.

(C) Assuming the user grants authorization, the authentication server directs the user to a redirect specified by the client in advanceURI(redirection URI), along with an authorization code.

The server responds to the client URI

Parameter Description:

parameter Parameters that If required note
code Authorization code mandatory Authorization code generated by the authorization server. The license code must expire soon after it is issued to reduce the risk of disclosure. The maximum recommended lifetime of an authorization code is10Minutes. The client cannot use the authorization code more than once. If an authorization code is used more than once, the authorization server must reject the request and should revoke (if possible) all tokens previously issued based on that authorization code. Authorization code with client identification and redirectionURIBinding.
state Same as step (A)state mandatory Returns the value of this parameter passed by the client as is. 
https://client.example.com/cb
?code=SplxlOBeZQQYbYS6WxSbIA
&state=xxx
Copy the code

(D) The client receives an authorization code with an earlier redirectURITo apply for a token from the authentication server. This step is done on the server in the background of the client and is not visible to the user.

Procedure: The client applies for a token from the authentication server

parameter Parameters that If required note
client_id The client’sID mandatory Generated when the client applies for a licenseclient_idsometimesapp_id
grant_type Authorization model mandatory The value here is fixedauthorization_code
code Same as step (C)code mandatory The authentication server will return as is, for use in the boycottCSRF(Cross-site request forgery) attack
redirect_uri redirectURI mandatory The value must be the same as that in step (A). 
https://www.example.com/v1/oauth/token
?client_id=CLIENT_ID
&grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=CALLBACK_URL
Copy the code

The authorization server must:

  • If client authentication is included, verifying client identity,
  • Make sure the authentication authorization code is valid
  • Make sure you giveredirect_uriparameter

(E) The authentication server checks the authorization code and redirectsURI, then send the access token to the client (access token) and renewal token (refresh token).

Data in response to step (D)

{
       "access_token":"2YotnFZFEjr1zCsicMWpAA"."token_type":"example"."expires_in":3600."refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"."example_parameter":"example_value"
 }
Copy the code
parameter Parameters that If required note
access_token The access token mandatory
token_type Token type mandatory The value is case insensitive
expires_in Expiration time, in seconds. optional If this parameter is omitted, you must set the expiration time in another way.
refresh_token Update the token optional To get the next access token
scope competence optional If the range is the same as that applied by the client, omit this item.

Usage scenarios

  • The authorization code mode is the most common authorization mode inoauth2.0The interior is the safest and most complete.
  • Applicable to all who haveServerTerminal applications, such asWebThe site,ServerTerminal mobile client.
  • Can get a longer term authorization.