This is the third day of my participation in the August Text Challenge. More challenges in August.
Authorization code mode
The authorization code mode is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Because it is a redirection-based flow, the client must be able to interact with the resource owner's user agent (typically a web browser) and must be able to receive incoming requests from the authorization server (delivered via redirection).
Process

```
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
```
(A) The user accesses the client, and the client directs the user to the authorization server.
The client constructs the request URI by adding the following parameters, in `application/x-www-form-urlencoded` format, to the query component of the authorization endpoint URI:
Parameter description:

parameter | description | required | note
---|---|---|---
`response_type` | authorization type | mandatory | The value must be `code`.
`client_id` | the client's ID | mandatory | The `client_id` (sometimes called `app_id`) assigned when the client registered with the authorization server.
`redirect_uri` | redirect URI | mandatory | Must match the `redirect_uri` entered during client registration. (RFC 6749 makes it optional when exactly one URI was registered, but most servers require it.)
`scope` | requested permission scope | optional | |
`state` | any value | recommended | Echoed back unchanged by the authorization server; the client uses it to defend against CSRF (cross-site request forgery) attacks. It should be an unguessable value bound to the user's session.
The client directs the resource owner to the constructed URI with an HTTP redirect response, or by any other means available through the user agent.

```
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
```
The authorization server validates the request to ensure that all required parameters are present and valid. If the request is valid, the authorization server authenticates the resource owner and obtains an authorization decision (by asking the resource owner, or by establishing approval by other means).
Once a decision has been made, the authorization server uses an HTTP redirect response to send the user agent to the client's redirect URI, or reaches that URI by any other means available through the user agent.
(B) The authorization server authenticates the user and determines whether the user grants the client authorization.
(C) Assuming the user grants authorization, the authorization server redirects the user to the redirect URI (redirection URI) that the client specified beforehand, with an authorization code appended.
The authorization server's response to the client's redirect URI carries the following parameters:
Parameter description:

parameter | description | required | note
---|---|---|---
`code` | authorization code | mandatory | Generated by the authorization server. It must expire shortly after it is issued to reduce the risk of leakage; the recommended maximum lifetime is 10 minutes. The client must not use a code more than once. If a code is used more than once, the authorization server must reject the request and should (where possible) revoke all tokens previously issued on the basis of that code. The code is bound to the client identifier and the redirect URI.
`state` | the `state` from step (A) | mandatory if sent in step (A) | Returned unchanged. The client must compare it with the value it sent and reject the callback on mismatch.

```
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
```
(D) The client sends the authorization code it received, together with the same redirect URI as before, to the authorization server to request a token. This step happens on the client's server side, in the background, and is not visible to the user.
Procedure: the client requests a token from the authorization server with the following parameters:
parameter | description | required | note
---|---|---|---
`grant_type` | authorization mode | mandatory | The value is fixed to `authorization_code`.
`code` | the `code` from step (C) | mandatory | The authorization code received from the authorization server in step (C).
`redirect_uri` | redirect URI | mandatory | The value must be identical to the one sent in step (A).
`client_id` | the client's ID | mandatory | The `client_id` (sometimes `app_id`) assigned at registration. Confidential clients must additionally authenticate to the token endpoint, typically with HTTP Basic authentication using `client_id` and `client_secret`.

The request is an HTTP POST with the parameters in the form-encoded body, not in the query string. The upper-case values are placeholders; the `Authorization` header carries the Base64-encoded `client_id:client_secret` of a confidential client:

```
POST /v1/oauth/token HTTP/1.1
Host: www.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL&client_id=CLIENT_ID
```
The authorization server must:
- authenticate the client if client credentials are included (which is required for confidential clients),
- verify that the authorization code is valid and was issued to the authenticated client,
- ensure that the `redirect_uri` parameter is present if it was included in the request of step (A), and that its value is identical.
(E) The authorization server checks the authorization code and the redirect URI and, if they are valid, sends the client an access token and, optionally, a refresh token.
Response to the token request of step (D). The `Cache-Control: no-store` header is required so that the tokens are not cached:

```
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}
```
parameter | description | required | note
---|---|---|---
`access_token` | the access token | mandatory | |
`token_type` | token type | mandatory | The value is case insensitive (for example `Bearer`).
`expires_in` | lifetime of the access token, in seconds | optional (recommended) | If omitted, the authorization server should provide the expiration time by other means or document the default.
`refresh_token` | refresh token | optional | Used to obtain the next access token once this one expires.
`scope` | granted scope | optional | May be omitted if identical to the scope the client requested; otherwise it must be returned.
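The complete exchange, steps (A) to (E), as an added example that is not part of the original post. It is a self-contained Python simulation: `AuthorizationServer` and `OAuthClient` are illustrative names, the client credentials and example.com URLs are constructed, state is kept in memory and no HTTP is sent. It implements the checks the text describes: the client generates an unguessable `state` for step (A) and rejects any callback whose `state` it did not issue; the server binds each code to the client and redirect URI, expires it after 10 minutes, accepts it only once, and revokes the tokens it produced when a replay is seen.

```python
# Added example, not from the original post: offline simulation of the exchange.
# AuthorizationServer/OAuthClient, credentials and example.com URLs are illustrative.
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit

CODE_LIFETIME = 600  # seconds; RFC 6749 recommends a maximum of 10 minutes


@dataclass
class IssuedCode:
    client_id: str       # the code is bound to the client ...
    redirect_uri: str    # ... and to the redirect URI used in step (A)
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthorizationServer:
    def __init__(self, clients):
        # clients: client_id -> {"secret": ..., "redirect_uri": ...} from registration
        self.clients, self.codes, self.active_tokens = clients, {}, set()

    def authorize(self, request_url):
        """Steps (A)-(C): validate the request, assume the user approved, and
        return the redirect back to the client carrying a single-use code."""
        params = {k: v[0] for k, v in parse_qs(urlsplit(request_url).query).items()}
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("unauthorized_client")
        redirect_uri = params.get("redirect_uri", client["redirect_uri"])
        if redirect_uri != client["redirect_uri"]:
            raise ValueError("invalid_request: redirect_uri differs from registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(params["client_id"], redirect_uri, time.time())
        # state (if any) is echoed back unchanged for the client's CSRF check
        return redirect_uri + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form, client_id, client_secret):
        """Steps (D)/(E): authenticate the client, check the code, issue tokens."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        issued = self.codes.get(form.get("code", ""))
        if (issued is None or issued.client_id != client_id
                or issued.redirect_uri != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        if time.time() - issued.issued_at > CODE_LIFETIME:
            raise ValueError("invalid_grant: code expired")
        if issued.used:
            # Replayed code: refuse it and revoke everything it produced earlier.
            for tok in issued.tokens:
                self.active_tokens.discard(tok)
            raise ValueError("invalid_grant: code already used")
        issued.used = True
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        issued.tokens += [access, refresh]
        self.active_tokens.update(issued.tokens)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh}


class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()  # in practice kept in the user's session

    def authorization_url(self, authorize_endpoint):
        """Step (A): build the redirect with an unguessable per-attempt state."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, callback_url):
        """Step (D): accept the code only if state matches one we issued (the CSRF
        check), consume that state, and build the token-request form body."""
        q = parse_qs(urlsplit(callback_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:
            raise ValueError("state mismatch: possible CSRF, callback dropped")
        self.pending_states.discard(state)
        return {"grant_type": "authorization_code", "code": q["code"][0],
                "redirect_uri": self.redirect_uri}


def run_flow():
    """One complete exchange; returns server, client, form and token response."""
    server = AuthorizationServer({"s6BhdRkqt3": {
        "secret": "gX1fBat3bV", "redirect_uri": "https://client.example.com/cb"}})
    client = OAuthClient("s6BhdRkqt3", "gX1fBat3bV", "https://client.example.com/cb")
    callback = server.authorize(client.authorization_url("https://server.example.com/authorize"))
    form = client.handle_callback(callback)
    return server, client, form, server.token(form, client.client_id, client.client_secret)
```

`run_flow()` drives one exchange and returns the parties plus the form and token response; calling `server.token()` a second time with the same form shows the replay protection: the call is refused and the access and refresh tokens issued from that code disappear from `server.active_tokens`. A real server would persist codes and tokens, and a real client would keep `pending_states` in the user's session rather than on the object.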
Usage scenarios
- The authorization code mode is the most commonly used mode in OAuth 2.0 and the most secure and complete one: the tokens are delivered to the client's back end over a direct connection, not through the user's browser.
- It is suitable for any application that has a server-side component, such as web sites and mobile clients backed by a server. (Public clients with no server, such as a standalone mobile app or single-page app, should use the authorization code flow with PKCE, RFC 7636, rather than embed a client secret.)
- It can obtain longer-lived authorization, because a refresh token can be issued alongside the access token.