This is the third day of my participation in the August Text Challenge. More challenges in August.

Authorization code mode

The authorization code pattern is used to get access tokens and refresh tokens and is optimized for clients. Since this is a redirection-based process, the client must be able to interact with the resource owner’s user agent (typically a Web browser) and receive incoming requests from the authorization server (via redirection).

Process

```
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
```

(A) The user accesses the client, and the client directs the user to the authorization server.

The client constructs the request URI by adding the following parameters to the query part of the authorization endpoint URI, encoded as application/x-www-form-urlencoded:

Parameter description:

| Parameter | Meaning | Required | Note |
| --- | --- | --- | --- |
| response_type | Authorization type | mandatory | The value must be `code` |
| client_id | The client's ID | mandatory | Issued when the client registers; `client_id` is sometimes called `app_id` |
| redirect_uri | Redirect URI | mandatory | The `redirect_uri` entered during client registration |
| scope | Requested permission scope | optional | |
| state | Any value | recommended | The authorization server returns it unchanged; used to resist CSRF (cross-site request forgery) attacks |

The client uses an HTTP redirect response to send the resource owner's user agent to the constructed URI, or reaches that URI through any other means available via the user agent.

```
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
```

The authorization server validates the request to ensure that all required parameters are submitted and valid. If the request is valid, the authorization server authenticates the resource owner and obtains authorization decisions (either by asking the resource owner or by determining approval by other means).

Once the decision is made, the authorization server uses an HTTP redirect response to send the user agent to the client's registered redirect URI, or reaches that URI through any other means available via the user agent.

(B) The authorization server authenticates the user and determines whether the user authorizes the client.

(C) Assuming the user grants authorization, the authorization server redirects the user to the redirect URI (redirection URI) that the client specified in advance, along with an authorization code.

The authorization server redirects to the client's redirect URI with the following parameters:

Parameter description:

| Parameter | Meaning | Required | Note |
| --- | --- | --- | --- |
| code | Authorization code | mandatory | The authorization code generated by the authorization server. The code must expire shortly after it is issued to reduce the risk of disclosure; the maximum recommended lifetime is 10 minutes. The client must not use the code more than once. If a code is used more than once, the authorization server must reject the request and should, where possible, revoke all tokens previously issued on the basis of that code. The code is bound to the client identifier and the redirect URI. |
| state | The `state` from step (A) | mandatory | Returns the value passed by the client unchanged |

```
https://client.example.com/cb
?code=SplxlOBeZQQYbYS6WxSbIA
&state=xxx
```
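The client's side of steps (A) and (C), as an added example that is not code from the original post: it builds the authorization request with a fresh `state`, and on the callback checks that `state` against the session before accepting the code. The authorization endpoint URI and the dict-based session store are assumptions; `client_id` and `redirect_uri` reuse the sample values above.

```python
# Added example, not code from the original post: the client's side of steps
# (A) and (C). The endpoint URI and session store are assumptions; client_id
# and redirect_uri reuse the post's sample values.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"  # assumed
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"


def build_authorization_request(session, scope=""):
    """Step (A): build the URI the user agent is redirected to.

    A fresh unguessable state is stored in the user's session so the
    callback handler can tie the returned code to this browser session.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",  # fixed for the authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Step (C): validate the redirect back from the authorization server.

    Returns the authorization code; raises ValueError when the state is
    absent or does not match the session (a CSRF indicator) or when no
    single code was delivered. The stored state is consumed either way.
    """
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # one-shot value
    received = query.get("state", [None])[0]
    if expected is None or received is None:
        raise ValueError("state missing: request was not started here")
    if not secrets.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]
```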

(D) The client uses the authorization code it received, together with the redirect URI from step (A), to request a token from the authorization server. This step is performed by the client's back end and is not visible to the user.

Procedure: the client requests a token from the authorization server

| Parameter | Meaning | Required | Note |
| --- | --- | --- | --- |
| client_id | The client's ID | mandatory | Issued when the client registers; `client_id` is sometimes called `app_id` |
| grant_type | Grant type | mandatory | The value is fixed to `authorization_code` |
| code | The `code` from step (C) | mandatory | The authorization code returned by the authorization server in step (C) |
| redirect_uri | Redirect URI | mandatory | Must be identical to the value sent in step (A) |

```
https://www.example.com/v1/oauth/token
?client_id=CLIENT_ID
&grant_type=authorization_code
&code=AUTHORIZATION_CODE
&redirect_uri=CALLBACK_URL
```

The authorization server must:

  • If client authentication is included, verify the client's identity
  • Make sure the authorization code is valid and was issued to this client
  • Make sure the redirect_uri parameter is present and identical to the value sent in step (A)
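The authorization server's handling of step (D), as an added example that is not code from the original post: it applies the rules stated above for the `code` parameter (bound to the `client_id` and `redirect_uri` it was issued for, expires within 10 minutes, redeemable once, and reuse revokes every token minted from it). The in-memory store, the `now` parameter and the token format are assumptions.

```python
# Added example, not code from the original post: an authorization server's
# validation of an authorization code in step (D). In-memory storage, the
# injectable clock and the token format are assumptions for illustration.
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME = 600  # seconds: the recommended 10-minute maximum


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    redeemed: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from it


class AuthorizationServer:
    def __init__(self):
        self._codes = {}  # authorization code -> IssuedCode
        self.active_tokens = set()

    def issue_code(self, client_id, redirect_uri, now=None):
        """Step (C): mint a code bound to this client and redirect URI."""
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(24)
        self._codes[code] = IssuedCode(client_id, redirect_uri, now)
        return code

    def exchange(self, client_id, code, redirect_uri, now=None):
        """Step (D)/(E): return a token response, or None if the code is refused."""
        now = time.time() if now is None else now
        entry = self._codes.get(code)
        if entry is None:
            return None  # unknown or already purged
        if entry.redeemed:  # replay: refuse and revoke everything it produced
            for tok in entry.tokens:
                self.active_tokens.discard(tok)
            del self._codes[code]
            return None
        if now - entry.issued_at > CODE_LIFETIME:
            del self._codes[code]
            return None  # expired
        if entry.client_id != client_id or entry.redirect_uri != redirect_uri:
            return None  # not bound to this client or redirect URI
        entry.redeemed = True
        token = secrets.token_urlsafe(32)
        entry.tokens.append(token)
        self.active_tokens.add(token)
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}
```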

(E) The authorization server checks the authorization code and the redirect URI, then sends the client an access token and, optionally, a refresh token.

Response data for step (D):

```json
{
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "token_type": "example",
  "expires_in": 3600,
  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter": "example_value"
}
```
| Parameter | Meaning | Required | Note |
| --- | --- | --- | --- |
| access_token | The access token | mandatory | |
| token_type | Token type | mandatory | The value is case insensitive |
| expires_in | Lifetime of the access token, in seconds | optional | If omitted, the expiration time must be conveyed in another way |
| refresh_token | Refresh token | optional | Used to obtain the next access token |
| scope | Granted scope | optional | Omitted if identical to the scope requested by the client |

Usage scenarios

  • The authorization code mode is the most common authorization mode in OAuth 2.0 and the most secure and complete one.
  • It is suitable for all applications that have a server side, such as websites and mobile clients with a server back end.
  • It can obtain longer-lived authorization.