Preface
This article summarizes the characteristics and usage scenarios of the four OAuth 2.0 authorization modes.
Four authorization methods
OAuth 2.0 defines four authorization grant types:
- Password mode (Resource Owner Password Credentials)
- Authorization Code
- Simplified mode (Implicit)
- Client Credentials
Password mode (Resource Owner Password Credentials)
- This mode is the least recommended, because the client handles the user's password and may store it
- It exists mainly so that legacy projects can be adapted when upgrading to OAuth 2.0
- It is also acceptable when the client is your own first-party application
- Refresh tokens are supported
Authorization Code
- This mode is considered the genuine OAuth 2.0 authorization mode
- The client first obtains an authorization code, and then exchanges that code for a token
- Refresh tokens are supported
Simplified mode (Implicit)
- This mode has fewer steps than the authorization code mode: the callback URL carries the token directly
- Its usage scenario is browser-based applications
- For security, shorten the token validity period in this mode
- Refresh tokens are not supported
Client Credentials
- In this mode the client obtains a token using only its own client ID and secret, with no user involved
- It suits back-end services that consume an API, for example pulling a batch of user information
- Refresh tokens are not supported, mainly because they are unnecessary
The refresh token exists mainly for user experience: it lets a user obtain a new token without entering the account password again, so the refresh token is what is exchanged for a new token. In the client credentials mode there is no user participation and no user password is needed; a new token can be obtained from the client ID and secret alone, so there is nothing for a refresh token to do.
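The following added example (not code from the original article) is a minimal in-memory authorization server that implements the four modes described above, so that their differences are visible in one place: the password and authorization code grants return a refresh token, the implicit grant returns a token in the URL fragment with a shorter lifetime and no refresh token, and the client credentials grant needs no user and gets no refresh token. The client registrations, user account, redirect URIs and lifetimes are constructed sample data, and `AuthServer` and its methods are names chosen for this example.

```python
"""Minimal in-memory OAuth 2.0 authorization server illustrating the four grant types.
Added example: not code from the original article; all registrations are constructed."""
import secrets
import time
from urllib.parse import urlencode

# Constructed sample registrations (example data, not from the original page).
CLIENTS = {
    "web-app":     {"secret": "web-app-secret", "redirect_uri": "https://app.example/cb"},
    "backend-job": {"secret": "backend-job-secret", "redirect_uri": None},
}
USERS = {"alice": "correct horse battery staple"}

ACCESS_TTL = 3600      # ordinary access token lifetime (seconds)
IMPLICIT_TTL = 600     # shorter lifetime for tokens handed out in a URL fragment
CODE_TTL = 60          # authorization codes are single-use and short-lived


class AuthServer:
    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}     # code -> (client_id, username, redirect_uri, expires_at)
        self.refresh = {}   # refresh token -> (client_id, username)
        self.tokens = {}    # access token -> (client_id, username, expires_at)

    def _issue(self, client_id, username, ttl, with_refresh):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, username, self.now() + ttl)
        resp = {"access_token": token, "token_type": "bearer", "expires_in": ttl}
        if with_refresh:
            rt = secrets.token_urlsafe(32)
            self.refresh[rt] = (client_id, username)
            resp["refresh_token"] = rt
        return resp

    def _check_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        return client

    # Authorization endpoint: the user has already authenticated to the server here.
    def authorize(self, response_type, client_id, redirect_uri, username, state):
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_request")  # never redirect to an unregistered URI
        if response_type == "code":                    # authorization code grant
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, username, redirect_uri, self.now() + CODE_TTL)
            return redirect_uri + "?" + urlencode({"code": code, "state": state})
        if response_type == "token":                   # implicit grant: token in fragment, no refresh
            resp = self._issue(client_id, username, IMPLICIT_TTL, with_refresh=False)
            return redirect_uri + "#" + urlencode({**resp, "state": state})
        raise ValueError("unsupported_response_type")

    # Token endpoint: every grant authenticates the client first.
    def token(self, grant_type, client_id, client_secret, **p):
        self._check_client(client_id, client_secret)
        if grant_type == "password":                   # legacy grant: the client sees the password
            if USERS.get(p["username"]) != p["password"]:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, p["username"], ACCESS_TTL, with_refresh=True)
        if grant_type == "authorization_code":
            entry = self.codes.pop(p["code"], None)    # codes are single use
            if (entry is None or entry[0] != client_id
                    or entry[2] != p["redirect_uri"] or entry[3] < self.now()):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], ACCESS_TTL, with_refresh=True)
        if grant_type == "client_credentials":         # no user, so no refresh token
            return self._issue(client_id, None, ACCESS_TTL, with_refresh=False)
        if grant_type == "refresh_token":
            entry = self.refresh.pop(p["refresh_token"], None)
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], ACCESS_TTL, with_refresh=True)
        raise ValueError("unsupported_grant_type")

    def introspect(self, access_token):
        entry = self.tokens.get(access_token)
        if entry is None or entry[2] < self.now():
            return {"active": False}
        return {"active": True, "client_id": entry[0], "username": entry[1]}
```

A browser client would call `authorize(...)` with `response_type="code"`, parse the `code` and `state` from the redirect, and then call `token("authorization_code", ...)`; a back-end job would call `token("client_credentials", ...)` directly. Note that the server rotates the refresh token on every use and rejects a reused authorization code, which is the behaviour a resource owner would expect from a server following the modes described above.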
Summary
- Password mode (Resource Owner Password Credentials): designed for legacy systems (refresh token supported)
- Authorization Code: the genuine mode (refresh token supported)
- Simplified mode (Implicit): designed for web browser applications (refresh token not supported)
- Client Credentials: designed for back-end API service consumers (refresh token not supported)