OAuth is an authorization mechanism: the owner of some data tells the system holding it that a third-party application may access that data. The system then issues a short-lived token carrying a limited set of permissions, and the third-party application uses that token in place of the owner's password.

Process

  1. The third-party client asks the user for authorization
  2. The user agrees to grant it
  3. Using that grant, the client requests a token from the server that guards the resources (the authorization server; in the example below it is the same site, B, that also holds the resources)
  4. The server verifies the grant and, if everything checks out, issues a token
  5. The third-party client uses the token to access the resources

Obtaining a Token

Website A wants a token that lets it access a user's data held on website B. A token can be obtained in the following four ways:

  • Authorization code
  • Implicit
  • Password
  • Client credentials

1. Authorization code

The third-party application first obtains an authorization code, then exchanges that code for the token. This is the flow most applications use today.

It is meant for web applications that have a back end: the authorization code travels through the front end (the browser), but the token is stored in the back end, and all communication with the resource server happens from the back end.

Step 1: website A shows a link; clicking it sends the user to website B, where they are asked to let A use their data. The following is a schematic of the link from A to B:

  https://b.com/oauth/authorize?
   response_type=code&
   client_id=CLIENT_ID&
   redirect_uri=CALLBACK_URL&
   scope=read

The response_type parameter asks B to return an authorization code; client_id identifies the application making the request; redirect_uri is the URL B sends the user back to after they accept or reject the request (B must check it against the URL registered for this client_id, otherwise the code can be sent to an attacker-controlled address); scope is the authorization being requested (here read-only). In practice a state parameter is sent as well: a random value bound to the user's session on A, which A verifies when the user comes back.

Step 2: after the redirect, website B asks the user to log in, then asks whether they agree to authorize website A. If the user agrees, B redirects back to the URL given in redirect_uri, appending the authorization code:

  https://a.com/callback?
   code=AUTHORIZATION_CODE

The code parameter is the authorization code.

Step 3: once site A has the authorization code, its back end requests the token from site B:

  https://b.com/oauth/token?
   client_id=CLIENT_ID&
   client_secret=CLIENT_SECRET&
   grant_type=authorization_code&
   code=AUTHORIZATION_CODE&
   redirect_uri=CALLBACK_URL

The client_id and client_secret parameters let B confirm A's identity (client_secret must stay secret, which is why this request is only ever made from the back end); grant_type is authorization_code; code is the authorization code from the previous step; and redirect_uri must match the callback URL used in step 1. Although written here as a query string for readability, the token request is an HTTP POST with these parameters in the form body, so the secret and the code do not end up in URLs or access logs.

Step 4: B verifies the request and issues the token. It is returned as a JSON document in the response to A's back-end request, not through the browser redirect:

  {
    "access_token": "ACCESS_TOKEN",
    "token_type": "bearer",
    "expires_in": 2592000,
    "refresh_token": "REFRESH_TOKEN",
    "scope": "read",
    "uid": 100101,
    "info": {...}
  }

In the JSON above, the access_token field is the token; it arrives at website A's back end and never passes through the browser.
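The four steps above, as an added example that is not part of the original article: a stand-alone Python script in which site A's side (building the link, checking the callback, exchanging the code from the back end) talks to a constructed stand-in for site B's authorization endpoints, so it runs offline. The placeholder values CLIENT_ID, CLIENT_SECRET, the a.com/b.com URLs and the returned JSON are taken from the page; the `state` parameter, the `post` transport callback and the `FakeAuthorizationServer` class are assumptions made for the example.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder values from the page, standing in for a real registration on site B.
CLIENT_ID = "CLIENT_ID"
CLIENT_SECRET = "CLIENT_SECRET"
CALLBACK_URL = "https://a.com/callback"
AUTHORIZE_URL = "https://b.com/oauth/authorize"
TOKEN_URL = "https://b.com/oauth/token"


def build_authorize_url(state, scope="read"):
    """Step 1: the link on site A that sends the user to site B."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": scope,
        "state": state,  # random value bound to the user's session on A (assumed addition)
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: pull the authorization code out of the redirect back to A.

    The state check ties the callback to the session that started the flow;
    without it an attacker can feed A's back end a code of their own.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]


def exchange_code(code, post):
    """Step 3: back-end POST to B's token endpoint.

    `post(url, form) -> (status, body)` is an injected transport (assumption)
    so the example runs without network access.
    """
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "redirect_uri": CALLBACK_URL,
    }
    status, body = post(TOKEN_URL, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body}")
    token = json.loads(body)
    if token.get("token_type", "").lower() != "bearer":
        raise RuntimeError("unexpected token_type")
    return token


class FakeAuthorizationServer:
    """Constructed stand-in for site B (not a real server)."""

    def __init__(self):
        self.issued_codes = {}  # code -> redirect_uri it was issued for
        self.codes_used = set()

    def authorize(self, authorize_url):
        """Simulate the user logging in and approving; return the callback URL."""
        q = parse_qs(urlsplit(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self.issued_codes[code] = q["redirect_uri"][0]
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, url, form):
        """Step 4: verify the client and the code, then return the JSON from the page."""
        if form.get("client_id") != CLIENT_ID or form.get("client_secret") != CLIENT_SECRET:
            return 401, json.dumps({"error": "invalid_client"})
        code = form.get("code")
        if (form.get("grant_type") != "authorization_code" or code not in self.issued_codes
                or code in self.codes_used or self.issued_codes[code] != form.get("redirect_uri")):
            return 400, json.dumps({"error": "invalid_grant"})
        self.codes_used.add(code)  # an authorization code is single use
        return 200, json.dumps({"access_token": "ACCESS_TOKEN", "token_type": "bearer",
                                "expires_in": 2592000, "refresh_token": "REFRESH_TOKEN",
                                "scope": "read"})


def run_flow(server=None):
    """Drive steps 1 to 4; returns the token JSON as site A's back end sees it."""
    server = server or FakeAuthorizationServer()
    state = secrets.token_urlsafe(16)
    callback = server.authorize(build_authorize_url(state))
    code = parse_callback(callback, expected_state=state)
    return exchange_code(code, server.token)


if __name__ == "__main__":
    print(run_flow())
```

The stand-in server enforces the three checks a real one performs on the token request: the client secret must match, the redirect_uri must equal the one the code was issued for, and a code can be redeemed only once.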

2. Implicit

The authorization code step is skipped and the token is issued directly to the front end, carried in the redirect URL itself.

For pure front-end applications with no back end. The token is stored in the front end, where it is exposed to the browser history and to any script running on the page, which is why current OAuth security best practice recommends against this grant.

3. Password

The application sends the user's username and password directly to obtain a token. The user has to hand their password to the third party, so this only makes sense for applications the user trusts completely.

4. Client credentials

The application authenticates with its own credentials, typically from a command line or a background service with no user involved, and receives a token once they are verified.

The token belongs to the third-party application itself rather than to a user, so several users may end up sharing the same token.

Using the token

Once it has the token, the application adds an Authorization header carrying it to every API request (for the bearer token type, the header value is the word Bearer followed by the token).

Updating the token

Usually two tokens are issued. The second one, the refresh token, is used to obtain a new access token when the first expires, without sending the user through the authorization step again:

  https://b.com/oauth/token?
   grant_type=refresh_token&
   client_id=CLIENT_ID&
   client_secret=CLIENT_SECRET&
   refresh_token=REFRESH_TOKEN

Resources

  • OAuth 2.0 in four ways