[security] read rfc6749 and understand the authorization code mode under oauth2.0

1. Preface

OAuth 2.0 Norms come from RFC6749. I saw 《Spring Micro service practice 》 Yes OAuth 2.0 After the introduction of, I still feel that there are some translation problems . Now combine RFC6749 Let's sort it out again .

1.1. A scene ：o-stock Get wechat avatars .

• All the conclusive things come from this document .
• This paper mainly takes obtaining wechat avatar as a model , Yes Oauth2.0 Sort out and understand the knowledge points .
• Focus on authorization code authorization mode .
• borrow 《Spring Micro service practice 》 The project name o-stock （ Corresponding Oauth2.0 Medium client）

1.2. This article will not be translated in Chinese , If you need to see

• Chinese translation 1
• Chinese translation 2

2. OAuth 2.0 Authorization code mode Natural for Web Back end technology stack

RFC6749 Definition OAuth 2.0 At present, it is only established in HTTP Agreement on . And mentioned it many times user-agen It can be played by the browser , The authorization code mode is very suitable for those with independent servers Web The server .

2.1. OAuth 2.0 What problem does the authorization code mode solve ？

from o-stock Look at

• Keep new users , New customers may not want to o-stock register , But there may be an impulse to use wechat to log in .

from WeChat From the perspective of

• More developers choose wechat , Then the potential user stickiness increases , But wechat needs to be maintained authorization server and resource server Role , Quite a few io The cost of .

From the perspective of industry norms

• The server does not need the user's wechat user name 、 password , User information is more secure .
• It is a proven and reliable process , Developers don't have to build wheels again .

2.2. Key points of authorization code mode

• The WeChat authorization server It is impossible to give all o-stock Provide the function of three-party login , Then ask o-stock On wechat authorization server Registered on
• RFC6749 Regulations , Authorization code mode ,o-stock Unable to save the user's wechat password , Instead authorization server towards o-stock Issued by code.
• o-stock Need to be on wechat authorization server Hold login credentials （ Must let authorization server Know yourself ）, close code And login client login credentials , request authorization server You can get access_token
• access_token It is the final product of replacing wechat password , This token can be used in o-stock preservation ,o-stock It can be used to get the user's Avatar .

3. RFC6749 Unspecified antecedents

• o-stock Need to be on wechat authorization server To register （ipad Write on , Due to the membrane , It's sloppy ）
  

4. Take the browser as the starting point to understand the authorization activities of wechat

Pull the picture in the document , Now the user-agen As a browser

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

   Note: The lines illustrating steps (A), (B), and (C) are broken into
   two parts as they pass through the user-agent.

                     Figure 3: Authorization Code Flow

4.1. User entrusts browser , Initiate authentication to wechat GET request

Note: RFC6749 There is no specific implementation of the standard black line , However, specific requirements for red line submission parameters are specified

• The red lines can be compared with the examples given on the official website

 The authorization request ：（/authorize  It's on wechat url）
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com

4.2. Wechat confirms identity , Entrust the browser to issue code （ Follow 4.3. Merge into a picture ）

• The browser uses redirection to tell o-stock The user's authorization request was accepted by wechat , use code It means the evidence admitted this time .

 Authorization response ：（ Wechat perceives that the user agrees to authorize , Take advantage of the browser's ability to redirect to the server code）
     HTTP/1.1 302 Found
     Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

4.3. Wechat received o-stock apply access_token Request , Issue after authentication and request entry

 Authorization token request ：
     POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
     &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

Worth mentioning Authorization: Basic

Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
That is, wechat given in the first picture above token, This needs to be o-stock Store and maintain by yourself . Many materials on the Internet say that you should carry client_id and client_secret, But the code on the official website obviously does not . as a result of czZCaGRSa3F0MzpnWDFmQmF0M2JW Wechat has been able to recognize that the request is o-stock Sponsored , And the specification also describes the authorization code mode ,client If it has been certified, it may not be provided client_id , Say nothing of client_secret

 Authorization token response ：
     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
    
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"example",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
       "example_parameter":"example_value"
     }

4.4. access_token Renewal

 Token renewal ：
     POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

5. Postscript

thus ,RFC6749 The authorization process of has been explained . Use access_token Go to wechat resource server You can get the avatar . The whole authorization process may not include resource server ,resource server Follow up with o-stock Dealing with .o-stock Can be stored access_token . Based on Oauth2.0 It also expands a OIDC For enhancement authentication technological process （RFC6749 Didn't explain the certification process ）, This specification can realize single sign on , here o-stock Storage OIDC Under the norm id_token It can be regarded as a better implementation , Later, I figured out my thoughts and wrote a blog record of single sign on .