How to verify accesstoken in oauth2 protocol
2022-07-07 03:00:00 【Misty jam】
Hello everyone, I am Ethereal. Today let's talk about the access token verification logic in OAuth 2.0.
Overview
This article was prompted by a question from community member Never Sett*.
After answering that question, I felt that readers were still unclear about the verification logic for access tokens, so I wrote this article specifically to explain it.
First, we need to know that OAuth2 is an authorization protocol. Before a client can access a protected resource, it must first obtain an access token from the authorization server, and then present that access token when it accesses the resource server.
Second, the authorization server in OAuth2 issues two kinds of tokens: opaque tokens and non-opaque (transparent) tokens. Put bluntly, this is the difference between a UUID and a JWT.
Now comes the question: when the client uses the access token to access the resource server, how does the resource server know that your access token is valid?
When the token you receive is a UUID, the resource server cannot judge the validity of your token by itself.
In this case there are generally two kinds of verification logic:
Remote verification
The authorization server exposes an endpoint which, for a valid token, returns the permissions previously granted by the user to whom the token was issued. This endpoint is called the check_token endpoint (in many places it is also called the token introspection endpoint). We can use the default /oauth/check_token interface provided by the authorization server directly, or we can customize our own interface.
The resource server calls the check_token endpoint for every request; this validates the token received from the client and obtains the permissions granted to the client. The resource server can specify the address of the authorization server's check_token endpoint by configuring security.oauth2.resource.user-info-uri in its yaml.
Blackboard pattern
The resource server and the authorization server use a shared storage, most commonly a database or Redis.
After the authorization server generates an access token, it persists it to this storage, so the resource server can also verify the validity of the access token by reading the shared storage.
JWT
If the authorization server issues you a JWT, the client presents the JWT to the resource server, and the resource server can parse and verify the token directly, with no need to call the authorization server. Note that when using JWT you must configure the signing key; asymmetric keys are recommended for production environments.
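As an added example (not code from the original post), this is what the resource server's local JWT check looks like in Go with an RS256 signature: it needs only the authorization server's public key, pins the algorithm so a client-supplied "none" or HS256 header is rejected, and enforces expiry. MintRS256 is a hypothetical stand-in for the authorization server, included only so the example is self-contained; the claim names and the `now` timestamp parameter are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
type Claims struct { // subset of the JWT payload the resource server acts on
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
	Exp   int64  `json:"exp"` // seconds since the Unix epoch
}

// MintRS256 stands in for the authorization server (hypothetical, for self-containment only).
func MintRS256(priv *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyRS256 is the resource server's local check: public key only, no check_token round trip.
func VerifyRS256(pub *rsa.PublicKey, token string, now int64) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` } // header is client-supplied: pin alg, reject "none"/HS256
	if hdrJSON, _ := b64.DecodeString(p[0]); json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, _ := b64.DecodeString(p[2])
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims // parsed only after the signature checks out; then enforce expiry
	if body, _ := b64.DecodeString(p[1]); json.Unmarshal(body, &c) != nil || now >= c.Exp {
		return nil, errors.New("malformed or expired claims")
	}
	return &c, nil
}
```

Only the public key needs to be deployed on the resource server; the private key stays with the authorization server, which is why the asymmetric setup recommended above is safer than sharing one HMAC secret across services.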
Summary
The access token verification logic in OAuth2 basically comes down to the three approaches above:
Call the authorization server directly
Use a shared database (blackboard pattern)
Use JWT directly, with the resource server verifying the token itself
In actual development today, JWT is used in most cases; this reduces the round trips between the resource server and the authorization server and improves access efficiency.
Of course, if you do not yet understand the OAuth2 protocol well, I recommend watching a short video I recorded earlier, which describes it in detail.