How to verify accesstoken in oauth2 protocol
2022-07-07 03:00:00 【Misty jam】
Hello everyone, I am Misty. Today let's talk about how an OAuth 2.0 access token is verified.
Overview
This article grew out of a question from reader Never Sett*. After answering it, I felt that readers were not clear about the verification logic for access tokens, so I wrote this article to explain it.
First, we need to know that OAuth2 is an authorization protocol: before a client can access a protected resource, it must first obtain an access token from the authorization server, and then present that access token to the resource server.
Second, the authorization server can issue two kinds of tokens: opaque tokens and non-opaque (self-contained) tokens. Put bluntly, this is the difference between a random UUID and a JWT: a UUID is just a reference that means nothing on its own, while a JWT carries signed claims that can be read and verified by whoever holds the key.
Now the question: when the client presents an access token to the resource server, how does the resource server know that the token is legitimate?
When the token is a UUID, the resource server cannot judge its validity on its own. The string carries no information, and only the authorization server knows which tokens it issued, to whom, with which permissions, and for how long.
In this case there are generally two verification approaches:
Remote verification
The authorization server exposes an endpoint that, for a valid token, returns the permissions the user granted when the token was issued. This is called the check_token endpoint (in many places also the token introspection endpoint; RFC 7662 standardizes its request and response format). You can use the default /oauth/check_token interface that the Spring Security OAuth2 authorization server provides, or implement a custom one.
The resource server calls the check_token endpoint for every request; this both validates the token received from the client and tells the resource server which permissions were granted to it. Two things to keep in mind: each request now costs an extra round trip to the authorization server, and the check_token endpoint itself must be protected (the resource server authenticates to it with its own client credentials), otherwise anyone holding a token could query what it is good for. In a Spring Boot resource server the endpoint address is configured in YAML as security.oauth2.resource.token-info-uri; security.oauth2.resource.user-info-uri is a different property that points at the user-info endpoint rather than at check_token.
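Below is an added example of this exchange with both sides in one program; it is not code from the original article or from Spring Security. The authorization server side is an RFC 7662-style check_token handler that requires the resource server to authenticate with Basic auth, and the resource server side is a middleware that introspects the bearer token on every request and then checks the granted scope. The endpoint credentials (orders-api / rs-secret), the sample tokens, the scopes and the subjects are all constructed for the example; the token map stands in for the authorization server's real token store.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Introspection is the RFC 7662 response body (subset); the authorization server also uses it as its issued-token record.
type Introspection struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope,omitempty"`
	Sub    string `json:"sub,omitempty"`
	Exp    int64  `json:"exp,omitempty"` // unix seconds
}

// authServer plays the authorization server; checkToken is its check_token endpoint.
type authServer struct {
	issued         map[string]Introspection // constructed sample data, not a real token store
	rsID, rsSecret string                   // credentials a resource server must present
}

const validToken = "8b9f5c1e-4f6e-4d2a-9a0b-1c2d3e4f5a6b" // constructed sample opaque token

func newSampleAuthServer(now time.Time) *authServer {
	return &authServer{rsID: "orders-api", rsSecret: "rs-secret", issued: map[string]Introspection{
		validToken:      {Active: true, Scope: "orders:read", Sub: "alice", Exp: now.Add(time.Hour).Unix()},
		"expired-token": {Active: true, Scope: "orders:read", Sub: "bob", Exp: now.Add(-time.Minute).Unix()},
	}}
}

func (a *authServer) checkToken(w http.ResponseWriter, r *http.Request) {
	// The endpoint is itself protected: only registered resource servers may ask about tokens.
	if id, secret, ok := r.BasicAuth(); !ok || id != a.rsID || secret != a.rsSecret {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost || r.ParseForm() != nil {
		w.WriteHeader(http.StatusBadRequest)
		return
	}
	resp := Introspection{Active: false} // unknown, revoked and expired tokens all get this same answer
	if rec, ok := a.issued[r.PostForm.Get("token")]; ok && rec.Exp > time.Now().Unix() {
		resp = rec
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

// introspect is the resource server's call to the check_token endpoint.
func introspect(client *http.Client, endpoint, rsID, rsSecret, token string) (Introspection, error) {
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(url.Values{"token": {token}}.Encode()))
	if err != nil {
		return Introspection{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(rsID, rsSecret)
	res, err := client.Do(req)
	if err != nil {
		return Introspection{}, err
	}
	defer res.Body.Close()
	if res.StatusCode != http.StatusOK {
		return Introspection{}, fmt.Errorf("check_token returned HTTP %d", res.StatusCode)
	}
	var info Introspection
	err = json.NewDecoder(res.Body).Decode(&info)
	return info, err
}

// protect wraps a resource handler: every request is introspected and must carry needScope.
func protect(next http.Handler, endpoint, rsID, rsSecret, needScope string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		info, err := introspect(http.DefaultClient, endpoint, rsID, rsSecret, token)
		if err != nil || !info.Active {
			w.WriteHeader(http.StatusUnauthorized) // missing, invalid, expired or revoked token
			return
		}
		if !strings.Contains(" "+info.Scope+" ", " "+needScope+" ") {
			w.WriteHeader(http.StatusForbidden) // valid token, but this permission was never granted
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(newSampleAuthServer(time.Now()).checkToken))
	defer srv.Close()
	info, err := introspect(http.DefaultClient, srv.URL, "orders-api", "rs-secret", validToken)
	fmt.Printf("%+v %v\n", info, err)
}
```

Note that the authorization server answers `{"active": false}` for unknown, expired and revoked tokens alike, so a caller cannot use the endpoint to learn why a token failed; the resource server, in turn, maps "not active" to 401 and "active but lacking the scope" to 403.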
Blackboard mode
The resource server and the authorization server share a storage back end, typically a database or Redis.
After the authorization server generates an access token, it persists it to this shared storage, so the resource server can verify the token's validity by looking it up in the same store, without calling the authorization server. Revocation is immediate (delete the record and every resource server sees it on the next lookup), but the shared store becomes part of the trust boundary: every resource server now holds credentials to it, and if tokens are stored in plain form, a leaked store leaks live bearer tokens.
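The following is an added example of the blackboard approach and is not code from the original article. An in-memory map stands in for the Redis instance or database table the two servers would share; the assumed schema (one grant record per token, keyed by the SHA-256 digest of the token rather than the token itself), the key prefix, the client and subject names and the scopes are all made up for the example. Hashing the token before storing it is a design choice added here, so that a dump of the shared store does not hand out replayable tokens.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Grant is the record both servers agree on (assumed schema: one entry per access token).
type Grant struct {
	ClientID  string
	Subject   string
	Scopes    []string
	ExpiresAt time.Time
}

// TokenStore is the shared storage. The authorization server writes to it and every
// resource server reads from it; a Redis instance or a database table would implement the same calls.
type TokenStore interface {
	Put(key string, g Grant) error
	Get(key string) (Grant, bool, error)
	Delete(key string) error
}

// memStore is an in-memory stand-in for Redis/DB so the example runs offline (not safe for concurrent use).
type memStore map[string]Grant

func (s memStore) Put(k string, g Grant) error      { s[k] = g; return nil }
func (s memStore) Get(k string) (Grant, bool, error) { g, ok := s[k]; return g, ok, nil }
func (s memStore) Delete(k string) error            { delete(s, k); return nil }

var ErrInvalidToken = errors.New("invalid or expired access token")

// storageKey hashes the bearer token before using it as the lookup key: a dump of the
// shared store then yields SHA-256 digests, not tokens that can be replayed against the API.
func storageKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return "oauth2:access_token:" + hex.EncodeToString(sum[:])
}

// issueToken is the authorization server side: mint a random opaque token and persist the grant.
func issueToken(store TokenStore, clientID, subject string, scopes []string, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32) // 256 bits of entropy (a random UUID has 122)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	g := Grant{ClientID: clientID, Subject: subject, Scopes: scopes, ExpiresAt: now.Add(ttl)}
	return token, store.Put(storageKey(token), g)
}

// validate is the resource server side: one lookup in the shared store, no call to the authorization server.
func validate(store TokenStore, token string, now time.Time) (Grant, error) {
	g, ok, err := store.Get(storageKey(token))
	if err != nil {
		return Grant{}, err
	}
	// Check expiry here: a store-level TTL (Redis EXPIRE) is housekeeping, not the security check.
	if !ok || !now.Before(g.ExpiresAt) {
		return Grant{}, ErrInvalidToken
	}
	return g, nil
}

// revoke deletes the grant; every resource server sees the change on its next lookup.
func revoke(store TokenStore, token string) error { return store.Delete(storageKey(token)) }

// HasScope reports whether the grant includes the requested permission.
func (g Grant) HasScope(want string) bool {
	for _, s := range g.Scopes {
		if s == want {
			return true
		}
	}
	return false
}

func main() {
	store, now := memStore{}, time.Now()
	tok, _ := issueToken(store, "web-app", "alice", []string{"orders:read"}, time.Hour, now)
	g, err := validate(store, tok, now)
	fmt.Println(g.Subject, g.HasScope("orders:read"), err)
	_ = revoke(store, tok)
	_, err = validate(store, tok, now)
	fmt.Println(err)
}
```

The resource server never talks to the authorization server here; it only needs read access to the store, and the expiry check is done in code so that the store's own TTL mechanism is not the thing standing between an attacker and a stale token.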
JWT
If the authorization server issues a JWT, the client presents that JWT to the resource server, and the resource server can parse and verify the token itself without calling the authorization server. Note that when using JWT you must configure the key: verification means checking the signature, and that check is only meaningful if the resource server pins the expected algorithm instead of trusting the alg header, and then also checks the standard claims (exp for expiry, iss for the issuer, aud for the intended audience). Asymmetric keys are recommended for production: the resource servers then hold only the public key and cannot mint tokens themselves, whereas with a shared HMAC secret every resource server can forge any token. The trade-off is that a JWT cannot be revoked before it expires without extra state, so keep lifetimes short.
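Here is an added example of both sides of the JWT path, written for this article and not taken from it or from any JWT library: the authorization server signs a token with an RSA private key (RS256), and the resource server verifies it with nothing but the public key, pinning the algorithm and checking exp, iss and aud before trusting any claim. The issuer URL, audience name, subject and scope are made up, the key pair is generated on the fly (in practice the resource server would fetch the public key from the authorization server), and aud is assumed to be a single string rather than the array RFC 7519 also permits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example checks (aud assumed to be a single string; RFC 7519 also allows an array).
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Scope string `json:"scope,omitempty"`
}

// signJWT is the authorization server side: RS256 is a SHA-256 digest of "header.payload"
// signed with the private key (RSASSA-PKCS1-v1_5). Only the authorization server holds this key.
func signJWT(priv *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyJWT is the resource server side: it holds only the public key and never calls the authorization server.
func verifyJWT(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	seg := make([][]byte, 3) // decoded header, payload, signature
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, errors.New("malformed base64url segment")
		}
		seg[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &header); err != nil {
		return nil, errors.New("malformed header")
	}
	// Pin the algorithm. Letting the token choose it enables "alg":"none" and key-confusion attacks.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("signature invalid")
	}
	// Only a payload whose signature verified is worth parsing; then check the standard claims.
	var c Claims
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, errors.New("malformed payload")
	}
	switch {
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired")
	case c.Iss != wantIss:
		return nil, errors.New("wrong issuer")
	case c.Aud != wantAud:
		return nil, errors.New("token not intended for this resource server")
	}
	return &c, nil
}

// genKey makes a fresh 2048-bit RSA key pair; in practice the resource server fetches only the public key.
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv, now := genKey(), time.Now()
	tok, _ := signJWT(priv, Claims{Iss: "https://auth.example", Sub: "alice", Aud: "orders-api", Exp: now.Add(time.Hour).Unix(), Scope: "orders:read"})
	c, err := verifyJWT(&priv.PublicKey, tok, "https://auth.example", "orders-api", now)
	fmt.Printf("%+v %v\n", c, err)
}
```

The order of the checks matters: the payload is not even parsed until the signature over it has verified, the algorithm is fixed by the resource server rather than read from the token, and a token that is valid for one audience is rejected by a resource server with a different aud, so a token stolen from one API cannot be replayed against another.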
Summary
The access token verification logic in OAuth2 basically comes down to the three approaches above:
Call the authorization server directly (check_token / token introspection)
Use a shared store (blackboard mode)
Use JWT directly, with the resource server verifying the token itself
In actual development JWT is used in most cases, because it removes the per-request interaction between the resource server and the authorization server and improves access efficiency; the price is that revocation before expiry needs extra machinery, so token lifetimes should be kept short.
Of course, if you do not yet understand the OAuth2 protocol well, I recommend watching a short video I recorded earlier, which explains it in detail.