I believe many beginners have questions about OAuth2. Brother Pang has collected these questions one by one and turned them into a Q&A, which may help learners.
OAuth2 Q&A
Q: What are some common scenarios for OAuth2?
A: OAuth2 is mainly used to grant authorization for APIs; it is a solution for authorization between API services. It applies to single sign-on (SSO), authorization and authentication between microservices, API open platforms, and similar scenarios.
Q: What is an OAuth2 client?
A: Anything registered as a client on the OAuth2 authorization server and issued its own client_id is an OAuth2 client. Android apps, iOS apps, web front ends and other client applications follow the same rule: they are OAuth2 clients only if they themselves are registered with the OAuth2 authorization server. Otherwise they are not OAuth2 clients. To count as one, they must be registered themselves, not merely rely on the back-end services that support them.
Q: Why does OAuth2 divide clients into the two types public and confidential, and what are the scenarios for each?
A: According to rfc6749#section-2.1, OAuth2 divides clients into confidential clients and public clients based on whether the client itself is able to keep its client credentials secret, that is, whether the authorization server can securely authenticate the client. Most back-end data services should be registered as confidential clients. Those that cannot guarantee the security of their own credentials should be registered as public clients. A public client has no client_secret; it is registered directly with the OAuth2 authorization server and runs the flow itself, without relaying the access token through a back-end application. Examples are web applications and mobile applications that, in specific scenarios, need to talk to the authorization server directly.
Q: Should the OAuth2 access_token and refresh_token be returned directly to the front end?
A: Whether they may be returned to the front end depends on whether the front end is itself the OAuth2 client registered with the authorization server. If it is not, it must not hold the access_token and refresh_token; those tokens are issued only to the OAuth2 client. Exposing them on a larger surface makes them easy to steal.
Q: If an application that is not the OAuth2 client cannot hold the access_token and refresh_token directly, how does it obtain its authorization state?
A: After authorization succeeds, the token can be mapped to the user's client via a session or a cookie. You could also consider computing an opaque token mapping; this depends on the specific business requirements.
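One way to implement this server-side mapping, as an added example rather than code from the original post: the registered back end keeps the tokens it was issued and hands the browser only an opaque session id in an HttpOnly cookie. The `TokenVault` class, the `refresh` callback and the token values are constructed placeholders.

```python
import secrets
import time

# Constructed example of the mapping described above: the confidential back end
# (the registered OAuth2 client) keeps the tokens it was issued and gives the
# browser only an opaque session id in a cookie. Token values are placeholders.

class TokenVault:
    """Server-side map: opaque session id -> tokens issued to this OAuth2 client."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock, so expiry can be tested

    def create_session(self, access_token, refresh_token, expires_in):
        # 256-bit random id; the browser never sees access_token or refresh_token
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "access_token": access_token,
            "refresh_token": refresh_token,
            "expires_at": self._now() + expires_in,
        }
        return session_id

    def access_token_for(self, session_id, refresh=None):
        """Return a usable access token for the session, or None.
        refresh is a hypothetical callback (refresh_token -> (access_token,
        refresh_token, expires_in)) standing in for the back end's own call to
        the token endpoint; the browser never takes part in that exchange."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if self._now() < entry["expires_at"]:
            return entry["access_token"]
        if refresh is None:
            del self._sessions[session_id]  # expired and not renewable
            return None
        new_at, new_rt, expires_in = refresh(entry["refresh_token"])
        entry.update(access_token=new_at, refresh_token=new_rt,
                     expires_at=self._now() + expires_in)
        return new_at

    def logout(self, session_id):
        """Drop the mapping; the front end only ever loses its opaque id."""
        self._sessions.pop(session_id, None)

def session_cookie(session_id):
    """Set-Cookie value: scripts cannot read the id and it never travels over plain HTTP."""
    return f"sid={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"
```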
Q: What is scope in OAuth2?
A: OAuth2 is an authorization framework, and authorization naturally requires delimiting a range (scope), so that the OAuth2 client acts within the granted range and does not cross the line. Its role is in fact similar to role in RBAC: both restrict access to resources. The difference is that role targets the resource owner (Resource Owner), while scope targets the OAuth2 client. There is one exception, openid, which is the marker of OIDC 1.0 and counts as a keyword.
Q: Can the login page and the authorization confirmation page in OAuth2 be split into a separate front end and back end?
A: Many developers would rather not have the click on "authorize" trigger a 302 redirect to the login page provided by the authorization server. But you have to understand one thing: there is no full trust relationship between the OAuth2 client and the authorization server. When a delivery driver brings you takeout, you want to give him a temporary access code, not your regular one. In addition, ajax cannot safely handle the 302 redirects in the OAuth2 authorization flow, which is also a technical obstacle.
Q: Can an OAuth2 client authenticate users?
A: OAuth2 does not define how a user authenticates to the OAuth2 client; this must be distinguished from user authentication on the authorization server. When the OAuth2 client completes authorization it obtains authorization credentials, but it cannot obtain user information directly. If the authorization server provides a resource interface for retrieving user information, the OAuth2 client can try to obtain user information through that interface to indicate the user's identity, depending on whether the user has authorized the OAuth2 client to do so. OIDC 1.0 adds a definition of how the OAuth2 client authenticates the user.
Q: What is OAuth2 client authentication?
A: Although confidential OAuth2 clients are registered with the OAuth2 authorization server, they must prove to the authorization server that they are legitimate clients through some strategy (a Client Authentication Method). Only then can they call certain OAuth2 endpoints, such as the /oauth2/token token endpoint and the /oauth2/revoke token revocation endpoint. For details on OAuth2 client authentication, see the article "OAuth2 Client authentication filter details".
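An added example (not from the original post) of one Client Authentication Method, client_secret_basic from RFC 6749 section 2.3.1, showing both the header the confidential client builds and the check the authorization server performs on it. `REGISTERED_CLIENTS`, `demo-client` and its secret are constructed placeholders, and SHA-256 stands in for a real password hash.

```python
import base64
import hmac
import hashlib
from urllib.parse import quote, unquote

# Constructed example of client_secret_basic (RFC 6749 section 2.3.1): client_id
# and client_secret are form-urlencoded, joined with ':' and base64-encoded into
# an HTTP Basic Authorization header. The registered client below is a
# placeholder, not a real registration.

def basic_auth_header(client_id, client_secret):
    """Build the Authorization header a confidential client sends to /oauth2/token."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")

def parse_basic_auth_header(header):
    """Inverse of basic_auth_header; returns (client_id, client_secret) or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    cid, sep, secret = decoded.partition(":")
    if not sep:
        return None
    return unquote(cid), unquote(secret)

def secret_digest(secret):
    # The server stores only a digest. SHA-256 is a stand-in here; a real
    # server should use a password hash such as bcrypt or argon2.
    return hashlib.sha256(secret.encode("utf-8")).digest()

# Placeholder client registry: client_id -> digest of its client_secret
REGISTERED_CLIENTS = {"demo-client": secret_digest("s3cr3t/with:odd chars")}

def authenticate_client(header, registry=REGISTERED_CLIENTS):
    """Authorization-server side: True only if the header proves a registered client."""
    parsed = parse_basic_auth_header(header)
    if parsed is None:
        return False
    client_id, secret = parsed
    expected = registry.get(client_id)
    if expected is None:
        # Compare against a dummy digest so unknown ids take about the same time
        hmac.compare_digest(secret_digest(secret), secret_digest(""))
        return False
    return hmac.compare_digest(secret_digest(secret), expected)
```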
Q: Why was the password grant abolished?
A: To be precise, the password grant has been removed from OAuth 2.1, and well-known third-party authorization service providers such as Auth0 and Okta have removed the password grant as well.
When the password grant was born, single-page applications like React and Vue had not yet sprung up; there wasn't even a framework yet. It was more of a transitional solution to deal with leftover problems. In traditional applications, users were used to handing their password directly to the client in exchange for access to resources, rather than jumping around to request authorization and then confirm it. When OAuth2 was born, this grant was designed to let users move away from the traditional mindset gradually. It breaks the delegation pattern and lowers the security of OAuth2.
For more details, please refer to my previous related articles.
Q: How is the resource server described in OAuth2?
A: Any server that hosts resource interfaces which the OAuth2 client must present an access_token to access can be regarded as a resource server; the OAuth2 client and the OAuth2 authorization server can also take on the resource-server role, depending on the business and the architecture. From the user's (resource owner's) perspective, the servers that hold the resource interfaces a user can authorize can be resource servers. The resource server decodes and checks the access_token and determines whether the request is compliant.
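An added example (not from the original post) of the decode-and-check step, which also shows the scope from the earlier question being enforced per client: a resource server verifies an HS256-signed JWT access token's signature, exp and aud, then checks the space-delimited scope. `SHARED_KEY`, `mint_token` (used only to produce test data) and the claim values are constructed placeholders.

```python
import base64
import hmac
import hashlib
import json
import time
# Constructed example: a resource server checking an HS256-signed JWT access token
# (decode, verify signature, exp and aud, then enforce scope). Key and claims are
# placeholders; real deployments usually verify RS256/ES256 tokens with the
# authorization server's public keys rather than a shared secret.

SHARED_KEY = b"placeholder-shared-key"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key=SHARED_KEY):
    """Authorization-server side, used here only to produce test data."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, audience, key=SHARED_KEY, now=time.time):
    """Return the claims if signature, exp and aud check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # reject alg confusion, including alg=none
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
        if claims["exp"] <= now() or claims.get("aud") != audience:
            return None
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

def authorize_request(token, audience, required_scope, now=time.time):
    """Resource-server decision: (allowed, reason); scope (RFC 6749 s3.3) bounds the client."""
    claims = verify_token(token, audience, now=now)
    if claims is None:
        return False, "invalid_token"
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return False, "insufficient_scope"
    return True, "ok"
```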
Q: Can microservices do without OAuth2?
A: Certainly. OAuth2 is just one of the current solutions for microservice access control, not the only option.
Summary
These are some of the questions Brother Pang has been asked recently; I believe they can help you. OAuth2 is not a simple thing. After nearly three years of intermittent learning, Brother Pang has come to understand it completely, so don't worry, learners: when the study gets boring, set it aside for a while. The most important thing in learning it is to understand its concepts and flow, which matters far more than any particular framework; OAuth2 has nothing to do with any one language.
Official account: Felordcn, for more information
Personal blog: https://felord.cn