
QA of some high frequency problems in oauth2 learning

2022-06-12 14:02:00 Ma Nong, little fat brother

Many beginners have questions about OAuth2. Fat Brother collected these questions one by one and turned them into a Q&A, in the hope that it helps learners.

OAuth2 Q&A

Q: What are some common OAuth2 scenarios?

A: OAuth2 is mainly used for API authorization; it is a solution for authorizing access between API services. It applies to single sign-on (SSO), authorization and authentication between microservices, API open platforms and similar scenarios.

Q: What is an OAuth2 client?

A: An application that is registered as a client on the OAuth2 authorization server and is identified by its own client_id is an OAuth2 client. Android apps, iOS apps, Web front ends and other client applications follow the same rule: only if they themselves are registered with the OAuth2 authorization server do they become OAuth2 clients; otherwise they are not. The registration has to be their own, not that of the back-end services that support them.

Q: Why does OAuth2 divide clients into public and confidential types, and what are the scenarios for each?

A: According to rfc6749#section-2.1, OAuth2 divides clients into confidential clients and public clients based on whether the client itself is able to keep its client credentials (client_secret) confidential, that is, whether the authorization server can securely authenticate the client. Most back-end services should be registered as confidential clients. Clients that cannot guarantee the secrecy of their own credentials should be registered as public clients. A public client has no client_secret at all; it is registered directly with the OAuth2 authorization server and executes the flow itself, without a back-end application relaying the access token for it. Examples are Web applications and mobile applications that, in particular scenarios, must talk to the authorization server directly.

Q: Should the OAuth2 access_token and refresh_token be returned directly to the front end?

A: Whether they may be returned to the front end depends on whether the front end itself is the OAuth2 client registered on the authorization server. If it is not, it must not hold the access_token and refresh_token: these tokens are issued only to the OAuth2 client. Releasing them to a larger exposed surface makes them easy to steal.

Q: If a client application that is not the OAuth2 client cannot hold the access_token and refresh_token directly, how does it obtain the authorization status?

A: When authorization succeeds, the token can be mapped to the user's client side through a session or a cookie. You can also consider computing an opaque token and mapping that instead; the specifics depend on the business.

Q: What is scope in OAuth2?

A: OAuth2 is an authorization framework, and authorization naturally requires a delimited range (scope), so that the OAuth2 client acts within the granted range and does not overstep it. Its role is in fact similar to that of a role in RBAC: both restrict access to resources. A role is attached to the resource owner (Resource Owner), whereas a scope is aimed at the OAuth2 client. There is one exception, openid: that scope is the marker of OIDC 1.0 and counts as a reserved keyword.

Q: Can the login page and the authorization consent page in OAuth2 be split into a separate front end and back end?

A: Many developers do not want the user to be 302-redirected to the login page provided by the authorization server when they click to authorize. But you have to understand one thing: there is no full trust relationship between the OAuth2 client and the authorization server. If you order takeout, you give the courier a temporary access code to the building, not your regular one. In addition, ajax (XMLHttpRequest/fetch) cannot properly handle the 302 redirects in the OAuth2 authorization flow, because the browser follows them transparently and the script cannot read the cross-origin response; that is a technical obstacle as well.
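As an added illustration (not code from the original post), here is what the "keep the tokens on the back end" answer and the 302 answer above look like in one small Python class: the back end is the registered OAuth2 client, it builds the redirect to the authorization server's own login page, verifies state on the callback, exchanges the code, and hands the browser only an opaque session id. The authorization endpoint URL, client_id, redirect_uri and the injected exchange_code function are assumptions made for the example.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration (assumed for this example).
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "web-client"
REDIRECT_URI = "https://app.example.com/login/oauth2/code/web-client"


def query_param(url, name):
    """Small helper: read one query parameter from a URL (None if absent)."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


class BackendOAuth2Client:
    """The back end is the registered (confidential) OAuth2 client. The browser only ever
    receives an opaque session id; access_token and refresh_token stay on the server."""

    def __init__(self, exchange_code, clock=time.time):
        # exchange_code(code, redirect_uri) -> token response dict. Injected so the example
        # runs offline; the real thing is a POST to the token endpoint with client authentication.
        self._exchange_code = exchange_code
        self._now = clock
        self._pending_states = {}  # state -> time issued (one per authorization attempt)
        self._sessions = {}  # opaque session id -> token set

    def begin_authorization(self, scope="openid profile"):
        """Step 1: build the URL the browser is 302-redirected to. Login and consent happen
        on the authorization server's own pages; the client never sees the user's password."""
        state = secrets.token_urlsafe(32)
        self._pending_states[state] = self._now()
        query = urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": scope,
            "state": state,
        })
        return f"{AUTHORIZE_ENDPOINT}?{query}"

    def handle_callback(self, callback_url, max_state_age=300):
        """Step 2: the authorization server redirects back with code and state. Verify state
        (CSRF protection), redeem the code server-side, and give the browser an opaque
        session id instead of the tokens. Raises PermissionError on any failure."""
        error = query_param(callback_url, "error")
        if error is not None:
            raise PermissionError(error)
        state = query_param(callback_url, "state")
        issued_at = self._pending_states.pop(state, None)  # single use: a replay is rejected
        if issued_at is None or self._now() - issued_at > max_state_age:
            raise PermissionError("unknown or expired state")
        code = query_param(callback_url, "code")
        if code is None:
            raise PermissionError("missing code")
        tokens = self._exchange_code(code, REDIRECT_URI)
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {
            "access_token": tokens["access_token"],
            "refresh_token": tokens.get("refresh_token"),
            "expires_at": self._now() + int(tokens.get("expires_in", 3600)),
        }
        return session_id  # goes into an HttpOnly, Secure, SameSite cookie

    def bearer_header_for(self, session_id):
        """Step 3: when the back end calls a resource server for this user, it resolves the
        opaque session id to the real access token. None means re-authorize (or refresh)."""
        sess = self._sessions.get(session_id)
        if sess is None or self._now() >= sess["expires_at"]:
            return None
        return {"Authorization": f"Bearer {sess['access_token']}"}

    def logout(self, session_id):
        """Dropping the mapping cuts the browser off; the token itself can additionally be
        revoked at the authorization server (not shown)."""
        return self._sessions.pop(session_id, None) is not None
```

The session id carries no information about the tokens, so a stolen cookie is only useful against this back end for as long as the mapping exists, which is exactly the property the answer above is asking for.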

Q: Can an OAuth2 client authenticate users?

A: OAuth2 does not define how a user authenticates to the OAuth2 client; this must be distinguished from the user's authentication on the authorization server. When the OAuth2 client completes authorization it obtains an authorization credential, but it cannot obtain the user's information from that directly. If the authorization server provides a resource interface for fetching user information, the OAuth2 client can try to obtain user information through that interface to identify the user, which in turn depends on whether the user has authorized the OAuth2 client to do so. OIDC 1.0 supplements OAuth2 with a definition of how the OAuth2 client authenticates the user (the ID Token).

Q: What is OAuth2 client authentication?

A: Although confidential OAuth2 clients are registered with the OAuth2 authorization server, they still have to prove to the authorization server that they are legitimate clients through some strategy (a Client Authentication Method) before they may call certain endpoints specified by OAuth2, such as the /oauth2/token token endpoint and the /oauth2/revoke token revocation endpoint. For the details of OAuth2 client authentication, see my article on the OAuth2 client authentication filter.
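An added example (not code from the original post or from any particular framework) of what this answer and the public/confidential answer above mean in practice, seen from the authorization server side: the token endpoint authenticates a confidential client with client_secret_basic, while a public client, which has no client_secret at all, has to prove possession of a PKCE code_verifier instead. The client registrations and the /oauth2/token-style handler are assumptions made for the example; the S256 transform is the one from RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Hypothetical client registrations on the authorization server (assumed for this example).
CLIENTS = {
    "backend-service": {"type": "confidential", "secret": "s3cr3t-registered-at-as"},
    "spa-frontend": {"type": "public"},  # public client: registered, but has no client_secret
}


def client_secret_basic_header(client_id, client_secret):
    """Client side, confidential client: the client_secret_basic method of RFC 6749 section 2.3.1
    (form-urlencode both values, then HTTP Basic)."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def s256(code_verifier):
    """PKCE S256 transform (RFC 7636 section 4.2): BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair():
    """Client side, public client: a fresh code_verifier kept for the token request and the
    code_challenge sent with the authorization request. 32 random bytes -> 43 URL-safe chars."""
    verifier = secrets.token_urlsafe(32)
    return verifier, s256(verifier)


class AuthorizationServer:
    """The relevant slice of a token endpoint: authenticate the client (confidential)
    or verify PKCE (public) before redeeming an authorization code."""

    def __init__(self):
        self._codes = {}  # authorization code -> {"client_id", "code_challenge"}

    def issue_code(self, client_id, code_challenge=None):
        """Stands in for the authorization endpoint: records which client the code was
        issued to and, for PKCE, the challenge that came with the authorization request."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": client_id, "code_challenge": code_challenge}
        return code

    def _authenticate_client(self, headers, form):
        """Returns the client_id the request has proven, or None (-> invalid_client)."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                client_id, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
                client_id, secret = unquote(client_id), unquote(secret)
            except ValueError:  # bad base64, bad UTF-8 or no ':' separator
                return None
            reg = CLIENTS.get(client_id)
            if reg is None or reg["type"] != "confidential":
                return None
            # constant-time comparison so the secret cannot be probed through timing
            return client_id if hmac.compare_digest(reg["secret"], secret) else None
        # No credentials: only a registered *public* client may proceed on client_id alone.
        reg = CLIENTS.get(form.get("client_id"))
        if reg is None or reg["type"] != "public":
            return None
        return form["client_id"]

    def token_endpoint(self, headers, form):
        """grant_type=authorization_code. Returns a token response or an RFC 6749 section 5.2 error."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        client_id = self._authenticate_client(headers, form)
        if client_id is None:
            return {"error": "invalid_client"}
        # Codes are single use: consume first, so a failed attempt also burns the code.
        issued = self._codes.pop(form.get("code"), None)
        if issued is None or issued["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if CLIENTS[client_id]["type"] == "public":
            verifier = form.get("code_verifier", "")
            if not (43 <= len(verifier) <= 128) or issued["code_challenge"] is None:
                return {"error": "invalid_grant"}
            if not hmac.compare_digest(s256(verifier), issued["code_challenge"]):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```

Note what the server refuses: a confidential client that shows up without its secret is treated exactly like an unknown client, and a public client cannot redeem a code without the verifier that matches the challenge it sent earlier, which is what stops a stolen code from being useful to whoever intercepted the redirect.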

Q: Why was the password grant removed from OAuth2?

A: To be exact, the password grant (Resource Owner Password Credentials) has been removed from OAuth 2.1, and well-known third-party authorization providers such as Auth0 and Okta have also dropped it.

When the password grant was born, single-page applications built with React or Vue had not yet taken off; those frameworks did not even exist. The grant was more of a transitional solution for legacy problems. In traditional applications, users were used to handing their password directly to the client in exchange for access to resources, rather than being bounced around to request and confirm authorization. At OAuth2's birth, this grant was designed to let users move away from that traditional habit gradually. But it breaks the delegation model and lowers the security of OAuth2.

For more details, please refer to my earlier related articles.

Q: How is the resource server described in OAuth2?

A: Any server that exposes resource interfaces which the OAuth2 client must present an access_token to access can be regarded as a resource server; depending on business and architecture, the OAuth2 client and the OAuth2 authorization server themselves can also take on the resource server's function. From the user's (resource owner's) perspective, a server that holds resource interfaces the user can authorize access to is a resource server. The resource server decodes and validates the access_token and decides whether the request is compliant.
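To make the scope answer and this resource server answer concrete, here is an added Python example (not code from the original post) of a resource server decoding and checking an access_token and then enforcing a per-interface scope. It assumes the access_token is an HS256-signed JWT under a constructed shared demo key, with issuer https://auth.example.com and audience orders-api, and the route-to-scope table is invented for the example; real deployments verify against the authorization server's public key (JWKS), and the checking logic is otherwise the same. The mint_token function only exists so the example can build a sample token offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the (simulated) authorization server and this resource server.
# Real deployments sign with an asymmetric key and publish the public part via JWKS.
SIGNING_KEY = b"constructed-demo-hmac-key-not-for-production"
EXPECTED_ISSUER = "https://auth.example.com"  # hypothetical authorization server
EXPECTED_AUDIENCE = "orders-api"              # this resource server's identifier

# Which scope each resource interface requires: the resource server's own policy (invented).
REQUIRED_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims):
    """Authorization-server side; included only so the example can build a sample token offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_token(token, now=None):
    """Resource-server side: decode the access_token and check signature, algorithm, issuer,
    audience and validity window. Returns the claims or raises PermissionError."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        raise PermissionError("invalid_token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("invalid_token")
    # Pin the algorithm: the token's own 'alg' must never choose how it is verified ('none' etc.).
    if header.get("alg") != "HS256":
        raise PermissionError("invalid_token")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise PermissionError("invalid_token")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("invalid_token")
    audience = claims.get("aud")
    audience = audience if isinstance(audience, list) else [audience]
    if EXPECTED_AUDIENCE not in audience:  # token was issued for a different resource server
        raise PermissionError("invalid_token")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise PermissionError("invalid_token")
    return claims


def authorize_request(method, path, authorization_header, now=None):
    """Gate one request. Returns (http_status, body): 401 when the token is missing or invalid,
    403 when it is valid but lacks the scope the interface requires, 200 otherwise."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    try:
        claims = verify_token(authorization_header[len("Bearer "):], now)
    except PermissionError:
        return 401, {"error": "invalid_token"}
    required = REQUIRED_SCOPES.get((method, path))
    if required is None:
        return 404, {}
    granted = set(claims.get("scope", "").split())  # space-delimited, RFC 6749 section 3.3
    if required not in granted:
        return 403, {"error": "insufficient_scope", "scope": required}
    return 200, {"sub": claims.get("sub"), "client_id": claims.get("client_id")}
```

The distinction the answers above draw shows up in the status codes: a bad or expired token is a 401 (the client is not properly authorized at all), while a valid token whose scope does not cover the interface is a 403 (the client overstepped the range the user granted it).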

Q: Can microservices go without OAuth2?

A: Certainly. OAuth2 is just one of the current solutions for microservice access control, not the only option.

Summary

These are some of the questions Fat Brother has been asked recently; I believe they can help you. OAuth2 is not a simple thing. Only after nearly three years of intermittent learning did Fat Brother fully understand it, so learners need not worry: when studying gets tedious, set it aside for a while. The most important thing in learning this is to understand its concepts and flows, which matters far more than any particular framework; OAuth2 has nothing to do with a specific language.

Official account: Felordcn, for more information

Personal blog :https://felord.cn


Copyright notice
This article was written by [Ma Nong, little fat brother]. Please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/163/202206121350032584.html