Web Security (X): What is OAuth 2.0?
2022-07-01 05:22:00 【jinyangjie0】
1. Overview
OAuth 2.0 is the most widely used authorization mechanism. It lets a user authorize a third-party application to obtain that user's data.
Take WeChat as an example. WeChat stores my friends list. A third-party application that wants this information must be authenticated and authorized by WeChat: the application redirects the request to WeChat, the WeChat user agrees to authorize the third-party application, and the application then receives the friends list.
In short, OAuth is an authorization mechanism. The owner of the data tells the system that they consent to a third-party application entering the system and retrieving the data. The system then generates a short-lived access token, which the third-party application uses in place of a password.
2. Tokens versus passwords
A token and a password serve the same purpose: either one gets you into the system. But there are three differences.
(1) A token is short-lived. It lapses automatically when it expires, and the user cannot change that. A password is usually valid for a long time and does not change unless the user changes it.
(2) A token can be revoked by the data owner and stops working immediately. A password generally cannot be revoked by someone else.
(3) A token has a scope of authority (scope). For a web service, a read-only token is safer than a read-write token. A password generally carries full authority.
With this design, the token guarantees that the third-party application obtains the permission it needs while remaining under control at any time, so it cannot endanger the system. This is the advantage of OAuth 2.0.
Note that anyone who knows the token can enter the system; the system generally does not re-confirm identity. Tokens must therefore be kept confidential, and leaking a token has the same consequences as leaking a password. That is why a token's validity period is usually set very short.
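As an added illustration (not code from this post or from any particular OAuth implementation), the following small in-memory token store models the three differences above from the resource server's side: a short fixed lifetime, revocation by the owner only, and a scope check on every request. The class and function names, the one-hour lifetime, the scope names and the users are constructed assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Added example: a hypothetical in-memory token store, not code from the post.
# It models the three properties the text contrasts with passwords:
# a short lifetime, revocation by the owner, and a limited scope.

TOKEN_TTL_SECONDS = 3600  # assumed lifetime; deliberately short


@dataclass
class Token:
    value: str
    owner: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class TokenStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised offline
        self._tokens = {}

    def issue(self, owner, scopes, ttl=TOKEN_TTL_SECONDS):
        # 256 bits of randomness: unguessable and unrelated to the user's password
        value = secrets.token_urlsafe(32)
        self._tokens[value] = Token(value, owner, frozenset(scopes), self._now() + ttl)
        return value

    def revoke(self, owner, value):
        # Only the data owner may revoke; revocation takes effect immediately
        tok = self._tokens.get(value)
        if tok is None or tok.owner != owner:
            return False
        tok.revoked = True
        return True

    def check(self, value, required_scope):
        """Resource-server check on every request. Returns (ok, reason)."""
        tok = self._tokens.get(value)
        if tok is None:
            return False, "unknown_token"
        if tok.revoked:
            return False, "revoked"
        if self._now() >= tok.expires_at:
            return False, "expired"
        if required_scope not in tok.scopes:
            return False, "insufficient_scope"
        return True, "ok"


def demo():
    """Walk through the three differences with a constructed clock and users."""
    clock = [1_000_000.0]
    store = TokenStore(now=lambda: clock[0])
    read_only = store.issue("alice", ["friends:read"])
    read_write = store.issue("alice", ["friends:read", "friends:write"])
    out = {}
    # Scope: a read-only token cannot write, a read-write token can
    out["read_with_ro"] = store.check(read_only, "friends:read")
    out["write_with_ro"] = store.check(read_only, "friends:write")
    out["write_with_rw"] = store.check(read_write, "friends:write")
    # Revocation: only the owner can revoke, and it takes effect at once
    out["revoke_by_other"] = store.revoke("bob", read_write)
    out["revoke_by_owner"] = store.revoke("alice", read_write)
    out["after_revoke"] = store.check(read_write, "friends:read")
    # Expiry: once the lifetime has passed the token is dead with no action needed
    clock[0] += TOKEN_TTL_SECONDS
    out["after_expiry"] = store.check(read_only, "friends:read")
    out["unknown"] = store.check("not-a-real-token", "friends:read")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The injected clock is what makes the expiry case testable without waiting an hour; in a real service the store would live in a database or cache and `check` would run in the request middleware of the API that serves the data.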
3. The four grant types of OAuth 2.0
OAuth 2.0 defines four flows for obtaining a token. Choose the one that fits the specific scenario and issue tokens to third-party applications accordingly.
Authorization code (authorization-code): the third-party application first requests an authorization code, then uses that code to obtain the token.
Implicit (implicit): the token is issued directly to the front end. Some web applications are pure front-end applications with no back end, so the token has to be stored on the front end.
Password (password): the user provides the password directly, and the token is requested with it. This is only appropriate for an application you trust highly.
Client credentials (client credentials): for command-line applications without a front end; that is, the token is requested from the command line.
4. Refreshing the token
When the token's validity period has run out, asking the user to go through the whole process again to obtain a new token is a poor experience and is unnecessary. OAuth 2.0 allows the token to be refreshed automatically.
The approach is that when website B issues the token, it issues two at once: one for fetching data and another (the refresh_token field) for obtaining a new token. Before the token expires, the user sends a request with the refresh token to obtain an updated token.
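The authorization-code flow from section 3 and the refresh step from section 4, as an added example in Python that is not code from this post or from WeChat: a hypothetical in-memory authorization server with an authorization endpoint and a token endpoint, and a walkthrough that exchanges a code for an access token and a refresh token, then uses the refresh token after the access token has expired. The client record, secret, redirect URI, lifetimes and scope names are constructed assumptions; the code is single-use and the refresh token is rotated on each use, which are design choices of this example.

```python
import secrets
import time

# Added example: a hypothetical in-memory OAuth 2.0 authorization server
# (not code from the post), covering the authorization-code exchange and
# the refresh-token step. Lifetimes and client records are constructed.
CODE_TTL = 60             # an authorization code is single-use and very short-lived
ACCESS_TTL = 3600         # lifetime of the token used to fetch data
REFRESH_TTL = 30 * 86400  # lifetime of the token used to get a new access token


class AuthServer:
    def __init__(self, clients, now=time.time):
        # clients: {client_id: {"secret": str, "redirect_uris": set of str}}
        self.clients = clients
        self.now = now
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Authorization endpoint: after the user consents, hand back a code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            return {"error": "invalid_request"}  # never redirect to an unregistered URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user,
                            "expires_at": self.now() + CODE_TTL}
        # The browser is sent back to the client with the code and the client's own state
        return {"redirect_to": redirect_uri, "code": code, "state": state}

    def _authenticate(self, client_id, client_secret):
        client = self.clients.get(client_id)
        return client is not None and secrets.compare_digest(client["secret"], client_secret)

    def _issue(self, client_id, user, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        rec = {"client_id": client_id, "user": user, "scope": scope}
        self.access[access] = dict(rec, expires_at=self.now() + ACCESS_TTL)
        self.refresh[refresh] = dict(rec, expires_at=self.now() + REFRESH_TTL)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_TTL, "scope": scope}

    def token(self, client_id, client_secret, grant_type, **params):
        """Token endpoint, called from the client's back end with its secret."""
        if not self._authenticate(client_id, client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            rec = self.codes.pop(params.get("code"), None)  # pop: a code is single-use
            if (rec is None or rec["client_id"] != client_id
                    or rec["redirect_uri"] != params.get("redirect_uri")
                    or self.now() >= rec["expires_at"]):
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["user"], rec["scope"])
        if grant_type == "refresh_token":
            rec = self.refresh.pop(params.get("refresh_token"), None)  # pop: rotate on use
            if rec is None or rec["client_id"] != client_id or self.now() >= rec["expires_at"]:
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["user"], rec["scope"])
        return {"error": "unsupported_grant_type"}


def demo():
    """Constructed walkthrough: code exchange, code replay, refresh, refresh replay."""
    clock = [1_000_000.0]
    cb = "https://app.example/cb"
    clients = {"app123": {"secret": "app-secret", "redirect_uris": {cb}}}
    srv = AuthServer(clients, now=lambda: clock[0])
    out = {}
    # Step 1: the user is redirected to the authorization server and consents
    red = srv.authorize("app123", cb, "friends:read", "state-xyz", "alice")
    out["state_echoed"] = red.get("state") == "state-xyz"
    out["bad_redirect"] = srv.authorize("app123", "https://other.example/cb", "friends:read", "s", "alice")
    # Step 2: the client's back end exchanges the code for the two tokens
    tok = srv.token("app123", "app-secret", "authorization_code", code=red["code"], redirect_uri=cb)
    out["got_tokens"] = "access_token" in tok and "refresh_token" in tok
    out["code_replay"] = srv.token("app123", "app-secret", "authorization_code", code=red["code"], redirect_uri=cb)
    out["wrong_secret"] = srv.token("app123", "nope", "refresh_token", refresh_token=tok.get("refresh_token"))
    # Step 3: the access token has expired; refresh instead of prompting the user again
    clock[0] += ACCESS_TTL
    new = srv.token("app123", "app-secret", "refresh_token", refresh_token=tok.get("refresh_token"))
    out["refreshed"] = "access_token" in new and new["access_token"] != tok.get("access_token")
    out["old_refresh_replay"] = srv.token("app123", "app-secret", "refresh_token", refresh_token=tok.get("refresh_token"))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two endpoints are deliberately separate: `authorize` only ever hands the browser a short-lived code, and the token itself is produced by `token`, which the client's back end calls with its secret. Rotating the refresh token on every use means a refresh token that is copied and replayed later is rejected, which is how the "at any time it can be controlled" property from section 2 carries over to the long-lived credential.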