Web Security (x) what is OAuth 2.0?
2022-07-01 05:22:00 【jinyangjie0】
1. Summary
OAuth 2.0 is the most widely used authorization mechanism. It lets a third-party application obtain a user's data from a system without that user handing over their password.
Take WeChat as an example. WeChat stores my friends' information, and a third-party application wants to read it. To do so the application must be authenticated and authorized by WeChat: the request is redirected to WeChat, the WeChat user agrees to authorize the third-party application, and the application then obtains the friend information.
In short, OAuth is an authorization mechanism. The owner of the data tells the system that a particular third-party application may enter the system and fetch the data. The system then generates a short-lived entry token that the third-party application uses in place of a password.
2. Tokens and passwords
A token plays the same role as a password: whoever presents it can enter the system. There are, however, three differences.
(1) A token is short-lived. It expires automatically, and the user cannot extend it. A password is usually valid indefinitely and never changes unless the user changes it.
(2) A token can be revoked by the data owner, and the revocation takes effect immediately. A password generally cannot be revoked by anyone other than its owner.
(3) A token carries a scope of authority (scope). For a web service, a read-only token is safer than a read-write token. A password generally grants full authority.
Because of these design choices, a token lets a third-party application obtain the access it needs while remaining under the owner's control at all times, so it cannot endanger the system. This is the advantage of OAuth 2.0.
Note that anyone who knows the token can enter the system: the system normally does not re-confirm the caller's identity. Tokens must therefore be kept confidential, and leaking a token has the same consequences as leaking a password. That is why token lifetimes are usually set very short.
3. The four grant types of OAuth 2.0
OAuth 2.0 defines four flows for obtaining a token. Depending on the scenario, the appropriate flow is chosen and a token is issued to the third-party application.
Authorization code (authorization-code): the third-party application first requests an authorization code, then exchanges that code for a token.
Implicit (implicit): the token is issued directly to the front end. Some web applications are pure front-end applications with no back end, so the token has to be held in the front end.
Password (password): the user hands their password directly to the application, which uses it to request a token. This is only appropriate when the application is highly trusted.
Client credentials (client credentials): for command-line applications with no front end, the token is requested directly from the command line using the application's own credentials.
4. Refreshing tokens
When a token reaches the end of its validity, asking the user to go through the whole flow above again to obtain a new one would be a poor experience, and it is unnecessary. OAuth 2.0 allows the token to be renewed automatically.
The mechanism works as follows. When the authorizing site issues a token, it issues two at once: one for fetching data, and another for obtaining a new token (the refresh token field). Before the data token expires, the application sends a request carrying the refresh token and receives a fresh token in return.
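The following is an added example, not code from the original post. It is a small in-memory authorization server that ties sections 2, 3 and 4 together: the authorization-code grant (one-time code exchanged for a token over an authenticated back channel), the three token properties from section 2 (expiry, owner revocation, scope), and refresh-token renewal with rotation. Client names, the `friends:read` scope, redirect URI and the lifetimes are constructed values; `now` is passed explicitly so the timing behaviour can be exercised deterministically.

```python
"""Constructed example of a minimal OAuth 2.0 authorization server (not from the post)."""
import secrets
import time
from dataclasses import dataclass

CODE_TTL = 600.0  # authorization codes are single-use and short-lived (assumed value)


@dataclass
class Token:
    client_id: str
    user: str
    scope: frozenset
    expires_at: float
    revoked: bool = False


class AuthServer:
    def __init__(self, access_ttl=3600.0, refresh_ttl=30 * 86400.0):
        self.access_ttl = access_ttl      # short: limits damage from a leaked token
        self.refresh_ttl = refresh_ttl    # longer: avoids re-prompting the user
        self.clients = {}                 # client_id -> (secret, registered redirect_uri)
        self.codes = {}                   # code -> (client_id, user, scope, redirect_uri, expires_at)
        self.access_tokens = {}           # token string -> Token
        self.refresh_tokens = {}          # token string -> Token

    def register_client(self, client_id, secret, redirect_uri):
        self.clients[client_id] = (secret, redirect_uri)

    def _check_client(self, client_id, secret):
        stored = self.clients.get(client_id)
        if stored is None or not secrets.compare_digest(stored[0], secret):
            raise PermissionError("invalid_client")

    def authorize(self, client_id, redirect_uri, scope, user, now=None):
        """Front channel: after the user consents, issue a one-time authorization code."""
        now = time.time() if now is None else now
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("invalid_redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, user, frozenset(scope), redirect_uri, now + CODE_TTL)
        return code

    def _issue(self, client_id, user, scope, now):
        """Section 4: every issuance hands out an access token and a refresh token together."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = Token(client_id, user, scope, now + self.access_ttl)
        self.refresh_tokens[refresh] = Token(client_id, user, scope, now + self.refresh_ttl)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": int(self.access_ttl), "refresh_token": refresh,
                "scope": " ".join(sorted(scope))}

    def exchange_code(self, code, client_id, secret, redirect_uri, now=None):
        """Back channel: the client authenticates and swaps the code for tokens."""
        now = time.time() if now is None else now
        self._check_client(client_id, secret)
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid_grant")
        c_id, user, scope, r_uri, expires_at = entry
        if c_id != client_id or r_uri != redirect_uri or now > expires_at:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, user, scope, now)

    def refresh(self, refresh_token, client_id, secret, now=None):
        """Renew without involving the user; the old refresh token is rotated out."""
        now = time.time() if now is None else now
        self._check_client(client_id, secret)
        tok = self.refresh_tokens.pop(refresh_token, None)
        if tok is None or tok.revoked or tok.client_id != client_id or now > tok.expires_at:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, tok.user, tok.scope, now)

    def revoke(self, token):
        """Owner-initiated revocation (section 2, point 2): takes effect immediately."""
        for store in (self.access_tokens, self.refresh_tokens):
            if token in store:
                store[token].revoked = True

    def check_access(self, access_token, required_scope, now=None):
        """What the resource server does per request. Note it never re-confirms who the
        caller is: possession of the bearer token is all that is checked (section 2)."""
        now = time.time() if now is None else now
        tok = self.access_tokens.get(access_token)
        if tok is None or tok.revoked or now > tok.expires_at:
            return False
        return required_scope in tok.scope


def rejected(fn, *args, **kwargs):
    """Helper for demos/tests: True if the server refused the request."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

Reading the flow top to bottom: `authorize` is the step where the user says yes on the authorizing site, `exchange_code` is the server-to-server call only a client holding the secret can make, and `check_access` shows why a leaked access token is as dangerous as a leaked password, and why its lifetime and scope are the only things that bound the damage.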