OAuth 2.0

Refer to the blog

Understanding OAuth 2.0

1. Background

OAuth 2.0 is currently the most widely used authorization mechanism: it lets a third-party application be granted a limited set of permissions.

In typical applications, access control is based on passwords: once a user logs in, he or she obtains certain permissions. But a service may also be called by third parties, and if we assigned a user name and password to every third-party caller, user and permission management would become complicated, because third-party access is mostly temporary, untrusted and limited in scope.

OAuth’s solution is that when a third party wants to access the service, the “administrator” issues it a token. The token is valid only for a short period and carries limited permissions. From then on, the third party presents the token whenever it accesses the service, and the administrator can revoke the token if there is a problem.

2. Authorization method

Authorization is how the “administrator” issues a token to a third party. Given the variety of situations on the Internet, the OAuth 2.0 standard defines four ways (grant types) to obtain a token:

Authorization code

Basic process: the third-party application first applies for an authorization code, then uses the authorization code to obtain a token.

Implicit

Some applications are pure front-end Web applications with no back end, so they skip the authorization-code step and the token is returned directly.

Password

If the “administrator” highly trusts a third-party application, the user may hand his or her password directly to that application, which then uses the password to apply for a token.

Client credentials

Without going through the “administrator” authorization step, the third-party application applies for the token directly with its own credentials. A token issued this way belongs to the application rather than to a particular user, so multiple users may share the same token.

For a detailed explanation with diagrams, together with the request parameters, see the following article; it is very intuitive.

OAuth’s four ways of authorization

3. Use of tokens

To use a token, as you probably know, you add it to the HTTP request as an Authorization header:

Authorization: Bearer <token>

Apart from the initial authorization, there is no need to re-authorize when the token expires: when the token is first issued, two tokens are returned, an access token used to fetch data and a refresh token used to obtain a new access token once the old one expires.
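As an added illustration (not code from the original article or from any OAuth library), the authorization-code flow from section 2 and the two-token renewal from section 3, simulated with a toy in-memory authorization server; the client id, secret, redirect URI and scope values are constructed, and the 60 s code lifetime and 3600 s token lifetime are assumptions.

```python
import secrets, time

class AuthServer:
    def __init__(self, clients, clock=time.time):
        self.clients = clients    # client_id -> (client_secret, redirect_uri), pre-registered
        self.clock = clock        # injectable so token expiry can be tested without sleeping
        self.codes = {}           # authorization code -> (client_id, redirect_uri, scope, expiry)
        self.access = {}          # access token -> (client_id, scope, expiry)
        self.refresh = {}         # refresh token -> (client_id, scope)

    def authorize(self, client_id, redirect_uri, scope):
        """Step 1: after the user consents, issue a one-time code bound to client and redirect URI."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, self.clock() + 60)  # codes live 60 s
        return code

    def _issue(self, client_id, scope):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (client_id, scope, self.clock() + 3600)
        self.refresh[refresh] = (client_id, scope)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": refresh, "scope": scope}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 2: exchange the code plus the client secret for an access token and a refresh token."""
        if self.clients.get(client_id) != (client_secret, redirect_uri):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)    # pop: a code can be redeemed only once
        if entry is None or entry[:2] != (client_id, redirect_uri) or self.clock() > entry[3]:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, entry[2])

    def refresh_token(self, client_id, client_secret, refresh):
        """Renewal: trade the refresh token for a fresh pair; the old refresh token is rotated out."""
        if self.clients.get(client_id, (None,))[0] != client_secret:
            raise PermissionError("invalid_client")
        entry = self.refresh.pop(refresh, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid_grant")
        return self._issue(client_id, entry[1])

    def check_bearer(self, authorization_header, required_scope):
        """Resource-server side: validate 'Authorization: Bearer <token>' and its scope."""
        scheme, _, tok = authorization_header.partition(" ")
        entry = self.access.get(tok)
        if scheme.lower() != "bearer" or entry is None or self.clock() > entry[2]:
            return False
        return required_scope in entry[1].split()
```

The single-use code, the expiry check and the refresh-token rotation are what make a leaked code or an expired token useless to anyone replaying it.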