Follow the public account "JAVA Front" for more articles on source code analysis, practical applications, architecture thinking, workplace experience and product thinking; you are also welcome to add my personal WeChat "JAVA_front" to discuss and learn together.


1 Article Overview

Suppose Xiao Ming has developed a website called A, which needs to support logging in with a WeChat account and with a Taobao account. If you were a WeChat or Taobao developer, how would you design this feature? This article takes the Taobao account as its example, following the official documentation of the Taobao Open Platform.

The simplest approach: the user enters a Taobao user name and password on website A, and website A calls a Taobao interface to verify them; if verification passes, the login succeeds. The overall flow is shown below:



What is wrong with this approach? The most obvious problem is information security. First, the user has to type the Taobao user name and password into website A, so those credentials are exposed to A and can be leaked by it. Second, users who do not trust website A will refuse to enter their Taobao credentials, which hurts A's business.


2 OAuth2.0

How can the security problem of third-party login be solved? OAuth is a widely adopted standard. If this standard is implemented, users can log in to website A with a Taobao account without ever telling website A their Taobao user name and password.

OAuth2.0 is the current version of the standard. Compared with 1.0 it puts more emphasis on simplicity for client developers, and it defines specific authorization flows for web applications, desktop applications and mobile devices.


2.1 Four Roles

The OAuth2.0 standard defines four roles:

  • Client
  • Resource Owner
  • Resource Server
  • Authorization Server

The interaction between the four roles:

In this article's scenario the four roles map as follows:


2.2 Four modes

The OAuth2.0 standard defines the following four authorization modes (grant types):

  • Authorization Code
  • Implicit
  • Resource Owner Password Credentials (password)
  • Client Credentials

Of the four, the authorization code mode is by far the most common. For example, the WeChat Open Platform documentation states that, for website applications, WeChat OAuth2.0 authorized login currently supports only the authorization code mode. This article therefore covers only the authorization code mode; a later article will compare the four modes in detail.



2.3 Implementation Process

The first step is creating an application. The developer of website A first registers an application on the Taobao Open Platform, and the platform generates a client_id as the unique identifier of website A, together with a client secret that only A's backend knows.

The second step is authorization. When the user clicks "log in with Taobao" on website A, the browser is actually sent to an authorization URL assembled by website A, whose page is served by Taobao. The user enters the Taobao user name and password on that authorization page; after verification succeeds, Taobao redirects the browser to website A's callback address (the redirect_uri) with a code attached. Website A's backend then uses that code to obtain an access_token.

The third step is obtaining information. Holding the access_token is like holding a key: website A calls Taobao's open interfaces according to their specification, presenting the token, and receives the user's data.



2.4 Why Is This Secure

First, website A's developer has to register on the Taobao Open Platform and submit personal or company information, which gives some assurance of A's accountability.

Second, in chapter 1 the user enters the Taobao user name and password on website A itself, whereas in the second step of 2.3 the user still enters them, but on a page provided by Taobao, so website A never sees the credentials.

Third, the access_token is never passed through the browser: after receiving the code, website A exchanges it for the token from its backend, presenting its client secret, which avoids exposing the key.

Fourth, the code does pass through the browser and is therefore exposed, but two properties limit the damage a leaked code can do:

(1) The code has a short validity period (RFC 6749 recommends at most ten minutes). Once it has expired, a new one must be obtained by going through the authorization flow again.

(2) The code can be used only once. After it has been exchanged, another code must be obtained by going through the authorization flow again.

In addition, the token endpoint accepts a code only from the client it was issued to, presented together with that client's secret and the same redirect_uri, so an intercepted code alone is not enough to obtain a token; and website A should send a random state parameter in the authorization URL and verify it on the callback, so that an attacker cannot plant a code of their own into a victim's session (CSRF).
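To make the three steps of 2.3 and the four points above concrete, here is an added example in Python; it is not code from the original article, nor from Taobao or WeChat. A toy in-memory authorization server stands in for the platform and a small client class stands in for website A. The endpoint URL, the client_id "app-a" and its secret, the redirect_uri and the user record are all constructed for the example. It walks the flow (authorize URL, callback with code, back-channel exchange, user-info call) and then shows the code being refused when replayed, when it arrives with a state website A never issued, and when it is exchanged after its lifetime.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoint for the example; not a real Taobao or WeChat URL.
AUTHORIZE_ENDPOINT = "https://platform.example.test/oauth/authorize"
CODE_LIFETIME = 600  # seconds; RFC 6749 recommends a code lifetime of at most 10 minutes


class AuthorizationServer:  # toy in-memory stand-in for the platform's authorization + resource server
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # code -> grant record (client_id, redirect_uri, user, issued_at)
        self.tokens = {}        # access_token -> user record

    def authorize(self, client_id, redirect_uri, state, user, now):
        """Runs after the user logged in on the platform's own page: issue a code and redirect."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user, "issued_at": now}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now):
        """Back-channel exchange code -> access_token; requires the client secret."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: the code is consumed by its first use
        if grant is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code bound to another client or redirect_uri")
        if now - grant["issued_at"] > CODE_LIFETIME:
            raise PermissionError("invalid_grant: code expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = grant["user"]
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, access_token):  # resource server: user data only for a token we issued
        if access_token not in self.tokens:
            raise PermissionError("invalid_token")
        return self.tokens[access_token]


class WebsiteA:  # the OAuth client: builds the authorize URL and handles the callback
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()  # in production: stored in the user's session

    def login_url(self):
        state = secrets.token_urlsafe(16)  # per-login nonce, checked on return (CSRF defence)
        self.pending_states.add(state)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                    "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, callback_url, now):
        qs = parse_qs(urlparse(callback_url).query)
        state = qs.get("state", [""])[0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: this callback was not started by us")
        self.pending_states.discard(state)
        tok = self.server.token(self.client_id, self.client_secret, qs["code"][0], self.redirect_uri, now)
        return self.server.userinfo(tok["access_token"])


def rejected(action):
    try:
        action()
    except PermissionError:
        return True
    return False


def run_flow():
    """Drive the three steps of 2.3, then misuse the code three ways; return what happened."""
    cb = "https://a.example.test/callback"
    server = AuthorizationServer({"app-a": {"secret": "app-a-secret", "redirect_uri": cb}})
    site = WebsiteA(server, "app-a", "app-a-secret", cb)
    user = {"uid": "u-1001", "nick": "xiaoming"}  # constructed user record
    now = 1_700_000_000
    # Step 1 (browser): website A sends the user to the platform's authorize URL.
    state = parse_qs(urlparse(site.login_url()).query)["state"][0]
    # Step 2 (platform's page): the user logs in there; the platform redirects to A with a code.
    callback = server.authorize("app-a", cb, state, user, now)
    code = parse_qs(urlparse(callback).query)["code"][0]
    # Step 3 (A's backend): exchange the code, then call the user-info interface.
    result = {"user": site.handle_callback(callback, now)}
    # (2) Replaying the same code fails: the first exchange consumed it.
    result["reuse_rejected"] = rejected(lambda: server.token("app-a", "app-a-secret", code, cb, now))
    # A callback carrying a state website A never issued is refused before any exchange.
    foreign = server.authorize("app-a", cb, "state-from-elsewhere", user, now)
    result["bad_state_rejected"] = rejected(lambda: site.handle_callback(foreign, now))
    # (1) A fresh code exchanged after its lifetime fails.
    state2 = parse_qs(urlparse(site.login_url()).query)["state"][0]
    late = server.authorize("app-a", cb, state2, user, now)
    result["expired_rejected"] = rejected(lambda: site.handle_callback(late, now + CODE_LIFETIME + 1))
    return result
```

Calling run_flow() returns the user record obtained in step 3 plus three flags, all True, for the replayed code, the foreign state and the expired code. The token exchange happens in the backend (the token method), so the browser only ever sees the code and the state, which is the point made above.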


3 OpenID Connect

3.1 Authorization and Authentication

Chapter 2 analysed the OAuth2.0 protocol, and section 2.3 walked through its three steps: creating the application, authorization, and obtaining information. That raises a question: after the client obtains the token it still has to call the resource server's interface to find out who the user is. Is there a protocol that returns the user's identity together with the token? To answer this, compare two concepts: authorization and authentication.

Authorization is about what the communicating party is allowed to do; authentication is about who the communicating party is. OAuth2.0 defines only authorization: once the token is returned the authorization process is complete, and nothing in the protocol tells the client who the user is. OpenID Connect extends OAuth2.0 so that the client also receives a signed statement of the user's identity (the ID token) and can authenticate the user from it.
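As an added example (not code from the original article or from any provider) of what OpenID Connect adds on top of OAuth2.0: the identity provider returns an ID token, a signed JWT, beside the access token, and the relying party checks its signature, issuer, audience, expiry and nonce before trusting the identity claims inside it. The issuer URL, client_id, secret and claim values below are constructed. The token is signed with HS256 using the client secret as the HMAC key, which OpenID Connect Core permits for HMAC-based algorithms; production providers usually sign with RSA or ECDSA keys published in a JWKS document, in which case the signature check would use that public key instead.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; not a real identity provider, client or secret.
ISSUER = "https://idp.example.test"
CLIENT_ID = "app-a"
CLIENT_SECRET = b"app-a-client-secret-used-as-hmac-key"
ID_TOKEN_LIFETIME = 300  # seconds


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_id_token(sub, nonce, now, extra_claims=None):
    """Identity provider side: mint the ID token that is returned next to the access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + ID_TOKEN_LIFETIME, "nonce": nonce}
    claims.update(extra_claims or {})  # e.g. profile claims such as a nickname
    signing_input = b64url(jwt_json(header)) + "." + b64url(jwt_json(claims))
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token, expected_nonce, now):
    """Relying party side: return the claims only if the token is genuine and meant for us.

    Raises ValueError with the reason otherwise. Order matters: the signature is checked
    before any claim is read, so unsigned or re-signed claims are never acted on."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the expected algorithm rather than trusting the token's own 'alg' value
    # (rejects alg=none and algorithm-confusion attempts).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(CLIENT_SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # nonce was sent in the authorize request
        raise ValueError("nonce mismatch (replay)")
    return claims


def verification_error(token, expected_nonce, now):
    """The rejection reason as a string, or None if the token verifies."""
    try:
        verify_id_token(token, expected_nonce, now)
        return None
    except ValueError as exc:
        return str(exc)


def tamper_sub(token, new_sub):
    """Attacker: rewrite the sub claim but keep the original signature."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(b64url_decode(c_b64))
    claims["sub"] = new_sub
    return h_b64 + "." + b64url(jwt_json(claims)) + "." + s_b64


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_id_token("u-1001", "n-123", now, {"nickname": "xiaoming"})
    print(verify_id_token(token, "n-123", now + 10))
    print(verification_error(tamper_sub(token, "u-9999"), "n-123", now + 10))
```

The sub claim returned by verify_id_token is the stable user identifier the relying party should key its accounts on; the access token is still what it presents to the resource server for further data, exactly as in the OAuth2.0 flow of chapter 2.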


3.2 Three Roles

OpenID Connect defines three roles:

  • End User
  • Relying Party
  • Identity Provider

The interaction between the three roles:

In this article's scenario the three roles map as follows:


3.3 Overall Process


4 Related Documents

Taobao Open Platform: introduction to user authorization

WeChat Open Platform: website application WeChat login development guide

