Think of questions every day

Describes the four roles and the four authorization modes available in the OAuth2 protocol

Purpose:

There are 4 authorization methods in OAuth2:

  • Authorization-code

1. Request an authorization code.

2. Return the authorization code.

3. Request a token.

4. Return the access_token.

This approach is the most common and the most secure, and it is suited to web applications that have a back end. Only the authorization code passes through the front end; the token is stored in the back end, and all communication with the resource server is done from the back end. This separation of front end and back end prevents the token from leaking.

  • Implicit

Here the token is passed directly to the front end, which is not secure. It should therefore only be used in scenarios with low security requirements, and the token's validity period must be very short, usually limited to the session, so that the token becomes invalid when the browser is closed.

  • Password

This method requires users to hand their own user name and password to the application, which is obviously risky. It is therefore only suitable for applications that cannot adopt any other authorization method and that users trust highly.

  • Client credentials

The token issued in this way belongs to the third-party application itself, not to a user; multiple users may therefore share the same token.
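As an added example (not code from the original post), the following self-contained Python simulation walks through the four authorization-code steps above and the client-credentials grant just described. Every name in it (ToyAuthorizationServer, ToyResourceServer, run_flows) and the sample client id, secret, redirect URI and user data are constructed for illustration. It demonstrates the properties the text relies on: the code is bound to the registered client and redirect URI, it is single-use and short-lived, the token is obtained and held by the back end rather than the browser, and a client-credentials token carries no user identity and so cannot read a user's resource.

```python
# Added example, not from the original post: an in-memory toy of the
# authorization-code grant (steps 1-4) and the client-credentials grant.
# All class/function names and sample values are assumptions for illustration.
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 60      # authorization codes must be short-lived and single-use
TOKEN_TTL_SECONDS = 3600   # access tokens expire as well


@dataclass
class RegisteredClient:
    client_secret: str
    redirect_uri: str


@dataclass
class IssuedCode:
    client_id: str
    user: str
    redirect_uri: str
    issued_at: float
    used: bool = False


class ToyAuthorizationServer:
    """Issues codes and tokens; in reality a separate trusted service."""

    def __init__(self):
        self.clients = {}   # client_id -> RegisteredClient
        self.codes = {}     # code -> IssuedCode
        self.tokens = {}    # access_token -> (client_id, user or None, expires_at)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = RegisteredClient(client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, user, now):
        # Steps 1-2: the user approves in the browser; a code returns via redirect_uri.
        client = self.clients.get(client_id)
        if client is None or client.redirect_uri != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, user, redirect_uri, now)
        return code

    def token_from_code(self, client_id, client_secret, code, redirect_uri, now):
        # Steps 3-4: the client's back end swaps the code plus its secret for a token.
        self._authenticate(client_id, client_secret)
        issued = self.codes.get(code)
        if issued is None or issued.used:
            raise PermissionError("invalid or already used authorization code")
        if issued.client_id != client_id or issued.redirect_uri != redirect_uri:
            raise PermissionError("code was issued to a different client/redirect_uri")
        if now - issued.issued_at > CODE_TTL_SECONDS:
            raise PermissionError("authorization code expired")
        issued.used = True   # a code is good for exactly one exchange
        return self._issue_token(client_id, issued.user, now)

    def token_from_client_credentials(self, client_id, client_secret, now):
        # Client-credentials grant: the token belongs to the application, not a user.
        self._authenticate(client_id, client_secret)
        return self._issue_token(client_id, None, now)

    def introspect(self, token, now):
        # Used by the resource server: (client_id, user) for a live token, else None.
        entry = self.tokens.get(token)
        if entry is None or now >= entry[2]:
            return None
        return entry[0], entry[1]

    def _authenticate(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client.client_secret, client_secret):
            raise PermissionError("client authentication failed")

    def _issue_token(self, client_id, user, now):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, user, now + TOKEN_TTL_SECONDS)
        return token


class ToyResourceServer:
    def __init__(self, auth_server, resources):
        self.auth = auth_server
        self.resources = resources   # user -> data (constructed sample data)

    def get_profile(self, token, now):
        who = self.auth.introspect(token, now)
        if who is None or who[1] is None:   # application-only tokens get no user data
            raise PermissionError("no valid user token")
        return self.resources[who[1]]


def _fails(call):
    try:
        call()
    except PermissionError:
        return True
    return False


def run_flows():
    """Drives both grants with constructed values; returns checkable observations."""
    auth = ToyAuthorizationServer()
    cid, sec, uri = "third-party-app", "client-secret-example", "https://client.example/cb"
    auth.register_client(cid, sec, uri)
    rs = ToyResourceServer(auth, {"alice": {"name": "Alice", "email": "alice@example.org"}})
    t0 = 1_000_000.0

    code = auth.authorize(cid, uri, "alice", now=t0)           # front end sees only the code
    user_token = auth.token_from_code(cid, sec, code, uri, now=t0 + 5)   # back end holds token
    profile = rs.get_profile(user_token, now=t0 + 10)
    replay_rejected = _fails(lambda: auth.token_from_code(cid, sec, code, uri, now=t0 + 6))
    stale = auth.authorize(cid, uri, "alice", now=t0)
    stale_rejected = _fails(lambda: auth.token_from_code(
        cid, sec, stale, uri, now=t0 + CODE_TTL_SECONDS + 1))

    app_token = auth.token_from_client_credentials(cid, sec, now=t0)
    app_identity = auth.introspect(app_token, now=t0 + 1)     # ("third-party-app", None)
    app_denied = _fails(lambda: rs.get_profile(app_token, now=t0 + 1))
    return {"profile": profile, "replay_rejected": replay_rejected,
            "stale_rejected": stale_rejected, "app_identity": app_identity,
            "app_denied": app_denied}


if __name__ == "__main__":
    print(run_flows())
```

The `now` parameters are passed explicitly instead of reading the clock so that code expiry is deterministic; a real authorization server would also bind the code to a client-supplied state value and deliver it only over TLS, which this toy omits.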

Four major roles in OAuth2

  • Resource Owner

  • Resource Server

  • Client, the third-party application; for example, CSDN is a Client of the QQ application

  • Authorization Server

Relationships between roles:

The Resource Owner registers the Client's information with the Authorization Server, obtains a token credential from the Authorization Server by going through the Client, and then uses that token credential to obtain its own resources from the Resource Server.