OAuth 2.0 introduction

OAuth 2.0 is an authorization protocol that ensures a third party can access the protected data only after the resource owner has authorized it. The core of authorization is issuing an access token and then using that access token. An OAuth 2.0 system has four roles: the resource owner, the third-party software, the authorization service, and the protected resource. For example, when the user Xiao Ming checks his orders on Jingdong (JD) through the third-party software Rabbit, the resource owner is Xiao Ming, the third-party software is Rabbit, the authorization service is the authorization service of the JD open platform, and the protected resource is Xiao Ming's orders on JD. There are usually four types of authorization grants:

Authorization code grant

The most common and most secure grant is the authorization code grant, grant_type=authorization_code

Why do I need an authorization code?

1. The redirect in step 5 hands the code to the browser. If the token were returned directly, it would be exposed to the browser and risk being stolen

2. The Rabbit software directs the user to JD's authorization service. At this point the connection between the user and the Rabbit software is broken, and Xiao Ming is connected to the Rabbit software again through the redirect

The workflow of the authorization service

1. Rabbit registers on the JD open platform, which generates an app_id, an app_secret and a callback address

2. Direct the user to the authorization service



3. Verify the basic information, such as the app_id, the app_secret, and whether the callback address is valid. Verify the permission scope for the first time: check the scope Rabbit requests against the scope it registered, to see whether it exceeds its authority; then generate the authorization page

4. Verify the permission scope (Rscope) a second time to see whether the permission is exceeded

5. After verification succeeds, generate an authorization code and map it to the app_id, the user, and the permission scope



Set the validity period of the authorization code to 5 minutes

6. Redirect to the third-party software, carrying the code in the request

7. Verify the third-party software; verify the code; delete the code immediately after verification so that a stolen code cannot be used again; generate the access_token



8. A refresh_token is generated at the same time as the access_token

9. The lifetime of the refresh_token is longer than that of the access_token. When the access_token expires, it is recommended to reissue it rather than extend its lifetime; the refresh_token is then discarded and a new one issued (its expiration time does not change)
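The authorization-service side of steps 3 to 9 above, written as an added Python example (this is not code from the original post). The client registry, Rabbit's app_secret, callback address, scope names and the user name are all constructed for the example.

```python
import secrets
import time

# Constructed registration data (step 1): the third-party app "rabbit", its
# app_secret, its callback address and the scopes it registered for.
CLIENTS = {
    "rabbit": {
        "secret": "rabbit-secret",
        "redirect_uri": "https://rabbit.example/cb",
        "scopes": {"orders:read"},
    },
}
CODE_TTL = 300   # authorization codes are valid for 5 minutes (step 5)
_codes = {}      # code -> (app_id, user, scope, expiry); the only server-side state


def issue_code(app_id, redirect_uri, user, scope, now=None):
    """Steps 3-5: verify the client, its callback and its scope, then mint a one-time code."""
    client = CLIENTS.get(app_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        return None
    if not set(scope) <= client["scopes"]:
        return None  # requested scope exceeds the registered scope
    code = secrets.token_urlsafe(24)
    expiry = (now if now is not None else time.time()) + CODE_TTL
    _codes[code] = (app_id, user, frozenset(scope), expiry)
    return code


def exchange_code(app_id, app_secret, code, now=None):
    """Steps 7-8: verify the client, verify and delete the code, issue both tokens."""
    client = CLIENTS.get(app_id)
    if client is None or not secrets.compare_digest(client["secret"], app_secret):
        return None
    entry = _codes.pop(code, None)  # removed on first use, so a stolen code cannot be replayed
    if entry is None:
        return None
    code_app, user, scope, expiry = entry
    if code_app != app_id or (now if now is not None else time.time()) > expiry:
        return None
    return {
        "access_token": secrets.token_urlsafe(32),
        "refresh_token": secrets.token_urlsafe(32),  # issued together with the access token
        "user": user,
        "scope": sorted(scope),
    }
```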

JWT

The token is encapsulated in a structured way so that it can carry more meaning, such as user information and permission information

The structured body is divided into HEADER, PAYLOAD and SIGNATURE, separated by a period (.)



Normally the authorization service issues a token and the protected resource service validates it by querying the database or calling an interface provided by the authorization service; with JWT, the protected resource service can parse the information in the token directly

JWT uses Base64 encoding to avoid garbled characters during transmission and protects its contents with signing or encryption; this is usually done with the JJWT open-source library

Why JWT?

1. Use computation instead of storage

2. Emphasize encryption

3. Improve the availability and scalability of the system through stateless services

The disadvantage is that once a token has been issued there is no way to change its state. For the signing key there are two approaches: one secret key per user, which requires a separate key management system, or using the user's password as the secret key

Tokens are opaque to the third-party software; it is the authorization service and the protected resource service that need to concern themselves with tokens

How to build third-party software?



How to build a protected resource system?

Resource owner password credentials grant

For example, if Rabbit is JD's own official software, there is no third party involved, and the token can be exchanged directly for the user name and password: grant_type=password.

Client credentials grant

When there is no clear resource owner, for example when Rabbit accesses product photos on JD, it can obtain the token directly with its app_id and app_secret: grant_type=client_credentials

Implicit grant

For example, if Rabbit is embedded in the browser, nothing can be kept confidential in the browser