OAuth, JWT, oidc, you mess me up
2022-07-25 13:01:00 【Dotnet cross platform】
Hi, this is Sang Xiaoyu. This is not a life-sharing article; it is a technical one.
When I first came into contact with authorization and authentication based on the OAuth 2.0 protocol, there were many popular terms, "OAuth", "JWT", "OIDC". It was simply a big headache; I was dizzy and did not even know what I had learned. Reading related articles on the Internet was just as confusing: either it was a fragment of knowledge, or a strange word popped up inexplicably.

▲ Figure / source: Kung Fu Hustle
So this time, with simplicity in mind, let's discuss it together; if there is something you don't understand, that means I didn't understand it or didn't explain it clearly. This article contains no source code: the theoretical understanding comes first as groundwork, and a later part will help the understanding along with source-code practice.
Let's first review the traditional authorization method. Authentication and authorization were basically done with an account and password, and granting access to a third party also meant sharing the password. As informatization spread and systems grew larger, with everyone connected to the Internet, this easily brings security risks.
First, when a user authorizes a third party by sharing the password, the password is handed over in plaintext, which is obviously not safe.
Second, the permissions we actually want to give a third party are only a small part; if they are shared through the password, the third party can obtain all permissions with your password, which is not safe either.
Third, after we authorize a third-party application, we cannot withdraw that authorization. The only way is to change the password, and then every third party we authorized is affected, which is very troublesome and requires re-authorization.
Because of the defects of the traditional authorization method above, the OAuth protocol was introduced. A protocol, as the name suggests, is a standard rule agreed on jointly by everyone (the Internet organizations). Protocols such as the familiar IP and TCP are standards formulated jointly; this prevents countries or enterprises from each having their own, which would easily lead to a proliferation of protocols, limited use and complicated integration.
The OAuth protocol also belongs to the network layer of protocols, and exists to protect the security of resources. Since it is a protocol, it needs a transmission medium so that the parties can identify each other from end to end, and that medium must carry identity information: this is JWT (JSON Web Token), the token we often talk about. JWT will be discussed in the next article.
So, what does the OAuth protocol include?
First, the four main roles.
Resource Owner: the resource owner, someone who can delegate the resource, that is, the user.
Resource Server: the resource server, which stores user information and can verify whether a token is valid (for example the WeChat server, which stores your WeChat avatar, nickname and so on).
Client: the client, a third-party application that can access the user's information after obtaining the user's authorization. For example, BiliBili.
Authorization Server: the authorization server, which authenticates the user's identity, provides the approval process for the user and finally issues the authorization token (Access Token) to the third party's server (it can be the same machine as the resource server).
Through these participants in the OAuth protocol we can summarize the role of OAuth: to grant the user's permissions to third-party applications in a secure and controllable way; after the third-party application obtains the permissions granted by the user, it interacts with the resource server.
Second, OAuth supports four authorization modes.
Because the client must be authorized by the user (authorization grant) in order to get a token (access token), OAuth has four ways of obtaining tokens.
Authorization code mode (authorization code)
The authorization code mode is the relatively standard one; WeChat, GitHub, BiliBili and other well-known applications use it, because the authorization code keeps the token from being exposed, which is safer.
To see how the authorization code flow works in practice, take a concrete example:

▲ Figure / source: the BiliBili login page
Say we want to log in to the BiliBili website. BiliBili provides third-party login methods: WeChat, Weibo or QQ.
1. When we choose WeChat login, BiliBili provides a jump link; when we click it, we are redirected to the WeChat authorization server.
// Interface service
https://open.weixin.qq.com/connect/qrconnect
?appid=wxafc256bf83583323
&redirect_uri=https%3A%2F%2Fpassport.bilibili.com%2Flogin%2Fsnsback%3Fsns%3Dwechat%26state%3D8b90df300a6711edbeb2d280ef8fddbc%26source%3Dnew_main_mini
&response_type=code&scope=snsapi_login
&state=authorize#wechat_redirect
Parameter interpretation:
appid: the open-platform identifier of the application on WeChat, equivalent to client_id.
redirect_uri: the bounce-back address; after WeChat generates the authorization code, it sends the code back to BiliBili at this link.
response_type: the type of authorization; here it is the authorization code type.
scope: the scope of authorization; here it is the authorization granted to the BiliBili API.
state: a check parameter, used to verify whether the user's information has been tampered with.
2. After we scan the QR code, the WeChat server asks whether we authorize BiliBili (which will obtain your nickname and avatar).
3. When we click Allow, the WeChat authorization server returns an authorization code for the current user to the proxy user. The proxy user is the browser, because the browser asks for the authorization on our behalf.
4. After the authorization is confirmed, the proxy user (the browser) sends the authorization code back to BiliBili through the redirect address.
5. BiliBili takes this authorization code, together with other important authentication information, and requests a token from the WeChat authorization server.
6. The WeChat authorization server receives and recognizes this authorization code and sends a token to BiliBili.
7. BiliBili takes this token to the WeChat resource server to read the user's data.

▲ Figure / diagram of the authorization code mode
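The seven steps above as an added worked example in Python. This is not code from the original post, and not WeChat's or BiliBili's code: a minimal in-memory authorization server, client and resource server that use the page's own parameter names (appid, redirect_uri, response_type, scope, state). The appid, client secret, redirect address and user profile are constructed sample values. The example also answers the question the post raises later about the detour through a code: a code seen on the redirect cannot be exchanged for a token without the client secret, and a code that has already been exchanged cannot be replayed.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed registration of the client at the authorization server (sample values, not real data).
CLIENTS = {
    "wxafc256bf83583323": {
        "secret": "bilibili-app-secret",
        "redirect_uri": "https://passport.bilibili.com/login/snsback",
    },
}
CODE_TTL = 60  # an authorization code is short-lived (seconds)


def query_of(url):
    """Flatten the query string of a URL into a plain dict (fragment after '#' is ignored)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Stand-in for the WeChat authorization server: issues codes, then swaps codes for tokens."""

    def __init__(self, now=time.time):
        self.now = now
        self.codes = {}    # code -> grant details; a code is deleted on first use
        self.tokens = {}   # access_token -> {"user", "scope"}

    def authorize(self, authorize_url, user, approved):
        """Steps 2-3: validate the request, record the user's decision, build the redirect back."""
        q = query_of(authorize_url)
        client = CLIENTS.get(q.get("appid"))
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown appid or unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("only the authorization code type is handled here")
        if not approved:
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"appid": q["appid"], "redirect_uri": q["redirect_uri"], "user": user,
                            "scope": q.get("scope", ""), "expires": self.now() + CODE_TTL}
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, appid, secret, code, redirect_uri):
        """Steps 5-6: only a client that presents its secret can turn a code into a token."""
        client = CLIENTS.get(appid)
        if client is None or not secrets.compare_digest(secret, client["secret"]):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a replayed code finds nothing
        if grant is None or grant["appid"] != appid or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if self.now() > grant["expires"]:
            raise PermissionError("invalid_grant: code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return token


class ResourceServer:
    """Stand-in for the WeChat resource server, holding one constructed profile."""

    def __init__(self, auth):
        self.auth = auth
        self.profiles = {"xiaozhang": {"nickname": "Xiao Zhang", "avatar": "avatar.png"}}

    def userinfo(self, token):
        """Step 7: check the token (and its scope) before handing out data."""
        grant = self.auth.tokens.get(token)
        if grant is None or "snsapi_login" not in grant["scope"].split():
            raise PermissionError("invalid_token")
        return self.profiles[grant["user"]]


def build_authorize_url(appid, redirect_uri, state, scope="snsapi_login"):
    """Step 1: the link the client hands to the browser, with the same parameters as the page's URL."""
    params = {"appid": appid, "redirect_uri": redirect_uri, "response_type": "code",
              "scope": scope, "state": state}
    return "https://open.weixin.qq.com/connect/qrconnect?" + urlencode(params) + "#wechat_redirect"


def run_flow(user="xiaozhang", approved=True):
    """Drive steps 1-7 for one login; returns the profile the client ends up reading."""
    auth = AuthorizationServer()
    resource = ResourceServer(auth)
    appid = "wxafc256bf83583323"
    redirect_uri = CLIENTS[appid]["redirect_uri"]
    state = secrets.token_urlsafe(16)  # the client remembers this for the browser session
    callback = auth.authorize(build_authorize_url(appid, redirect_uri, state), user, approved)
    cb = query_of(callback)  # step 4: the browser delivers the redirect to the client
    if cb.get("state") != state or "code" not in cb:
        raise PermissionError("callback rejected")
    token = auth.token(appid, CLIENTS[appid]["secret"], cb["code"], redirect_uri)
    return resource.userinfo(token)


def intercepted_code_is_useless():
    """The detour's payoff: a code without the secret, or a code already spent, yields no token."""
    auth = AuthorizationServer()
    appid = "wxafc256bf83583323"
    redirect_uri = CLIENTS[appid]["redirect_uri"]
    callback = auth.authorize(build_authorize_url(appid, redirect_uri, "s1"), "xiaozhang", True)
    code = query_of(callback)["code"]
    try:
        auth.token(appid, "guessed-secret", code, redirect_uri)  # has the code, not the secret
        return False
    except PermissionError:
        pass
    auth.token(appid, CLIENTS[appid]["secret"], code, redirect_uri)  # legitimate exchange spends it
    try:
        auth.token(appid, CLIENTS[appid]["secret"], code, redirect_uri)  # replay of the spent code
        return False
    except PermissionError:
        return True
```

The redirect_uri is compared with the registered value both when the code is issued and when it is exchanged, and the token endpoint pops the code so that every code works exactly once; those two checks, plus the client secret, are what make an intercepted code worthless.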
Implicit mode (not recommended), suitable for third parties without a backend.
For how it is used, we again take the BiliBili login example.
// Interface service
https://open.weixin.qq.com/connect/qrconnect
?appid=wxafc256bf83583323
&redirect_uri=https://www.blibli.com/callback
&response_type=token&scope=snsapi_login
&state=authorize#wechat_redirect
1. When logging in to BiliBili, a WeChat login link is provided; after clicking it, we jump to the WeChat authorization server.
2. After arriving there, the WeChat server asks whether we authorize BiliBili, and we confirm that BiliBili is authorized.
3. At this point the WeChat authorization server sends the token directly to BiliBili, and BiliBili obtains the user's information with that token.
We find that in this mode the whole interaction with the WeChat authorization service happens without any authentication by the BiliBili backend; the token is simply obtained and returned to BiliBili's front end. This makes it easy for the authorization to be stored or forged through links, which is not safe.
Password mode is suitable for transforming a traditional account/password system into OAuth authorization, and for users who trust the third party.
// Interface service
https://open.weixin.qq.com/connect/qrconnect
?appid=wxafc256bf83583323
&grant_type=password
&username=sunny_100kmiles&password=imluckyboy
&scope=snsapi_login
&state=authorize#wechat_redirect
1. In this mode, when logging in to BiliBili, BiliBili uses our account and password to ask the WeChat authorization server directly for a token.
2. After receiving the account and password, the WeChat authorization server sends a token to BiliBili.
3. BiliBili obtains our information with the token; but if you change the password, the token also has to be refreshed.
Client mode is suitable for third parties without a front end, where no user participates; it is only an interaction between the authorization server and the resource server.
// Interface service
https://open.weixin.qq.com/connect/qrconnect
?appid=wxafc256bf83583323
&grant_type=client_credentials
&client_secret=xxxxxxxx
Comparing the four authorization modes above, some sharp-eyed friends will notice that the first one is more complex overall. Why use an authorization code (code) to go to the WeChat authorization server for the token? Wouldn't it be more convenient to return the token directly to the client BiliBili in step 4? That would also reduce the interaction between the client and the authorization server, so better performance?
The design of the authorization code is not hard to understand. If the token were returned to the client BiliBili through the redirect_uri callback, that is, through the proxy user (browser) layer, it would easily be saved in the browser's cache and logs during transmission, easily leak to other malicious sites, or be intercepted, giving attackers more opportunities to steal tokens.
Moreover, the browser redirect_uri is itself an insecure information channel; normally we do not transmit important, sensitive data this way.
Therefore the authorization code is introduced: the OAuth protocol generates a code for the BiliBili client, and the BiliBili backend uses this code together with other important information (for example the WeChat appid, appsecret and so on) to obtain a token from the WeChat authorization service. Now even if the authorization code is intercepted by an attacker it serves no purpose, which greatly improves security.
So, is this design impeccable? Obviously, after the token is obtained, it can still be intercepted, and even tampered with, during the request interaction with the resource server.
In the OAuth 1.0 protocol, the authorization code and the token were signed and checked repeatedly to guarantee that the token could not be tampered with. OAuth 2.0 does not do this, because OAuth 2.0 is based on HTTPS, and we know that messages transmitted over the HTTPS protocol are encrypted and not easily tampered with. Built on this basis, OAuth 2.0 obviously performs better than OAuth 1.0.
Another problem: after the user authorizes, the authorization code is sent back to the BiliBili client through redirect_uri. If this redirect_uri string is not checked, or the verification is not strict, then the callback address provided by BiliBili, www.blibli.com, could be intercepted and altered into www.clicli.com\www.blibli.com, and the authorization would be hijacked by www.clicli. This is cross-site request forgery.
Because there are several interactions between the authorization server, the BiliBili client and the user, a bounce back is needed when the authorization code is obtained, and this bounce can be blocked.
Then a case like this arises. Suppose I am an attacker: I use my own account to log in to BiliBili through the third-party WeChat login. When I authorize, the WeChat authorization service returns a link carrying the authorization code that jumps back to the BiliBili client. I block that return, so the BiliBili client never receives the authorization code.
Then I send this jump link to a user who is currently logged in (Xiao Zhang).
I induce Xiao Zhang to click it as if it were normal. The link carrying the authorization code from my account is clicked by Xiao Zhang, and the token is then obtained from the WeChat server; at this point my third-party account has been bound to Xiao Zhang's account, and I am effectively logged in to BiliBili as Xiao Zhang, able to delete resources, delete friends, unfollow and perform a series of malicious operations.
Art comes from life; this is not far-fetched at all. I have seen such a case on the Internet.
Lady A goes to an ATM to withdraw money. After inserting her card and entering her PIN, Mr. B, waiting in line behind her, throws some real banknotes at Lady A's feet to induce her to pick them up. Mr. B immediately swaps out Lady A's card and inserts his own card into the ATM. Lady A then finds that she has to log in again, and after entering her PIN several times it is still reported as wrong. In the rush, Mr. B suggests that Lady A go to the counter next door for help, so she goes. By the time Lady A had entered her PIN several times in a row, Mr. B had long since memorized it; he sent her away on a pretext and then operated with Lady A's bank card. What draws attention here is the induced operation, which is similar to the case just described.
So, in a program based on OAuth 2.0, how is this solved?
Go back to the link given above for the authorization code mode and you will find one more parameter, state. By carrying the state parameter, BiliBili can use state to verify whether the account's information has been tampered with. Here state is equivalent to the current account's session id, or a signature string of the cookie.
OK, that covers the design principles and role of OAuth, and introduces the role and concept of JWT (the token). The next chapter will explain in detail how JWT travels between the two ends.
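The two checks the last sections point at, as an added example in Python (not the post's code, nor BiliBili's or WeChat's): an exact redirect_uri match at the authorization server, contrasted with the loose substring check that lets the altered address from the example through, and a state value that the client generates per browser session, signs with a server-side key, verifies once on the callback and then discards. With that, a callback link produced in one person's session is rejected when it is opened in another's, which is exactly the swapped-account scenario described above. The hostnames, appid, key and the ATTACKER_CODE placeholder are constructed values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed registration at the authorization server: the exact redirect URIs allowed per client.
REGISTERED_REDIRECTS = {"wxafc256bf83583323": {"https://www.blibli.com/callback"}}


def weak_redirect_check(candidate):
    """The loose check the post warns about: a substring match on the client's host name."""
    return "www.blibli.com" in candidate


def strict_redirect_check(appid, candidate):
    """Exact, full-string match against the registered list; the altered address is rejected."""
    parsed = urlparse(candidate)
    if parsed.scheme != "https" or not parsed.netloc:
        return False
    return candidate in REGISTERED_REDIRECTS.get(appid, set())


# ---- state handling on the client (BiliBili) side ----
CLIENT_KEY = secrets.token_bytes(32)  # constructed server-side key used to sign state values


class BrowserSession:
    """One browser's server-side session at the client; the pending state lives here."""

    def __init__(self):
        self.session_id = secrets.token_urlsafe(16)
        self.pending_state = None


def _mac(session_id, nonce):
    return hmac.new(CLIENT_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_state(session):
    """state = nonce.HMAC(session_id:nonce): unguessable and tied to exactly this session."""
    nonce = secrets.token_urlsafe(16)
    session.pending_state = f"{nonce}.{_mac(session.session_id, nonce)}"
    return session.pending_state


def verify_state(session, returned_state):
    """Accept the callback only if state is the one this session issued and its MAC checks out."""
    expected = session.pending_state
    session.pending_state = None  # single use, whether or not the check passes
    if expected is None or not returned_state:
        return False
    nonce, _, mac = returned_state.partition(".")
    return (hmac.compare_digest(mac, _mac(session.session_id, nonce))
            and hmac.compare_digest(returned_state, expected))


def handle_callback(session, callback_url):
    """Client-side callback handler: returns the code only when state verification passes."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if not verify_state(session, q.get("state")):
        return None
    return q.get("code")


def state_is_single_use():
    """A state value is accepted once and never again, so a replayed callback fails."""
    s = BrowserSession()
    st = issue_state(s)
    return verify_state(s, st) and not verify_state(s, st)


def login_csrf_rejected():
    """The post's scenario: a callback link produced in the attacker's session is opened by the victim."""
    attacker, victim = BrowserSession(), BrowserSession()
    attacker_state = issue_state(attacker)
    issue_state(victim)  # the victim may have a login of their own in progress
    forged = f"https://www.blibli.com/callback?code=ATTACKER_CODE&state={attacker_state}"
    victim_rejects = handle_callback(victim, forged) is None
    attacker_accepts = handle_callback(attacker, forged) == "ATTACKER_CODE"
    return victim_rejects and attacker_accepts
```

Binding state to the session id through the HMAC is what turns a plain random string into the "session id or cookie signature" the post mentions: the value is unguessable, it can only be produced for the session that will later check it, and clearing it after one verification closes the replay path as well.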
Reference material:
https://www.rfc-editor.org/rfc/rfc6749.html
https://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html
For more interesting content, please keep following!