
OAuth 2.0 one click login

2022-06-25 07:45:00 Nagging program dog

OAuth 2.0 Application scenarios

Programmers are no strangers to Gitee and GitHub. GitHub is probably the earliest and most widely used open-source code hosting service; Gitee, a rising domestic code hosting platform, also offers GitHub-compatible user features, such as logging in to Gitee by authorizing through GitHub. That is what I want to talk about today: OAuth 2.0. You can try the login UI on Gitee yourself to get a more concrete picture of the OAuth 2.0 authorization flow.

OAuth 2.0 roles

Purpose:

To let the "user" grant the client authorization in a secure and controllable way, so that the client can interact with the service provider on the user's behalf.

OAuth 2.0 Operation process

Excerpt from RFC 6749.

There are five ways to authorize users:

  • Authorization code mode (authorization code)
  • Simplified mode (implicit)
  • Password mode (resource owner password credentials)
  • Client mode (client credentials)

Authorization flow - taking the authorization code grant as an example

The authorization process:

  1. The user accesses the client; the client redirects the browser to the authentication page of the authorization server
  2. The user chooses whether to grant authorization
  3. If the user agrees, they authenticate by the method they choose, such as a verification code or account password
  4. The authorization server issues an Authorization Code and redirects the page from the authorization server to the client's Redirection URI
  5. The client takes the Authorization Code to the authorization server
  6. If the code checks out, the server issues an Access Token/Refresh Token

Information supplement

Access Token: An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.

Refresh Token: An OAuth Refresh Token is a string that the OAuth client can use to get a new access token without the user’s interaction.

Scope: Scope is a mechanism in OAuth 2.0 to limit an application's access to a user's account. An application can request one or more scopes; this information is then presented to the user in the consent screen, and the access token issued to the application will be limited to the scopes granted.

A more visual flow - from Alibaba Cloud

SP: client

IDP: Authentication server

In step A, the client requests the authorization URI, which carries the following parameters:

  • response_type: the type of authorization, required; here the value is fixed to "code"
  • client_id: the client's ID, required
  • redirect_uri: the redirection URI, optional; after the authorization server finishes authenticating the user, it redirects to this URI of the client
  • scope: the scope of permissions the application requests, optional
  • state: the client's current state; any value may be given, and the authorization server returns it unchanged.

For example (the authorization code itself is not part of this request; it comes back in step C):

http://example.com?response_type=code&client_id=xxxx&redirect_uri=xxxx.com&state=test

In step C, the server redirects back to the client's URI with the following parameters:

  • code: the authorization code, required. The code should be valid for only a short period, usually 10 minutes, and the client may use it only once; otherwise the authorization server rejects it. The code is bound one-to-one to the client ID and the Redirection URI.
  • state: if the client's request included this parameter, the authorization server must return exactly the same value.
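Steps A and C written out on the client side, as an added example (this is not code from the post): the client builds the authorization request with a random state that it stores in the user's session, and on the redirect it accepts the code only if the returned state matches that stored value, which ties the redirect to the browser session that started the flow. The endpoint, client_id and redirect_uri values are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values; a real client receives these when it
# registers with the authorization server (assumption, not from the post).
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_authorization_url(session: dict, scope: str = "user:email") -> str:
    """Step A: build the authorization request URI.

    The state is random and saved in the user's session so the redirect in
    step C can be matched back to this particular request.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",   # fixed to "code" for the authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_redirect(session: dict, redirect_url: str) -> str:
    """Step C: parse the redirect from the authorization server.

    Returns the authorization code only when the returned state exactly matches
    the one saved in the session. The saved state is consumed either way, so a
    redirect cannot be presented twice against the same pending request.
    """
    query = parse_qs(urlparse(redirect_url).query)
    expected_state = session.pop("oauth_state", None)
    returned_state = query.get("state", [None])[0]
    if expected_state is None or returned_state is None:
        raise ValueError("missing state: redirect does not belong to a pending request")
    # Constant-time comparison on bytes; compare_digest rejects non-ASCII str.
    if not secrets.compare_digest(expected_state.encode(), returned_state.encode()):
        raise ValueError("state mismatch: redirect rejected")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code


if __name__ == "__main__":
    session = {}
    url = build_authorization_url(session)
    print("send the browser to:", url)
    # Constructed redirect, as if the authorization server had sent the user back.
    callback = f"{REDIRECT_URI}?code=constructed-code-123&state={session['oauth_state']}"
    print("authorization code:", handle_redirect(session, callback))
```

The session dict stands in for whatever server-side session store the client application uses; the point is that the state is generated per request, checked on return, and discarded once checked.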

In step D, the client takes the authorization code to the authorization server and requests a token; the return value carries the Access Token (and the Refresh Token).

The authorization process is now complete; next the client can use the Access Token to fetch resources from the server.

Refreshing the token

An Access Token generally has an expiry time. If the client's access token has already expired when it accesses a resource, the client must use the "refresh token" to apply for a new access token. The inputs are grantType, refreshToken and scope.
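The rules stated in step C (a code is short-lived, single-use, and bound to client_id and redirect_uri), the token exchange in step D, and the refresh step in this section, implemented as a toy token endpoint in Python. This is an added example, not the post's own code or Alibaba Cloud's API. Assumptions: the access-token lifetime, the FakeClock helper, refresh-token rotation, and the parameter names grant_type and refresh_token (the RFC 6749 spelling rather than the camelCase names used above).

```python
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME = 600            # codes are valid for about 10 minutes, as the post says
ACCESS_TOKEN_LIFETIME = 3600   # constructed value for the example


class FakeClock:
    """Adjustable clock so the example can move time forward without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    scope: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}            # code -> IssuedCode
        self.refresh_tokens = {}   # refresh token -> (client_id, scope)
        self.access_tokens = {}    # access token -> expiry time

    def issue_code(self, client_id: str, redirect_uri: str, scope: str) -> str:
        """Step C: mint a short-lived, single-use code bound to this client and redirect URI."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, scope, self.clock())
        return code

    def token(self, params: dict) -> dict:
        """Token endpoint for step D and for refreshing, dispatched on grant_type."""
        grant = params.get("grant_type")
        if grant == "authorization_code":
            return self._exchange_code(params)
        if grant == "refresh_token":
            return self._refresh(params)
        return {"error": "unsupported_grant_type"}

    def _exchange_code(self, params: dict) -> dict:
        rec = self.codes.get(params.get("code", ""))
        if rec is None or rec.used:
            return {"error": "invalid_grant"}   # unknown code, or a second use
        rec.used = True                          # consumed even if the checks below fail
        if self.clock() - rec.issued_at > CODE_LIFETIME:
            return {"error": "invalid_grant"}   # code expired
        if rec.client_id != params.get("client_id") or rec.redirect_uri != params.get("redirect_uri"):
            return {"error": "invalid_grant"}   # must match the original request exactly
        return self._issue_tokens(rec.client_id, rec.scope)

    def _refresh(self, params: dict) -> dict:
        token = params.get("refresh_token", "")
        entry = self.refresh_tokens.get(token)
        if entry is None or entry[0] != params.get("client_id"):
            return {"error": "invalid_grant"}
        client_id, granted_scope = entry
        requested = params.get("scope", granted_scope)
        # A refresh may narrow the scope but never widen it beyond what the user granted.
        if not set(requested.split()) <= set(granted_scope.split()):
            return {"error": "invalid_scope"}
        del self.refresh_tokens[token]           # rotation: the old refresh token dies here
        return self._issue_tokens(client_id, requested)

    def _issue_tokens(self, client_id: str, scope: str) -> dict:
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = self.clock() + ACCESS_TOKEN_LIFETIME
        self.refresh_tokens[refresh] = (client_id, scope)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME, "refresh_token": refresh, "scope": scope}

    def access_token_valid(self, token: str) -> bool:
        """What the resource server checks before serving a request."""
        expiry = self.access_tokens.get(token)
        return expiry is not None and self.clock() < expiry


if __name__ == "__main__":
    clock = FakeClock()
    server = AuthorizationServer(clock)
    code = server.issue_code("example-client-id", "https://app.example.com/callback", "user:email")
    first = server.token({"grant_type": "authorization_code", "code": code,
                          "client_id": "example-client-id",
                          "redirect_uri": "https://app.example.com/callback"})
    print("exchange:", first)
    clock.now += ACCESS_TOKEN_LIFETIME + 1
    print("access token still valid after expiry?", server.access_token_valid(first["access_token"]))
    print("refresh:", server.token({"grant_type": "refresh_token",
                                    "refresh_token": first["refresh_token"],
                                    "client_id": "example-client-id"}))
```

Marking the code as used before the expiry and binding checks means a code that fails any check is gone for good, which is the behaviour the post describes (one use, otherwise rejected). Rotating the refresh token on every use is optional in RFC 6749 but is the common hardening choice, since a leaked refresh token then stops working as soon as the legitimate client refreshes.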

Copyright notice
This article was written by [Nagging program dog]; when reposting, please include a link to the original. Thanks.
https://yzsam.com/2022/176/202206250535384887.html