
SSO and oauth2 solutions

2022-06-22 01:05:00 Cliven_

1. SSO And OAuth2

Single sign-on (SSO): simply put, a design idea for a system in which, after logging in to one system, the user does not have to log in again to the other systems. One of the better-known implementations is the CAS system.

OAuth2: an open standard. It constrains how a user can allow a third-party application to access the user's resources in another application without handing over the user name and password. In short, it is a relatively standardized process for third-party application authentication and access to user resources.

SSO and OAuth2 are not comparable: SSO is a design idea, while OAuth2 is a protocol for authentication and authorization of specific resources.

We can design a mechanism that realizes a single sign-on system while using the OAuth2 protocol for user authentication.

2. Combining the two

The design idea of single sign-on is as follows:

(figure: single sign-on design)

Simply put, one account logs in and can access all connected systems; once users have authenticated to the single sign-on system, they do not need to authenticate again to access the other applications.

The authorization code mode of OAuth2 provides a relatively secure way to access user resources. In this mode the user jumps via a link from the application system to the login system, authenticates and authorizes there, and the application system then obtains the user information with a token. If you are unfamiliar with OAuth, refer to "Understanding OAuth 2.0" by Ruan Yifeng [1].

RFC6749 

1.2.  Protocol Flow

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

4.1 Authorization Code Grant

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

Usually we put the authentication service and the resource service together. If we draw the above process as a sequence diagram, it looks like this:

(figure: sequence diagram of the authorization code flow with the authentication and resource services combined)

Under the OAuth2 protocol the user generally first visits the login page of the target application system and jumps via a link on that page to the authentication server to authenticate and authorize. To integrate with the system, the application only needs to provide a standard callback endpoint to complete the OAuth integration.

But this approach has a problem: the user has to go through the entire OAuth2 flow for every application they access, so accessing multiple systems means authenticating to the OAuth2 authentication service many times.

To achieve the single sign-on idea of logging in once and accessing everything, we need to adjust some of the OAuth2 process. The requirements are as follows:

  1. Users log in only to the single sign-on service; they no longer need to log in to the other applications individually.
  2. After logging in, the user accesses an application through a link on the single sign-on service page, with no re-authentication required.
  3. The application system only needs to integrate with the single sign-on system according to the standard OAuth2 protocol.

The adjusted single sign-on sequence integrated with OAuth2 is as follows:

(figure: adjusted single sign-on sequence)

  1. The user logs in to the SSO system, not to the application system.
  2. After authentication, the user enters the system list, which displays the integrated applications.
  3. When the user clicks an application, the SSO system, using the callback address provided when the application was registered, returns a redirect carrying an authorization code according to the OAuth2 protocol.
  4. The browser redirects to the application system's standard OAuth2 endpoint; the rest of the process is consistent with the OAuth2 protocol.

The scheme only requires careful design of the SSO system's authentication, user session management, and the 301 redirect process when jumping to an application; everything else corresponds to OAuth2.
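The adjusted flow in steps 1 to 4 above, written out as an added in-memory Python sketch of the SSO side; this is not code from the original post. The application names, secrets and callback URIs are constructed sample values. The redirect is built from the callback registered for the application, and the authorization code is checked for client binding, expiry and single use before the token endpoint issues an access token.

```python
import secrets
import time
from urllib.parse import urlencode
# Constructed sample registrations: each docked application and the callback URI it registered.
REGISTERED_APPS = {
    "crm": {"secret": "crm-secret", "redirect_uri": "https://crm.example.test/oauth2/callback"},
    "wiki": {"secret": "wiki-secret", "redirect_uri": "https://wiki.example.test/oauth2/callback"},
}
CODE_TTL_SECONDS = 60   # authorization codes are short-lived (RFC 6749 section 4.1.2)
_sessions = {}          # SSO session id -> user name, populated at SSO login
_codes = {}             # authorization code -> {client_id, user, expires, used}
_tokens = {}            # access token -> {client_id, user}

def sso_login(user):
    """Step 1: the user authenticates to the SSO system itself, not to an application."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = user
    return sid

def app_click_redirect(sid, client_id):
    """Step 3: the user clicks an application in the list; the SSO system answers with
    a redirect to that application's registered callback carrying an authorization code."""
    user = _sessions.get(sid)
    if user is None:
        raise PermissionError("no SSO session: the user must log in first")
    app = REGISTERED_APPS.get(client_id)
    if app is None:
        raise ValueError("unknown client_id")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "user": user,
                    "expires": time.time() + CODE_TTL_SECONDS, "used": False}
    # The redirect target comes from the registration record, never from the request.
    return app["redirect_uri"] + "?" + urlencode({"code": code})

def token_endpoint(client_id, client_secret, code):
    """Step 4: the application's standard OAuth2 side exchanges the code for a token."""
    app = REGISTERED_APPS.get(client_id)
    if app is None or not secrets.compare_digest(app["secret"], client_secret):
        return {"error": "invalid_client"}
    rec = _codes.get(code)
    if rec is None or rec["used"] or rec["expires"] < time.time() or rec["client_id"] != client_id:
        return {"error": "invalid_grant"}  # unknown, replayed, expired, or issued to another client
    rec["used"] = True                     # codes are single use (RFC 6749 section 4.1.2)
    token = secrets.token_urlsafe(32)
    _tokens[token] = {"client_id": client_id, "user": rec["user"]}
    return {"access_token": token, "token_type": "Bearer"}

def userinfo(token):
    """Resource side: the application looks up the user identity with the access token."""
    return _tokens.get(token, {})
```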

Applications already integrated via OAuth2 require no adjustment under this process, and a newly integrated application system only needs to provide the standard callback endpoint required by the OAuth2 protocol to complete the OAuth integration, so compatibility is high.

References

[1] Ruan Yifeng. Understanding OAuth 2.0. 2014-05. https://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html
[2] IETF. RFC 6749: The OAuth 2.0 Authorization Framework. 2012-10. https://datatracker.ietf.org/doc/html/rfc6749#section-4.1

Original site: https://yzsam.com/2022/173/202206212358307523.html

Copyright notice: this article was written by [Cliven_]; please include a link to the original when reposting. Thanks.