What is OAuth 2.0
Summarizing oauth.net's description: OAuth 2.0 is the successor to the OAuth 1.0 protocol and simplifies delegated authorization across web, desktop and mobile platforms. Note that it is an authorization framework: it lets a third-party application obtain limited access to a user's resources, and by itself it does not authenticate the user.
The framework is specified in RFC 6749 (the core) and RFC 6750 (bearer token usage).
Uses of OAuth 2.0
The main uses of OAuth 2.0 are:
- Account access: let users sign in to a third-party application with an account they already have, which lowers the cost of user login and means the third party never handles the user's password
- Resource access: grant an application limited, revocable access to a user's resources (a defined scope), so the resource server can check that each request is valid and authorized before processing it
General flow of OAuth 2.0
- A client, such as a web service, needs access to a user's resources for some business purpose and requests authorization from the user (the resource owner), typically by redirecting the user to the authorization server
- The user approves the request, and the authorization server hands the client an intermediate credential (an authorization code in the authorization code grant)
- The client presents this credential to the authorization server's token endpoint, authenticating itself where it can, and asks for an access token
- The authorization server validates the request (client identity, that the code was issued to this client and redirect URI, that it is unexpired and has not been used) and issues an access token
- The client sends this access token to the resource server with each request for a protected resource
- The resource server verifies the token's validity and its permission scope, and then releases the resource
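The six steps above, as an added example that is not part of the original article: an in-memory simulation of the authorization code flow with the authorization server, the resource server and the client as plain Python. The client id and secret, the callback URL and the "profile" scope are made up for the example; the checks (exact redirect URI matching, single-use codes bound to the client, client authentication at the token endpoint, expiry, scope, and the state parameter) follow RFC 6749 sections 4.1 and 10.

```python
# Added example, not the article's code; names, URLs and secrets are made up.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_URI = "https://app.example/cb"          # assumed registered redirect URI
CLIENTS = {"web-app": ("s3cret", REDIRECT_URI)}  # client_id -> (secret, redirect_uri)


class AuthorizationServer:
    CODE_LIFETIME, TOKEN_LIFETIME = 600, 3600    # RFC 6749 4.1.2: codes live <= 10 min

    def __init__(self, clients):
        self.clients = clients
        self.codes = {}      # authorization code -> issuance record (single use)
        self.tokens = {}     # access token -> {scope, user, exp}

    def authorize(self, params, user, user_consents):
        # Steps 1-2 (authorization endpoint): returns the redirect back to the client
        registered = self.clients.get(params.get("client_id"))
        if registered is None:
            raise ValueError("unknown client")
        # RFC 6749 3.1.2.2: the redirect URI must match the registered one exactly
        if params.get("redirect_uri") != registered[1]:
            raise ValueError("redirect_uri mismatch")
        if not user_consents:
            return registered[1] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": registered[1],
                            "scope": params.get("scope", ""), "user": user,
                            "exp": time.time() + self.CODE_LIFETIME}
        # state is echoed back unchanged so the client can detect CSRF (RFC 6749 10.12)
        return registered[1] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form, client_id, client_secret):
        # Steps 3-4 (token endpoint): authenticate the client, trade the code for a token
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(form.get("code"), None)       # pop: a code is usable once
        if (entry is None or entry["exp"] < time.time() or entry["client_id"] != client_id
                or entry["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"scope": entry["scope"], "user": entry["user"],
                                     "exp": time.time() + self.TOKEN_LIFETIME}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": self.TOKEN_LIFETIME, "scope": entry["scope"]}


def get_profile(tokens, authorization_header):
    # Steps 5-6 (resource server): check the token and its scope, then release the data.
    # tokens is the store shared with the authorization server in this example.
    scheme, _, token = authorization_header.partition(" ")
    entry = tokens.get(token) if scheme == "Bearer" else None
    if entry is None or entry["exp"] < time.time():
        raise PermissionError("invalid_token")
    if "profile" not in entry["scope"].split():
        raise PermissionError("insufficient_scope")
    return {"user": entry["user"]}


def run_flow(user_consents=True):
    """Drive one complete flow as the client: returns the profile read from the
    resource server, or the error name if the user declined."""
    auth = AuthorizationServer(CLIENTS)
    state = secrets.token_urlsafe(16)
    redirect = auth.authorize({"response_type": "code", "client_id": "web-app",
                               "redirect_uri": REDIRECT_URI, "scope": "profile",
                               "state": state}, user="alice", user_consents=user_consents)
    qs = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if qs.get("state") != state:                 # client-side CSRF check on the callback
        raise ValueError("state mismatch")
    if "error" in qs:
        return qs["error"]
    tok = auth.token({"grant_type": "authorization_code", "code": qs["code"],
                      "redirect_uri": REDIRECT_URI}, "web-app", "s3cret")
    return get_profile(auth.tokens, "Bearer " + tok["access_token"])


def code_is_single_use():
    """A replayed authorization code must be rejected (RFC 6749 4.1.2)."""
    auth = AuthorizationServer(CLIENTS)
    redirect = auth.authorize({"client_id": "web-app", "redirect_uri": REDIRECT_URI,
                               "scope": "profile", "state": "x"}, "alice", True)
    form = {"grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
            "code": parse_qs(urlparse(redirect).query)["code"][0]}
    auth.token(form, "web-app", "s3cret")
    try:
        auth.token(form, "web-app", "s3cret")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow(), run_flow(False), code_is_single_use())
```

The point to notice is where each check lives: the authorization server never trusts the redirect URI or the code it receives back, the client never trusts a callback whose state it did not issue, and the resource server checks scope, not just token validity. Real deployments keep the token store behind introspection or self-contained tokens rather than sharing a dict, and public clients add PKCE on top of this flow.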
OAuth 2.0 authorization modes (grant types)
RFC 6749 defines four main grant types:
- Authorization code grant (Authorization Code Grant): generally used by web server applications, or by any application that can open a browser; the whole authorization flow is carried out through a series of browser redirects between the client and the authorization server. This grant is supported by the vast majority of platforms
- Implicit grant (Implicit Grant): generally used by browser-based JavaScript applications and, at the time, by desktop and mobile applications. Its security is lower than the authorization code grant: the access token is returned directly in the redirect URI fragment without a code exchange, so it is exposed to the user agent and at risk of being intercepted
- Resource owner password credentials grant (Resource Owner Password Credentials Grant): the client collects the user's username and password and exchanges them directly for an access token; only appropriate for highly trusted clients
- Client credentials grant (Client Credentials Grant): the client authenticates with its own credentials to obtain a token for resources it controls, with no user involved
Beyond these four, the framework allows extension grants; one example is the SAML 2.0 bearer assertion grant of RFC 7522, published in May 2015
Types of OAuth 2.0 access tokens (token types)
For now there are two main token types used with OAuth 2.0:
- Bearer type (Bearer Token): defined in RFC 6750; this is the type nearly every platform implements
- Message authentication type (MAC Token, Message Authentication Code token): specified only in IETF drafts that were never finalized, and rarely deployed
Bearer tokens
A bearer token is a token that grants access to whoever presents it (the "bearer"): the resource server does not check who is holding the token, so the client simply obtains a token and sends it along, and anyone else who captures that token can use it in exactly the same way. This is why bearer tokens must only be transported over TLS.
When accessing resources, the token is presented in one of three forms:
- In the Authorization request header with the Bearer scheme, i.e. Authorization: Bearer **** (note the space between the scheme and the token). This is the recommended form
- As access_token=**** in the query string of a GET request; RFC 6750 discourages this form because URLs end up in browser history, server logs and Referer headers
- As access_token=**** in an application/x-www-form-urlencoded request body (usually POST)
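A resource server must accept the three forms above and reject requests that use more than one of them. The following is an added example, not code from the article: a parser for the three presentation forms of RFC 6750 section 2 together with the WWW-Authenticate challenge of section 3. The requests at the bottom are constructed sample input, and the realm name "api" is made up.

```python
# Added example, not the article's code; sample requests below are constructed.
import re
from urllib.parse import parse_qs

# RFC 6750 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


def extract_bearer_token(method, headers, query_string="", body="", content_type=""):
    """Return the token presented in the request (headers has lower-cased keys).
    Raises ValueError carrying the RFC 6750 error code when the request is bad."""
    found = []
    auth = headers.get("authorization")
    if auth is not None:
        scheme, _, credentials = auth.strip().partition(" ")
        if scheme.lower() == "bearer":             # scheme names are case-insensitive
            credentials = credentials.strip()
            if not B64TOKEN.match(credentials):
                raise ValueError("invalid_request")
            found.append(credentials)
    # 2.3: URI query parameter; allowed but discouraged (URLs leak via logs and Referer)
    if query_string:
        values = parse_qs(query_string).get("access_token", [])
        if len(values) > 1:
            raise ValueError("invalid_request")
        found.extend(values)
    # 2.2: form-encoded body parameter; only for a single-part form body, never on GET
    if (body and method.upper() != "GET"
            and content_type.split(";")[0].strip().lower() == "application/x-www-form-urlencoded"):
        values = parse_qs(body).get("access_token", [])
        if len(values) > 1:
            raise ValueError("invalid_request")
        found.extend(values)
    if len(found) > 1:                             # 2: clients MUST NOT use more than one method
        raise ValueError("invalid_request")
    if not found:
        raise ValueError("missing_token")          # 3.1: answer 401 with a bare challenge
    return found[0]


def www_authenticate(realm, error=None, description=None):
    """Build the WWW-Authenticate challenge for a 401/400 response (RFC 6750 3)."""
    parts = [f'realm="{realm}"']
    if error:
        parts.append(f'error="{error}"')
        if description:
            parts.append(f'error_description="{description}"')
    return "Bearer " + ", ".join(parts)


def handle(method, headers, query_string="", body="", content_type=""):
    """Simulate the resource server's decision for one request: (status, token or challenge)."""
    try:
        return 200, extract_bearer_token(method, headers, query_string, body, content_type)
    except ValueError as e:
        if e.args[0] == "missing_token":
            return 401, www_authenticate("api")
        return 400, www_authenticate("api", e.args[0], "bad token presentation")


# Constructed sample requests: one per presentation form, plus two invalid ones
SAMPLES = {
    "header": ("GET", {"authorization": "Bearer mF_9.B5f-4.1JqM"}, "", "", ""),
    "query": ("GET", {}, "access_token=mF_9.B5f-4.1JqM&size=large", "", ""),
    "body": ("POST", {"content-type": "application/x-www-form-urlencoded"}, "",
             "access_token=mF_9.B5f-4.1JqM", "application/x-www-form-urlencoded"),
    "two_methods": ("GET", {"authorization": "Bearer mF_9.B5f-4.1JqM"},
                    "access_token=other", "", ""),
    "none": ("GET", {}, "", "", ""),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(name, handle(*request))
```

Two details matter in practice: a request with no token gets a 401 and a challenge without an error code (RFC 6750 3.1), while a malformed or doubled presentation is a client error, and the body form is only honoured when the Content-Type really is a single-part form, so a JSON body containing access_token is ignored.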
Message-authenticated tokens
MAC tokens are not encrypted; instead, every request is signed. The authorization server issues the client a token identifier together with a secret MAC key. For each request the client builds a normalized string from the request (nonce, HTTP method, request URI, host, port and so on), computes HMAC-SHA1 or HMAC-SHA256 over it with the key, Base64-encodes the result, and places the identifier, nonce and MAC in the Authorization header under the MAC scheme, for example Authorization: MAC id="H480djs93hd8", nonce="274312:dj83hs9s", mac="kdzvddkndxvhgrxzhvudjewhgee=". The resource server recomputes the MAC with its own copy of the key, so a captured header cannot be reused for a different request, and a fresh nonce per request lets the server reject replays. The exact rules for the normalized string vary between the drafts and between platforms
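As an added example (not code from the article), the signing and verification described above. The layout of the normalized request string (nonce, method, request URI, host, port, ext, each newline-terminated) is assumed to follow the early MAC token drafts; as the article says, platforms differ, so treat that layout and the key, identifier and URL below as assumptions for the example. The verifier also tracks nonces so a replayed header is rejected.

```python
# Added example, not the article's code; key, id, URL and string layout are assumed.
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

ALGORITHMS = {"hmac-sha-1": hashlib.sha1, "hmac-sha-256": hashlib.sha256}
HEADER_PARAM = re.compile(r'(\w+)="([^"]*)"')


def normalized_request(nonce, method, url, ext=""):
    """Canonical form of the request that both sides MAC over (assumed layout)."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    request_uri = (u.path or "/") + ("?" + u.query if u.query else "")
    return "\n".join([nonce, method.upper(), request_uri, u.hostname.lower(),
                      str(port), ext]) + "\n"


def compute_mac(key, algorithm, nonce, method, url, ext=""):
    """Base64(HMAC(key, normalized request)) with the negotiated algorithm."""
    digest = hmac.new(key.encode(), normalized_request(nonce, method, url, ext).encode(),
                      ALGORITHMS[algorithm]).digest()
    return base64.b64encode(digest).decode()


def sign_request(mac_id, key, algorithm, nonce, method, url, ext=""):
    """Client side: build the Authorization header for one request."""
    mac = compute_mac(key, algorithm, nonce, method, url, ext)
    header = f'MAC id="{mac_id}", nonce="{nonce}", mac="{mac}"'
    return header + (f', ext="{ext}"' if ext else "")


class MacVerifier:
    """Resource server side: holds the MAC credentials the AS issued."""

    def __init__(self, credentials):
        self.credentials = credentials   # mac_id -> (key, algorithm)
        self.seen_nonces = set()         # (mac_id, nonce) pairs already accepted

    def verify(self, authorization_header, method, url):
        scheme, _, params = authorization_header.partition(" ")
        p = dict(HEADER_PARAM.findall(params)) if scheme == "MAC" else {}
        cred = self.credentials.get(p.get("id"))
        if cred is None or "nonce" not in p or "mac" not in p:
            return False
        if (p["id"], p["nonce"]) in self.seen_nonces:    # same header replayed
            return False
        key, algorithm = cred
        # Recompute over the request actually received, not over anything the client sent
        expected = compute_mac(key, algorithm, p["nonce"], method, url, p.get("ext", ""))
        if not hmac.compare_digest(expected, p["mac"]):  # constant-time comparison
            return False
        self.seen_nonces.add((p["id"], p["nonce"]))
        return True


def demo():
    """Returns three verdicts: a fresh request, the same header replayed, and
    the same header sent to a different URI. Expected: (True, False, False)."""
    creds = {"h480djs93hd8": ("489dks293j39", "hmac-sha-256")}
    url = "https://resource.example/api/photos?size=large"
    header = sign_request("h480djs93hd8", "489dks293j39", "hmac-sha-256",
                          "274312:dj83hs9s", "GET", url)
    verifier = MacVerifier(creds)
    fresh = verifier.verify(header, "GET", url)
    replay = verifier.verify(header, "GET", url)
    moved = MacVerifier(creds).verify(header, "GET", "https://resource.example/api/admin")
    return fresh, replay, moved


if __name__ == "__main__":
    print(demo())
```

This is the property that distinguishes a MAC token from a bearer token: the secret key never leaves the client, and the header only authorizes the one request it was computed for. The trade-off is that both sides must agree exactly on the normalization, which is where the platform-specific rules come from.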
More secure OAuth 2.0
Although OAuth 2.0 is reasonably secure in itself, it trades some security for convenience in places (bearer tokens, the implicit grant, the password grant). RFC 6819 catalogs the threats against each step of the flow and the corresponding countermeasures: validating redirect URIs exactly, binding the authorization code to the client and allowing it to be used only once, using the state parameter against CSRF, keeping tokens short-lived and scoped, and transporting tokens only over TLS.
References
- RFC 6749, The OAuth 2.0 Authorization Framework
- RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage
- RFC 6819, OAuth 2.0 Threat Model and Security Considerations
- RFC 7522, SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
- oauth.net
Translated from: A simple understanding of OAuth 2