Compared with Oauth1.0, Oauth2.0 simplifies the process, and improves security through HTTPS and restricted callback addresses. However, the implementation of Oauth2.0 by Internet companies does not fully comply with Oauth2.0 standards. So there will be some problems. For example, a non-strict callback address limit may cause problems.
The detailed steps are as follows: 1. In combination with the revoke grant mode, you only need client_id and redirect_uri to complete the account authorization process, in this way, the obtained access_token is returned to the redirect_uri page 4. Construct the following URL: http://openapi.baidu.com/oauth/2.0/authorize? Scope = super_msg & response_type = token & client_id = RCKbWANx8KewnXs9rwGWFtZV & redirect_uri = http://lvtu.qunar.com/mobile_ugc/web/album.htm? AlbumId = 4228 client_id: qunar Baidu app IDredirect_uri is the callback address after obtaining access_token response_type = token is the permission applied for in the Implicit grant authorization mode. 5. You can send this address to others. entice others to connect, the most convenient use is to combine click hijacking to allow users to complete the authorization process. In this way, the user's access_token6 is hijacked, and the obtained token can be operated on by the api interface (Baidu's api is poor ).
The following figure shows the hijacking. Solution:
1. It is best to strictly restrict redirect_uri. I know it is very difficult. 2. You can add clickjacking code on the Authorization page to reduce risks.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
