Experience OAuth2.0's design concept from the Baidu Cloud Platform

Source: Internet
Author: User

Baidu Cloud Platform adopts the OAuth2.0 open authorization standard: a third-party application can access the private data a user stores on the server without obtaining the user's account name and password. The most common mode is Authorization Code authorization. Developing an application for the Baidu Cloud Platform is a practical way to experience the OAuth2.0 design concept.

You first need to create an app. On the server side, the application is the principal that makes API calls: regardless of which process or which IP address issues a call, as long as it is issued in the name of the same application, the server treats it the same. Concretely, an app's authentication information is a pair of client_id and client_secret, which are to the app what an account name and password are to a user.

The server typically offers several sets of APIs with different functions, and an application A must apply for call permission for each set it needs (in practice the application explains its intended use, call frequency and similar information for the server side to review). Once approved, application A holds call permission for that set of APIs.

Further, when application A needs to access private data that user B has stored on the server, user B's authorization is also required. Specifically, application A directs user B to a URL on the server; this URL carries application A's client_id as a parameter. The page user B sees shows application A's authorization request, and B must enter an account name and password to log in and grant the authorization (Login & Authorization) to A.

After user B authorizes, the server generates an authorization code and returns it to application A, which exchanges the code for an access token from the server; this concludes the authorization. From then on the app simply attaches this token to each API call (as a URL parameter or an HTTP header).

As the authorization process shows, an access token uniquely corresponds to one app and one user. The token corresponding to an application means that the server can determine, from the token attached to an API call, which application issued the call, and hence whether that application has call permission for the API. The token corresponding to a user means that the server can determine which user's data the API call is going to access. The token corresponding to an application plus a user means that the server can determine whether this API call is allowed to access that user's private data. Therefore, once the access token has been generated, simply attaching it to an API call confirms the three important pieces of information in the call: the principal (application identity, API call permission), the object (user identity, data accessed) and the relationship (access right).
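The whole flow above, as an added Python example that is not Baidu's code: an in-memory AuthServer plays the server side (app registration, per-API permission approval, the user's login-and-authorize page, the code exchange and the token-checked API call), and run_demo() plays application A and user B. The endpoint URL, the API names files.list and profile.get, the sample account and all credentials are constructed placeholders; redirect-URI validation and token expiry, which a real server also performs, are omitted.

```python
"""Constructed simulation of the OAuth 2.0 authorization-code flow described
above.  Not Baidu's code: endpoint URL, API names and accounts are placeholders."""
import secrets
import urllib.parse

AUTHORIZE_ENDPOINT = "https://auth.example.invalid/oauth/authorize"  # assumed placeholder

# Constructed API sets: each handler reads one part of a user's private data.
API_HANDLERS = {
    "files.list": lambda data: list(data["files"]),
    "profile.get": lambda data: dict(data["profile"]),
}


class AuthServer:
    """Server side: app credentials, per-app API permissions, users, codes and tokens."""

    def __init__(self):
        self.apps = {}       # client_id -> {"secret": str, "apis": set of API names}
        self.users = {}      # username -> password (constructed sample accounts)
        self.user_data = {}  # username -> private data stored on the server
        self.codes = {}      # authorization code -> (client_id, username); single use
        self.tokens = {}     # access token -> (client_id, username)

    def add_user(self, username, password, data):
        self.users[username] = password
        self.user_data[username] = data

    # Creating an app yields its client_id / client_secret, the app's "account and password".
    def register_app(self):
        client_id = "app-" + secrets.token_hex(4)
        client_secret = secrets.token_urlsafe(24)
        self.apps[client_id] = {"secret": client_secret, "apis": set()}
        return client_id, client_secret

    # The server side approves the app for one API set after reviewing its request.
    def grant_api_permission(self, client_id, api_name):
        self.apps[client_id]["apis"].add(api_name)

    # The app sends the user to this URL; it carries the app's client_id as a parameter.
    def authorize_url(self, client_id):
        query = urllib.parse.urlencode({"response_type": "code", "client_id": client_id})
        return AUTHORIZE_ENDPOINT + "?" + query

    # On that page the user logs in and authorizes the app; the server issues a code.
    def login_and_authorize(self, client_id, username, password):
        if client_id not in self.apps:
            raise PermissionError("unknown client_id")
        if self.users.get(username) != password:
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username)
        return code

    # The app exchanges the code, together with its own credentials, for an access token.
    def exchange_code(self, client_id, client_secret, code):
        app = self.apps.get(client_id)
        if app is None or not secrets.compare_digest(app["secret"], client_secret):
            raise PermissionError("bad client credentials")
        owner = self.codes.pop(code, None)  # single use: a replayed code is refused
        if owner is None or owner[0] != client_id:
            raise PermissionError("invalid authorization code for this app")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = owner  # the token is bound to exactly one (app, user) pair
        return token

    # Each API call carries only the token; the server recovers all three facts from it.
    def call_api(self, api_name, token):
        owner = self.tokens.get(token)
        if owner is None:
            raise PermissionError("unknown token")
        client_id, username = owner  # principal (app) and object (user)
        if api_name not in self.apps[client_id]["apis"]:
            raise PermissionError(f"{client_id} lacks permission for {api_name}")
        # The token itself records the relationship: this user authorized this app.
        return API_HANDLERS[api_name](self.user_data[username])


def denied(fn, *args):
    """Return the refusal reason for a call that must fail, or None if it succeeded."""
    try:
        fn(*args)
    except PermissionError as exc:
        return str(exc)
    return None


def run_demo():
    """Walk application A and user B through the whole flow; returns what each step yields."""
    server = AuthServer()
    server.add_user("user_b", "pw-b-constructed",
                    {"files": ["notes.txt", "photo.jpg"], "profile": {"name": "B"}})
    client_id, client_secret = server.register_app()
    server.grant_api_permission(client_id, "files.list")  # approved for files, not profile
    url = server.authorize_url(client_id)
    code = server.login_and_authorize(client_id, "user_b", "pw-b-constructed")
    token = server.exchange_code(client_id, client_secret, code)
    return {
        "url": url,
        "files": server.call_api("files.list", token),
        "unapproved_api": denied(server.call_api, "profile.get", token),
        "replayed_code": denied(server.exchange_code, client_id, client_secret, code),
        "bogus_token": denied(server.call_api, "files.list", "not-a-token"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that call_api refuses profile.get even though user B authorized the app, because the app was only approved for files.list: the token settles which application is calling and whose data is targeted, but the app's API call permission is still checked separately, exactly the three pieces of information the text lists.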
