From Password to Token: A Story About Authorization
Reprinted from the WeChat public account "码农翻身" (Ma Nong Fan Shen)
Author: Liu Xin
1. I'll entrust my password to you
Xiao Liang wrote a "Credit Card Butler" program that automatically reads credit-card related emails from a mailbox, analyzes and summarizes them, and produces a report.
Xiao Liang went to find Zhang Dapang, the credit card expert, to try it out: "You have so many credit cards; try my program. It categorizes everything, you'll love it."
Zhang tried it a bit and said: "Hey, for this program to read my NetEase mailbox, it needs my username and password."
"Yes, just enter your password into the program. My program encrypts and stores it for you, and I guarantee it won't leak."
"Come on, I'm not telling you my password. To make it easy to remember, I use the same password everywhere; if it leaks, I'm finished."
Xiao Liang said: "Then I won't save it. I'll use it once to access the mailbox and throw it away afterwards."
"You think you're Alibaba? They have credibility behind them. You're just a small website; giving you my password never feels safe. Even if I trust you, how can anyone else trust you?"
Xiao Liang thought about it and had to agree: this is a huge psychological barrier; everyone guards their own password.
2. Token
A week later, Xiao Liang excitedly brought Zhang Dapang to see the upgraded "Credit Card Butler".
"Upgraded to 2.0! This time I don't ask for your NetEase mailbox username and password at all."
"Then how do you access my mailbox?"
"Very simple. I provide a new entry point: 'Log in with your NetEase account'. When you click it, you are actually redirected to NetEase's authentication system to log in. NetEase's authentication system asks you for your username and password and asks whether you allow Credit Card Butler to access your NetEase mailbox. After you confirm, it redirects back to my Credit Card Butler website, bringing a 'token' along with it. I can then use this token to access your NetEase mailbox through the API. In the whole process I never touch your username and password. How's that, satisfied?"
"Easy for you to say. Your Credit Card Butler is a small, unknown website; why would NetEase trust it?"
"Of course I have to register with NetEase first. They give me an app_id and an app_secret, and when I redirect to NetEase I send these along, so NetEase knows it is the 'Credit Card Butler' application requesting authorization."
[Diagram: the 2.0 token flow]
Zhang Dapang said: "All this redirecting back and forth is really just to get a token, isn't it?"
"Yes. Because you don't trust my Credit Card Butler and won't let it save your password, I have to use the token approach. The token is issued by NetEase's authentication center and actually represents your authorization for Credit Card Butler to access your mailbox, so with this token I can access your mailbox."
"Right," asked Zhang Dapang, "why do you use JavaScript to read the token?"
"So that my back-end server isn't involved; the work is done entirely on the front end. Notice the # in that URL: www.a.com/callback#token=<token returned by NetEase>"
Zhang Dapang said: "I know, that's called a hash fragment. It stays on the browser side, only JavaScript can access it, and it is not sent to the server in an HTTP request. I suppose that's to improve security."
Xiao Liang said: "Yes, that token is very, very important; it must be stored properly and never leaked."
"But in step 6, the redirect sends this token to my browser in plaintext. Even over HTTPS, where others can't steal it in transit, it can still be found in the browser history or in access logs, so isn't it exposed?"
Xiao Liang said: "Hmm... I must say, your security awareness is strong. Let me think about whether there's a safer way."
3. Authorization Code + Token
A week later, Xiao Liang successfully upgraded Credit Card Butler to 3.0.
He said to Zhang Dapang: "This time I've managed to hide that all-important authorization token. Want to see?"
"First tell me how you hid it."
"Actually the overall idea is similar to before, but I introduced a middle layer called the authorization code. When you log in with your NetEase account, NetEase's authentication center doesn't give me the token directly this time; instead it sends an authorization code. My Credit Card Butler server takes this code and, in the background, visits NetEase's authentication center again, and this time it sends me the real token. Or just look at the diagram:"
[Diagram: the 3.0 authorization code flow]
Zhang Dapang said: "That's easy enough to understand. Essentially, your server takes the returned authorization code and 'secretly' completes the process of applying for the token in the background, so the browser never touches the token, right?"
"What do you mean 'secretly'? This is normal communication between my Credit Card Butler server and NetEase; you just can't see it."
"Just kidding. Although you've hidden the token, this authorization code is exposed. Look at step 7: I can see it in the browser. If someone got hold of it, couldn't they get the token too?"
Xiao Liang said: "There are definitely defensive measures. For example, this authorization code is associated with my Credit Card Butler's app_id and app_secret; only a token request issued by Credit Card Butler is considered legitimate by NetEase's authentication center. The authorization code can also be given a time limit, say it expires after 5 minutes, and an authorization code can be exchanged for a token only once; a second attempt fails."
"Sounds good. OK, this time I can use it with confidence."
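The three defences Xiao Liang lists (the code is bound to the app's app_id and app_secret, it expires after a short time, and it can be redeemed only once) are easy to model. The following is an added example, not code from the article: a toy authorization server and client in Python. The class names NetEaseAuthCenter and CreditCardButler, the credentials and the clock are all made up, and the "network" is a direct method call. It shows why a code glimpsed in the browser in step 7 does not, on its own, yield a token.

```python
"""Toy model of the authorization code exchange (added example, not the article's code).
All names and secrets below are invented for illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME_SECONDS = 300  # the "5 minutes" from the story


@dataclass
class AuthCode:
    client_id: str    # which registered app the code was issued to
    user: str         # which resource owner granted it
    issued_at: float  # for the expiry check
    used: bool = False


class NetEaseAuthCenter:
    """Stand-in for the authorization server (the authentication center in the story)."""

    def __init__(self, clock=time.time):
        self.clock = clock                 # injectable so expiry can be demonstrated offline
        self.registered_clients = {}       # app_id -> app_secret
        self.codes = {}                    # code -> AuthCode
        self.tokens = {}                   # token -> (user, client_id)

    def register_client(self, app_id, app_secret):
        self.registered_clients[app_id] = app_secret

    def authorize(self, user, app_id):
        """The user has logged in and consented: issue a short-lived code, not a token."""
        if app_id not in self.registered_clients:
            raise PermissionError("unknown app_id")
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthCode(app_id, user, self.clock())
        return code  # this value is what travels through the browser redirect

    def exchange(self, code, app_id, app_secret):
        """Back-channel request from the client's server: code + app credentials -> token."""
        entry = self.codes.get(code)
        if entry is None:
            raise PermissionError("unknown code")
        expected = self.registered_clients.get(app_id)
        if expected is None or not hmac.compare_digest(expected, app_secret):
            raise PermissionError("bad client credentials")      # defence 1
        if entry.client_id != app_id:
            raise PermissionError("code issued to a different client")  # defence 1
        if entry.used:
            raise PermissionError("code already redeemed")       # defence 3
        if self.clock() - entry.issued_at > CODE_LIFETIME_SECONDS:
            raise PermissionError("code expired")                # defence 2
        entry.used = True
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry.user, app_id)
        return token


class CreditCardButler:
    """Stand-in for the client; only its server ever sees the token."""

    def __init__(self, app_id, app_secret, auth_server):
        self.app_id, self.app_secret, self.auth = app_id, app_secret, auth_server

    def callback(self, code):
        # The browser delivered only the code; the token is fetched server-to-server.
        return self.auth.exchange(code, self.app_id, self.app_secret)


def _fails(action):
    """True if the action is rejected by the authorization server."""
    try:
        action()
    except PermissionError:
        return True
    return False


def run_scenario():
    """Walk through the 3.0 flow and each of the three defences; returns the outcomes."""
    now = [1_000_000.0]                        # fake clock, advanced by hand
    auth = NetEaseAuthCenter(clock=lambda: now[0])
    auth.register_client("butler-app-id", "butler-app-secret")   # made-up credentials
    auth.register_client("other-app-id", "other-app-secret")
    butler = CreditCardButler("butler-app-id", "butler-app-secret", auth)
    results = {}

    code = auth.authorize("zhang", "butler-app-id")               # step 7: code via browser
    token = butler.callback(code)                                 # back-channel exchange
    results["token_issued"] = auth.tokens.get(token) == ("zhang", "butler-app-id")
    results["replay_rejected"] = _fails(lambda: butler.callback(code))   # defence 3

    code2 = auth.authorize("zhang", "butler-app-id")
    results["no_secret_rejected"] = _fails(                       # defence 1: code alone is useless
        lambda: auth.exchange(code2, "butler-app-id", "guessed-secret"))
    results["other_client_rejected"] = _fails(                    # defence 1: wrong app
        lambda: auth.exchange(code2, "other-app-id", "other-app-secret"))
    now[0] += CODE_LIFETIME_SECONDS + 1
    results["expired_rejected"] = _fails(lambda: butler.callback(code2))  # defence 2
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Note the order of checks in exchange(): a code is marked as used only after the credential and expiry checks pass, so a failed attempt by someone who only has the code does not burn it for the legitimate client, while a successful exchange makes any later replay fail.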
4. Postscript
This article is really about three of the authorization grant types in OAuth, in order:
1. Resource Owner Password Credentials Grant
2. Implicit Grant
3. Authorization Code Grant
There is also a type called Client Credentials, which is used less often and is not covered in this article.
The names sound odd, but they are not that complicated. A few OAuth terms, and how to understand them in this story:
Resource Owner: that's our Zhang Dapang.
Resource Server: NetEase Mail.
Client: the Credit Card Butler above.
Authorization Server: NetEase's authentication center above.