Background Brief
This post sets out to build a general-purpose backend service environment for applications, and account verification is one of the basic building blocks of that environment.
OAuth2 provides a secure authorization framework in which an access_token serves as the credential for accessing protected resources. For a single application talking to its own backend, the password grant is the most concise choice; if you want to offer a third-party login platform like Google, Facebook or Sina Weibo, choose the authorization code grant instead.
OAuth2 grant type reference: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Choosing-a-Grant
This article uses the password grant together with a refresh_token: after the access_token expires, the refresh_token is used to request a new access_token without logging in again, so the application logs in once and stays signed in.
If the refresh_token also expires, the user must log in again; this covers the scenario where a user has not used the application for a long time and should be asked to re-authorize. The refresh_token lifetime can generally be set to one month, adjusted to actual needs.
Environment:
Laravel 5.1 installation: please refer to the blog post:
oauth2-server-laravel, an OAuth2 implementation built for Laravel: https://github.com/lucadegasperi/oauth2-server-laravel/wiki
For installing and configuring the password grant in oauth2-server-laravel, refer to the official documentation, which is clear:
Installation and configuration: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Laravel-5-Installation
Usage: https://github.com/lucadegasperi/oauth2-server-laravel/wiki/Implementing-an-authorization-server-with-the-password-grant
This article focuses on:
The official documentation only describes how to configure the package and add the code, but not how to call it, which may leave many newcomers stuck.
PS: a typo in the official documentation is corrected here:
'\App\PasswordVerifier@verify' should be '\App\PasswordGrantVerifier@verify', consistent with the class definition that follows.
Test data preparation
Before testing, you need an appid and appsecret, just as on a third-party platform, so that the backend can identify the application making the request.
To set this up, add an application record to the oauth_clients table, for example:
Simulating HTTP requests
Here the HTTP request flow is simulated and mapped directly, so it is easy to follow.
Authorization request to obtain an access_token. Note that the client_id and client_secret parameters must match the record in oauth_clients.
After the access_token expires, use the refresh_token to obtain a new access_token and refresh_token.
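The two requests above wrapped in a small client, as an added example rather than code from the original post or from oauth2-server-laravel: the token endpoint URL is an assumption (the package's wiki routes it to POST /oauth/access_token), and fake_token_endpoint is a constructed stand-in for the server so that the login, silent-refresh and failed-refresh paths can be exercised offline.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError
TOKEN_URL = "http://localhost/oauth/access_token"  # assumed; the wiki routes token requests here

def password_grant_body(client_id, client_secret, username, password):
    # First login: user credentials plus the app's oauth_clients credentials, exchanged for tokens.
    return {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
            "username": username, "password": password}

def refresh_grant_body(client_id, client_secret, refresh_token):
    # Renew an expired access_token without asking the user for the password again.
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}

def http_post(url, body):
    # Real transport: form-encoded POST; returns (HTTP status, parsed JSON body).
    req = Request(url, data=urlencode(body).encode(), method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, json.load(err)

def fake_token_endpoint(url, body):
    # Constructed stand-in for the server so the flow can be exercised offline.
    if body["grant_type"] == "password" and (body["client_secret"], body["password"]) == ("s3cret", "pw"):
        return 200, {"access_token": "a1", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "r1"}
    if body["grant_type"] == "refresh_token" and body["refresh_token"] == "r1":
        return 200, {"access_token": "a2", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "r2"}
    return 400, {"error": "invalid_request"}  # dead refresh_token: the user has to log in again

class TokenSession:
    # Client-side lifecycle: log in once, refresh silently, re-login only when refresh fails.
    def __init__(self, client_id, client_secret, post=http_post, url=TOKEN_URL):
        self.client_id, self.client_secret, self.post, self.url = client_id, client_secret, post, url
        self.access_token = self.refresh_token = None
    def login(self, username, password):
        body = password_grant_body(self.client_id, self.client_secret, username, password)
        return self._store(*self.post(self.url, body))
    def refresh(self):  # True when a new token pair was issued; False means re-login is required
        if not self.refresh_token:
            return False
        body = refresh_grant_body(self.client_id, self.client_secret, self.refresh_token)
        return self._store(*self.post(self.url, body))
    def _store(self, status, data):
        ok = status == 200 and "access_token" in data
        self.access_token = data["access_token"] if ok else None
        self.refresh_token = data.get("refresh_token", self.refresh_token) if ok else None  # stale pair dropped
        return ok
```

Pass the real http_post (the default) to talk to a running Laravel backend; the client only ever sends the user's password in the first request, every later renewal uses the refresh_token.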