Foreword:
In the previous post, "Introduction to OAuth2.0 principles", we covered the principles of OAuth2.0 and how it works. In this post we look at one of the OAuth2.0 authorization modes: the Authorization Code grant.
What is authorization Code?
In a nutshell, the authorization code is a preliminary check that a third-party application must pass when it asks the authorization server for an access token; it adds an extra layer of security to token acquisition. An analogy: you have spent the whole day writing code and are eager to get home to a hot meal. At the gate of your residential compound you first swipe your card to get in, then find your building and unit number, and only then take out your key and open the door to your home. The authorization code plays the same role as the card swipe at the gate, a first step that confirms your identity before the key is ever used; if you do not belong to the compound, you have no way of getting inside. The Authorization Code mode is the most commonly used OAuth2.0 grant; QQ, Douban, Sina Weibo and others all use it.
Workflow of the authorization code grant
The flow diagram shows the entire request process; the points to note are:
The parameters required to initiate the authorization request are as follows:
For step (C), the following parameters are required when the client initiates a request to authorization server:
- response_type: Required. The value is fixed to "code".
- client_id: Required parameter (the ID of the third-party app; tells the server who is asking to be authorized)
- state: A string provided by the client that the server returns to the client as-is.
- redirect_uri: Required parameter (the address to redirect to after authorization succeeds)
- scope: Optional parameter (indicates the authorization scope requested)
The full URL looks like this:
GET /authorize?response_type=code&client_id=1&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Foauth2&scope=user,photo HTTP/1.1
Host: server.example.com
The authorized return data are as follows:
In the corresponding step (E), the authorization server returns the following information:
- code: The authorization code (used to request the token in the next step)
- state: The state parameter provided by the client in step (C), returned as is.
The complete URL is as follows:
Location: https://client.example.com/oauth2?code=splxlobezqqybys6wxsbia&state=xyz
The request parameters for initiating token acquisition are as follows:
Corresponding steps (G):
- grant_type: Required parameter (fixed value "authorization_code")
- code: Required parameter (the code returned in the previous step; binding it to this request prevents tampering)
- redirect_uri: Required parameter (must be identical to the redirect_uri provided in the authorization request)
- client_id: Required parameter (must be identical to the client_id provided in the previous request; the token request and the authorization code request must come from the same third-party app)
The response that gets token contains the following information:
Corresponding steps (H):
- access_token: The access token (an opaque string issued by the server).
- refresh_token: The refresh token (the string used to obtain a new access token)
- expires_in: The expiration time (lifetime of the access token, in seconds)
{
  "access_token": "Mjhjskotnfzfejr1zcsichjksla",
  "token_type": "Granttype",
  "expires_in": 4800,
  "refresh_token": "Jhjhjasdsjhknsgkmzhdk",
  "example_parameter": "Example_value_test"
}
If one day a stranger gets hold of your compound key, he can walk into the compound as if he belonged there, and his chances of getting into your home become much greater. By the same reasoning, if an authorization code is stolen, the other party can use it directly to obtain tokens and steal your information. So when using the authorization code grant we must first require that a code cannot be reused: if a code is found to be used a second time during the lifetime of the tokens it produced, all tokens issued from that code are revoked and the user must go through the login authorization again.
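To make the checks above concrete, here is an added example (not code from the original post or from any real OAuth library): a minimal in-memory model of the authorization-server side of steps (C), (E), (G) and (H), with the client's state check, the redirect_uri and client_id binding, single-use codes, and revocation of every token derived from a code that is replayed. Names, the CODE_TTL value and the token formats are assumptions for illustration.

```python
import secrets
import time
from urllib.parse import parse_qs, urlparse

CODE_TTL = 600  # assumed lifetime of an issued code, in seconds


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # code -> {client_id, redirect_uri, used, issued_at}
        self.tokens = {}  # access_token -> {code, refresh_token, revoked}

    def authorize(self, client_id, redirect_uri, state):
        """Steps (C)/(E): issue a code after consent; echo state back unchanged."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                used=False, issued_at=time.time())
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, grant_type, code, redirect_uri, client_id):
        """Steps (G)/(H): exchange a code for tokens, enforcing the bindings."""
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.get(code)
        if (rec is None or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri
                or time.time() - rec["issued_at"] > CODE_TTL):
            return {"error": "invalid_grant"}
        if rec["used"]:
            # Replay of a single-use code: revoke everything issued from it.
            for t in self.tokens.values():
                if t["code"] == code:
                    t["revoked"] = True
            return {"error": "invalid_grant"}
        rec["used"] = True
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = dict(code=code, refresh_token=refresh, revoked=False)
        return {"access_token": access, "token_type": "Bearer",
                "expires_in": 4800, "refresh_token": refresh}

    def is_valid(self, access_token):
        t = self.tokens.get(access_token)
        return t is not None and not t["revoked"]


def parse_redirect(location, expected_state):
    """Client side of step (E): return the code, or None if state does not match."""
    q = parse_qs(urlparse(location).query)
    if q.get("state", [None])[0] != expected_state:
        return None  # state mismatch: the response was not started by this client
    return q["code"][0]
```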
Closing remarks:
The authorization code grant is one of the most common authorization methods we use. It gives our application an additional layer of security before it acquires tokens, so that both the authorization and the access procedure are secure and reliable.
Reference: https://oauth.net/2/grant-types/authorization-code/
OAuth2.0 Authorization: Authorization Code