A Study of OAuth2 and Part of the DotNetOpenAuth Source Code

Source: Internet
Author: User
Tags: oauth

In the previous article I looked at OpenID and its implementation in DotNetOpenAuth; this article continues with OAuth2.

I. What is OAuth2

OAuth is an open authorization protocol. It lets a third-party application access private resources that a user keeps on a website (photos, videos, contact lists and so on) without the user having to hand that application his user name and password. The "2" refers to the second generation of the protocol, which is the one in use today.

II. Roles in OAuth2

OAuth2 defines four roles.

Resource owner: for example a Twitter user; his Twitter data is the resource and he is its owner.

Resource server: the server that holds the protected resources. It accepts requests that carry an access token and serves the resource only if the token is valid for it.

Client: the party that accesses the protected resources on the resource server on behalf of the resource owner, once the owner has authorized it; for example an application written by a third-party developer.

Authorization server: authenticates the resource owner and, once that succeeds and the owner has consented, issues an access token to the client.

III. The authorization flow

1. The user visits the client's web site and wants to do something with resources he keeps at the resource server.

2. The client redirects the user's browser to the authorization server's authorization page to ask the user for authorization; the request carries the client's callback URL (redirect URI).

3. The user enters his user name and password on the authorization server's page and then approves the client's request for access to the requested resources.

4. On success, the authorization server issues an authorization code and redirects the browser back to the client's callback URL, carrying that code.

5. Having received the authorization code, the client sends it to the authorization server and asks for an access token.

6. The authorization server validates the code and issues an access token to the client.

7. The client uses the access token to access the protected resources held at the resource server.

IV. How to obtain an access token

As the flow above shows, the access token is the core of the whole process. OAuth2 defines four ways (grant types) for a client to obtain one.

Authorization code: the recommended mode and the safest of the four, because the token is delivered to the client over a direct, authenticated back channel rather than through the browser.

Implicit grant: compared with the authorization code grant, it drops the first-step round trip for a code and returns the access token directly in the redirect back to the client; it never returns a refresh token. It is intended for applications with no server-side component, such as browser extensions or pure JavaScript applications.

Resource owner password credentials: the user gives his user name and password to the client, which exchanges them directly for a token. This is appropriate only where the resource owner trusts the client completely, such as the operating system itself or a highly privileged program, and should be used only when no other grant type is possible.

Client credentials: the client authenticates with its own credentials (client_id and client_secret, typically sent as HTTP Basic authentication) and obtains a token that represents the client itself rather than a user. Only trusted (confidential) clients can use it.

This article covers mainly the first of these, the authorization code grant.

A question that often comes up: why not return the access token directly once the user has authorized, instead of first returning an authorization code and then exchanging the code for the token? The answer is in the specification, and it comes down to protecting the token. When authorization succeeds, the browser is redirected from the authorization server back to the client, and the data travels in the query string. If the access token were returned that way it would be visible in the address bar and would end up in browser history, Referer headers and web server logs, so the risk of it leaking rises accordingly. Returning only an authorization code, and having the client exchange it for the access token over a direct server-to-server connection, keeps the token out of the browser entirely; the exchange also lets the authorization server authenticate the client with its secret, and the code is single-use and short-lived, so a code that does leak is of little use on its own. This is a large security gain.
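The seven-step flow of section III and the code-versus-token argument just above, played out end to end as an added example. This is not code from the original article or from DotNetOpenAuth: a toy authorization server, resource server and client are simulated in memory, and every endpoint, client id, secret and user name is a made-up constant. It goes slightly beyond the text in one respect: the client sends a random `state` value and checks it on the callback, which is what stops an attacker from feeding the client a code of his own.

```python
"""Authorization code grant simulated end to end in memory (added example,
not the article's or DotNetOpenAuth's code; all names below are assumptions)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example/oauth/authorize"   # assumed endpoint


class AuthorizationServer:
    def __init__(self, clients, code_ttl=60):
        self.clients = clients      # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}             # issued authorization codes, single use
        self.tokens = {}            # issued access tokens
        self.code_ttl = code_ttl    # seconds; codes are meant to be short-lived

    def authorize(self, query, resource_owner):
        """Steps 3-4 (front channel): owner has logged in and consented.
        Returns the redirect URL; it carries only the code and the client's state."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("response_type") != "code":
            raise ValueError("unknown client or unsupported response_type")
        if query.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("redirect_uri mismatch")   # no codes to attacker-chosen URLs
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"], "owner": resource_owner,
                            "redirect_uri": query["redirect_uri"],
                            "scope": query.get("scope", ""),
                            "expires": time.time() + self.code_ttl}
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form, client_id, client_secret):
        """Steps 5-6 (back channel): client authenticates, code is traded for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        record = self.codes.pop(form.get("code"), None)   # pop: a code works once
        if record is None or record["expires"] < time.time():
            raise PermissionError("invalid_grant")
        if record["client_id"] != client_id or record["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")        # code was issued to another client
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"owner": record["owner"], "scope": record["scope"]}
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server   # shares the token store for brevity

    def get_profile(self, authorization_header):
        """Step 7: serve the resource only for a valid bearer token."""
        scheme, _, token = authorization_header.partition(" ")
        record = self.auth_server.tokens.get(token) if scheme == "Bearer" else None
        if record is None:
            raise PermissionError("invalid_token")
        return {"user": record["owner"], "scope": record["scope"]}


class Client:
    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth_server = redirect_uri, auth_server
        self.pending_state = None    # would live in the user's session in a web app

    def authorization_url(self, scope):
        """Step 2: send the browser to the authorization server with our callback."""
        self.pending_state = secrets.token_urlsafe(16)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})

    def handle_callback(self, redirect_url):
        """Steps 4-6: check state, then exchange the code over the back channel."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not self.pending_state or not secrets.compare_digest(
                params.get("state", ""), self.pending_state):
            raise PermissionError("state mismatch: possible CSRF")
        self.pending_state = None
        return self.auth_server.token(
            {"grant_type": "authorization_code", "code": params["code"],
             "redirect_uri": self.redirect_uri}, self.client_id, self.client_secret)


def run_flow():
    """Runs the seven steps once and returns what each stage produced."""
    auth = AuthorizationServer({"photo-app": {"secret": "s3cret",
                                              "redirect_uri": "https://photo-app.example/cb"}})
    client = Client("photo-app", "s3cret", "https://photo-app.example/cb", auth)
    resource = ResourceServer(auth)
    start = client.authorization_url("photos")                          # step 2
    query = {k: v[0] for k, v in parse_qs(urlparse(start).query).items()}
    redirect_url = auth.authorize(query, resource_owner="alice")        # steps 3-4
    token = client.handle_callback(redirect_url)                        # steps 5-6
    profile = resource.get_profile("Bearer " + token["access_token"])   # step 7
    return {"auth": auth, "redirect_url": redirect_url, "token": token, "profile": profile}
```

Note where each secret travels: the only thing in the browser-visible redirect is the short-lived, single-use code plus the client's state, while the access token appears only in the response to the authenticated `token()` call. In a real deployment that call is an HTTPS POST from the client's server to the authorization server's token endpoint, not a method call.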

V. Using DotNetOpenAuth for OAuth2

The official sample package contains a complete OAuth2 example: the authorization server is written with MVC, the client and the resource server with WebForms, and the data layer uses EF. To stay closer to real-world use and cut out irrelevant noise, I rewrote a sample modelled on it, and the rest of this article is built around that sample. It can be downloaded at the end of the article.

1. The client

Client-side code revolves around three classes.

AuthorizationServerDescription, as its name says, describes the authorization server the client talks to, as shown below:

Http://www.cnblogs.com/ljzforever/archive/2013/04/01/2985456.html
