(i) HTTP Basic Authentication
Objects: client and server
Process:
- The Authorization field in the client's request header carries the user name and password, which the server uses for authentication
Cons:
1. Every request transmits the user name and password, which is insecure

(ii) Traditional session-cookie mode
Objects: browser and server, single application
Process:
1. When the user logs in, the server stores the user information in a session
2. The server sends the session ID to the client
3. The client stores the session ID in a cookie
4. The client sends the cookie with every request
5. The server reads the cookie sent by the client, looks up the session and obtains the user information
Cons:
1. The session is stored on the server; in a distributed system other services cannot read it, it can only be shared by replicating the session, and large-scale replication consumes a lot of network resources

(iii) Distributed session mode
Objects: client and multiple services
Process:
1. When the user logs in successfully, the user information is stored in a session
2. The session is stored in Redis or MySQL
3. When the client accesses a microservice, the server fetches the user information from the storage center

(iv) Token-based (JWT) mode
Objects: mobile apps and servers, browsers and servers, services
Process:
1. When the user logs in, the server generates a token, signs it and sends it to the client
2. The client stores the token and transmits it with every request
3. The server receives the token, verifies the signature and then returns the resource
JWT: a token format specification whose advantages are convenient authentication and authorization and high security
Comparison with sessions:
1. A session is stored on the server, a token is stored on the client
2. A token can carry authorization information
3. A session can only be used in B/S mode

(v) OAuth2 mode
The OAuth2 protocol is used for third-party authorization, which is ultimately granted through tokens
Objects: third-party services
Process:
1. The client asks the user for permission to use the third-party service
2. After obtaining the user's permission, the client requests a token from the authentication server
3. The authentication server issues the token after confirmation
4. The client uses the token to obtain resources from the third-party service
5. The third-party service confirms that the token is valid and then releases the resource

(vi) Personal thinking
1. Why do we need unified authorization and authentication?
A: 1. In the traditional mode every service has its own set of user permission and authentication code; extracting it into one place makes it easier to manage and maintain, and each service can focus on its own business instead of spending effort on permission management 2. Not only do users and services need authorization and authentication; services also need to check permissions between themselves, and third-party client access also needs authorization, so a unified permission management center makes management and implementation easier

2. Drawbacks of the traditional authentication methods
A: 1. With the HTTP header, the user name and password are transmitted on every request, which is very insecure 2. In a single application the session can only be stored on its own server; when another server is used the session is lost, so the session has to be copied over 3. With distributed session storage, every authorization has to fetch the session, which causes multiple network IO operations; the solution is for the local service to cache the session, but then the session must be synchronized and updated, and the security of the shared session space must also be taken care of

3. Difference between single sign-on (SSO) and OAuth2
A: 1. Single sign-on is used for logging in to one system: once the user has logged in, the system's other subsystems are in the logged-in state and do not require logging in again 2. OAuth2 is used for third-party login, and the access granted by such a login is usually limited to a small scope 3. After an OAuth2 login the user still operates within the original third-party service, while after an SSO login the user operates within the whole system; for example, after logging in to Huya (Tiger Tooth) Live via OAuth2 the user mainly operates within Huya, can send gifts and post bullet comments, but cannot delete friends
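The token-based flow of section (iv), and the stateless verification that answer 2 contrasts with distributed session storage, as an added example that is not part of the original notes. It issues and verifies an HS256 JWT with only the Python standard library; the key, user, roles and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In practice this is a random secret shared only with
# the services that must verify tokens (or replaced by an asymmetric key pair).
SECRET = b"demo-shared-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, roles: list, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Step 1: the login server signs the user's claims and hands the token to the client."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Authorization data (roles) travels inside the token, unlike a session ID.
    payload = {"sub": user_id, "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Step 3: any service holding SECRET verifies the signature with no session store lookup.
    Returns the claims, or None if the token is malformed, tampered with or expired."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's choice
            return None
        expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims
```

Because verification needs only the shared key, a second microservice can accept the same token without the Redis/MySQL lookup or session replication described in sections (ii) and (iii).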
Web Permission Management Summary