2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article explains in detail the other modes of OAuth2.0 in SpringBootSecurity. I hope you will have a certain understanding of the relevant knowledge after reading it.
Password mode
The authorization code mode and refresh tokens are two ways to get the latest tokens. Let's look at the other modes, starting with password mode. The three modes we configure by default already include support for password mode:
So we start the project and use the password mode directly. The access address is:
http://ip:port/oauth/token
There are five parameters:
grant_type: must be password for password mode
username: user name
password: password
client_id: client id
client_secret: client secret
Examples of access are as follows:
Password mode is suitable only for applications the user highly trusts. Only with a high level of trust should the user name and password be handed over, so use it with caution.
Implicit mode (hidden mode)
Some web applications are pure front-end applications, so the authorization service has to issue tokens directly to the front end. This approach has no authorization code as an intermediate step, so it is called "implicit". An example access link is as follows:
http://localhost:8028/oauth/authorize?client_id=clientId&response_type=token&redirect_uri=http://localhost:8028/&scope=all
You can see that this method has one more scope parameter than the authorization code mode. Before implicit mode can be used, the authorization service needs to support it, so you need to add implicit to the authorization type:
Then enter the above link into the browser, and the login page will appear. After the login is successful, the token will appear directly in the link:
Note that the token is placed in the URL anchor (fragment), not the query string (querystring). OAuth 2.0 allows the redirect URL to use the HTTP protocol, so there is a risk of "man-in-the-middle attack"; because the browser does not send the anchor to the server when it jumps, the risk of token leakage is reduced.
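The fragment behaviour described above, as an added example that is not code from the original article: one function returns the part of the redirect URL a browser actually sends to the server, the other reads the token from the fragment on the front end. The token value, the token_type and expires_in values and the helper names are constructed assumptions; the field names follow the OAuth 2.0 implicit response format.

```javascript
// Implicit-mode redirect as the browser sees it (constructed sample values).
const SAMPLE_REDIRECT =
  "http://localhost:8028/#access_token=constructed-sample-token" +
  "&token_type=bearer&expires_in=43199&scope=all";

// What the browser puts on the wire for this URL: path and query only.
// The fragment stays in the browser and never reaches the server or a proxy.
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Read the implicit-mode response on the front end (hypothetical helper name).
function readImplicitResponse(redirectUrl) {
  const u = new URL(redirectUrl);
  // A token in the query string is sent to the server and ends up in access
  // logs and Referer headers, so treat it as a failure, not a fallback.
  if (u.searchParams.has("access_token")) {
    throw new Error("access_token found in query string; refusing to use it");
  }
  const params = new URLSearchParams(u.hash.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }
  const token = params.get("access_token");
  if (!token) {
    throw new Error("no access_token in URL fragment");
  }
  // URL to put back in the address bar (in a browser, for example with
  // history.replaceState) so the token does not linger in history or get
  // copied along with the link.
  u.hash = "";
  return {
    accessToken: token,
    tokenType: params.get("token_type"),
    expiresIn: Number(params.get("expires_in")),
    cleanUrl: u.toString(),
  };
}
```

Calling requestTarget(SAMPLE_REDIRECT) returns only the path, which is why the token does not show up in the redirect target's server logs.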
Client credentials mode
The last method is client credentials, which is suitable for command-line applications without a front end, that is, for requesting tokens from the command line. The request address is as follows:
http://localhost:8028/oauth/token?grant_type=client_credentials&client_id=clientId&client_secret=secret
Before requesting, configure the client credentials mode in the authorization type:
Example of request result:
A token issued this way is for the third-party application, not for a user, so multiple users may share the same token.
This is the end of the other modes of OAuth2.0 in SpringBootSecurity. I hope the above content is helpful to you. If you think the article is good, you can share it for more people to see.