2025-03-28 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
1. Introduction to OAuth 2.0
The OAuth 2.0 protocol (RFC 6749) is widely used in Internet applications; its most common use is probably third-party authorized login. On many websites, users can log in with an existing Alipay, WeChat or QQ account, which shares the user's information and resources held at Ali or Tencent with the site.
The central idea of OAuth 2.0 is that the party requesting a user's resources (called the client in RFC 6749) asks the party holding those resources for access rights (the text below calls that party the resource owner; in RFC 6749 terms the user is the resource owner and Alipay, WeChat or QQ operate the authorization and resource servers). The client does not obtain that access by using the user's own credentials at the provider; instead it leads the user to the provider's authorization server (Authorization Server), and it is the authorization server that grants the access.
In the whole OAuth 2.0 process, if a user wants a third party (here, any party other than the user and the provider the user registered with: Alipay, WeChat or QQ) to use the user's own resources held at Alipay, WeChat or QQ (account, nickname, avatar and similar information), the user must take part in an authorization step and interact with the Alipay, WeChat or QQ authorization server.
Figure 1 describes the authorization process for a third-party website using the Authorization Code Grant of RFC 6749.
We take the example of a user logging in with a QQ account on website K, and use a typical development flow to explain Figure 1:
a. From a page of website K already open in the browser, the user initiates a user-resource request to QQ's authorization service. Here Client Identifier is the identity website K registered on the QQ authorization server (Authorization Server; in practice QQ may run several servers, abstracted here as one authorization server), and Redirection URI is website K's redirect URI, at which website K receives the authorization code (Authorization Code) once the user has authorized. For the exact request parameters and format see RFC 6749.
b. The browser jumps to the authorization page provided by the QQ authorization server. It generally offers two ways for the user to authorize and authenticate: username/password login and QR code scanning.
c. After the user has authenticated and authorized in step b, the QQ authorization server redirects to the redirection URI carried in step a, with the authorization code as a parameter in the redirect address.
d. Website K uses the authorization code it obtained to request an Access Token from the QQ authorization server; the redirection URI in this request must match the redirection URI used in step a.
e. After the QQ authorization server verifies the parameters, it returns the Access Token to website K.
Of the steps above, the redirect to the redirection URI in step c is performed by the browser, while step d is performed by website K's backend. When website K's backend receives the authorization code after step c, it also identifies the browser's current session (from the Cookie sent by the browser). After obtaining the Access Token in step e, the backend fetches the corresponding user information (nickname, avatar, etc.) from the QQ authorization server, stores it in the current session, and then redirects to website K's main page, where the QQ user's information is displayed.
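The steps a to e above, as an added in-memory model (example code written for this page, not code from the article or from QQ). AuthorizationServer, ClientSite, the endpoint URLs and all identifiers are hypothetical. The point of the model is the checks a correct implementation makes on both sides: the redirect_uri must exactly match the registration, the code is single-use, short-lived and bound to the client_id and redirect_uri it was issued for, the client authenticates at the token endpoint, and website K binds the callback to the browser session that started the login through the state value.

```python
"""Constructed model of the OAuth 2.0 Authorization Code Grant, steps a-e.
Hypothetical classes and URLs; not the page's or QQ's code."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """Stand-in for the QQ authorization server (hypothetical)."""
    CODE_TTL = 600  # seconds; authorization codes are meant to be short-lived

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # code -> grant record
        self.tokens = {}   # access_token -> user info

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, params, authenticated_user):
        """Steps a-c: the user has authenticated on the login page; issue a code
        and return the redirect URL the browser will follow."""
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        if params.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        # the redirect_uri must exactly equal the one registered for this client
        if params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_hex(16)
        self.codes[code] = {"client_id": params["client_id"],
                            "redirect_uri": params["redirect_uri"],
                            "user": authenticated_user,
                            "scope": params.get("scope", ""),
                            "issued": time.time()}
        query = {"code": code}
        if "state" in params:  # echo state unchanged so the client can verify it
            query["state"] = params["state"]
        return params["redirect_uri"] + "?" + urlencode(query)

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps d-e: exchange the code for an Access Token."""
        client = self.clients.get(client_id)
        if client is None or client["secret"] != client_secret:
            raise ValueError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if grant is None:
            raise ValueError("invalid or already used code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise ValueError("code was issued to a different client or redirect_uri")
        if time.time() - grant["issued"] > self.CODE_TTL:
            raise ValueError("code expired")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = grant["user"]
        return {"access_token": access_token, "token_type": "bearer", "scope": grant["scope"]}

    def user_info(self, access_token):
        """Resource request after step e (nickname, avatar, ...)."""
        return self.tokens[access_token]


class ClientSite:
    """Stand-in for website K (hypothetical)."""
    AUTH_ENDPOINT = "https://auth.example/oauth2.0/show"  # hypothetical URL

    def __init__(self, auth_server, client_id, client_secret, redirect_uri):
        self.auth_server, self.client_id = auth_server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = {}   # state -> browser session id that started the login
        self.sessions = {}  # browser session id -> user info

    def start_login(self, session_id):
        """Step a: build the authorization request URL for this browser session."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = session_id
        return self.AUTH_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "get_user_info", "state": state})

    def callback(self, session_id, redirect_url):
        """Steps c-e on K's backend: the browser (identified by its session cookie)
        arrives at the redirect URI carrying code and state."""
        qs = parse_qs(urlparse(redirect_url).query)
        state = qs.get("state", [None])[0]
        # the state must be the one issued to this very browser session
        if self.pending.pop(state, None) != session_id:
            raise ValueError("state does not belong to this session")
        token = self.auth_server.token(self.client_id, self.client_secret,
                                       qs["code"][0], self.redirect_uri)
        self.sessions[session_id] = self.auth_server.user_info(token["access_token"])
        return self.sessions[session_id]


def demo():
    """Run the whole flow once; returns (user info stored in K's session, code used)."""
    qq = AuthorizationServer()
    qq.register_client("k_site", "k_secret", "https://k.example/oauth/callback")
    k = ClientSite(qq, "k_site", "k_secret", "https://k.example/oauth/callback")
    login_url = k.start_login("browser-session-1")
    params = {key: vals[0] for key, vals in parse_qs(urlparse(login_url).query).items()}
    # step b happens on QQ's login page; here the user is simply taken as authenticated
    redirect = qq.authorize(params, {"openid": "user-42", "nickname": "demo"})
    user = k.callback("browser-session-1", redirect)
    return user, parse_qs(urlparse(redirect).query)["code"][0]
```

Running demo() returns the constructed user record that ended up in K's session. Redeeming the same code twice, presenting a redirect_uri other than the registered one, or arriving at the callback with a state that was not issued to that browser session all raise ValueError in this model.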
2. Analysis of QQ code scanning login process
In the previous section we described a typical OAuth 2.0-based third-party login flow for QQ users. The core of the flow is step b: how the user is led to authenticate and authorize at QQ's authorization server. Figure 2 shows the authentication login page provided by QQ.
QQ's authorization server offers two ways to authorize and authenticate: account/password login and QR code scanning. The account/password method is easy to understand, because the user's authorization happens in the browser and the browser talks directly to the QQ authorization server. The QR code method is more complicated, because one more party takes part: the user's mobile phone. The user's actual authorization and authentication happens in the phone app (Mobile QQ), but the browser that displays the QR code needs to learn the result of the phone's scan and confirmation, and the only path by which the browser can obtain that result is the QQ authorization server.
Before reverse engineering we make a bold guess. We assume the general flow of QQ QR code login is as follows: the QQ login page obtains a QR code generated by the QQ authorization server; the user's phone app scans the QR code and the user confirms the authorization in the app, and that authorization is recorded on the QQ authorization server; the QQ login page then retrieves the authorization result from the QQ authorization server and sends a request to it to obtain the authorization code.
In this flow the QQ login page and the phone app are two separate clients. They are linked by the QR code and share its scan result. What means the QQ login page uses to obtain, from the QQ authorization server, the authorization result produced on the phone app is what we need to find out by reverse engineering.
3. Reverse engineering analysis
3.1. Process analysis
We performed a QQ scan login on a third-party website that offers QQ and WeChat login and captured the HTTP messages exchanged, which gives the message flow shown in Figure 3 (messages 10 and 11 in the figure follow the OAuth 2.0 protocol design and were not obtained by reverse engineering).
Figure 3 can be described as the following process:
1. The user opens the third-party website's home page and is redirected to the QQ login page via the login button. Corresponds to message 1 in Figure 3.
2. The QQ login page requests a QR code from the QQ authorization server; the QR code carries a unique identifier. Corresponds to message 2 in Figure 3.
3. The user scans the QR code with the phone app and approves the requested permissions in the app. The scanning user's identity and the approved authorization are saved on the QQ authorization server.
4. The QQ login page keeps polling the QQ authorization server, using the QR code identifier, to check whether an authorization result exists for it. Corresponds to message 3 in Figure 3.
5. Once the authorization result is available on the QQ authorization server, the QQ login page obtains the logged-in user's information returned by the server. Corresponds to messages 4, 5 and 6 in Figure 3.
6. Using the information returned by the QQ authorization server, the QQ login page requests the OAuth 2.0 authorization code from the server, and the server redirects to the redirect (callback) URI registered by the third-party application. Corresponds to messages 7, 8 and 9 in Figure 3.
7. The third-party website's backend obtains the Access Token from the QQ authorization server using the authorization code, then obtains the user information with the Access Token. Corresponds to messages 10 and 11 in Figure 3. Note that messages 10 and 11 follow the OAuth 2.0 protocol design and were not obtained by reverse engineering.
8. The third-party website's backend answers the callback with a redirect to the website's home page; the QQ login page follows it to the home page, which now shows the QQ user's information from the login.
3.2. Message analysis
Based on the message flow analysed in the previous section, this section focuses on the messages related to QQ scan login.
a) QQ login page request, corresponding to message 1 in Figure 3. The request format is as follows:
GET /oauth2.0/show?which=Login&display=pc&client_id=xxx&redirect_uri=xxx&response_type=code&scope=get_user_info%2Cadd_share HTTP/1.1
b) QR code request, corresponding to message 2 in Figure 3.
The format of the request is as follows:
GET /ptqrshow?appid=xxxxxx&e=2&l=M&s=3&d=72&v=4&t=0.27689339003885305&daid=383&pt_3rd_aid=101372833
The response to this request sets a cookie that serves as the QR code's unique identifier and is used in the later QR code status queries. As follows:
Set-cookie: qrsig=Ht-tcKP8HsOucEnJLNd4RdqfbCwooJgQ3Z2Qjp5QApi0UoDGCIgPYu8VvQ6dAE8q;Path=/;Domain=ptlogin2.qq.com
c) Query the QR code scan/authorization status, corresponding to messages 3 and 4 in Figure 3.
The format of the request is as follows:
GET /ptqrlogin?u1=https%3A%2F%2Fgraph.qq.com%2Foauth2.0%2Flogin_jump&ptqrtoken=1441332869&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=1-0-1533114559274&js_ver=10276&js_type=1&login_sig=EJ7zhLYsxLLTzyvFt57te*RfFnoefvlyL5EPQtIynibZvYDVTFwqp73mYhBZrw15&pt_uistyle=40&aid=716027609&daid=383&pt_3rd_aid=101372833
The cookie information in the request is as follows:
Cookie: pt_login_sig=EJ7zhLYsxLLTzyvFt57te*RfFnoefvlyL5EPQtIynibZvYDVTFwqp73mYhBZrw15; pt_clientip=78f767d654ee2f3d; pt_serverip=612d0af17164d8cd; pt_local_token=55538618; uikey=a295803bda0158cc66a043eadd466549793036cdc18cf00adc324fe62c3dfdbb; pt_guid_sig=f1fb580c215810be91bdc81c31b0dbbf864e8530ff5bbe12a752ec79aa84096f; pgv_pvi=4603649024; pgv_si=s8250232832; _qpsvr_localtk=0.6218837724703585; qrsig=Ht-tcKP8HsOucEnJLNd4RdqfbCwooJgQ3Z2Qjp5QApi0UoDGCIgPYu8VvQ6dAE8q
pt_login_sig and qrsig from the cookie are used as query parameters, so that only one account can be bound to each generated QR code.
The response contains the current status of the QR code, as shown below (the message text is translated; status 67 means the code has been scanned and is being authenticated):
ptuiCB('67','0','','0','QR code being authenticated','')
If the user has approved the authentication in the phone app, the response to this request returns the user's login authorization identifiers as Set-Cookie headers, as shown below (the scanning user's QQ number appears in them):
Set-Cookie: pt_guid_sig=ad3f568b9d1d721593fde21261e9110921367f8e918ee573d0290ddde03fe5a9;Expires=Fri, 31 Aug 2018 09:06:36 GMT;Path=/;Domain=ptlogin2.qq.com
Set-Cookie: uin=o0545602528;Path=/;Domain=qq.com
Set-Cookie: skey=@Xb8aQtVvd;Path=/;Domain=qq.com
Set-Cookie: superuin=o0545602528;Path=/;Domain=ptlogin2.qq.com
Set-Cookie: pt2gguin=o0545602528;Expires=Tue, 19 Jan 2038 03:14:07 GMT;Path=/;Domain=qq.com
Set-Cookie: superkey=iXw-EiDFksitURyqw9dWBfOH7OIowHjqdYZPbu2U2iQ_;Path=/;Domain=ptlogin2.qq.com;HttpOnly
Set-Cookie: pt_recent_uins=a82cd26c99dc9b53af5f945be98ce71176658eb32199788d1c479b025d8b0f7a7872d4e9cf761581865bdcff1157eae7684374b9637a77f2;Expires=Fri, 31 Aug 2018 09:06:36 GMT;Path=/;Domain=ptlogin2.qq.com;HttpOnly
Set-Cookie: ETK=;Path=/;Domain=ptlogin2.qq.com
Set-Cookie: RK=jcDM6tiRa/;Expires=Tue, 19 Jan 2038 03:14:07 GMT;Path=/;Domain=qq.com
Set-Cookie: ptnick_545602528=e88b8fe5b79ee7a791e8bebe2de5bca0e587af;Path=/;Domain=ptlogin2.qq.com
Set-Cookie: ptcz=cc528e09239038601ee0ab4b7665c65404e847c2963a19d71a266c628029ee22;Expires=Tue, 19 Jan 2038 03:14:07 GMT;Path=/;Domain=qq.com
Set-Cookie: ptcz=;Expires=Thu, 01 Jan 1970 00:00:00 GMT;Path=/;Domain=ptlogin2.qq.com
Set-Cookie: airkey=;Expires=Thu, 01 Jan 1970 00:00:00 GMT;Path=/;Domain=qq.com
Set-Cookie: supertoken=3346071835;Path=/;Domain=ptlogin2.qq.com
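The process of section 3.1 (steps 2 to 6) and the messages of section 3.2 (the qrsig/pt_login_sig binding, the ptuiCB polling response and the authorize request that yields the code) as one added in-memory model. This is example code written for this page, not the article's captures or QQ's implementation: QrAuthServer, the method names, the user number and the redirect URI are constructed. Only status 67 (QR code being authenticated) comes from the page; the other ptuiCB status codes used here (66 not yet scanned, 65 invalid or expired, 0 success) are assumptions for illustration. The model shows the two clients sharing one QR identifier, the server refusing a poll whose qrsig is not bound to the page's own login_sig, and the confirmed code being consumed once.

```python
"""Constructed model of QR scan login: login page and phone app are two clients
linked by qrsig. Status codes other than 67 are assumed; nothing here is QQ's code."""
import re
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

QR_TTL_SECONDS = 120  # assumed lifetime of a QR code before polling reports 65


class QrAuthServer:
    """Stand-in for the QQ authorization server: ptqrshow / ptqrlogin / authorize."""

    def __init__(self):
        self.qr = {}        # qrsig -> {status, login_sig, user, created}
        self.sessions = {}  # skey -> user, issued after a confirmed scan
        self.codes = {}     # authorization code -> user

    def ptqrshow(self, login_sig):
        """Message 2: issue a QR code; qrsig is the Set-Cookie value identifying it,
        bound to the pt_login_sig of the page that asked for it."""
        qrsig = secrets.token_urlsafe(48)
        self.qr[qrsig] = {"status": "waiting", "login_sig": login_sig,
                          "user": None, "created": time.time()}
        return qrsig

    def phone_scan(self, qrsig, user):
        """Phone app scans the code: record who scanned, await confirmation."""
        rec = self.qr.get(qrsig)
        if rec is None or rec["status"] != "waiting":
            raise ValueError("QR code unknown or already scanned")
        rec["status"], rec["user"] = "scanned", user

    def phone_confirm(self, qrsig, user):
        """Phone app approves the permissions; only the account that scanned may confirm."""
        rec = self.qr.get(qrsig)
        if rec is None or rec["status"] != "scanned" or rec["user"] != user:
            raise ValueError("confirmation must come from the account that scanned")
        rec["status"] = "confirmed"

    def ptqrlogin(self, qrsig, login_sig):
        """Messages 3/4: the page polls with its qrsig and pt_login_sig cookies.
        Returns (ptuiCB body, cookies to set)."""
        rec = self.qr.get(qrsig)
        if rec is None or rec["login_sig"] != login_sig:  # not this page's QR code
            return "ptuiCB('65','0','','0','QR code invalid or expired','')", {}
        if time.time() - rec["created"] > QR_TTL_SECONDS:
            del self.qr[qrsig]
            return "ptuiCB('65','0','','0','QR code expired','')", {}
        if rec["status"] == "waiting":
            return "ptuiCB('66','0','','0','QR code not yet scanned','')", {}
        if rec["status"] == "scanned":
            return "ptuiCB('67','0','','0','QR code being authenticated','')", {}
        # confirmed: consume the QR code and issue a login session (uin / skey)
        del self.qr[qrsig]
        skey = secrets.token_urlsafe(8)
        self.sessions[skey] = rec["user"]
        body = ("ptuiCB('0','0','https://graph.example/oauth2.0/login_jump','0',"
                "'Login succeeded','%s')" % rec["user"])
        return body, {"uin": "o" + rec["user"], "skey": skey}

    def authorize(self, form, cookies):
        """Messages 7/8: the page POSTs client_id and redirect_uri with its session
        cookies; the answer is a 302 whose Location carries the authorization code."""
        user = self.sessions.get(cookies.get("skey"))
        if user is None or cookies.get("uin") != "o" + user:
            raise PermissionError("no confirmed scan session for these cookies")
        code = secrets.token_hex(16)
        self.codes[code] = user
        return "302", form["redirect_uri"] + "?" + urlencode({"code": code})


PTUICB_ARG = re.compile(r"'([^']*)'")


def parse_ptuicb(body):
    """Parse a ptuiCB('a','b',...) response into (status code, message)."""
    if not body.startswith("ptuiCB("):
        raise ValueError("not a ptuiCB response")
    args = PTUICB_ARG.findall(body)
    if len(args) < 5:
        raise ValueError("unexpected ptuiCB argument count")
    return int(args[0]), args[4]


def login_page_poll(server, qrsig, login_sig, max_polls=10):
    """Page-side loop of step 4: keep polling on 66/67, stop on 0 (cookies) or 65."""
    for _ in range(max_polls):
        body, cookies = server.ptqrlogin(qrsig, login_sig)
        status, _message = parse_ptuicb(body)
        if status == 0:
            return status, cookies
        if status == 65:
            return status, None
    return None, None


def demo():
    """Walk messages 2 to 8; returns (poll statuses seen, HTTP status, code)."""
    server = QrAuthServer()
    login_sig = secrets.token_urlsafe(32)   # the page's pt_login_sig cookie
    qrsig = server.ptqrshow(login_sig)      # message 2, qrsig set as cookie
    user = "100000001"                      # constructed QQ number
    statuses = [parse_ptuicb(server.ptqrlogin(qrsig, login_sig)[0])[0]]  # 66
    server.phone_scan(qrsig, user)
    statuses.append(parse_ptuicb(server.ptqrlogin(qrsig, login_sig)[0])[0])  # 67
    server.phone_confirm(qrsig, user)
    status, cookies = login_page_poll(server, qrsig, login_sig)               # 0
    statuses.append(status)
    http_status, redirect = server.authorize(
        {"client_id": "xxx", "redirect_uri": "https://www.example.test/oauth/callback"},
        cookies)
    return statuses, http_status, parse_qs(urlparse(redirect).query)["code"][0]
```

demo() reports the statuses 66, 67 and 0 in that order and then the 32-character code from the Location query. A poll that presents a login_sig other than the one the QR code was issued to, or that reuses a qrsig after the confirmed login consumed it, gets status 65 in this model.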
d) Update the page's cookies, corresponding to messages 5 and 6 in Figure 3. The response headers contain a series of Set-Cookie entries for the logged-in user, so they are not listed here.
e) Obtain the authorization code from the QQ authorization server, corresponding to messages 7 and 8 in Figure 3.
The format of the request is as follows:
POST /oauth2.0/authorize
The form data in the request is as follows:
response_type: code
client_id: xxxxxxxxx
redirect_uri: http://www.XXX.com/oauth/callback/type/qq.html
scope: get_user_info,add_share
state:
switch:
from_ptlogin: 1
src: 1
update_auth: 1
openapi: 80901010
g_tk: 1934165869
auth_time: 1533114565802
ui: EBF619C8-8BF2-4882-9D8D-8D7E6C0D05E1
The request carries the following cookie information:
Cookie: ui=EBF619C8-8BF2-4882-9D8D-8D7E6C0D05E1; pgv_pvi=4603649024; pgv_si=s8250232832; _qpsvr_localtk=0.6218837724703585; pt2gguin=o0545602528; uin=o0545602528; skey=@Xb8aQtVvd; RK=jcDM6tiRa/; ptcz=cc528e09239038601ee0ab4b7665c65404e847c2963a19d71a266c628029ee22; p_uin=o0545602528; pt4_token=kME-OHaPJ3rFmtsksNxnUcWYTP6JEWRvd2EX8DHyfAE_; p_skey=oA8SEkIxHh7-2v*XneForJ9gUH4PTgROUPCQ6YdpI_
The QQ authorization server determines the scan confirmation result from the identifiers in the form and in the request cookies, and returns the authorization code. The response message format is as follows:
HTTP/1.1 302 Moved Temporarily
Server: tws
Date: Wed, 01 Aug 2018 09:06:37 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Keep-Alive: timeout=50
Content-Encoding: gzip
Location: http://www.XXX.com/oauth/callback/type/qq.html?code=653D0AAEA1EF7D12A4AF99AD4CDC4D41
4. Summary
Through reverse engineering combined with the OAuth 2.0 flow, we analysed the QQ scan login function used by third-party websites, traced the message flow and the relevant messages, and worked out the general implementation approach. Some parameters in the messages (such as certain cookie values) are specific to QQ and their meaning cannot be inferred from the flow; that would need an explanation from Tencent's engineers.