

What are the four authorization methods of OAuth2.0?

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

This article explains the four authorization methods of OAuth 2.0 (the four grant types: authorization code, implicit, password and client credentials). The content is simple and clear and easy to learn; please follow the editor's train of thought to study the four authorization methods of OAuth 2.0.

First, what is OAuth 2.0?

Second, OAuth 2.0 authorization methods

1. Authorization code type

Among the four kinds of authorization in OAuth 2.0, the authorization code type is the most complex, but it is also the most common and the one with the highest security. It is suitable for Web projects that have both a front end and a back end, because the client secret used in the token exchange must be kept on the back end; a project that has only a front end cannot keep that secret and therefore cannot use the authorization code mode as described here (a pure front-end or mobile client can still use it if it adds PKCE, which replaces the secret with a per-request proof). Two further points matter in practice: the authorization code is short-lived and may be used only once, and the authorization request should carry a random state value that the client checks on the callback, so that an attacker cannot inject a code of their own.

In the example below we take logging in to the Nuggets (juejin.im) with WX (WeChat) as the scenario and look in detail at the overall process of the authorization code type.

The user selects WX to log in to the Nuggets, the Nuggets redirect the user's browser to WX's authorization endpoint, and WX asks the user whether they agree to the authorization (the familiar pop-up). response_type=code asks WX to return an authorization code; client_id identifies the Nuggets as the registered client; scope=read asks for read-only access; redirect_uri is the address WX sends the user back to, and it must match the address registered for the client.

https://wx.com/oauth/authorize?
response_type=code&
client_id=CLIENT_ID&
redirect_uri=http://juejin.im/callback&
scope=read

After the user agrees to the authorization, WX redirects the browser to the redirect_uri and carries the authorization code (if a state value was sent in the request, it is echoed back here unchanged).

http://juejin.im/callback?code=AUTHORIZATION_CODE

When the Nuggets back end receives the authorization code (code), it applies to WX for a token, sending the authorization code together with its client key. grant_type=authorization_code states that this token request is based on an authorization code; the client key client_secret, the code obtained in the previous step, and the same redirect_uri are required. This is a direct server-to-server request from the Nuggets back end to WX; the user's browser is not involved, and the client_secret must never appear in front-end code or in a browser-visible URL. OAuth 2.0 specifies this request as an HTTP POST with the parameters in the form body; the query-string form below only lists the parameters.

https://wx.com/oauth/token?
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET&
grant_type=authorization_code&
code=AUTHORIZATION_CODE&
redirect_uri=http://juejin.im/callback

Finally, WX checks the request and returns JSON data directly in the HTTP response to the Nuggets back end (not to the redirect_uri, which was only used for the browser redirect in the earlier step); access_token is the token.

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 2592000,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "read",
  ...
}

2. Implicit type

It was mentioned above that some Web applications have no back end and are pure front-end applications that cannot use the authorization code mode above. The implicit type lets the token be requested and stored entirely in the front end by skipping the authorization code step.

The front-end application sets response_type to token, which asks WX to return the token directly, skipping the authorization code, and to redirect to the specified redirect_uri after WX authorization passes. The token is delivered in the URL fragment of that redirect (http://juejin.im/callback#access_token=ACCESS_TOKEN&token_type=bearer&expires_in=...), so it is readable by any script on the page and can end up in browser history; no refresh_token is issued in this mode. Because of this exposure the implicit type is no longer recommended by the OAuth working group; browser applications should use the authorization code type with PKCE instead.

https://wx.com/oauth/authorize?
response_type=token&
client_id=CLIENT_ID&
redirect_uri=http://juejin.im/callback&
scope=read
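What a front-end-only application should do instead of the implicit type, as an added example that is not code from the original article or from WX: PKCE (RFC 7636) keeps the authorization code flow but replaces the client_secret, which a browser cannot protect, with a per-login code_verifier whose SHA-256 hash (the code_challenge) is sent with the authorization request. The PkceAuthServer class is a hypothetical in-memory server; the only non-hypothetical values are the code_verifier/code_challenge test vector from RFC 7636 Appendix B used in the test.

```python
import base64
import hashlib
import hmac
import secrets


def make_verifier():
    """code_verifier: 43-128 unreserved characters; token_urlsafe(32) gives 43 of them."""
    return secrets.token_urlsafe(32)


def challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) with '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class PkceAuthServer:
    """Hypothetical authorization server that accepts only S256 challenges."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id, code_challenge, code_challenge_method="S256"):
        """Authorization request: the challenge is stored against the issued code."""
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted; the 'plain' method sends the verifier itself")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id, code, code_verifier):
        """Token request: no client_secret; the verifier proves the same party started the flow."""
        rec = self.codes.pop(code, None)  # single use, even when verification then fails
        if rec is None or rec[0] != client_id:
            return {"error": "invalid_grant"}
        expected = rec[1].encode("ascii")
        if not hmac.compare_digest(challenge_s256(code_verifier).encode("ascii"), expected):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def honest_login(client_id="CLIENT_ID"):
    """The legitimate front end keeps the verifier in memory and presents it at the token endpoint."""
    server = PkceAuthServer()
    verifier = make_verifier()
    code = server.authorize(client_id, challenge_s256(verifier))
    return server.token(client_id, code, verifier)


def stolen_code_attempt(client_id="CLIENT_ID"):
    """An attacker who captured the code from the redirect has no verifier and is refused."""
    server = PkceAuthServer()
    victim_verifier = make_verifier()
    code = server.authorize(client_id, challenge_s256(victim_verifier))
    return server.token(client_id, code, make_verifier())
```

The verifier never leaves the front end until the token request, and the code alone is useless to anyone who intercepts the redirect, which is exactly the property the implicit type lacks.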

3. Password type

The password type is easy to understand. The user enters their WX username and password directly into the Nuggets, the Nuggets send that information straight to WX to apply for a token, and the token is returned in the JSON body of the response. grant_type=password indicates password authorization.

https://wx.com/token?
grant_type=password&
username=USERNAME&
password=PASSWORD&
client_id=CLIENT_ID

The disadvantage of this authorization method is obvious and very dangerous: the third-party application sees the user's real password, and the authorization server cannot tell the application apart from the user. It should only be used by applications the user trusts completely (typically first-party applications), and the current OAuth security guidance says not to use it at all.

4. Client credentials type

The client credentials type looks very similar to the password type and is mainly suitable for command-line applications or back-end services that have no user and no front end. It is the simplest way to get a token, which is returned in the JSON body of the response. There is no user in this flow: the token represents the application itself, so scopes that refer to a particular user's data do not apply.

grant_type=client_credentials indicates client credentials authorization, and client_id and client_secret identify and authenticate the application. Like the authorization code token request, this is an HTTP POST to the token endpoint; the secret must be sent over TLS and stored where only the application can read it.

https://wx.com/token?
grant_type=client_credentials&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET

Third, the use and update of tokens

1. How to use tokens?

When you get the token, you can call the WX API to request data, so how do you use the token?

Every request that arrives at WX must carry the token, placed in the Authorization header of the HTTP request with the Bearer scheme:

Authorization: Bearer ACCESS_TOKEN

Because anyone holding a bearer token can use it, it must only be sent over HTTPS and never placed in a URL, where it would be written to logs and leaked through Referer headers.

If you use Postman to simulate the request, put the token under Authorization -> Bearer Token. Note: this option is not available in older versions of Postman.

2. What if the token expires?

A token has a lifetime and needs to be reacquired once it expires, but going through the whole authorization process again is not only troublesome but also a bad user experience, so how do you update the token more elegantly?

Typically, two tokens are issued at once: the access_token is used to request the API, and the refresh_token is used to obtain a new access_token. grant_type=refresh_token requests a token update, and the refresh_token parameter is the refresh token received earlier. A refresh token is more powerful than an access token because it lives much longer, so it must be stored as carefully as the client_secret, and a good authorization server issues a new refresh token with every refresh and rejects any reuse of the old one.

https://wx.com/oauth/token?
grant_type=refresh_token&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET&
refresh_token=REFRESH_TOKEN
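Both halves of this section, using the token with the Authorization header and renewing it with refresh_token, as one added example that is not code from the original article or from WX: TokenStore is a hypothetical in-memory issuer that also plays the resource server. check_request parses the Bearer header and enforces expiry and scope; refresh_grant rotates the refresh token and, if an old refresh token is presented a second time, revokes every token that descends from the same original grant. The token family bookkeeping and the 401/403 result codes are assumptions about a sound implementation; the 2592000-second lifetime is the article's value.

```python
import secrets
import time


class TokenStore:
    """Hypothetical token issuer plus resource server; not WX's real implementation."""
    ACCESS_TTL = 2592000  # seconds, matching expires_in in the article

    def __init__(self):
        self.access = {}   # access_token -> {"scope", "expires", "family"}
        self.refresh = {}  # refresh_token -> {"scope", "family", "used"}

    def issue(self, scope, family=None):
        """Issue an access/refresh pair; family ties every rotation back to one original grant."""
        family = family or secrets.token_hex(8)
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = {"scope": scope, "expires": time.time() + self.ACCESS_TTL, "family": family}
        self.refresh[r] = {"scope": scope, "family": family, "used": False}
        return {"access_token": a, "token_type": "bearer", "expires_in": self.ACCESS_TTL,
                "refresh_token": r, "scope": scope}

    def check_request(self, headers, required_scope="read", now=None):
        """Resource server side: validate 'Authorization: Bearer <token>' on an API request."""
        scheme, _, value = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            return 401, "invalid_request"
        rec = self.access.get(value.strip())
        if rec is None or rec["expires"] <= (now if now is not None else time.time()):
            return 401, "invalid_token"
        if required_scope not in rec["scope"].split():
            return 403, "insufficient_scope"
        return 200, "ok"

    def refresh_grant(self, form):
        """grant_type=refresh_token with rotation and reuse detection.

        Client authentication (client_id/client_secret) is checked the same way as at the
        token endpoint in the authorization code example and is left out here.
        """
        if form.get("grant_type") != "refresh_token":
            return {"error": "unsupported_grant_type"}
        rec = self.refresh.get(form.get("refresh_token"))
        if rec is None:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # The same refresh token presented twice means two parties hold a copy, and we
            # cannot tell which is the attacker: revoke the whole family.
            fam = rec["family"]
            self.access = {k: v for k, v in self.access.items() if v["family"] != fam}
            self.refresh = {k: v for k, v in self.refresh.items() if v["family"] != fam}
            return {"error": "invalid_grant"}
        rec["used"] = True  # old refresh token is spent; the new pair replaces it
        return self.issue(rec["scope"], rec["family"])
```

A valid header yields (200, "ok"); a missing or non-Bearer header yields 401 invalid_request; an expired or unknown token yields 401 invalid_token; a token without the needed scope yields 403 insufficient_scope. After one successful refresh the old refresh token is dead, and presenting it again revokes the newly issued access token as well.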

Thank you for reading. The above is the content of "what are the four authorization methods of OAuth 2.0". After studying this article, I believe you have a deeper understanding of the four authorization methods of OAuth 2.0; their specific use still needs to be verified in practice. The editor will push more related articles for you; welcome to follow!
