2025-01-19 Update From: SLTechnology News&Howtos
Cloud Wisdom (Beijing) Technology Co., Ltd. Deng Chao
Many people are already familiar with OAuth 2.0, and it is used on many open platforms, such as the Sina Weibo open platform and the Tencent Weibo open platform. Below, I will briefly explain my personal understanding of OAuth 2.0 and how it is used on the Jiankongbao (Monitoring Treasure) open platform.
I. What is OAuth 2.0
Official definition:
OAuth (Open Authorization) is an open standard that allows third-party applications to access private resources stored by the user on a website without providing usernames and passwords to third-party applications.
OAuth allows users to provide a token rather than a username and password to access the data they store with a specific service provider. Each token authorizes a specific website to access specific resources for a specific period of time. In this way, OAuth allows users to authorize third-party websites to access some of the specific information they store in another service provider, rather than all the content.
OAuth 2.0 is the next version of the OAuth protocol, but it is not backward compatible with OAuth 1.0. OAuth 2.0 focuses on simplicity for client developers, while providing specialized authorization flows for web applications, desktop applications, mobile phones, and living room devices.
Personal understanding:
OAuth 2.0 is an Internet standard protocol (based on HTTPS) that allows users to share data across platforms.
For example, suppose there are two platforms, A and B, and some data resources are stored on platform A. Platform B wants to get some of those resources. If platform A supports the OAuth 2.0 protocol, platform B can use the protocol to request the corresponding data resources from platform A.
II. Authentication process of OAuth
OAuth sets up an authorization layer (authorization layer) between the "client" and the "resource server". The process is shown in the figure (from RFC 6749):
(A) The client issues an authorization request to the resource owner.
(B) The resource owner agrees to grant authorization to the client.
(C) After it is authorized, the client requests a token from the authentication server.
(D) The authentication server issues a token (access token) to the client.
(E) The "client" requests resources from the "resource server" using the token.
(F) The "resource server" confirms that the token is correct and returns the resources to the "client".
As can be seen from the above steps, if the "client" wants to get the resource, the key point is the authorization of the resource owner. Only when that authorization is obtained can the next step be carried out.
III. The authorization modes of OAuth 2.0
OAuth 2.0 defines four authorization methods:
A. Authorization code mode (authorization code)
In authorization code mode, the client's back-end server interacts with the authentication server of the "service provider".
B. Simplified mode (implicit)
Simplified mode (implicit grant type) requests the token directly from the authentication server in the browser, without going through the server of the third-party application and skipping the "authorization code" step. All the steps are done in the browser, the token is visible to the visitor, and the client does not require authentication.
C. Password mode (resource owner password credentials)
In password mode (Resource Owner Password Credentials Grant), the user provides their user name and password to the client. The client uses this information to ask the "service provider" for authorization.
D. Client mode (client credentials)
Client mode (Client Credentials Grant) means that the client authenticates to the "service provider" in its own name, not in the name of the user.
IV. The application of OAuth 2.0 in the Jiankongbao API platform
At present, the Jiankongbao API platform is available only to Jiankongbao enterprise users, not to all Jiankongbao users. Given this situation, the password authorization mode of OAuth is the better fit (note: with the account and password, the platform can verify whether the caller is a Jiankongbao enterprise user, and so decide whether to grant authorization), so we chose this authorization method.
The Jiankongbao API platform simplifies the authorization process. The platform treats each enterprise account as a client and automatically generates a unique authorization ID for it, so each client can request a token directly from the platform authentication server, and then use the token to request resources from the platform resource server. The process is shown in the figure (authentication process of the Jiankongbao API platform):
For more information about the API platform, please refer to:
http://www.jiankongbao.com/common/api_interface
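The password-mode exchange described above, covering steps (C) to (F) with the enterprise-only check, as an added Python example that is not Jiankongbao's own code. The function names, accounts, passwords and authorization IDs are constructed for illustration; the error codes are the ones defined in RFC 6749.

```python
import hashlib, hmac, secrets, time

def _hash(password, salt):
    # Store a slow salted hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

SALT = b"constructed-salt"  # simplification: real systems use one salt per account
# Constructed sample accounts; "client_id" stands in for the platform's authorization ID.
ACCOUNTS = {
    "ops@corp.example": {"pw": _hash("corp-pass", SALT), "enterprise": True, "client_id": "cid-1001"},
    "bob@free.example": {"pw": _hash("free-pass", SALT), "enterprise": False, "client_id": "cid-2002"},
}
TOKENS = {}  # access_token -> (username, expiry timestamp)

def token_endpoint(form, now=None):
    """Steps (C)/(D): validate a password-grant request and issue a token."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    acct = ACCOUNTS.get(form.get("username", ""))
    supplied = _hash(form.get("password", ""), SALT)
    # Hash a dummy value for unknown users so response time does not reveal them.
    stored = acct["pw"] if acct else _hash("dummy", SALT)
    password_ok = hmac.compare_digest(supplied, stored)
    if not (acct and password_ok):
        return 400, {"error": "invalid_grant"}
    if form.get("client_id") != acct["client_id"]:
        return 401, {"error": "invalid_client"}
    if not acct["enterprise"]:
        # Credentials are valid, but only enterprise accounts may use the API.
        return 400, {"error": "unauthorized_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (form["username"], now + 3600)
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}

def resource_endpoint(authorization_header, now=None):
    """Steps (E)/(F): return data only for a known, unexpired bearer token."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    entry = TOKENS.get(token) if scheme.lower() == "bearer" else None
    if entry is None or now >= entry[1]:
        return 401, {"error": "invalid_token"}
    return 200, {"owner": entry[0], "monitors": ["constructed-task-1"]}
```

Because the client handles the user's password directly in this mode, the token request must only ever travel over HTTPS, and the short token lifetime limits what a leaked token can be used for.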
About the author:
Deng Chao, software development engineer at Cloud Wisdom, graduated from Yanshan University in Qinhuangdao in 2010 and joined Cloud Wisdom (Beijing) Technology Co., Ltd. in early 2012. At present, he is mainly responsible for the optimization and R&D of the Jiankongbao product architecture.