2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
How should one understand the concept of OAuth 2.0? This article analyses the question in detail and offers a simple, workable way of thinking about it, in the hope of helping readers who want to understand it.
OAuth 2.0 is the most popular authorization mechanism at present, which is used to authorize third-party applications and obtain user data.
The standard is abstract and uses many terms, which makes it hard for beginners to understand. In fact it is not complicated; I will use a simple analogy to help you easily understand what OAuth 2.0 is.
I live in a large residential area.
The community has an access control system.
You need to enter a password when entering.
I often shop online and take out food, and couriers deliver the goods every day. I have to find a way to get couriers into the community through the access control system.
If I give my password to the courier, he will have the same permissions as I do, which does not seem appropriate. And if I later want to cancel his right to enter the community, that is also troublesome: I would have to change my own password and then notify every other courier.
Is there a way for couriers to enter the community freely without knowing the residents' passwords, such that their only permission is to deliver goods and they have no access anywhere else that requires a password?
II. The design of the authorization mechanism
Therefore, I designed an authorization mechanism.
The first step is to add a button labelled "get authorization" below the password field of the access control system. The courier needs to press this button first to apply for authorization.
In the second step, after he presses the button, a dialog box pops up on the owner's (that is, my) phone: someone is requesting authorization. The system also displays the courier's name, job number and the delivery company he belongs to.
I confirm that the request is genuine, so I click the button and tell the access control system that I agree to give him authorization to enter the community.
In the third step, after my confirmation, the access control system displays a token for entering the community (an access token) to the courier. A token is a string of characters, similar to a password, that is valid only for a short period (for example seven days).
In the fourth step, the courier enters the token into the access control system and enters the community.
One might ask: why not simply open the door for the courier remotely, instead of generating a separate token for him? Because the courier may deliver goods every day, and he can reuse the token the next day. In addition, some communities have multiple gates, and the courier can use the same token to pass through all of them.
III. Internet scenarios
We moved the above example to the Internet, which is the design of OAuth.
First, the residential community is a network service that stores user data. For example, WeChat stores my friend list, and to get that information you have to pass through WeChat's "access control system".
Second, the couriers (or express companies) are third-party applications that want to pass through the access control system and enter the community.
Finally, I am the user, who agrees to authorize third-party applications to enter the community and obtain my data.
To put it simply, OAuth is an authorization mechanism. The owner of the data tells the system that they agree to authorize a third-party application to enter the system and obtain the data. The system then generates a short-term entry token, which the third-party application uses instead of the password.
IV. Tokens and passwords
Tokens and passwords serve the same function, both let you into the system, but there are three differences.
(1) A token is short-lived, expires automatically and cannot be modified by the user. A password is generally valid for a long time and stays unchanged unless the user changes it.
(2) A token can be revoked by the data owner and expires immediately. In the example above, the homeowner can cancel the courier's token at any time. Passwords generally cannot be revoked by others.
(3) A token has a scope of authority (scope); for example, it may only open gate No. 2 of the community. For network services, a read-only token is safer than a read-write token. A password usually carries full permissions.
These designs ensure that a token not only gives third-party applications access but can also be controlled at any time, without endangering the security of the system. This is the advantage of OAuth 2.0.
Note that anyone who knows the token can enter the system; the system generally does not reconfirm identity. Tokens must therefore be kept secret, and leaking a token has the same consequences as leaking a password. This is why the validity period of a token is usually set to be very short.
OAuth 2.0 specifies in great detail how tokens are issued. Specifically, there are four types of authorization grant, that is, four ways to issue tokens, suited to different Internet scenarios.
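As an added illustration (not code from the original article), the following Python model of the access-control analogy walks through the four steps above and enforces the three token properties just listed: a token is issued only after the owner approves a named request, is limited to a scope, expires automatically and can be revoked at any time, in contrast to the password, which grants everything. All class, method and parameter names here are invented for the example.

```python
"""Toy model of the community access-control analogy for OAuth 2.0.
Added example; names (AccessControl, courier ids, gate scopes) are invented."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass
class Token:
    value: str                 # opaque random string shown to the courier
    subject: str               # who it was issued to (courier job number)
    scopes: FrozenSet[str]     # which gates it may open, e.g. {"gate-2"}
    expires_at: float          # absolute time; the token is useless afterwards
    revoked: bool = False      # the owner can flip this at any time


class AccessControl:
    """The community's access control system, acting as the authorization server."""

    def __init__(self, owner_password: str, ttl_seconds: float = 7 * 24 * 3600):
        self._owner_password = owner_password
        self._ttl = ttl_seconds                                   # e.g. seven days
        self._pending: Dict[str, Tuple[str, str, FrozenSet[str]]] = {}
        self._tokens: Dict[str, Token] = {}

    # Step 1: the courier presses "get authorization", stating who he is.
    def request_authorization(self, courier: str, company: str, scopes: Iterable[str]) -> str:
        req_id = secrets.token_hex(8)
        self._pending[req_id] = (courier, company, frozenset(scopes))
        return req_id

    # Step 2: the owner's phone shows the name, job number and company behind the request.
    def pending_request(self, req_id: str) -> Optional[Tuple[str, str, FrozenSet[str]]]:
        return self._pending.get(req_id)

    # Step 3: on the owner's approval, issue a short-lived, scoped token instead of the password.
    def approve(self, req_id: str, now: Optional[float] = None) -> Token:
        courier, _company, scopes = self._pending.pop(req_id)
        now = time.time() if now is None else now
        tok = Token(secrets.token_urlsafe(32), courier, scopes, now + self._ttl)
        self._tokens[tok.value] = tok
        return tok

    # The owner cancels one courier's token without changing the password or telling anyone else.
    def revoke(self, token_value: str) -> None:
        if token_value in self._tokens:
            self._tokens[token_value].revoked = True

    # Step 4: the gate checks the token; expiry, revocation and scope are all enforced here.
    def open_gate(self, gate: str, token_value: str, now: Optional[float] = None) -> bool:
        tok = self._tokens.get(token_value)
        now = time.time() if now is None else now
        return tok is not None and not tok.revoked and now < tok.expires_at and gate in tok.scopes

    # The password, by contrast, opens every gate for as long as it exists.
    def open_gate_with_password(self, password: str) -> bool:
        return secrets.compare_digest(password, self._owner_password)
```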