
How to talk about OAuth2 in Spring Security

2025-03-28 Update From: SLTechnology News&Howtos

Many newcomers are unclear about how OAuth2 fits into Spring Security. To help with that, the following article explains it in detail; anyone who needs this can read along, and I hope you gain something from it.

First of all, a general introduction to OAuth2.

OAuth2 is an authorization protocol. Its main purpose is to simplify the work of client developers while providing authorization flows for services that need them, including websites, desktop applications, mobile apps, mini programs and so on. I have copied the grant types below from the official OAuth website:

Authorization code (Authorization Code)

Confidential and public clients use the authorization code grant type to exchange an authorization code for an access token. After the user is redirected back to the client via the redirect URL, the application reads the authorization code from the URL and uses it to request an access token.

Client credentials (Client Credentials)

The client uses the client credentials grant type to obtain an access token outside the context of a user. Clients usually use it to access resources about themselves rather than a user's resources.

Device Code (Device Code)

Devices without a browser or with limited input use the device code grant type, as part of the device flow, to exchange a previously obtained device code for an access token. The value of the device code grant type is urn:ietf:params:oauth:grant-type:device_code.

Refresh token (Refresh Token)

When an access token expires, the client uses the Refresh token grant type to swap the refresh token for an access token. This allows the client to continue to have a valid access token without further interaction with the user.

Password grant (Password Grant)

The password grant type is a way to exchange a user's credentials directly for an access token. Because the client application must collect the user's password and send it to the authorization server, this grant is no longer recommended. The flow provides no hook for mechanisms such as multi-factor authentication or delegated accounts, so it is quite limited in practice.

The latest OAuth 2.0 security best practices completely prohibit password granting.

Implicit flow (Implicit Flow)

The implicit flow is a simplified OAuth flow that was previously recommended for native and JavaScript applications, where the access token was returned immediately without the additional authorization code exchange step. The implicit flow is no longer recommended (and some servers prohibit it entirely) because of the inherent risk of returning an access token in an HTTP redirect without any confirmation that the client actually received it. Public clients, such as native and JavaScript applications, should now use the authorization code flow with the PKCE extension.

The password grant and the implicit flow are both marked as legacy on the official OAuth website and are no longer recommended. Even so, my Spring Security OAuth2 series will focus on password mode, so don't ask me why: I need to solve the login problem in our existing framework, and that is where the password grant fits. So password mode is where the focus will be!

Personal understanding of OAuth2

Having written this far, I may have a fresher understanding of OAuth2. According to the official introduction, OAuth2 is a third-party authorization mechanism, somewhat like a module that provides a shared authorization service. In practice, then, this authorization module should hold relative authority, or in other words, applications within its scope can all request authorization from the same module.

So should this authorization module itself be an information system, with at least user management, that is capable of authenticating identities? After authorization, the module would allow the account to use certain functions.

But here is the problem. I wrote at the beginning of the article that we are mainly building the login module of our own system, and for now we do not need to authorize third-party applications. Is it necessary to introduce an OAuth2 authorization mechanism into this system at all?

To tell you the truth, when I reached the previous line I stopped to think for ten minutes. The system discussed in this article is our core system, containing the core business functions of the entire company. When we expand to other applications in the future we will need third-party authorization, otherwise each application would have to maintain its own set of system users. And since this system itself can also be logged into through OAuth2, there is no problem with using OAuth 2.0 here.
