What is OAuth 2.0?

2025-03-26 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

What is OAuth 2.0? Many newcomers are unsure, so this article summarizes the background of the protocol, the parties and flows involved, and what changed compared with OAuth 1.0. I hope it answers the question for you.


OAuth 2.0 is a continuation of the OAuth protocol, but it is not backward compatible with OAuth 1.0 (that is, it completely replaces OAuth 1.0). OAuth 2.0 focuses on simplicity for client developers: it either organizes the approved interaction between the resource owner and the HTTP service provider on the user's behalf, or allows a third-party application to obtain access on the user's behalf. It also provides dedicated authorization flows for web applications, desktop applications, mobile phones and living-room devices. In October 2012 the OAuth 2.0 protocol was officially published as RFC 6749.

Foreword:

OAuth 1.0 has already been published by the IETF (Internet Engineering Task Force) as RFC 5849.

This also marks that OAuth has officially become an Internet standard protocol.

The OAuth 2.0 draft is already under discussion and construction, and OAuth 2.0 is likely to become the next-generation standard for user authentication and authorization. Most open platforms today, such as the Baidu Open Platform and the Tencent Open Platform, support the OAuth 2.0 protocol.

OAuth (Open Authorization) is an open standard that allows third-party applications to access private resources (such as photos, videos, contact lists) stored by the user on a website without providing usernames and passwords to third-party applications.

OAuth allows users to hand out a token instead of a username and password to access the data they store with a specific service provider. Each token authorizes a specific website (for example, a video editing site) to access specific resources (for example, only the videos in a photo album) for a specific period of time (for example, the next 2 hours). In this way, OAuth lets users authorize a third-party website to access information they store with another service provider without sharing their access credentials or the entire content of their data.

OAuth is a supplement to OpenID, but a completely different service.

OAuth 2.0 is the next version of the OAuth protocol, but it is not backward compatible with OAuth 1.0. OAuth 2.0 focuses on simplicity for client developers while providing specialized authorization flows for web applications, desktop applications, mobile phones and living-room devices. In October 2012 the OAuth 2.0 protocol was officially published as RFC 6749 [1].

Facebook's new Graph API only supports OAuth 2.0. Google also announced Google API support for OAuth 2.0 in March 2011.

Authentication and authorization process:

The three parties involved in the authentication and authorization process are:

1. Service provider: the party with which users store their protected resources, such as photos, videos and contact lists.

2. User: the owner of the protected resources stored with the service provider.

3. Client: a third-party application that accesses the resources held by the service provider, usually a website, such as one offering photo printing services. Before the authentication process begins, the client must apply to the service provider for a client identity.

The process for authentication and authorization using OAuth is as follows:

1. The user wants to work with resources stored at the service provider.

2. The user logs in to the client, which requests a temporary token from the service provider.

3. After verifying the client's identity, the service provider grants a temporary token.

4. Having obtained the temporary token, the client directs the user to the service provider's authorization page to request the user's authorization. During this step the temporary token and the client's callback URL are sent to the service provider.

5. The user enters a username and password on the service provider's page and then authorizes the client to access the requested resources.

6. After successful authorization, the service provider redirects the user back to the client's page.

7. The client requests an access token from the service provider using the temporary token.

8. The service provider grants the client an access token based on the temporary token and the user's authorization.

9. The client uses the access token to access the protected resources stored at the service provider.
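The nine steps above as an added, constructed in-memory model; this is example code, not code from the original article or from any OAuth library. One ServiceProvider object plays the provider's role; the registered client ("photo-print", its secret and callback URL), the user "alice" and her resources are all constructed for the example, and the check that the callback must match the one registered with the client identity is an assumption the article does not state. The checks it enforces (single-use temporary token bound to the requesting client, access token limited to the authorized resource and a two-hour window) are what a practitioner should look for when reviewing a real provider.

```python
import secrets
import time

# Constructed sample data: one registered client and one user's resources.
CLIENTS = {"photo-print": {"secret": "s3cret", "callback": "https://print.example/cb"}}
RESOURCES = {"alice": {"videos": ["v1.mp4"], "photos": ["p1.jpg"]}}

class ServiceProvider:
    def __init__(self):
        self.temp_tokens = {}    # temp token -> {client, scope, user}
        self.access_tokens = {}  # access token -> {client, scope, user, expires}

    def request_temporary_token(self, client_id, client_secret, callback, scope):
        # Step 3: verify the client's identity before granting a temporary token.
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("unknown client or bad secret")
        # Assumed check: the callback must match the one registered with the client.
        if callback != client["callback"]:
            raise PermissionError("callback does not match registration")
        tok = secrets.token_urlsafe(16)
        self.temp_tokens[tok] = {"client": client_id, "scope": scope, "user": None}
        return tok

    def authorize(self, temp_token, user):
        # Step 5: the user, logged in at the provider, approves this request.
        if temp_token not in self.temp_tokens:
            raise PermissionError("unknown temporary token")
        self.temp_tokens[temp_token]["user"] = user

    def exchange(self, client_id, temp_token):
        # Steps 7-8: the temporary token is bound to the client that requested it,
        # redeemable only after a user authorized it, and consumed on first use.
        entry = self.temp_tokens.get(temp_token)
        if entry is None or entry["client"] != client_id or entry["user"] is None:
            raise PermissionError("temporary token invalid, unauthorized or reused")
        del self.temp_tokens[temp_token]
        tok = secrets.token_urlsafe(32)
        self.access_tokens[tok] = {**entry, "expires": time.time() + 2 * 3600}
        return tok

    def read(self, access_token, resource):
        # Step 9: the access token only reaches the authorized resource, in time.
        entry = self.access_tokens.get(access_token)
        if entry is None or time.time() > entry["expires"]:
            raise PermissionError("missing or expired access token")
        if resource != entry["scope"]:
            raise PermissionError("token not authorized for this resource")
        return RESOURCES[entry["user"]][resource]
```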

A brief historical review

OAuth 1.0 was released at the end of December 2007 and quickly became an industry standard.

In June 2008, OAuth 1.0 Revision A, a revised version with minor modifications, was released to fix a security vulnerability.

In April 2010, OAuth 1.0 was finally published by the IETF as RFC 5849.

The draft of OAuth 2.0 was released in IETF in early May 2011.

OAuth is a security protocol that enables users to grant third-party access to their web resources without sharing their passwords.


OAuth 2.0 is a completely new protocol and is not backward compatible with previous versions. However, OAuth 2.0 retains the same overall architecture as the previous version of OAuth.

The draft was built around the needs and goals of OAuth 2.0 after a year of discussion among participants from well-known companies in the industry, including Yahoo!, Facebook, Salesforce, Microsoft, Twitter, Deutsche Telekom, Intuit, Mozilla and Google.

New features of OAuth 2.0:

Six new flows

User-Agent Flow: the client runs inside a user agent (typically a web browser).

Web Server Flow: the client is part of a web server application and is reached through HTTP requests; this is a simplified version of the flow provided by OAuth 1.0.

Device Flow: for clients running on a device with restricted input capabilities, where the end user completes authorization separately from a browser on another computer or device.

Username and Password Flow: for scenarios in which the user trusts the client with their credentials but still does not want the client to store the username and password; it applies only when the user has a high degree of trust in the client.

Client Credentials Flow: the client uses its own credentials to obtain an access token; this flow supports 2-legged OAuth scenarios.

Assertion Flow: the client exchanges an assertion, such as a SAML assertion, for an access token.

OAuth support for native applications (programs running on a desktop operating system or a mobile device) can be achieved using several of the flows above.


Bearer token

OAuth 2.0 provides an authentication method that does not rely on cryptographic signing and is modelled on the existing cookie authentication architecture: the token itself is sent as the secret over HTTPS, replacing the OAuth 1.0 approach of signing each request with HMAC and a token secret. This allows API calls to be made from simple scripting tools such as cURL without reproducing the original request-signing procedure.

Signature simplification:

Where signatures are still supported, the signature mechanism is greatly simplified and no longer requires special parsing, encoding and sorting of parameters. The two previous secrets are replaced by a single secret.

Short-term token and long-term identity credentials

The original OAuth issued tokens with a very long validity period (typically one year or no expiry at all). In OAuth 2.0 the server issues a short-lived access token together with a long-lived refresh token. This lets the client obtain a new access token without involving the user again, while limiting how long any single access token remains valid.

Separation of roles

OAuth 2.0 divides the server side into two roles:

The authorization server is responsible for obtaining the user's authorization and issuing tokens.

The resource server is responsible for handling API calls.
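The bearer token, short-lived token and role separation points above, brought together in one added, constructed example; this is not code from the original article or from any OAuth implementation. The authorization server issues an access token with a 1-hour lifetime plus a long-lived refresh token, and the resource server only validates the `Authorization: Bearer` header on API calls. Two things are assumptions beyond the article: the resource server validates tokens by asking the authorization server (the `introspect` method), and refresh tokens are rotated on use with reuse detection, a hardening step the article does not describe. The `now` parameter stands in for the clock so the expiry behaviour can be checked deterministically.

```python
import secrets
# Constructed model of the two roles above: the authorization server issues
# tokens; the resource server only validates them when handling API calls.
ACCESS_TTL = 3600             # short-lived access token, seconds (constructed)
REFRESH_TTL = 30 * 24 * 3600  # long-lived refresh token, seconds (constructed)

class AuthorizationServer:
    def __init__(self):
        self.access = {}   # access token -> (user, scope, expires_at)
        self.refresh = {}  # refresh token -> (user, scope, expires_at, used)

    def issue(self, user, scope, now):
        a, r = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[a] = (user, scope, now + ACCESS_TTL)
        self.refresh[r] = (user, scope, now + REFRESH_TTL, False)
        return {"access_token": a, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "refresh_token": r}

    def refresh_pair(self, refresh_token, now):
        # New access token without user interaction; the refresh token rotates.
        entry = self.refresh.get(refresh_token)
        if entry is None or now > entry[2]:
            raise PermissionError("unknown or expired refresh token")
        user, scope, exp, used = entry
        if used:
            # A rotated token presented again means it leaked: revoke all of them.
            self.refresh = {k: v for k, v in self.refresh.items() if v[0] != user}
            raise PermissionError("refresh token reuse detected; all revoked")
        self.refresh[refresh_token] = (user, scope, exp, True)
        return self.issue(user, scope, now)

    def introspect(self, token, now):
        # Assumed validation interface used by the resource server.
        entry = self.access.get(token)
        return None if entry is None or now > entry[2] else {"user": entry[0], "scope": entry[1]}

class ResourceServer:
    def __init__(self, auth):
        self.auth = auth

    def api_call(self, headers, now):
        # Bearer scheme: possessing the token (sent over HTTPS) is the whole proof.
        value = headers.get("Authorization", "")
        if not value.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth.introspect(value[len("Bearer "):], now)
        if info is None:
            return 401, "invalid or expired token"
        return 200, f"hello {info['user']} (scope {info['scope']})"
```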

After reading the above, have you grasped what OAuth 2.0 is and how it works? If you want to learn more or dig deeper, you are welcome to follow the industry information channel. Thank you for reading!
