OAuth2

oauth2

OAuth2 is an open, industry-standard protocol for authorization. It aims to provide clear and simple authorization flows.

Protocol Flow

     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

A. The client requests authorization from the resource owner.

B. The resource owner consents and returns an authorization grant to the client.

C. The client presents the authorization grant obtained in B to the authorization server and requests an access token.

D. The authorization server approves the request and returns an access token to the client.

E. The client presents the access token to the resource server and requests the protected resource.

F. The resource server returns the resource.

Authorization Grant Types

OAuth2 defines four authorization grant types:

1. Authorization Code

Authorization code mode is a redirect-based flow and is the most complete and rigorous of the four. The client must be able to interact with the user-agent (usually a browser) and to receive the requests that the authorization server redirects back to it.

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)


A. The client directs the user to the authorization server.

B. The user chooses to grant authorization.

C. The authorization server redirects the user-agent to the redirection URI the client registered in advance, with the authorization code attached.

D. The client sends the redirection URI and the authorization code to the authorization server to request a token (this step is invisible to the user).

E. The authorization server returns an access token (and, optionally, a refresh token).
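The client side of steps A, C, D and E in Python, as an added example rather than code from the original post. Step A builds the redirect URL, step C parses the callback and checks that the `state` value matches the one stored for this user session (RFC 6749 section 10.12 relies on this binding), step D builds the back-channel token request, and step E parses the token response. The endpoint URLs, client ID, redirection URI and the sample code and token values in the comments are constructed placeholders.

```python
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values (not from any real deployment).
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
TOKEN_ENDPOINT = "https://auth.example/token"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"


def new_state():
    """Unguessable per-request value; the client stores it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state, scope="read"):
    """Step A: the URL the client redirects the user-agent to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step C: the authorization server redirected the user-agent back to us.

    Returns the authorization code. Raises ValueError if the state does not
    match the session (the callback was not started by this client/session)
    or if the server answered with an error (RFC 6749 section 4.1.2.1).
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code):
    """Step D: back-channel POST from the client to the token endpoint.

    redirect_uri must repeat the value sent in step A so the server can
    verify that both requests belong to the same authorization.
    """
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
        }),
    }


def parse_token_response(body):
    """Step E: JSON body returned by the token endpoint (RFC 6749 section 5.1)."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError("token request failed: " + data["error"])
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unsupported token_type: " + str(data.get("token_type")))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),  # optional per the diagram
        "expires_in": data.get("expires_in"),
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state))
    # Constructed callback, as the authorization server would send it in step C.
    code = parse_callback(REDIRECT_URI + "?code=CONSTRUCTED_CODE&state=" + state, state)
    print(build_token_request(code))
    print(parse_token_response('{"access_token":"CONSTRUCTED_AT","token_type":"Bearer","expires_in":3600}'))
```

The client secret is deliberately absent from `build_token_request`; how the client authenticates to the token endpoint (for example HTTP Basic) is a separate concern, and a public client such as a mobile app has no secret at all.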


2. Implicit

Implicit mode omits the "authorization code" step: every step is completed inside the user-agent, the token is visible to the user, and the client is not authenticated.

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier     +---------------+
     |         -+----(A)-- & Redirection URI --->|               |
     |  User-   |                                | Authorization |
     |  Agent  -|----(B)-- User authenticates -->|     Server    |
     |          |                                |               |
     |          |<---(C)--- Redirection URI ----<|               |
     |          |          with Access Token     +---------------+
     |          |            in Fragment
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<|               |
     |          |                                +---------------+
     +-|--------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     +---------+
     |         |
     |  Client |
     |         |
     +---------+

A. The client directs the user to the authorization server.

B. The user chooses to grant authorization.

C. The authorization server redirects the user-agent to the redirection URI the client registered in advance, placing the access token in the fragment part of the URI.

D. The user-agent requests the web-hosted client resource; this request does not include the fragment.

E. The web-hosted client resource returns a web page containing a script that can extract the access token.

F. The user-agent runs the script provided by the web-hosted client resource locally and extracts the access token.

G. The user-agent passes the access token to the client.
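Steps D and F hinge on the URI fragment, and the added example below (Python, not code from the original post) makes that concrete: `url_sent_to_server` is what the user-agent actually transmits in step D, since browsers never send the fragment, so the token stays on the client side; `extract_token_from_fragment` is the logic of the script served in step E, parsing the fragment as described in RFC 6749 section 4.2.2 and checking `state` before accepting the token. The redirect URL used in the usage block is a constructed sample.

```python
import secrets
from urllib.parse import parse_qs, urlsplit, urlunsplit


def url_sent_to_server(redirect_url):
    """Step D: the request the user-agent makes to the web-hosted client resource.

    Everything after '#' is dropped, so the access token the authorization
    server placed there in step C never reaches any server over the network.
    """
    parts = urlsplit(redirect_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def extract_token_from_fragment(redirect_url, expected_state):
    """Step F: what the script from step E does inside the user-agent.

    Returns the token fields from the fragment. Raises ValueError when the
    state does not match the value this client stored before step A, or when
    the authorization server reported an error instead of a token.
    """
    params = parse_qs(urlsplit(redirect_url).fragment)
    state = params.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: token not tied to this session")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    if "access_token" not in params:
        raise ValueError("fragment carries no access_token")
    return {
        "access_token": params["access_token"][0],
        "token_type": params.get("token_type", [None])[0],
        "expires_in": int(params["expires_in"][0]) if "expires_in" in params else None,
    }


if __name__ == "__main__":
    # Constructed sample of the redirect the user-agent receives in step C.
    sample = ("https://app.example/cb#access_token=CONSTRUCTED_TOKEN"
              "&token_type=Bearer&expires_in=3600&state=CONSTRUCTED_STATE")
    print(url_sent_to_server(sample))                              # no fragment
    print(extract_token_from_fragment(sample, "CONSTRUCTED_STATE"))  # token fields
```

Because the token lives in the fragment, it is visible to anything that can read the browser's location (extensions, history, scripts on the page), which is the visibility caveat the description above points out.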

3. Resource Owner Password Credentials


Password mode: the user gives their username and password to the client, and the client uses these credentials to request authorization from the service provider.

Even though the client is required not to store the password, this mode is still not recommended.

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+

A. The user provides their username and password to the client.

B. The client sends the username and password to the authorization server to obtain an access token.

C. The authorization server returns an access token (and, optionally, a refresh token).


4. Client Credentials

Client mode: the client registers with the authorization server in advance and requests resources from the resource server in its own name rather than on behalf of a user.

     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+

A. The client authenticates itself to the authorization server and requests authorization.

B. The authorization server returns an access token.
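An added example (Python, not the post's own code) covering the two back-channel grants above, the password grant's step B and the client credentials grant's step A, together with step E of the protocol flow overview, where the client presents the token to the resource server. Client authentication uses the HTTP Basic scheme from RFC 6749 section 2.3.1, which form-encodes the client ID and secret before base64-encoding `id:secret`; the resource request uses the Bearer header of RFC 6750. The token endpoint, client credentials, user credentials and resource URL are constructed placeholders.

```python
import base64
from urllib.parse import quote, urlencode

# Constructed placeholder; a real client would take this from server metadata.
TOKEN_ENDPOINT = "https://auth.example/token"


def basic_client_auth(client_id, client_secret):
    """Authorization header for HTTP Basic client authentication (RFC 6749 2.3.1).

    Both values are application/x-www-form-urlencoded first, so a secret
    containing ':' or '@' cannot be confused with the separator.
    """
    raw = quote(client_id, safe="") + ":" + quote(client_secret, safe="")
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def _token_request(client_id, client_secret, form):
    """Shared shape of a token-endpoint POST: Basic client auth plus a form body."""
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": basic_client_auth(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(form),
    }


def password_grant_request(client_id, client_secret, username, password, scope=None):
    """Password grant, step B: the client forwards the user's credentials once.

    The user's password is carried only in this request body; it is not kept
    by the client afterwards.
    """
    form = {"grant_type": "password", "username": username, "password": password}
    if scope:
        form["scope"] = scope
    return _token_request(client_id, client_secret, form)


def client_credentials_request(client_id, client_secret, scope=None):
    """Client credentials grant, step A: no user is involved at all.

    The client's own registered credentials are the only authentication, so
    the token represents the client, not a resource owner.
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return _token_request(client_id, client_secret, form)


def bearer_resource_request(url, access_token):
    """Protocol flow step E: present the access token to the resource server."""
    return {
        "method": "GET",
        "url": url,
        "headers": {"Authorization": "Bearer " + access_token},
    }


if __name__ == "__main__":
    # Constructed credentials for demonstration only.
    print(password_grant_request("demo-client", "demo-secret", "alice", "s3cret!", scope="read"))
    print(client_credentials_request("demo-client", "demo-secret", scope="reports:read"))
    print(bearer_resource_request("https://api.example/me", "CONSTRUCTED_AT"))
```

The two grant builders differ only in the form body; the transport (POST over TLS to the token endpoint with Basic client authentication) is identical, which is why the password grant is simply a client credentials request that additionally carries a user's secret.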



https://oauth.net/2/

https://jwt.io/

http://www.ruanyifeng.com/blog/2014/05/oauth_2_0.html

Posted 2019-03-02 20:01 by SEC.VIP_网络安全服务