OAuth2 and OpenID Connect protocol study notes (1)
I set up an environment with IdentityServer4 and traced the whole protocol flow in the browser.
localhost:5003 (the JavaScript client / resource), IdentityServer4 at localhost:5001 (the authorization server)
Below is the complete browser request log from login through to authorization. The grant used is the Authorization Code flow, with PKCE (the code_challenge / code_verifier parameters).
1. Fetch the openid-configuration
url: http://localhost:5001/.well-known/openid-configuration
The discovery document lists the endpoints used below (authorization_endpoint, token_endpoint, userinfo_endpoint) and the jwks_uri whose keys are used to verify the token signatures.
2. Call the authorization endpoint
url: http://localhost:5001/connect/authorize
Request parameters:
client_id: js
redirect_uri: http://localhost:5003/callback.html
response_type: code
scope: openid profile api_scope_1 myprofile
state: d455fa1b04284959840e858763c45f43
code_challenge: fDrZros9i7cftFa9lh0eR-g3i_eYyU0QM5PaaNriHxA
code_challenge_method: S256
response_mode: query
Returns 302 with Location:
http://localhost:5001/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Djs%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A5003%252Fcallback.html%26response_type%3Dcode%26scope%3Dopenid%2520profile%2520api_scope_1%2520myprofile%26state%3Dd455fa1b04284959840e858763c45f43%26code_challenge%3DfDrZros9i7cftFa9lh0eR-g3i_eYyU0QM5PaaNriHxA%26code_challenge_method%3DS256%26response_mode%3Dquery
The user has no session at the authorization server yet, so IdentityServer4 redirects to its login page and carries the complete authorize request (including state and code_challenge) in ReturnUrl so it can be resumed after login.
3. Load the login page
url: http://localhost:5001/Account/Login
Request parameters:
ReturnUrl: /connect/authorize/callback?client_id=js&redirect_uri=http%3A%2F%2Flocalhost%3A5003%2Fcallback.html&response_type=code&scope=openid%20profile%20api_scope_1%20myprofile&state=d455fa1b04284959840e858763c45f43&code_challenge=fDrZros9i7cftFa9lh0eR-g3i_eYyU0QM5PaaNriHxA&code_challenge_method=S256&response_mode=query
4. Submit the username and password
url: http://localhost:5001/Account/Login POST
Returns 302 with Location set to the ReturnUrl from step 3, so the original authorize request resumes with the user now authenticated: /connect/authorize/callback?client_id=js&redirect_uri=http%3A%2F%2Flocalhost%3A5003%2Fcallback.html&response_type=code&scope=openid%20profile%20api_scope_1%20myprofile&state=d455fa1b04284959840e858763c45f43&code_challenge=fDrZros9i7cftFa9lh0eR-g3i_eYyU0QM5PaaNriHxA&code_challenge_method=S256&response_mode=query
5. The browser follows the redirect to the authorize callback endpoint, now with an authenticated session
url:
http://localhost:5001/connect/authorize/callback
Request parameters (identical to step 2):
client_id: js
redirect_uri: http://localhost:5003/callback.html
response_type: code
scope: openid profile api_scope_1 myprofile
state: d455fa1b04284959840e858763c45f43
code_challenge: fDrZros9i7cftFa9lh0eR-g3i_eYyU0QM5PaaNriHxA
code_challenge_method: S256
response_mode: query
Returns 302 with Location:
http://localhost:5003/callback.html?code=0A667EB017A2FBCFFFB37244A3EFF590AA41F7DE318867D61656611E46825AFA&scope=openid%20profile%20api_scope_1%20myprofile&state=d455fa1b04284959840e858763c45f43&session_state=_1I4hK0TpuxJpEVbDZQpIHnW1hNK-Cp3BXDmSJn6HJY.0EA2FD09AF374E4C5AE6C60AAC168E0C
The authorization code is bound to this client_id, redirect_uri and code_challenge, and is single-use and short-lived; state is echoed back unchanged so the client can match the response to the request it started.
6. The browser lands on the client's callback page
url: http://localhost:5003/callback.html
Query parameters:
code: 0A667EB017A2FBCFFFB37244A3EFF590AA41F7DE318867D61656611E46825AFA
scope: openid profile api_scope_1 myprofile
state: d455fa1b04284959840e858763c45f43
session_state: _1I4hK0TpuxJpEVbDZQpIHnW1hNK-Cp3BXDmSJn6HJY.0EA2FD09AF374E4C5AE6C60AAC168E0C
(session_state belongs to OIDC Session Management, used by the check_session_iframe to detect logout at the authorization server; it is not part of the core code flow. The client must verify that state equals the value it generated in step 2 before using the code.)
7. Exchange the code at the token endpoint
url: http://localhost:5001/connect/token POST (application/x-www-form-urlencoded)
Request parameters (note there is no client_secret: js is a public client, so the code_verifier is what proves the code is being redeemed by the same party that created the code_challenge; the server computes BASE64URL(SHA256(code_verifier)) and compares it with the code_challenge stored alongside the code):
client_id: js
code: 0A667EB017A2FBCFFFB37244A3EFF590AA41F7DE318867D61656611E46825AFA
redirect_uri: http://localhost:5003/callback.html
code_verifier: 1af65c6b00d84f7b92f42d0275e3920feae3cc9a9da24bdebf9cd44c0212b887bf06b9b3a7b94b66a35839128fa71f0c
grant_type: authorization_code
Response:
{
"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IkRCRUQyRDcwMzZENzUzOTRENkY4NTFFNjNERTM1RjQwIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1OTgwODI4NDgsImV4cCI6MTU5ODA4MzE0OCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo1MDAxIiwiYXVkIjoianMiLCJpYXQiOjE1OTgwODI4NDgsImF0X2hhc2giOiJFQVNRQlcwZjBCYnVkUWZMRmhwM3RRIiwic19oYXNoIjoiR2pnRnFpTHZQdG0xTno0QlktWTdmQSIsInNpZCI6IjBGRTJDODE5NzJBQ0E5Rjg5QTc4Rjk4MjYzRTRCNThDIiwic3ViIjoiNzhhMTYyOWMtN2Y0OS00NjE1LTliYjEtOTVkOTE0MGNhYmIxIiwiYXV0aF90aW1lIjoxNTk4MDgyODQ4LCJpZHAiOiJsb2NhbCIsImFtciI6WyJwd2QiXX0.0eyiMAjK5LLevI6JWkMjIYqmwvkUlQbM84fcFON4eg7K4deShPpbCiRJibIn3iHc-GOgd5sloNM0z2JLIu05py7doKipZP7ywCQDyLo6ERgCma8gtg9w0jpajMLwYxb5isVu85rXc2uSKy7rlDl397IJiHbKRXqwV_NF_RurpHBofBq1F0cvJ1KLilTay0pqUoppgxrMYOi1Zj0yIivtm1hpvTq1p-UKXODFp-O9V3RqaqCoa_c0F0Z_6Yv_hHEygovyJI9nOcLtnpE74yswNOngoxhWvsLbz7XA_2_pVHQGT03sAssJjLYcoPjjJifuna558-qnVq8xKvXKStw_Yg",
"access_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6IkRCRUQyRDcwMzZENzUzOTRENkY4NTFFNjNERTM1RjQwIiwidHlwIjoiYXQrand0In0.….xQox_Ld8Gy6ON4U4Bn_g_amUssBEQoZQkx-Hdy4HD_bwUHNSbhkoBZx9H5ZtjhHk32zenVWQvXC661m8DNLWwr4frWS4in02D4PalIpGYBFkLCDBX12Q36r1GxUfnJD_ZLJYx0Js1kGKqc-lZqGF88zPapJLu7h5fhYT-9QR6_8FKVKrSmpBa_3lHs7haoEbjtK_6-W-j1_U25Y17HXwOCD-C_VDR-rg3rAUbIyLp_4pTT0uFHrI1mUDxDTwHfA79e3q_sDng9j0zGLt9G-IOygs_I4P7gZ_GDTlyCxXDMC3X5WQNkS-_FGQxEx6pUugipTmyWs2VFeI0okFfRIr3g",
"expires_in":60,
"token_type":"Bearer",
"scope":"openid profile api_scope_1 myprofile"
}
expires_in is the access token lifetime (60 s); the id_token carries its own exp. Both tokens are RS256 JWTs signed with the key kid DBED2D7036D75394D6F851E63DE35F40; the id_token header has typ "JWT", the access token header typ "at+jwt". Decoding the id_token payload (base64url) gives:
{"nbf":1598082848,"exp":1598083148,"iss":"http://localhost:5001","aud":"js","iat":1598082848,"at_hash":"EASQBW0f0BbudQfLFhp3tQ","s_hash":"GjgFqiLvPtm1Nz4BY-Y7fA","sid":"0FE2C81972ACA9F89A78F98263E4B58C","sub":"78a1629c-7f49-4615-9bb1-95d9140cabb1","auth_time":1598082848,"idp":"local","amr":["pwd"]}
Before trusting it the client verifies the signature against jwks_uri, checks iss, aud and the nbf/exp window, and checks that s_hash matches the state it sent and at_hash matches the access token it received (both are the base64url-encoded left half of the SHA-256 of the value).
8. Call the userinfo endpoint
url: http://localhost:5001/connect/userinfo
Authorization: Bearer [AccessToken]
Response:
{"name":"myname","perm":["order_create","order_modify"],"sub":"422c9c45-002e-4761-b681-89cfd6efad5f"}
name is a standard profile claim, perm is a custom claim, and sub identifies the user. Note that the sub here (422c9c45-…) differs from the sub in the id_token above (78a1629c-…); OIDC Core requires the client to verify that the userinfo sub matches the id_token sub, so a userinfo response with this sub cannot be accepted together with that id_token.