• OAuth2


    OAuth authentication is a protocol that serves users, the platform, and third-party developers. It is similar to CAS, but the actual authentication work is supplied by the third-party developer.

    Advantages:

    Users avoid registering separately with each service, which simplifies what they have to do;
    The platform simplifies the user's workflow, which helps attract users: it provides only its core service, extends its ecosystem, and increases traffic;
    Third-party developers extend their business capability, effectively widening their own scope and increasing the reach of their own services;
    

    Roles

    client, authorization server, resource server, and resource owner

    client: the third-party client
    resource owner: the user
    resource server: the API the user accesses
    authorization server: the service that decides whether the user is allowed to access the resource server. It can be the same service as the resource server, but in large deployments it is usually a separate service.

    Service registration

    The prerequisite step before the authentication flow.

    • Register the basic information of the application

      application name, website, logo, etc.

    • Configure the redirect URI

      redirect URI (web server, browser-based, or mobile apps)

    • Obtain a Client ID and Secret

      The core identifier of the registered application, used by the authorization server to recognise it

    Authentication

    • Grant types
    Authorization Code for apps running on a web server, browser-based and mobile apps
    Password for logging in with a username and password (only for first-party apps)
    Client credentials for application access without a user present
    Implicit was previously recommended for clients without a secret, but has been superseded by using the Authorization Code grant with PKCE.
    

    Web Server Apps authentication

    Web server applications keep their source code hidden from the outside, so they can authenticate with a client secret.

    Web server apps auth flow

    Authentication flow:

    1. The client requests authorization
    2. The user grants it
    3. The authorization server issues an access token

    Request format:

    The client requests authorization

    https://authorization-server.com/auth?response_type=code&
      client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx
    
    response_type=code - Indicates that your server expects to receive an authorization code
    client_id - The client ID you received when you first created the application
    redirect_uri - Indicates the URI to return the user to after authorization is complete
    scope - One or more scope values indicating which parts of the user's account you wish to access
    state - A random string generated by your application, which you'll verify later
    

    After the user authorizes, the authorization server returns the authorization code

    https://example-app.com/cb?code=AUTH_CODE_HERE&state=1234zyx
    
    code - The server returns the authorization code in the query string
    state - The server returns the same state value that you passed
    

    Obtaining the access token

    POST https://api.authorization-server.com/token
      grant_type=authorization_code&
      code=AUTH_CODE_HERE&
      redirect_uri=REDIRECT_URI&
      client_id=CLIENT_ID&
      client_secret=CLIENT_SECRET
    
    grant_type=authorization_code - The grant type for this flow is authorization_code
    code=AUTH_CODE_HERE - This is the code you received in the query string
    redirect_uri=REDIRECT_URI - Must be identical to the redirect URI provided in the original link
    client_id=CLIENT_ID - The client ID you received when you first created the application
    client_secret=CLIENT_SECRET - Since this request is made from server-side code, the secret is included
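    The three requests above, as an added example written for this page (it is not code from the original post or from aaronparecki.com). It shows the client side of the web server flow: building the /auth URL with a fresh state, checking that state when the browser comes back to the redirect URI (the check the text says "you'll verify later"), and assembling the /token body that is sent from server-side code only. The host names, CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are the post's placeholders, not real endpoints.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values from the post; substitute the real ones from registration.
AUTHORIZE_URL = "https://authorization-server.com/auth"
TOKEN_URL = "https://api.authorization-server.com/token"
CLIENT_ID = "CLIENT_ID"
CLIENT_SECRET = "CLIENT_SECRET"
REDIRECT_URI = "https://example-app.com/cb"


def new_state() -> str:
    """Unguessable per-request state; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, scope: str = "photos") -> str:
    """Step 1: the URL the web app redirects the user's browser to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the code out of the redirect back to REDIRECT_URI.

    The state must equal the one stored for this session; otherwise the
    callback was not started by us (or by this user) and is rejected.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback did not originate from our request")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str) -> dict:
    """Step 3: form body POSTed to TOKEN_URL from the server (secret included)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the one sent in step 1
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state))
    # Constructed callback, as the browser would deliver it after consent.
    code = parse_callback(f"{REDIRECT_URI}?code=AUTH_CODE_HERE&state={state}", state)
    print(build_token_request(code))
```

    The state check is the piece most often left out: without it an attacker can deliver their own authorization code to a victim's session and bind the victim's account to the attacker's resources.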
    

    Single-page applications and mobile apps

    Single-page applications and mobile apps expose their source code, so they cannot authenticate with a client secret. Instead, every time the client makes an authorization request it generates a one-time secret for that request, and the secret is produced with PKCE. The core idea of this approach is that no client secret is checked: as long as the user approves the request, a token is issued. Because the authorization request and the token request are two separate REST calls, the server has to determine that both come from the same requester, and that is what PKCE provides.

    PKCE is a way of generating that secret: a random string of 43-128 characters is SHA256-hashed and then base64-encoded, producing a string that serves as the request's key. Whoever holds that key is treated as the same requester.

    • The client requests authorization
    https://authorization-server.com/auth?response_type=code&
      client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx&code_challenge=CODE_CHALLENGE&code_challenge_method=S256
    
    response_type=code - Indicates that your server expects to receive an authorization code
    client_id - The client ID you received when you first created the application
    redirect_uri - Indicates the URI to return the user to after authorization is complete
    scope - One or more scope values indicating which parts of the user's account you wish to access
    state - A random string generated by your application, which you'll verify later
    code_challenge - The URL-safe base64-encoded SHA256 hash of the secret
    code_challenge_method=S256 - Indicate which hashing method you used (S256)
    
    • After the user authorizes, the authorization server returns the authorization code
    https://example-app.com/cb?code=AUTH_CODE_HERE&state=1234zyx
    
    • The client obtains the access token using the authorization code together with the PKCE secret it generated for the authorization request (the secret behind code_challenge)
    POST https://api.authorization-server.com/token
      grant_type=authorization_code&
      code=AUTH_CODE_HERE&
      redirect_uri=REDIRECT_URI&
      client_id=CLIENT_ID&
      code_verifier=CODE_VERIFIER
    
    grant_type=authorization_code - The grant type for this flow is authorization_code
    code=AUTH_CODE_HERE - This is the code you received in the query string
    redirect_uri=REDIRECT_URI - Must be identical to the redirect URI provided in the original link
    client_id=CLIENT_ID - The client ID you received when you first created the application
    code_verifier=CODE_VERIFIER - The original secret from which code_challenge was derived
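    The PKCE mechanism described above, as an added example for this page (not code from the original post or from aaronparecki.com). It generates the code_verifier and its S256 code_challenge exactly as the text describes, and pairs them with a constructed in-memory stand-in for the authorization server, so you can see what the server checks at /token: the code is single-use, client_id and redirect_uri must match the /auth request, and the hash of the presented code_verifier must equal the stored code_challenge. The AuthorizationServer class, its method names, and the "CLIENT_ID"/"https://example-app.com/cb" values are assumptions for the demonstration; real servers expose these as HTTP endpoints.

```python
import base64
import hashlib
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    """Random URL-safe string of 43-128 characters (RFC 7636); 32 bytes -> 43 chars."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed in-memory stand-in for the server side of the PKCE flow.

    authorize() models the /auth request (user consent is assumed to have been given);
    token() models the /token request. Nothing here talks to a real server.
    """

    def __init__(self):
        self._pending = {}  # authorization code -> what was stored at /auth time

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: str, code_challenge_method: str) -> str:
        if code_challenge_method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = secrets.token_urlsafe(24)
        # Remember who asked, where they are sent back to, and the challenge to verify later.
        self._pending[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
        }
        return code

    def token(self, grant_type: str, code: str, redirect_uri: str,
              client_id: str, code_verifier: str) -> dict:
        # pop() makes every code single-use: a replayed code finds no record.
        record = self._pending.pop(code, None)
        if grant_type != "authorization_code" or record is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        # The second request must name the same client and the same redirect target.
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: client_id/redirect_uri mismatch")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("invalid_grant: code_verifier length out of range")
        # Proof of possession: only the party that generated the verifier hashes to the stored challenge.
        if not secrets.compare_digest(make_code_challenge(code_verifier), record["code_challenge"]):
            raise PermissionError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    verifier = make_code_verifier()            # kept in the app's memory, never sent at /auth
    server = AuthorizationServer()
    code = server.authorize("CLIENT_ID", "https://example-app.com/cb",
                            make_code_challenge(verifier), "S256")
    print(server.token("authorization_code", code, "https://example-app.com/cb", "CLIENT_ID", verifier))
```

    Because only the hash travels in the first request, an attacker who intercepts the authorization code (for example through a malicious app registered for the same custom URL scheme) still cannot redeem it without the verifier, which is the whole point of using PKCE in place of a client secret.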
    

    Password grant

    Only suitable for the organisation's own web and mobile apps, because it requires handling the password information stored by the backend service.

    Authentication flow

    1. Submit the username and password to request authorization
    2. The access token is issued.

    Application access

    The application itself is treated as a special kind of user: it exchanges its registered client_id and client_secret directly for an access token

    POST https://api.authorization-server.com/token
    grant_type=client_credentials&
    client_id=CLIENT_ID&
    client_secret=CLIENT_SECRET

    References

    aaronparecki.com/oauth

  • Original article: https://www.cnblogs.com/chengmuyu/p/15056187.html