oauth2
OAuth 2.0 is the open industry standard for authorization (RFC 6749). It aims to define clear, simple flows by which a client obtains limited access to a protected resource on behalf of the resource's owner. Note that it is an authorization protocol, not an authentication one: an access token expresses what the client may access, not who the user is.
protocol flow
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
A. The client requests authorization from the resource owner. The request can be made to the resource owner directly or, preferably, indirectly with the authorization server acting as intermediary.
B. The client receives an authorization grant: a credential representing the resource owner's authorization, expressed as one of the grant types defined below.
C. The client requests an access token from the authorization server by presenting the authorization grant and authenticating itself.
D. The authorization server authenticates the client, validates the authorization grant and, if it is valid, issues an access token.
E. The client requests the protected resource from the resource server, presenting the access token.
F. The resource server validates the access token and, if it is valid, serves the resource.
Authorization Grant Types
OAuth 2.0 defines four authorization grant types (plus an extension mechanism for defining additional ones):
1. Authorization Code
The authorization code grant is a redirection-based flow and the most complete and rigorous of the four. The client must be able to interact with the resource owner's user-agent (typically a browser) and to receive incoming requests, via redirection, from the authorization server. Because the access token is obtained in a direct back-channel exchange between the client and the authorization server, it never passes through the user-agent, and a confidential client can authenticate itself before the token is issued.
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
A. The client directs the resource owner's user-agent to the authorization endpoint, including its client identifier, the requested scope, a local state value and the redirection URI to which the authorization server should send the user-agent back.
B. The authorization server authenticates the resource owner (via the user-agent), and the resource owner decides whether to grant the client's request.
C. Assuming access is granted, the authorization server redirects the user-agent to the redirection URI from step A, appending the authorization code and the state value. The client must check that the state matches the one it generated before going any further.
D. The client exchanges the authorization code for a token at the token endpoint, sending the same redirection URI it used in step A and, if it is a confidential client, authenticating itself. This is a back-channel request that the user-agent never sees.
E. The authorization server authenticates the client, validates the code and checks that the redirection URI matches the one used in step C; if everything checks out it returns an access token and, optionally, a refresh token. An authorization code is short-lived and may be used only once.
2. Implicit
The implicit grant is a simplified flow that omits the authorization code step: the access token is returned to the user-agent directly, in the fragment of the redirection URI, and every step takes place in the user-agent. The token is therefore exposed to the user-agent (browser history, Referer headers and any script on the page), and the client is never authenticated. It was designed for browser-based public clients, but the OAuth 2.0 Security Best Current Practice now recommends against it in favour of the authorization code grant, which such clients can use as well.
     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier     +---------------+
     |         -+----(A)-- & Redirection URI --->|               |
     |  User-   |                                | Authorization |
     |  Agent  -|----(B)-- User authenticates -->|     Server    |
     |          |                                |               |
     |          |<---(C)--- Redirection URI ----<|               |
     |          |          with Access Token     +---------------+
     |          |            in Fragment
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<|               |
     |          |                                +---------------+
     +-|--------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     +---------+
     |         |
     |  Client |
     |         |
     +---------+
A. The client directs the resource owner's user-agent to the authorization endpoint, including its client identifier, the requested scope, a local state value and the redirection URI.
B. The authorization server authenticates the resource owner (via the user-agent), who grants or denies the request.
C. Assuming access is granted, the authorization server redirects the user-agent to the redirection URI provided earlier, placing the access token in the fragment (the part after #) of that URI.
D. The user-agent follows the redirection and requests the web-hosted client resource. User-agents never send the fragment, so the access token is not part of this request.
E. The web-hosted client resource returns a web page (typically an HTML document with an embedded script) that can read the full redirection URI, including the fragment retained by the user-agent, and extract the access token from it.
F. The user-agent executes that script locally and extracts the access token from the fragment.
G. The user-agent passes the access token to the client.
3. Resource Owner Password Credentials
In the password grant the resource owner gives their username and password directly to the client, and the client uses them to request an access token from the authorization server. The client must not store the password: it must discard the credentials as soon as it has obtained an access token. This grant is only suitable for highly trusted clients (such as a first-party application or the device's operating system) when no other grant is viable, and it is not recommended in general.
     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+
A. The resource owner provides their username and password to the client.
B. The client presents those credentials to the token endpoint of the authorization server, authenticating itself as well if it is a confidential client, and requests an access token.
C. The authorization server authenticates the client, validates the resource owner's credentials and returns an access token, optionally together with a refresh token.
4. Client Credentials
In the client credentials grant the client, registered beforehand with the authorization server, obtains an access token using only its own credentials and then accesses the resource server on its own behalf (for resources under its own control) rather than on behalf of a user. Only confidential clients, i.e. clients able to keep a secret and authenticate themselves, can use this grant.
     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+
A. The client authenticates to the authorization server (for example with HTTP Basic authentication using its client identifier and secret) and requests an access token from the token endpoint.
B. The authorization server authenticates the client and returns an access token. A refresh token should not be issued for this grant, since the client can always re-authenticate itself.
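The four grant types above, as one added worked example in Python (not code from the page or from RFC 6749): a minimal in-memory authorization server that implements the authorization endpoint (the code and implicit responses) and the token endpoint (the authorization_code, password and client_credentials grants), plus one client-side function per grant that drives it. Everything in it is constructed for the example: the client registrations, the user "alice" and her password, the redirect URIs, the 60-second code lifetime, and the in-process stand-ins for HTTP (the `basic_auth` tuple plays the role of an HTTP Basic Authorization header, and the returned strings play the role of 302 Location headers). The checks it performs (state, redirect URI binding, single-use codes, client authentication) go slightly beyond the step lists above but are the ones RFC 6749 requires.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed client registrations (done out of band before any flow runs).
# A secret of None marks a public client, which cannot authenticate itself.
CLIENTS = {
    "web-app": {"secret": "web-app-secret", "redirect_uris": {"https://app.example/cb"}},
    "spa": {"secret": None, "redirect_uris": {"https://spa.example/cb"}},
}
USERS = {"alice": "correct horse battery staple"}  # constructed resource owner


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # authorization code -> what it is bound to (single use)
        self.tokens = {}  # access token -> {client_id, sub, scope}, as a resource server would see it

    def _issue(self, client_id, sub, scope, with_refresh):
        tok = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
               "expires_in": 3600, "scope": scope}
        if with_refresh:
            tok["refresh_token"] = secrets.token_urlsafe(24)
        self.tokens[tok["access_token"]] = {"client_id": client_id, "sub": sub, "scope": scope}
        return tok

    def _authenticate_client(self, form, basic_auth):
        # Confidential clients authenticate with HTTP Basic; public ones only send client_id.
        client_id = basic_auth[0] if basic_auth else form.get("client_id")
        client = CLIENTS.get(client_id)
        if client is None or (client["secret"] is not None and not (
                basic_auth and secrets.compare_digest(basic_auth[1], client["secret"]))):
            return None, None
        return client_id, client

    def authorize(self, params, user):
        """Authorization endpoint (steps A-C); `user` has already authenticated and consented."""
        client = CLIENTS.get(params.get("client_id"))
        redirect_uri = params.get("redirect_uri")
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri: do not redirect")
        scope, state = params.get("scope", ""), params.get("state", "")
        if params.get("response_type") == "token":  # implicit grant: token in the fragment
            tok = self._issue(params["client_id"], user, scope, with_refresh=False)
            return redirect_uri + "#" + urlencode({**tok, "state": state})
        code = secrets.token_urlsafe(16)  # response_type=code: short-lived, single use, bound
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": redirect_uri,
                            "sub": user, "scope": scope, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, form, basic_auth=None):
        """Token endpoint for the three grants that use it."""
        client_id, client = self._authenticate_client(form, basic_auth)
        if client is None:
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)  # pop: a code works only once
            if (rec is None or rec["expires"] < time.time() or rec["client_id"] != client_id
                    or rec["redirect_uri"] != form.get("redirect_uri")):
                return {"error": "invalid_grant"}
            return self._issue(client_id, rec["sub"], rec["scope"], with_refresh=True)
        if grant == "password":
            pw = USERS.get(form.get("username", ""))
            if pw is None or not secrets.compare_digest(pw, form.get("password", "")):
                return {"error": "invalid_grant"}
            return self._issue(client_id, form["username"], form.get("scope", ""), with_refresh=True)
        if grant == "client_credentials":
            if client["secret"] is None:  # public clients cannot use this grant
                return {"error": "unauthorized_client"}
            return self._issue(client_id, client_id, form.get("scope", ""), with_refresh=False)
        return {"error": "unsupported_grant_type"}


# Client side: one function per grant type, each driving the server above.
def authorization_code_flow(srv):
    state = secrets.token_urlsafe(8)  # tied to this user-agent session: CSRF defence
    location = srv.authorize({"response_type": "code", "client_id": "web-app", "scope": "read",
                              "redirect_uri": "https://app.example/cb", "state": state}, user="alice")
    q = parse_qs(urlsplit(location).query)  # step C: the user-agent lands on the callback
    if q.get("state", [None])[0] != state:
        raise ValueError("state mismatch: possible CSRF")
    return srv.token({"grant_type": "authorization_code", "code": q["code"][0],  # step D
                      "redirect_uri": "https://app.example/cb"}, basic_auth=("web-app", "web-app-secret"))

def implicit_flow(srv):
    state = secrets.token_urlsafe(8)
    location = srv.authorize({"response_type": "token", "client_id": "spa", "scope": "read",
                              "redirect_uri": "https://spa.example/cb", "state": state}, user="alice")
    parts = urlsplit(location)
    request_sent = parts._replace(fragment="").geturl()  # step D: the fragment stays in the browser
    frag = parse_qs(parts.fragment)  # step F: page script extracts the token from the fragment
    if frag.get("state", [None])[0] != state:
        raise ValueError("state mismatch: possible CSRF")
    return request_sent, frag["access_token"][0]

def password_flow(srv, username, password):  # credentials are forwarded once, never stored
    return srv.token({"grant_type": "password", "username": username, "password": password,
                      "scope": "read"}, basic_auth=("web-app", "web-app-secret"))

def client_credentials_flow(srv):
    return srv.token({"grant_type": "client_credentials", "scope": "report:read"},
                     basic_auth=("web-app", "web-app-secret"))
```

Points to observe when running it: the state value is generated per user-agent session and checked on return; an authorization code is consumed on first presentation, expires after 60 seconds and is bound to both the client that requested it and the redirect URI that started the flow, so presenting it with a different redirect URI fails and also burns the code; the implicit path returns the token in the fragment, which the user-agent strips before requesting the web-hosted client resource; and the client credentials grant refuses public clients, records the client itself as the subject of the token, and issues no refresh token.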