理解 OAuth2 协议

OAuth2 协议

协议角色和流程

  1. 资源所有者(resource owner)
  2. 客户端/第三方应用(client)
  3. 资源服务器(resource server)
  4. 授权服务器(authorization server)
    +--------+                               +---------------+
    |        |--(A)- Authorization Request ->|   Resource    |
    |        |                               |     Owner     |
    |        |<-(B)-- Authorization Grant ---|               |
    |        |                               +---------------+
    |        |
    |        |                               +---------------+
    |        |--(C)-- Authorization Grant -->| Authorization |
    | Client |                               |     Server    |
    |        |<-(D)----- Access Token -------|               |
    |        |                               +---------------+
    |        |
    |        |                               +---------------+
    |        |--(E)----- Access Token ------>|    Resource   |
    |        |                               |     Server    |
    |        |<-(F)--- Protected Resource ---|               | 
    +--------+                               +---------------+

               Figure 1: Abstract Protocol Flow
OAuth2 协议

OAuth 授权

  • 应用名称
  • 应用网站
  • 重定向 URI 或回调 URL(redirect_uri)
  • 客户端标识 client_id
  • 客户端密钥 client_secret

授权所需信息

OAuth2 协议

OAuth 授权方式

     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)

授权码模式(authorization code)

OAuth2 协议

OAuth 授权方式

授权码模式(authorization code)参数

字段 描述
response_type 必须,固定为 code,表示这是一个授权码请求。
client_id 必须,在授权服务器注册应用后得到的唯一标识
redirect_uri 可选,通过客户端注册的重定向 URI(一般要求且与注册时一致)。
scope 可选,请求资源范围,多个空格隔开。
state 可选(推荐),如果存在,原样返回给客户端。
OAuth2 协议

OAuth 授权方式

 +--------+                                           +---------------+
 |        |--(A)------- Authorization Grant --------->|               |
 |        |                                           |               |
 |        |<-(B)----------- Access Token -------------|               |
 |        |               & Refresh Token             |               |
 |        |                                           |               |
 |        |                            +----------+   |               |
 |        |--(C)---- Access Token ---->|          |   |               |
 |        |                            |          |   |               |
 |        |<-(D)- Protected Resource --| Resource |   | Authorization |
 | Client |                            |  Server  |   |     Server    |
 |        |--(E)---- Access Token ---->|          |   |               |
 |        |                            |          |   |               |
 |        |<-(F)- Invalid Token Error -|          |   |               |
 |        |                            +----------+   |               |
 |        |                                           |               |
 |        |--(G)----------- Refresh Token ----------->|               |
 |        |                                           |               |
 |        |<-(H)----------- Access Token -------------|               |
 +--------+           & Optional Refresh Token        +---------------+

              Figure 2: Refreshing an Expired Access Token

Refresh Token

OAuth2 协议
 +----------+
 | Resource |
 |  Owner   |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier     +---------------+
 |         -+----(A)-- & Redirection URI --->|               |
 |  User-   |                                | Authorization |
 |  Agent  -|----(B)-- User authenticates -->|     Server    |
 |          |                                |               |
 |          |<---(C)--- Redirection URI ----<|               |
 |          |          with Access Token     +---------------+
 |          |            in Fragment
 |          |                                +---------------+
 |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
 |          |          without Fragment      |     Client    |
 |          |                                |    Resource   |
 |     (F)  |<---(E)------- Script ---------<|               |
 |          |                                +---------------+
 +-|--------+
   |    |
  (A)  (G) Access Token
   |    |
   ^    v
   +---------+
   |         |
   |  Client |
   |         |
   +---------+

                Figure 4: Implicit Grant Flow

简化模式(implicit grant)

OAuth2 协议

OAuth 授权方式

     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+

            Figure 5: Resource Owner Password Credentials Flow

密码模式

Resource Owner Password Credentials Grant

OAuth2 协议

OAuth 授权方式

     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+

                     Figure 6: Client Credentials Flow

客户端模式

(Client Credentials Grant)

OAuth2 协议

By biezhi

OAuth2 协议

  • 2,399