OAuth2

1       INTRODUCTION

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

2       ABSTRACT PROTOCOL FLOW

3       GRANT TYPE

  • Authorization code
  • Implicit
  • Resource Owner Password Credentials (user name / password)
  • Client Credentials

3.1     Authorization Code

3.1.1   Scenario

  • Public network: the client exchanges the code with the token endpoint server-to-server, so the access token never passes through the user-agent
  • High security: the client can keep a secret, and a leaked authorization code is useless without it

3.1.2  Application Registration

  • Application Name
  • Application Website
  • Redirect URI or Callback URL

3.1.3 Client ID and Client Secret

  • ID: public identifier of the app
  • Secret: shared secret between the app and the authorization server, used to authenticate the app at the token endpoint; it must stay on the server side and never be shipped inside a browser or mobile app

3.1.4   Flow

3.1.5  Sample

3.2     Implicit

The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the confidentiality of the client secret cannot be guaranteed. It is also a redirection-based flow, but the access token is handed to the user-agent (in the URL fragment) to forward to the application, so it may be exposed to the user and to other applications on the user's device. This flow also does not authenticate the identity of the application and relies on the redirect URI registered with the service to serve that purpose. For these reasons the OAuth 2.0 Security Best Current Practice recommends the authorization code grant with PKCE instead of the implicit grant for such clients.

3.2.1   Scenario

  • Local Network 
  • Low Security

3.2.2    Flow

3.3   Resource Owner Password Credentials

  • Highly trusted (first-party) clients only: the user types the user name and password into the application itself, which then sends them to the token endpoint
  • Deprecated by the OAuth 2.0 Security Best Current Practice, because the client sees the password and the flow does not accommodate multi-factor authentication or a consent step

3.4   Client Credentials

  • No frontend and no resource owner: the client acts on its own behalf (machine-to-machine)
  • The token is obtained directly from the token endpoint with the client id and secret

4   Others     

4.1  Session Id and Token

A session id list is maintained by the server. Behind a load balancer every node must see the same session store (or the balancer must pin each user to one node with sticky sessions), which is a synchronisation problem.

A self-contained token does not have it: any node that holds the verification key can validate the token without looking anything up. The trade-off is that such a token cannot be revoked before it expires, so its lifetime should be short.

4.2 Token and Refresh token

Access tokens carry an expiry time. Once a token has expired, the client obtains a new one with the refresh token, without sending the user back through the login and consent step. The refresh token is long-lived and must therefore be stored securely and, ideally, rotated on each use so that a leaked copy is detected.

4.3 Client registration

Registration binds the client id, the client secret and the redirect URI together. Another application that illegally obtains an authorization code still cannot exchange it for an access token, because the token endpoint checks the client credentials and the redirect URI against the registration before it issues a token.

5   Q & A     

5.1   Is the URL protected by HTTPS?

The domain name is not: it is sent in clear to the DNS server to resolve the IP address, and it also appears in clear in the TLS handshake (the SNI extension) unless Encrypted Client Hello is in use.

The path and query string are: they travel only inside the TLS connection.

5.2 Why is local storage used?

Its size limit is larger than a cookie's.

It is also persistent across browser restarts.

The caveat: anything in local storage is readable by every script that runs on the origin, so an XSS bug hands the token to the attacker. On the other hand it is not attached to requests automatically, so it does not enable CSRF the way a cookie does.

5.3  Why is the implicit grant used when the token lives in the browser?

 It is used on low-security networks and for clients that cannot keep a secret.

 https://***#token=? The token is placed in the URL fragment (#token), and the fragment is never sent over the network: the browser strips it from the request, so only client-side script in the page can read it.
