Spec: http://tools.ietf.org/html/rfc6749
1. OAuth defines four roles:
- resource owner
- resource server
- client
- authorization server
Protocol flow:

```
+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+
```
2. Client registration
The client registers with the authorization server and is issued a unique identifier.
Client password (client secret), used as HTTP Basic credentials:

```
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
```
3. Protocol endpoints
Two authorization server endpoints:
- Authorization endpoint - used by the client to obtain authorization from the resource owner; the authorization server must verify the resource owner's identity
- Token endpoint - used by the client to exchange an authorization grant for an access token
One client endpoint:
- Redirection endpoint
4. Obtaining authorization
4.1 Authorization Code Grant
Authorization endpoint
HTTP method: GET/POST
Request parameters

Parameter | Required | Type | Description
---|---|---|---
client_id | true | string | Client identifier assigned when the application was registered
redirect_uri | false | string | Authorization callback URI; may be set when registering the application or passed dynamically
response_type | true | string | Must be "code"
scope | false | string | |
state | optional | string | Recommended; preserves state between the request and the callback, and is returned as a query parameter on the callback

Example:

```
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
```
Response

Field | Type | Description
---|---|---
code | string | Authorization code, passed to the token endpoint to obtain an access token
state | string | Returned if it was passed in the request

Example:

```
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
```
Token endpoint
HTTP method: POST
Request parameters

Parameter | Required | Type | Description
---|---|---|---
client_id | true | string | Client identifier assigned when the application was registered
redirect_uri | true | string | Callback URI; must match the callback URI of the registered application
grant_type | true | string | Type of request; set to authorization_code
code | true | string | The code obtained from the authorize call

Example:

```
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
```

```
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
```
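An added example (not RFC text and not from the original notes): a minimal token endpoint handler for the authorization_code grant, showing the checks the section above implies. It authenticates the client from the HTTP Basic header, redeems the code once only, and rejects a code issued to another client, an expired code, or a redirect_uri that differs from the one used at /authorize. The registered client, the secret (decoded from the page's Basic header) and the outstanding code are constructed in-memory state.

```python
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed server-side state using the RFC 6749 example values shown on this page;
# "gX1fBat3bV" is the secret the page's Basic header czZCaGRSa3F0MzpnWDFmQmF0M2JW decodes to.
CLIENTS = {"s6BhdRkqt3": {"secret": "gX1fBat3bV"}}
CODES = {"SplxlOBeZQQYbYS6WxSbIA": {"client_id": "s6BhdRkqt3", "expires": time.time() + 600,
                                    "redirect_uri": "https://client.example.com/cb"}}
TOKEN_HEADERS = {"Content-Type": "application/json;charset=UTF-8",
                 "Cache-Control": "no-store", "Pragma": "no-cache"}

def authenticate_client(headers):
    """HTTP Basic client authentication (section 2). Returns the client_id or None."""
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(cred, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    client = CLIENTS.get(user)
    # Constant-time compare, done even for unknown clients so timing does not leak registered ids.
    ok = hmac.compare_digest((client["secret"] if client else "").encode(), pw.encode())
    return user if client and ok else None

def token_endpoint(headers, body):
    """Token endpoint for grant_type=authorization_code; returns (status, headers, json body)."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"WWW-Authenticate": "Basic"}, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "authorization_code":
        return 400, TOKEN_HEADERS, {"error": "unsupported_grant_type"}
    grant = CODES.pop(form.get("code", ""), None)  # pop: a code is redeemed at most once
    if (grant is None or grant["client_id"] != client_id          # issued to another client
            or grant["expires"] < time.time()                      # expired
            or grant["redirect_uri"] != form.get("redirect_uri")):  # differs from the /authorize request
        return 400, TOKEN_HEADERS, {"error": "invalid_grant"}
    return 200, TOKEN_HEADERS, {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}

# The page's token request, replayed against the handler.
REQ_HEADERS = {"Authorization": "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW"}
REQ_BODY = ("grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA"
            "&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb")
```

Calling `token_endpoint(REQ_HEADERS, REQ_BODY)` once returns 200 with a Bearer token; the same call a second time returns 400 invalid_grant, because the code was consumed.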
4.2 Implicit Grant
response_type is "token"
4.3 User password grant (Resource Owner Password Credentials)
Access token request
Parameters:
- grant_type: REQUIRED. Value MUST be set to "password".
- username: REQUIRED. The resource owner username.
- password: REQUIRED. The resource owner password.
- scope: OPTIONAL.

Example:

```
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3
```

An example successful response:

```
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
```
4.4 Client Credentials Grant
Flow:

```
+---------+                                  +---------------+
|         |                                  |               |
|         |>--(A)- Client Authentication --->| Authorization |
| Client  |                                  |     Server    |
|         |<--(B)---- Access Token ---------<|               |
|         |                                  |               |
+---------+                                  +---------------+
```

Figure 6: Client Credentials Flow

Access token request:
- grant_type: REQUIRED. Value MUST be set to "client_credentials".
- scope: OPTIONAL.

Example:

```
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
```

An example successful response:

```
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "example_parameter":"example_value"
}
```
4.5 Extension grants (omitted)
5. Access Token
Access token example:

```
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",    // required
  "token_type":"example",                       // required
  "expires_in":3600,                            // recommended
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",    // optional
  "example_parameter":"example_value"
}
```
6. Refreshing an Access Token
Request parameters
- grant_type: required, value must be "refresh_token"
- refresh_token: required
- scope: optional

Example:

```
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
```
Reference: http://tools.ietf.org/html/rfc6750