oauth2.0笔记

2019独角兽企业重金招聘Python工程师标准>>>

 

规范地址：http://tools.ietf.org/html/rfc6749

1.oauth定义了4种角色：

资源所有者（resource owner）

资源服务器（resource server）

客户端 （ client ）

授权服务器（authorization server）

协议流：

+--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+

2.客户注册

客户端在 授权服务器上注册 一个唯一的标识符。

客户端密码，用法

Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

3.协议接口

两个授权服务器接点：

• 授权接点  - 用于客户端通过用户去获取授权，必须核对资源所有者的身份
• Token接点 - 用于客户端通过授权去交换acess token

一个客户端口:

• 重定向接点

4获得授权

4.1 Authorization Code Gran

授权接口

HTTP请求方式

GET/POST

请求参数

	必选	类型及范围	说明
client_id	true	string	申请应用时分配的,客户标识ID
redirect_uri	false	string	授权回调地址，可申请应用的适合填好，或者动态的传值。
response_type	true	string	必须为:"code"
scope	false	string
state	可选	string	推荐, 用于保持请求和回调的状态，在回调时，会在Query Parameter中回传该参数。

例子：

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
        &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
  Host: server.example.com

返回数据

返回值字段	字段类型	字段说明
code	string	用于调用access_token，接口获取授权后的access token。
state	string	如果传递参数，会回传该参数。

例子：

HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz

token接口

HTTP请求方式

POST

请求参数

	必选	类型及范围	说明
client_id	true	string	申请应用时分配的,客户标识ID
redirect_uri	true	string	回调地址，需需与注册应用里的回调地址一致
grant_type	true	string	请求的类型，填写authorization_code
code	true		调用authorize获得的code值

例子：

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"example",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
       "example_parameter":"example_value"
     }

4.2 Implicit Grant

response_type为"token"

4.3用户密码授权

access token request

参数：

grant_type
         REQUIRED.  Value MUST be set to "password".

   username
         REQUIRED.  The resource owner username.

   password
         REQUIRED.  The resource owner password.

   scope
         OPTIONAL.

例子：

POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=password&username=johndoe&password=A3ddj3

An example successful response:

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"example",
       "expires_in":3600,
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
       "example_parameter":"example_value"
     }

4.4客户端授权(Client Credentials Grant)

流程：

+---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+

                     Figure 6: Client Credentials Flow

access token request：

grant_type
         REQUIRED.  Value MUST be set to "client_credentials".

   scope
         OPTIONAL.

例子：

POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=client_credentials

An example successful response:

     HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",
       "token_type":"example",
       "expires_in":3600,
       "example_parameter":"example_value"
     }

4.5扩展(略)

5.Access Token

access token事例:

HTTP/1.1 200 OK
     Content-Type: application/json;charset=UTF-8
     Cache-Control: no-store
     Pragma: no-cache

     {
       "access_token":"2YotnFZFEjr1zCsicMWpAA",     //必须
       "token_type":"example",                      //必须
       "expires_in":3600,                           //推荐
       "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",    //可选 "example_parameter":"example_value"

}

6.刷新Access Token

request参数

grant_type     必须,直必须为"refresh_token"

refresh_token  必须

scope          可选

事例:

POST /token HTTP/1.1
     Host: server.example.com
     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
     Content-Type: application/x-www-form-urlencoded

     grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

参考：http://tools.ietf.org/html/rfc6750 

转载于:https://my.oschina.net/u/220934/blog/133537