OAuth 2.0 is an authorization protocol that serves three parties: users, the platform that holds their data, and third-party developers. It resembles CAS in that the user signs in at one central service, but in OAuth the platform's authorization server is the party that authenticates the user and issues a token; the third-party application only receives that token (delegated access) and never sees the user's password.
Benefits:
Users skip a separate registration and login for every service, which simplifies their experience;
The platform simplifies things for its users, which helps attract them; it can concentrate on its core service while third-party applications extend its ecosystem and bring in traffic;
Third-party developers gain capabilities they did not have to build themselves, effectively widening their business scope and the reach of their own service;
Roles
client, authorization server, resource server, and resource owner
client: the third-party application that wants access
resource owner: the user who owns the data and grants access to it
resource server: the API that hosts the user's protected resources and accepts access tokens
authorization server: the service that authenticates the user, collects consent, decides whether a client may access the resource server, and issues tokens. It can be the same service as the resource server, but in large deployments it is usually a separate service.
Application registration
A prerequisite step before any authorization flow can run.
- Register the application's basic information: application name, website, logo, etc.
- Configure the redirect URI(s) (for web server, browser-based, or mobile apps). The authorization server will only deliver authorization codes to URIs registered here, so register exact URIs rather than prefixes or wildcards; a loosely matched redirect URI is what lets an attacker receive someone else's code.
- Receive a Client ID and Client Secret. The client ID is the public identifier of the application; the client secret is its credential and must only be issued to clients that can keep it confidential (server-side apps), never embedded in browser or mobile code.
Authorization flows
- Grant types
Authorization Code for apps running on a web server, browser-based and mobile apps
Password for logging in with a username and password (only for first-party apps; discouraged by the OAuth 2.0 Security Best Current Practice and removed from OAuth 2.1)
Client credentials for application access without a user present
Implicit was previously recommended for clients without a secret, but has been superseded by using the Authorization Code grant with PKCE.
Web server app authorization
Web server applications run on a server the user cannot inspect, so they can keep the client secret confidential and authenticate to the token endpoint with it (a confidential client). PKCE, described below for public clients, is recommended for confidential clients as well, but the flow shown here is the plain authorization code grant.
Web server app authorization flow
Steps:
- The client redirects the user to the authorization server with an authorization request
- The user signs in at the authorization server and grants access
- The authorization server returns an authorization code, which the client exchanges for an access token
Request format:
Authorization request (the URL the user's browser is sent to)
https://authorization-server.com/auth?response_type=code&
client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx
response_type=code - Indicates that your server expects to receive an authorization code
client_id - The client ID you received when you first created the application
redirect_uri - Indicates the URI to return the user to after authorization is complete
scope - One or more scope values indicating which parts of the user's account you wish to access
state - A random string generated by your application and tied to the user's session, which you'll verify when the user is redirected back; a mismatch means the code was not requested by this user and must be discarded (CSRF protection)
After the user grants access, the authorization server redirects the browser back to the redirect URI with an authorization code
https://example-app.com/cb?code=AUTH_CODE_HERE&state=1234zyx
code - The server returns the authorization code in the query string
state - The server returns the same state value that you passed
Exchanging the code for an access token (a server-to-server POST with a form-encoded body)
POST https://api.authorization-server.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET
grant_type=authorization_code - The grant type for this flow is authorization_code
code=AUTH_CODE_HERE - This is the code you received in the query string
redirect_uri=REDIRECT_URI - Must be identical to the redirect URI provided in the original link
client_id=CLIENT_ID - The client ID you received when you first created the application
client_secret=CLIENT_SECRET - Since this request is made from server-side code, the secret is included
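The three steps above as a client-side implementation, added here as an example; it is not code from the original page or from any OAuth library. It uses the placeholder endpoints, client_id, client_secret and redirect URI shown on this page, a dict stands in for the user's server-side session, and no network call is made: the token request is only built. The point it demonstrates is the state check: a callback whose state does not match the value stored in this user's session is discarded, which is what prevents an attacker from injecting their own authorization code into a victim's session.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders from this page; the endpoints are not a real authorization server.
AUTHORIZATION_ENDPOINT = "https://authorization-server.com/auth"
TOKEN_ENDPOINT = "https://api.authorization-server.com/token"
CLIENT_ID = "CLIENT_ID"
CLIENT_SECRET = "CLIENT_SECRET"
REDIRECT_URI = "https://example-app.com/cb"


def start_authorization(session, scope="photos"):
    """Step 1: build the URL the user's browser is redirected to.

    `session` stands in for this user's server-side session (a dict here).
    state is a fresh random value stored in that session; the callback handler
    will only accept a code that comes back with the same value."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Step 2: validate the redirect back and extract the authorization code.

    The stored state is consumed (pop) so it cannot be reused, compared in
    constant time, and checked before anything else, including the error
    parameter. A mismatch means this code was not requested by this user and
    must be discarded (CSRF / authorization-code injection)."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    query = parse_qs(parts.query, keep_blank_values=True)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(
        expected.encode("utf-8"), received.encode("utf-8")
    ):
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise ValueError(f"authorization server returned error={query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("callback is missing the authorization code")
    return codes[0]


def token_request(code):
    """Step 3: the POST the server makes to the token endpoint.

    Returns (url, headers, form-encoded body). This runs server-to-server, so
    client_secret is included; redirect_uri must repeat the step-1 value exactly."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })
    return TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, body


if __name__ == "__main__":
    session = {}
    print("redirect the user to:", start_authorization(session))
    # Constructed callback, as if the authorization server had redirected the browser back.
    callback = f"{REDIRECT_URI}?code=AUTH_CODE_HERE&state={session['oauth_state']}"
    url, headers, body = token_request(handle_callback(session, callback))
    print("POST", url, headers, body)
    # A forged callback carrying an attacker's state value is rejected.
    start_authorization(session)
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=ATTACKER_CODE&state=1234zyx")
    except ValueError as err:
        print("rejected:", err)
```

In a real deployment the session dict is the framework's server-side session, and the body returned by token_request is posted over TLS; the authorization server's JSON response then carries the access token.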
Single-page apps and mobile apps
Single-page and mobile apps ship their code to the user's device, so they cannot hold a client secret; they are public clients and present nothing more than their client_id at the token endpoint. In place of a fixed secret, the app generates a fresh one-time secret for every authorization request using PKCE (Proof Key for Code Exchange). The authorization server does not verify a client secret in this flow; it issues the authorization code once the user approves. Because the authorization request and the token request are two separate HTTP requests, the server needs proof that the party redeeming the code is the same one that started the flow, and PKCE provides that proof.
PKCE works as follows: the app generates a random string of 43 to 128 characters (the code_verifier), hashes it with SHA-256 and encodes the hash as URL-safe base64 without padding (the code_challenge). Only the challenge is sent in the authorization request; the verifier stays on the device and is sent only in the token request. The server hashes the verifier it receives and compares the result with the challenge it stored alongside the code, so a code intercepted in transit is useless without the verifier.
- The client sends the authorization request (only the code_challenge leaves the device)
https://authorization-server.com/auth?response_type=code&
client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=photos&state=1234zyx&code_challenge=CODE_CHALLENGE&code_challenge_method=S256
response_type=code - Indicates that your server expects to receive an authorization code
client_id - The client ID you received when you first created the application
redirect_uri - Indicates the URI to return the user to after authorization is complete
scope - One or more scope values indicating which parts of the user's account you wish to access
state - A random string generated by your application, which you'll verify later
code_challenge - The URL-safe base64-encoded SHA256 hash of the code_verifier, without padding
code_challenge_method=S256 - Indicate which hashing method you used (S256)
- After the user grants access, the authorization server returns the authorization code
https://example-app.com/cb?code=AUTH_CODE_HERE&state=1234zyx
- The client exchanges the code for an access token, sending the code_verifier it generated before the authorization request (not the code_challenge, and no client secret)
POST https://api.authorization-server.com/token
grant_type=authorization_code&
code=AUTH_CODE_HERE&
redirect_uri=REDIRECT_URI&
client_id=CLIENT_ID&
code_verifier=CODE_VERIFIER
grant_type=authorization_code - The grant type for this flow is authorization_code
code=AUTH_CODE_HERE - This is the code you received in the query string
redirect_uri=REDIRECT_URI - Must be identical to the redirect URI provided in the original link
client_id=CLIENT_ID - The client ID you received when you first created the application
code_verifier=CODE_VERIFIER - The original random string; the server computes BASE64URL(SHA256(code_verifier)) and checks that it equals the code_challenge received in the authorization request before issuing a token
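PKCE end to end, covering both the client side (generating code_verifier and code_challenge) and what the authorization server stores with the code and checks at the token endpoint, written as an added example for this page; it is not code from the original page or from any OAuth library. The AuthorizationServer class is an in-memory stand-in with hypothetical method names, and the client_id and redirect URI are the placeholders used on this page. It also exercises the failure case the text motivates: a code redeemed with the wrong verifier is rejected, and every code is single-use.

```python
import base64
import hashlib
import secrets
import time

# Placeholders from this page; the server below is an in-memory stand-in,
# not a real authorization server.
CLIENT_ID = "CLIENT_ID"
REDIRECT_URI = "https://example-app.com/cb"


def make_code_verifier(nbytes=32):
    """Client side: a fresh random code_verifier for one authorization request.
    token_urlsafe(32) yields 43 characters from [A-Za-z0-9_-], inside the
    43..128 range RFC 7636 requires."""
    return secrets.token_urlsafe(nbytes)


def make_code_challenge(code_verifier):
    """Client side, method S256: BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Server side: the two endpoints PKCE touches (hypothetical method names)."""

    def __init__(self, registered_clients):
        self.clients = registered_clients   # client_id -> set of registered redirect URIs
        self.codes = {}                     # code -> what was bound to it when issued

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method):
        """Authorization endpoint, reached after the resource owner approved.
        The challenge is stored with the code; no client secret is checked."""
        if redirect_uri not in self.clients.get(client_id, ()):
            raise ValueError("invalid_request: unregistered redirect_uri")
        if code_challenge_method != "S256":
            raise ValueError("invalid_request: only S256 is accepted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "expires_at": time.time() + 60,   # codes are short-lived
        }
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint. The code is consumed on first use, success or not."""
        record = self.codes.pop(code, None)
        if record is None or record["expires_at"] < time.time():
            raise ValueError("invalid_grant: unknown, already used or expired code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant: code was issued to a different client or redirect_uri")
        if not 43 <= len(code_verifier) <= 128:
            raise ValueError("invalid_grant: code_verifier has an invalid length")
        if not secrets.compare_digest(make_code_challenge(code_verifier), record["code_challenge"]):
            raise ValueError("invalid_grant: code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server, verifier_presented=None):
    """Client side of one complete flow. Returns True when a token was issued.
    `verifier_presented` lets the caller redeem the code with a wrong verifier,
    i.e. play an attacker who intercepted the code but never saw the verifier."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # The authorization request carries only the challenge...
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256")
    try:
        # ...and the token request carries the verifier (and no client_secret).
        server.token(CLIENT_ID, code, REDIRECT_URI, verifier_presented or verifier)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    server = AuthorizationServer({CLIENT_ID: {REDIRECT_URI}})
    print("legitimate client:", run_flow(server))                               # True
    print("stolen code, wrong verifier:", run_flow(server, make_code_verifier()))  # False
```

The S256 transform can be checked against the test vector in RFC 7636 Appendix B: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must produce the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM. Rejecting the plain method and consuming the code even on a failed exchange are the two server-side choices that keep an intercepted code from being brute-forced or retried.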
Password grant
Suited only to first-party web and mobile apps, because the application itself collects the user's username and password and forwards them to the authorization server; a third-party app must never be trusted with raw credentials. The grant is discouraged by the OAuth 2.0 Security Best Current Practice and removed from OAuth 2.1, so prefer the authorization code grant with PKCE even for first-party apps.
Flow
- The app sends the username and password to the token endpoint (grant_type=password)
- The authorization server returns an access token.
Application access (client credentials)
The application itself acts as a special kind of user: with no user present, it exchanges its registered client_id and client_secret directly for an access token. The token represents the application, not any resource owner, so this grant is for machine-to-machine access by confidential clients only.
POST https://api.authorization-server.com/token
grant_type=client_credentials&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET