Authentication and authorization process of OAuth2.0
The three parties involved in the authentication and authorization process include:

1. Service provider: the party with which users store their protected resources, such as photos, videos and contact lists.

2. User: the owner of the protected resources stored at the service provider.

3. Client: a third-party application, usually a website, that wants to access resources held by the service provider, for example a site offering photo printing services. Before the authentication process begins, the client must register with the service provider to obtain a client identity.

The process of authentication and authorization using OAuth is as follows:

1. The user wants to operate on resources stored at the service provider.

2. The user logs in to the client, and the client requests a temporary token from the service provider.

3. After verifying the client's identity, the service provider issues a temporary token.

4. Holding the temporary token, the client redirects the user to the service provider's authorization page and asks for the user's authorization. In this step the client's temporary token and callback URL are sent to the service provider.

5. The user enters their user name and password on the service provider's page and then authorizes the client to access the requested resources.

6. After successful authorization, the service provider redirects the user back to the client's page.

7. The client requests an access token from the service provider, presenting the temporary token.

8. The service provider issues the access token to the client on the basis of the temporary token and the user's authorization.

9. The client uses the access token it obtained to access the protected resources stored at the service provider.

OAuth 1.0 was released at the end of February 2007 and quickly became an industry standard.

In June 2008, OAuth 1.0 Revision A was released; it is a slightly modified version, mainly intended to fix a security vulnerability.

In April 2010, OAuth 1.0 was finally published by the IETF as RFC 5849.

The OAuth 2.0 draft was released at the IETF in early May 2011.
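The temporary-token flow listed above, simulated end to end as an added example (this is not code from the original page). The service provider is modelled as an in-memory Python class; the client id "printshop", the callback URL, the user "alice" and the photo list are constructed sample values, and the rules that a temporary token is single-use and bound to the client that requested it are assumed service-provider behaviour.

```python
import secrets


class ServiceProvider:
    """Toy service provider with constructed in-memory state (clients, tokens, resources)."""

    def __init__(self):
        self.clients = {}        # client_id -> registered callback URL
        self.temp_tokens = {}    # temporary token -> {"client_id", "user"}
        self.access_tokens = {}  # access token -> user whose resources it unlocks
        self.resources = {"alice": ["photo1.jpg", "photo2.jpg"]}  # constructed

    def register_client(self, client_id, callback):
        self.clients[client_id] = callback  # done once, before any flow starts

    def issue_temporary_token(self, client_id):
        # Steps 2-3: only a registered client is granted a temporary token.
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        token = secrets.token_urlsafe(16)
        self.temp_tokens[token] = {"client_id": client_id, "user": None}
        return token

    def authorize(self, temp_token, user):
        # Steps 4-6: the logged-in user approves this token at the provider,
        # which then redirects to the client's registered callback URL.
        entry = self.temp_tokens[temp_token]
        entry["user"] = user
        return self.clients[entry["client_id"]]

    def exchange(self, client_id, temp_token):
        # Steps 7-8: the temporary token is consumed (single use, assumed) and
        # must have been authorized by a user for exactly this client.
        entry = self.temp_tokens.pop(temp_token, None)
        if entry is None or entry["client_id"] != client_id or entry["user"] is None:
            raise PermissionError("temporary token not authorized for this client")
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = entry["user"]
        return token

    def get_resources(self, access_token):
        # Step 9: protected resources are served only for a valid access token.
        user = self.access_tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return list(self.resources[user])


def run_flow(sp, client_id="printshop", user="alice"):
    # Client side of the flow; returns the callback URL and the fetched resources.
    temp = sp.issue_temporary_token(client_id)
    callback = sp.authorize(temp, user)
    access = sp.exchange(client_id, temp)
    return callback, sp.get_resources(access)
```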

OAuth is a security protocol that enables users to authorize third-party applications to access their web resources without revealing their passwords to those applications.

OAuth 2.0 is a completely new protocol that is not backward compatible with earlier versions. It does, however, retain the same overall architecture as the earlier OAuth.

The draft is based on the requirements and goals gathered for OAuth 2.0 during a year-long discussion whose participants came from well-known companies across the industry, including Yahoo!, Facebook, Salesforce, Microsoft, Twitter, Deutsche Telekom, Intuit, Mozilla and Google.

OAuth 2.0 introduces several new flows:

1. User-agent flow: the client runs inside a user agent (usually a web browser).

2. Web server flow: the client is part of a web server application and is reached through HTTP requests; this is a simplified version of the flow provided by OAuth 1.0.

3. Device flow: for clients running on devices with limited input capabilities, where the end user authorizes separately through a browser on another computer or device.

4. Username and password flow: for the case where the user trusts the client to handle their credentials but still does not want the client to store the user name and password. This flow is only appropriate when the user places a high degree of trust in the client.

5. Client credentials flow: the client uses its own credentials to obtain an access token, which supports two-legged OAuth scenarios.

6. Assertion flow: the client exchanges an assertion, such as a SAML assertion, for an access token.

Native applications (programs running on desktop operating systems or mobile devices) can support OAuth by using several of the flows above.

Bearer token

OAuth 2.0 provides an authentication method that needs no cryptographic signatures, modelled on the existing cookie authentication architecture. The token itself is sent as the secret over HTTPS, replacing the signed requests built from an HMAC and a token secret; this lets cURL and other simple scripting tools make API calls without reproducing the original request-signing procedure.

Signature simplification:

Where signatures are still used, the signing mechanism is greatly simplified: no special parsing, encoding or sorting of parameters is needed, and the original two secrets are replaced by a single secret.
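An added example (not code from the original page) contrasting the two mechanisms described above: an OAuth 1.0-style HMAC-SHA1 request signature, which requires percent-encoding and sorting every parameter and an HMAC key built from two secrets, next to an OAuth 2.0 bearer token, which is simply placed in a header and compared on the server. The URL, parameter names and secrets are constructed sample values, and bearer_verify assumes the request arrived over HTTPS, since the bearer token itself is the only secret.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters are left as-is.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # OAuth 1.0 signing: every parameter is encoded, the pairs are sorted by
    # key then value and joined, and the result is encoded a second time.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def oauth1_sign(method, url, params, consumer_secret, token_secret):
    # Two secrets (client secret and token secret) are joined into the HMAC key.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth1_verify(method, url, params, consumer_secret, token_secret):
    # The server must repeat the exact same canonicalization before comparing.
    params = dict(params)
    received = params.pop("oauth_signature", "")
    expected = oauth1_sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


def bearer_header(access_token):
    # OAuth 2.0 bearer: the token itself is the secret and is sent unchanged,
    # so the transport (HTTPS) is all that keeps it confidential.
    return {"Authorization": f"Bearer {access_token}"}


def bearer_verify(headers, valid_tokens):
    # No parsing or sorting of request parameters: extract and compare.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return any(hmac.compare_digest(token, t) for t in valid_tokens)
```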

Short-lived tokens and long-lived credentials

The original OAuth issued tokens with a long validity period (typically one year, or no expiry at all). In OAuth 2.0, the server issues a short-lived access token together with a long-lived refresh token. This lets the client obtain a new access token without involving the user again, while still limiting the validity period of each access token.
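The short-lived access token plus long-lived refresh token arrangement, as an added example that is not code from the original page. The lifetimes, the injectable clock and the user "alice" are assumptions; the example also spends each refresh token when it is used (rotation), which goes beyond the text but means a replayed refresh token is caught on its second use.

```python
import secrets
import time

ACCESS_TTL = 3600         # short-lived access token, in seconds (assumed value)
REFRESH_TTL = 30 * 86400  # long-lived refresh token, in seconds (assumed value)


class AuthorizationServer:
    """Toy authorization server with constructed in-memory token state.
    `now` is injected so that expiry can be simulated without waiting."""

    def __init__(self, now=time.time):
        self.now = now
        self.access = {}   # access token -> (user, expires_at)
        self.refresh = {}  # refresh token -> (user, expires_at)

    def _grant(self, user):
        a, r = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.access[a] = (user, self.now() + ACCESS_TTL)
        self.refresh[r] = (user, self.now() + REFRESH_TTL)
        return {"access_token": a, "refresh_token": r, "expires_in": ACCESS_TTL}

    def issue_after_consent(self, user):
        # Issued once, after the user has authorized the client.
        return self._grant(user)

    def refresh_grant(self, refresh_token):
        # The client obtains a new access token with no user interaction.
        # The presented refresh token is spent here (rotation, an assumption
        # beyond the text), so reuse of a leaked one fails on the second try.
        entry = self.refresh.pop(refresh_token, None)
        if entry is None or entry[1] < self.now():
            raise PermissionError("refresh token invalid or expired: user must re-authorize")
        return self._grant(entry[0])

    def introspect(self, access_token):
        # Resource-server check: unknown or expired access tokens yield None.
        entry = self.access.get(access_token)
        if entry is None or entry[1] < self.now():
            return None
        return entry[0]
```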

Role separation

OAuth 2.0 splits the server side into two roles:

1. The authorization server is responsible for obtaining the user's authorization and issuing tokens.

2. The resource server is responsible for handling API calls.