Get started with the OAuth protocol easily with a case
2022-08-10 05:13:00 【Xiaoyu love of programming】
OAuth (Open Authorization) is an open web standard for authorization. It lets a user authorize a third-party application to access information the user stores with another service provider, without handing the username and password to that third party (whether a website or a mobile app) and without sharing all of their data. OAuth is widely used around the world; the current version is 2.0.
Background
There is a program called "Credit Card Manager" (www.a.com) that can automatically read credit-card-related emails from a NetEase cloud mailbox, then analyze and summarize them into a report.
Password
How does "Credit Card Manager" access NetEase Cloud Mailbox?
- The user enters the account name and password directly, and "Credit Card Manager" uses them to read the contents of the NetEase cloud mailbox.
What is the problem?
- There is a trust problem: if you are just a small website, users will not dare to hand over such important account and password information to you.
token
How does "Credit Card Manager" access the NetEase cloud mailbox now? (See the overall process below.)
- The login page offers a new entry: log in with a NetEase account. After clicking it, the browser jumps to NetEase's authentication system, which asks you for your username and password and then asks whether to allow "Credit Card Manager" to access your mailbox.
- After you confirm, the browser is redirected back to the "Credit Card Manager" website carrying a token; with that token, the NetEase mailbox can be accessed through its API.
- The username and password are never involved in the process. The token is issued by the NetEase Authentication Center and represents the user's authorization for Credit Card Manager to access the mailbox, so whoever holds this token can access that mailbox.
Overall process
How does NetEase know to trust "Credit Card Manager"?
- "Credit Card Manager" must first be registered with NetEase, and NetEase issues it an app_id and app_secret. These credentials are sent along when redirecting to NetEase, so NetEase knows that it is the "Credit Card Manager" application requesting authorization.
How is this token stored?
The browser stores the token
It is carried as a hash fragment of the redirect request, for example: www.a.com/callback#token=...
Why is it stored on the client side?
- For security: the token stays only in the browser, only JavaScript can access it, and it is not sent again to any other server in an HTTP request (the browser does not transmit the fragment).
Problem: in step 6 of the figure, the token travels in plain text in the URL, which raises a security problem: it can be obtained from the browser's history or from access logs.
authorization code + token
How can the token be hidden?
Introduce an intermediate layer called the authorization code. When the user logs in with the NetEase account, the NetEase Authentication Center no longer sends a token directly to "Credit Card Manager"; it sends an authorization code instead.
After the Credit Card Manager server receives this code, it contacts the NetEase Authentication Center again in the background, and this time the NetEase Authentication Center issues the real token to "Credit Card Manager".
Why is it designed this way?
- With the returned authorization code, the token request is completed 'secretly' in the server background, so the browser never touches the token at all.
The code is also transmitted in clear text, so doesn't the code have the same security problem?
- The authorization code is bound to the app_id and app_secret that Credit Card Manager registered, so only a token request issued by Credit Card Manager is considered legitimate by the NetEase Authentication Center. The authorization code can also be time-limited, for example invalid after 5 minutes, and it can be exchanged for a token only once; a second exchange will not work.
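The two designs above, the fragment-carried token and the authorization code with its three checks (bound to the registered client, time-limited, single use), as a runnable model. This is an added example written for this page, not NetEase's code or anything from the original article; the client id "cc-manager", the app_secret value, the users and the 300-second lifetime are constructed, and the server class is an assumed design that follows the rules the text states.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed registration record: what the authorization server holds after
# "Credit Card Manager" registers. The app_id/app_secret values are made up.
REGISTERED_CLIENTS = {
    "cc-manager": {
        "app_secret": "constructed-app-secret",
        "redirect_uri": "https://www.a.com/callback",
    }
}
CODE_TTL_SECONDS = 300  # the "invalid after 5 minutes" rule from the text


def request_line_target(url):
    """What the browser actually sends in the HTTP request: path and query only.
    A '#token=...' fragment never leaves the browser, which is why the implicit
    flow keeps the token client-side (it still lands in browser history)."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def code_from_redirect(url):
    """The client's /callback handler reads the authorization code from the query."""
    return parse_qs(urlsplit(url).query)["code"][0]


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    user: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    """Toy model of the NetEase Authentication Center (assumed design, not NetEase's)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so code expiry can be exercised
        self._codes = {}      # code -> IssuedCode
        self._tokens = {}     # access token -> resource owner

    def authorize(self, client_id, redirect_uri, user):
        """Front channel: the user has logged in and clicked 'allow'.
        Returns the redirect URL carrying a random, short-lived code."""
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = IssuedCode(client_id, redirect_uri, user, self._clock())
        return f"{redirect_uri}?code={code}"

    def exchange(self, code, client_id, app_secret, redirect_uri):
        """Back channel: the client's server trades the code for the real token.
        The code must be known, unused, unexpired and bound to this client."""
        record = self._codes.get(code)
        if record is None or record.used:
            raise PermissionError("code unknown or already redeemed")
        if self._clock() - record.issued_at > CODE_TTL_SECONDS:
            raise PermissionError("code expired")
        client = REGISTERED_CLIENTS.get(client_id)
        if (
            client is None
            or record.client_id != client_id
            or record.redirect_uri != redirect_uri
            or not hmac.compare_digest(client["app_secret"], app_secret)
        ):
            raise PermissionError("client authentication failed")
        record.used = True    # single use: a replayed code is rejected above
        token = secrets.token_urlsafe(32)
        self._tokens[token] = record.user
        return token

    def resource_owner(self, token):
        """What the resource server (the mailbox API) asks: whom does this token represent?"""
        return self._tokens.get(token)


def run_flow(server, app_secret="constructed-app-secret"):
    """Drive the whole authorization-code grant once and report each outcome."""
    redirect = server.authorize("cc-manager", "https://www.a.com/callback", "alice")
    code = code_from_redirect(redirect)
    token = server.exchange(code, "cc-manager", app_secret, "https://www.a.com/callback")
    try:  # a second redemption of the same code must fail
        server.exchange(code, "cc-manager", app_secret, "https://www.a.com/callback")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"owner": server.resource_owner(token), "replay_rejected": replay_rejected}


if __name__ == "__main__":
    print(request_line_target("https://www.a.com/callback#token=abc"))  # /callback
    print(run_flow(AuthorizationServer()))
```

The access token itself is created and stored only inside `exchange`, which the client's server calls over the back channel with its app_secret; nothing in the redirect URL the browser sees is worth more than one five-minute, client-bound exchange.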
Summary
What this article has described are three of the authorization grant types in OAuth, in order:
- Resource Owner Password Credentials Grant
- Implicit Grant
- Authorization Code Grant
There is another one, the Client Credentials grant, which is used less often and is not covered in this article.
In OAuth, these are the terms to know:
- Resource Owner: the user above
- Resource Server: the NetEase mailbox
- Client: the Credit Card Manager above
- Authorization Server: the NetEase Authentication Center above
References:
"Code Farmer Turning Over"