187 lines
481 KiB
HTML
187 lines
481 KiB
HTML
|
<!DOCTYPE html>
|
|||
|
<html lang="zh"><head><title>OAuth 鉴权</title><meta charset="utf-8"/><link rel="preconnect" href="https://fonts.googleapis.com"/><link rel="preconnect" href="https://fonts.gstatic.com"/><link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=IBM Plex Mono&family=Noto Serif Simplified Chinese:wght@400;700&family=Source Sans Pro:ital,wght@0,400;0,600;1,400;1,600&display=swap"/><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta property="og:title" content="OAuth 鉴权"/><meta property="og:description" content="OAuth 鉴权."/><meta property="og:image" content="https://wiki.7wate.com/static/og-image.png"/><meta property="og:width" content="1200"/><meta property="og:height" content="675"/><link rel="icon" href="../../../../static/icon.png"/><meta name="description" content="OAuth 鉴权."/><meta name="generator" content="Quartz"/><link href="../../../../index.css" rel="stylesheet" type="text/css" spa-preserve/><link href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.16.9/katex.min.css" rel="stylesheet" type="text/css" spa-preserve/><script src="../../../../prescript.js" type="application/javascript" spa-preserve></script><script type="application/javascript" spa-preserve>const fetchData = fetch("../../../../static/contentIndex.json").then(data => data.json())</script></head><body data-slug="Technology/ComputerSecurity/用户安全/用户鉴权/OAuth-鉴权"><div id="quartz-root" class="page"><div id="quartz-body"><div class="left sidebar"><h2 class="page-title"><a href="../../../..">🪴 X·Eden</a></h2><div class="spacer mobile-only"></div><div class="search"><button class="search-button" id="search-button"><p>搜索</p><svg role="img" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 19.9 19.7"><title>Search</title><g class="search-path" fill="none"><path stroke-linecap="square" d="M18.5 18.3l-5.4-5.4"></path><circle cx="8" cy="8" r="7"></circle></g></svg></button><div id="search-container"><div id="search-space"><input autocomplete="off" id="search-bar" name="search" type="text" aria-label="搜索些什么" placeholder="搜索些什么"/><div id="search-layout" data-preview="true"></div></div></div></div><button class="darkmode" id="darkmode"><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="dayIcon" x="0px" y="0px" viewBox="0 0 35 35" style="enable-background:new 0 0 35 35" xml:space="preserve" aria-label="暗色模式"><title>暗色模式</title><path d="M6,17.5C6,16.672,5.328,16,4.5,16h-3C0.672,16,0,16.672,0,17.5 S0.672,19,1.5,19h3C5.328,19,6,18.328,6,17.5z M7.5,26c-0.414,0-0.789,0.168-1.061,0.439l-2,2C4.168,28.711,4,29.086,4,29.5 C4,30.328,4.671,31,5.5,31c0.414,0,0.789-0.168,1.06-0.44l2-2C8.832,28.289,9,27.914,9,27.5C9,26.672,8.329,26,7.5,26z M17.5,6 C18.329,6,19,5.328,19,4.5v-3C19,0.672,18.329,0,17.5,0S16,0.672,16,1.5v3C16,5.328,16.671,6,17.5,6z M27.5,9 c0.414,0,0.789-0.168,1.06-0.439l2-2C30.832,6.289,31,5.914,31,5.5C31,4.672,30.329,4,29.5,4c-0.414,0-0.789,0.168-1.061,0.44 l-2,2C26.168,6.711,26,7.086,26,7.5C26,8.328,26.671,9,27.5,9z M6.439,8.561C6.711,8.832,7.086,9,7.5,9C8.328,9,9,8.328,9,7.5 c0-0.414-0.168-0.789-0.439-1.061l-2-2C6.289,4.168,5.914,4,5.5,4C4.672,4,4,4.672,4,5.5c0,0.414,0.168,0.789,0.439,1.06 L6.439,8.561z M33.5,16h-3c-0.828,0-1.5,0.672-1.5,1.5s0.672,1.5,1.5,1.5h3c0.828,0,1.5-0.672,1.5-1.5S34.328,16,33.5,16z M28.561,26.439C28.289,26.168,27.914,26,27.5,26c-0.828,0-1.5,0.672-1.5,1.5c0,0.414,0.168,0.789,0.439,1.06l2,2 C28.711,30.832,29.086,31,29.5,31c0.828,0,1.5-0.672,1.5-1.5c0-0.414-0.168-0.789-0.439-1.061L28.561,26.439z M17.5,29 c-0.829,0-1.5,0.672-1.5,1.5v3c0,0.828,0.671,1.5,1.5,1.5s1.5-0.672,1.5-1.5v-3C19,29.672,18.329,29,17.5,29z M17.5,7 C11.71,7,7,11.71,7,17.5S11.71,28,17.5,28S28,23.29,28,17.5S23.29,7,17.5,7z M17.5,25c-4.136,0-7.5-3.364-7.5-7.5 c0-4.136,3.364-7.5,7.5-7.5c4.136,0,7.5,3.364,7.5,7.5C25,21.636,21.636,25,17.5,25z"></path></svg><svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" id="nightIcon" x="0px" y
|
|||
|
<p>OAuth 协议又有 1.0 和 2.0 两个版本,2.0 版整个授权验证流程更简单更安全,也是目前最主要的用户身份验证和授权方式。</p>
|
|||
|
<h3 id="oauth-20-定义">OAuth 2.0 定义<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#oauth-20-定义" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h3>
|
|||
|
<p><strong>OAuth</strong> 是一个开放标准,允许用户授权第三方网站(例如 CSDN、思否等)获取用户数据。而不需要将用户名和密码提供给第三方网站;常见的提供 OAuth 认证服务的厂商: <strong>支付宝、QQ、微信、微博。</strong></p>
|
|||
|
<p>简单说,<strong>OAuth 就是一种授权机制。数据的所有者告诉系统,同意授权第三方应用进入系统并获取这些数据。系统从而产生一个短期的进入令牌(Token),用来代替密码,供第三方应用使用。</strong></p>
|
|||
|
<h4 id="令牌与密码的差异">令牌与密码的差异<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#令牌与密码的差异" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>令牌(Token)与密码(Password)的作用是一样的,都可以进入系统,但是有三点差异。</p>
|
|||
|
<ol>
|
|||
|
<li>**令牌是短期的,到期会自动失效,**用户自己无法修改。密码一般长期有效,用户不修改,就不会发生变化。</li>
|
|||
|
<li><strong>令牌可以被数据所有者撤销,会立即失效。</strong></li>
|
|||
|
<li><strong>令牌有权限范围(scope):</strong> 对于网络服务来说,只读令牌就比读写令牌更安全。密码一般是完整权限。</li>
|
|||
|
</ol>
|
|||
|
<p>OAuth 2.0 对于如何颁发令牌的细节,规定得非常详细。具体来说,一共分成<strong>四种授权</strong>模式 <strong>(Authorization Grant)</strong> ,适用于不同的互联网场景。</p>
|
|||
|
<ul>
|
|||
|
<li>授权码(authorization-code)</li>
|
|||
|
<li>隐藏式(implicit)</li>
|
|||
|
<li>密码式(password):</li>
|
|||
|
<li>客户端凭证(client credentials)</li>
|
|||
|
</ul>
|
|||
|
<p>无论哪个模式都拥有三个必要角色:<strong>客户端</strong>、<strong>授权服务器</strong>、<strong>资源服务器</strong>,有的还有<strong>用户(资源拥有者)</strong>。</p>
|
|||
|
<h2 id="授权码模式">授权码模式<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#授权码模式" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h2>
|
|||
|
<p><strong>授权码(Authorization Code Grant) 方式,指的是第三方应用先申请一个授权码,然后再用该码获取令牌。</strong></p>
|
|||
|
<p>这种方式是最常用的流程,安全性也最高,它适用于那些有后端服务的 Web 应用。授权码通过前端传送,令牌则是储存在后端,而且所有与资源服务器的通信都在后端完成。这样的前后端分离,可以避免令牌泄漏。</p>
|
|||
|
<p>一句话概括:<strong>客户端换取授权码,客户端使用授权码换 Token,客户端使用 Token 访问资源</strong>。</p>
|
|||
|
<h3 id="步骤详解">步骤详解<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#步骤详解" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h3>
|
|||
|
<h4 id="1-客户端">1. 客户端<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#1-客户端" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>打开网站 A,点击登录按钮,请求 A 服务,A 服务重定向 (重定向地址如下) 至授权服务器(如 QQ、微信授权服务)。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://qq.com/oauth/authorize?</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> response_type=code&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_id=CLIENT_ID&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> redirect_uri=CALLBACK_URL&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> scope=read</span></span></code></pre></figure>
|
|||
|
<p>上面 URL 中,response_type 参数表示要求返回授权码(code),client_id 参数让 B 知道是谁在请求,redirect_uri 参数是 B 接受或拒绝请求后的跳转网址,scope 参数表示要求的授权范围(这里是只读)</p>
|
|||
|
<p><img src="https://static.7wate.com/img/2022/08/30/cd507ff3bb9b9.png" alt="授权码模式"/></p>
|
|||
|
<h4 id="2-授权服务器">2. 授权服务器<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#2-授权服务器" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>授权服务网站会要求用户登录,然后询问是否同意给予 A 网站授权。用户表示同意,这时授权服务网站就会跳回 redirect_uri 参数指定的网址。跳转时,会传回一个授权码,就像下面这样,code 参数就是授权码。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://a.com/callback?code=AUTHORIZATION_CODE</span></span></code></pre></figure>
|
|||
|
<p><img src="https://static.7wate.com/img/2022/08/30/e8a2a515684a0.png" alt="授权服务器"/></p>
|
|||
|
<h4 id="3-网站-a-服务器">3. 网站 A 服务器<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#3-网站-a-服务器" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>拿到授权码以后,就可以向 授权服务器 (qq.com) 请求令牌。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://qq.com/oauth/token?</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_id=CLIENT_ID&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_secret=CLIENT_SECRET&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> grant_type=authorization_code&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> code=AUTHORIZATION_CODE&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> redirect_uri=CALLBACK_URL</span></span></code></pre></figure>
|
|||
|
<p>上面 URL 中,client_id 参数和 client_secret 参数用来让授权服务器 确认 A 的身份(client_secret 参数是保密的,因此只能在后端发请求),grant_type 参数的值是 AUTHORIZATION_CODE,表示采用的授权方式是授权码,code 参数是上一步拿到的授权码,redirect_uri 参数是令牌颁发后的回调网址。</p>
|
|||
|
<p><img src="https://static.7wate.com/img/2022/08/30/f75bff03879bd.png" alt="网站 A 服务器"/></p>
|
|||
|
<h4 id="4-授权服务器">4. 授权服务器<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#4-授权服务器" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>收到请求以后,验证通过,就会颁发令牌;具体做法是向 redirect_uri 指定的网址,发送一段 JSON 数据。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="json" data-theme="github-light github-dark"><code data-language="json" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">{ </span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "access_token"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">"ACCESS_TOKEN"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "token_type"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">"bearer"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "expires_in"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:</span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">2592000</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "refresh_token"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">"REFRESH_TOKEN"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "scope"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:</span><span style="--shiki-light:#032F62;--shiki-dark:#9ECBFF;">"read"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "uid"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:</span><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;">100101</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">,</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#005CC5;--shiki-dark:#79B8FF;"> "info"</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">:{</span><span style="--shiki-light:#B31D28;--shiki-dark:#FDAEB7;--shiki-light-font-style:italic;--shiki-dark-font-style:italic;">...</span><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">}</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">}</span></span></code></pre></figure>
|
|||
|
<p>上面 JSON 数据中,access_token 字段就是令牌,A 网站在后端拿到了,然后返回给客户端即可。</p>
|
|||
|
<p><img src="https://static.7wate.com/img/2022/08/30/e8a7b64693d3c.png" alt="授权服务器"/></p>
|
|||
|
<h2 id="隐藏式模式implicit-grant">隐藏式模式(Implicit Grant)<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#隐藏式模式implicit-grant" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h2>
|
|||
|
<p>有些 Web 应用是纯前端应用,没有后端;这时就不能用上面的方式了,必须将令牌储存在前端。</p>
|
|||
|
<p>OAuth2.0 就规定了<strong>第二种方式,允许直接向前端颁发令牌。这种方式没有授权码这个中间步骤,所以称为(授权码)” 隐藏式 “(implicit)</strong>。</p>
|
|||
|
<p>一句话概括:<strong>客户端让用户登录授权服务器换 Token,客户端使用 Token 访问资源。</strong></p>
|
|||
|
<h3 id="步骤详解-1">步骤详解<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#步骤详解-1" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h3>
|
|||
|
<h4 id="1-客户端-1">1. 客户端<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#1-客户端-1" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>打开网站 A,然后 A 网站提供一个链接,要求用户跳转到授权服务器,授权用户数据给 A 网站使用。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://qq.com/oauth/authorize?</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> response_type=token&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_id=CLIENT_ID&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> redirect_uri=CALLBACK_URL&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> scope=read</span></span></code></pre></figure>
|
|||
|
<p>上面 URL 中,response_type 参数为 token,表示要求直接返回令牌。</p>
|
|||
|
<h4 id="2-授权服务器-1">2. 授权服务器<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#2-授权服务器-1" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>用户跳转到授权服务器,登录后同意给予 A 网站授权。这时,授权服务器就会跳回 redirect_uri 参数指定的跳转网址,并且把令牌作为 URL 参数,传给 A 网站。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://a.com/callback#token=ACCESS_TOKEN</span></span></code></pre></figure>
|
|||
|
<p>上面 URL 中,token 参数就是令牌,A 网站因此直接在前端拿到令牌。</p>
|
|||
|
<p><img src="https://static.7wate.com/img/2022/08/30/0e02abdb53ae8.png" alt="授权服务器"/></p>
|
|||
|
<p>还有需要<strong>注意</strong>的地方如下:</p>
|
|||
|
<ol>
|
|||
|
<li>令牌的位置是 URL 锚点(fragment),而不是查询字符串(querystring),这是因为 OAuth 2.0 允许跳转网址是 HTTP 协议,因此存在 ” 中间人攻击 ” 的风险,而浏览器跳转时,锚点不会发到服务器,就减少了泄漏令牌的风险。</li>
|
|||
|
<li>这种方式把令牌直接传给前端,是很不安全的。因此,只能用于一些安全要求不高的场景,并且令牌的有效期必须非常短,通常就是会话期间(session)有效,浏览器关掉,令牌就失效了。</li>
|
|||
|
</ol>
|
|||
|
<h2 id="用户名密码式模式password-credentials-grant">用户名密码式模式(Password Credentials Grant)<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#用户名密码式模式password-credentials-grant" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h2>
|
|||
|
<p>如果你高度信任某个应用,OAuth 2.0 也允许用户把用户名和密码,直接告诉该应用。该应用就使用你的密码,申请令牌,这种方式称为 ” 密码式 “(password)。</p>
|
|||
|
<p>一句话概括:<strong>用户在客户端提交账号密码换 Token,客户端使用 Token 访问资源。</strong></p>
|
|||
|
<h3 id="步骤详解-2">步骤详解<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#步骤详解-2" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h3>
|
|||
|
<h4 id="1-客户端-2">1. 客户端<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#1-客户端-2" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>A 网站要求用户提供 授权服务器(qq.com)的用户名和密码。拿到以后,A 就直接向授权服务器请求令牌。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://oauth.b.com/token?</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> grant_type=password&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> username=USERNAME&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> password=PASSWORD&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_id=CLIENT_ID</span></span></code></pre></figure>
|
|||
|
<p>上面 URL 中,grant_type 参数是授权方式,这里的 password 表示 ” 密码式 “,username 和 password 是授权服务器的用户名和密码。</p>
|
|||
|
<h4 id="2-授权服务器-2">2. 授权服务器<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#2-授权服务器-2" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>授权服务器验证身份通过后,直接给出令牌。注意,这时不需要跳转,而是把令牌放在 JSON 数据里面,作为 HTTP 回应,A 网站因此拿到令牌。</p>
|
|||
|
<p>这种方式需要用户给出自己的用户名/密码,显然风险很大,因此只适用于其他授权方式都无法采用的情况,而且必须是用户高度信任的应用。</p>
|
|||
|
<h2 id="客户端模式client-credentials-grant">客户端模式(Client Credentials Grant)<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#客户端模式client-credentials-grant" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h2>
|
|||
|
<p>客户端模式指客户端以自己的名义,而不是以用户的名义,向授权服务器进行认证。主要适用于没有前端的命令行应用。</p>
|
|||
|
<p>一句话概括:<strong>客户端使用自己的标识换 token,客户端使用 token 访问资源</strong>。</p>
|
|||
|
<h3 id="步骤详解-3">步骤详解<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#步骤详解-3" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h3>
|
|||
|
<h4 id="1-客户端-3">1. 客户端<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#1-客户端-3" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>客户端向授权服务器进行身份认证,并要求一个访问令牌。</p>
|
|||
|
<figure data-rehype-pretty-code-figure><pre tabindex="0" data-language="http" data-theme="github-light github-dark"><code data-language="http" data-theme="github-light github-dark" style="display:grid;"><span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;">https://oauth.b.com/token?</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> grant_type=client_credentials&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_id=CLIENT_ID&</span></span>
|
|||
|
<span data-line><span style="--shiki-light:#24292E;--shiki-dark:#E1E4E8;"> client_secret=CLIENT_SECRET</span></span></code></pre></figure>
|
|||
|
<p>上面 URL 中,grant_type 参数等于 client_credentials 表示采用凭证式,client_id 和 client_secret 用来让授权服务器确认 A 的身份。</p>
|
|||
|
<h4 id="2-授权服务器-3">2. 授权服务器<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#2-授权服务器-3" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h4>
|
|||
|
<p>授权服务器验证通过以后,直接返回令牌。这种方式给出的令牌,是针对第三方应用的,而不是针对用户的,即有可能多个用户共享同一个令牌。</p>
|
|||
|
<h2 id="授权模式对比">授权模式对比<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#授权模式对比" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h2>
|
|||
|
<p>按授权需要的多端情况:</p>
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
|
|||
|
<div class="table-container"><table><thead><tr><th>模式</th><th>需要前端</th><th>需要后端</th><th>需要用户响应</th><th>需要客户端密钥</th></tr></thead><tbody><tr><td>授权码模式 Authorization Code</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td>隐式授权模式 Implicit Grant</td><td>✅</td><td>❌</td><td>✅</td><td>❌</td></tr><tr><td>密码授权模式 Password Grant</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td>客户端授权模式 Client Credentials</td><td>❌</td><td>✅</td><td>❌</td><td>✅</td></tr></tbody></table></div>
|
|||
|
<h2 id="授权模式分类">授权模式分类<a role="anchor" aria-hidden="true" tabindex="-1" data-no-popover="true" href="#授权模式分类" class="internal"><svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path></svg></a></h2>
|
|||
|
<p><img src="https://static.7wate.com/img/2022/08/30/aa101efbae0a2.png" alt="按照客户端类型与访问令牌所有者分类"/></p></article><hr/><div class="page-footer"></div></div><div class="right sidebar"><div class="graph"><h3>关系图谱</h3><div class="graph-outer"><div id="graph-container" data-cfg="{"drag":true,"zoom":true,"depth":1,"scale":1.1,"repelForce":0.5,"centerForce":0.3,"linkDistance":30,"fontSize":0.6,"opacityScale":1,"showTags":true,"removeTags":[],"focusOnHover":false}"></div><button id="global-graph-icon" aria-label="Global Graph"><svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 55 55" fill="currentColor" xml:space="preserve"><path d="M49,0c-3.309,0-6,2.691-6,6c0,1.035,0.263,2.009,0.726,2.86l-9.829,9.829C32.542,17.634,30.846,17,29,17
|
|||
|
s-3.542,0.634-4.898,1.688l-7.669-7.669C16.785,10.424,17,9.74,17,9c0-2.206-1.794-4-4-4S9,6.794,9,9s1.794,4,4,4
|
|||
|
c0.74,0,1.424-0.215,2.019-0.567l7.669,7.669C21.634,21.458,21,23.154,21,25s0.634,3.542,1.688,4.897L10.024,42.562
|
|||
|
C8.958,41.595,7.549,41,6,41c-3.309,0-6,2.691-6,6s2.691,6,6,6s6-2.691,6-6c0-1.035-0.263-2.009-0.726-2.86l12.829-12.829
|
|||
|
c1.106,0.86,2.44,1.436,3.898,1.619v10.16c-2.833,0.478-5,2.942-5,5.91c0,3.309,2.691,6,6,6s6-2.691,6-6c0-2.967-2.167-5.431-5-5.91
|
|||
|
v-10.16c1.458-0.183,2.792-0.759,3.898-1.619l7.669,7.669C41.215,39.576,41,40.26,41,41c0,2.206,1.794,4,4,4s4-1.794,4-4
|
|||
|
s-1.794-4-4-4c-0.74,0-1.424,0.215-2.019,0.567l-7.669-7.669C36.366,28.542,37,26.846,37,25s-0.634-3.542-1.688-4.897l9.665-9.665
|
|||
|
C46.042,11.405,47.451,12,49,12c3.309,0,6-2.691,6-6S52.309,0,49,0z M11,9c0-1.103,0.897-2,2-2s2,0.897,2,2s-0.897,2-2,2
|
|||
|
S11,10.103,11,9z M6,51c-2.206,0-4-1.794-4-4s1.794-4,4-4s4,1.794,4,4S8.206,51,6,51z M33,49c0,2.206-1.794,4-4,4s-4-1.794-4-4
|
|||
|
s1.794-4,4-4S33,46.794,33,49z M29,31c-3.309,0-6-2.691-6-6s2.691-6,6-6s6,2.691,6,6S32.309,31,29,31z M47,41c0,1.103-0.897,2-2,2
|
|||
|
s-2-0.897-2-2s0.897-2,2-2S47,39.897,47,41z M49,10c-2.206,0-4-1.794-4-4s1.794-4,4-4s4,1.794,4,4S51.206,10,49,10z"></path></svg></button></div><div id="global-graph-outer"><div id="global-graph-container" data-cfg="{"drag":true,"zoom":true,"depth":-1,"scale":0.9,"repelForce":0.5,"centerForce":0.3,"linkDistance":30,"fontSize":0.6,"opacityScale":1,"showTags":true,"removeTags":[],"focusOnHover":true}"></div></div></div><div class="toc desktop-only"><button type="button" id="toc" class aria-controls="toc-content" aria-expanded="true"><h3>目录</h3><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="fold"><polyline points="6 9 12 15 18 9"></polyline></svg></button><div id="toc-content" class><ul class="overflow"><li class="depth-0"><a href="#oauth-20" data-for="oauth-20">OAuth 2.0</a></li><li class="depth-1"><a href="#oauth-20-定义" data-for="oauth-20-定义">OAuth 2.0 定义</a></li><li class="depth-0"><a href="#授权码模式" data-for="授权码模式">授权码模式</a></li><li class="depth-1"><a href="#步骤详解" data-for="步骤详解">步骤详解</a></li><li class="depth-0"><a href="#隐藏式模式implicit-grant" data-for="隐藏式模式implicit-grant">隐藏式模式(Implicit Grant)</a></li><li class="depth-1"><a href="#步骤详解-1" data-for="步骤详解-1">步骤详解</a></li><li class="depth-0"><a href="#用户名密码式模式password-credentials-grant" data-for="用户名密码式模式password-credentials-grant">用户名密码式模式(Password Credentials Grant)</a></li><li class="depth-1"><a href="#步骤详解-2" data-for="步骤详解-2">步骤详解</a></li><li class="depth-0"><a href="#客户端模式client-credentials-grant" data-for="客户端模式client-credentials-grant">客户端模式(Client Credentials Grant)</a></li><li class="depth-1"><a href="#步骤详解-3" data-for="步骤详解-3">步骤详解</a></li><li class="depth-0"><a href="#授权模式对比" data-for="授权模式对比">授权模式对比</a></li><li class="depth-0"><a href="#授权模式分类" data-for="授权模式分类">授权模式分类</a></li></ul></div></div><div class="explorer mobile-only"><button type="button" id="explorer" data-behavior="collapse" data-collapsed="collapsed" data-savestate="true" data-tree="[{"path":"Personal","collapsed":true},{"path":"Personal/Blog","collapsed":true},{"path":"Personal/Blog/2018","collapsed":true},{"path":"Personal/Blog/2020","collapsed":true},{"path":"Personal/Blog/2021","collapsed":true},{"path":"Personal/Blog/2022","collapsed":true},{"path":"Personal/Blog/2023","collapsed":true},{"path":"Personal/Blog/2024","collapsed":true},{"path":"Personal/Book","collapsed":true},{"path":"Personal/Book/个人成长","collapsed":true},{"path":"Personal/Book/医学健康","collapsed":true},{"path":"Personal/Book/历史","collapsed":true},{"path":"Personal/Book/哲学宗教","collapsed":true},{"path":"Personal/Book/心理","collapsed":true},{"path":"Personal/Book/政治军事","collapsed":true},{"path":"Personal/Book/教育学习","collapsed":true},{"path":"Personal/Book/文学","collapsed":true},{"path":"Personal/Book/生活百科","collapsed":true},{"path":"Personal/Book/社会文化","collapsed":true},{"path":"Personal/Book/科
|
|||
|
</script><script type="module">
|
|||
|
let mermaidImport = undefined
|
|||
|
document.addEventListener('nav', async () => {
|
|||
|
if (document.querySelector("code.mermaid")) {
|
|||
|
mermaidImport ||= await import('https://cdnjs.cloudflare.com/ajax/libs/mermaid/10.7.0/mermaid.esm.min.mjs')
|
|||
|
const mermaid = mermaidImport.default
|
|||
|
const darkMode = document.documentElement.getAttribute('saved-theme') === 'dark'
|
|||
|
mermaid.initialize({
|
|||
|
startOnLoad: false,
|
|||
|
securityLevel: 'loose',
|
|||
|
theme: darkMode ? 'dark' : 'default'
|
|||
|
})
|
|||
|
|
|||
|
await mermaid.run({
|
|||
|
querySelector: '.mermaid'
|
|||
|
})
|
|||
|
}
|
|||
|
});
|
|||
|
</script><script src="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.16.9/contrib/copy-tex.min.js" type="application/javascript"></script><script src="../../../../postscript.js" type="module"></script></html>
|