Key points
Overall flow
 +--------+                               +---------------+
 |        |--(A)- Authorization Request ->|   Resource    |
 |        |                               |     Owner     |
 |        |<-(B)-- Authorization Grant ---|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(C)-- Authorization Grant -->| Authorization |
 | Client |                               |     Server    |
 |        |<-(D)----- Access Token -------|               |
 |        |                               +---------------+
 |        |
 |        |                               +---------------+
 |        |--(E)----- Access Token ------>|    Resource   |
 |        |                               |     Server    |
 |        |<-(F)--- Protected Resource ---|               |
 +--------+                               +---------------+
                 Figure 1: Abstract Protocol Flow
OAuth defines four roles:
- resource owner (the user): An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- resource server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- client (typically a third-party website): An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
- authorization server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
Grant types
- Authorization code grant (authorization code)
- Implicit grant (implicit)
- Resource owner password credentials grant (resource owner password credentials)
- Client credentials grant (client credentials)
Classic questions
- Why is a refresh token needed?
- A short-lived access token limits the damage if it leaks; the refresh token lets the client renew it without repeatedly asking the user for a username/password.
- Through the refresh token, the previously issued access token can be invalidated.
- The refresh token is not exposed to the front end; the access token may be exposed to the front end [special scenarios only].
- Refresh token validation is handled by the authorization server, access token validation by the resource server [uncertain].
- Which component validates the access token?
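An added example (not part of these notes) that sketches the flow above in Python: a toy authorization server issues a short-lived, HMAC-signed access token together with an opaque, rotating refresh token, and a resource server validates the access token on its own. The class names, the shared HMAC key and the user "alice" are assumptions of this toy; real deployments typically use JWTs verified with the server's public key, or token introspection at the authorization server.

```python
import hmac, hashlib, secrets

class AuthorizationServer:
    """Issues short-lived signed access tokens and opaque, rotating refresh tokens."""
    def __init__(self, key, access_ttl=300, refresh_ttl=86400):
        self.key, self.access_ttl, self.refresh_ttl = key, access_ttl, refresh_ttl
        self.codes = {}           # authorization code -> user (steps B/C)
        self.refresh_tokens = {}  # refresh token -> (user, expiry); never leaves the AS
    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def _mint(self, user, now):
        payload = f"{user}:{now + self.access_ttl}"
        access = f"{payload}:{self._sign(payload)}"   # self-contained: the RS can verify it alone
        refresh = secrets.token_urlsafe(32)           # opaque: only meaningful to the AS
        self.refresh_tokens[refresh] = (user, now + self.refresh_ttl)
        return access, refresh

    def issue_code(self, user):                       # step B: grant from the resource owner
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return code

    def exchange_code(self, code, now):               # steps C/D: the code is single-use
        return self._mint(self.codes.pop(code), now)

    def refresh(self, refresh_token, now):            # rotation: the presented token is revoked
        user, exp = self.refresh_tokens.pop(refresh_token, (None, 0))
        if user is None or now >= exp:
            raise PermissionError("refresh token unknown, revoked or expired")
        return self._mint(user, now)

class ResourceServer:
    """Validates access tokens locally with the shared key; it never sees refresh tokens."""
    def __init__(self, key): self.key = key
    def validate(self, access, now):                  # steps E/F
        user, exp, sig = access.split(":")
        expected = hmac.new(self.key, f"{user}:{exp}".encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(expected, sig) and now < int(exp) else None

def demo(now=1_000_000):
    key = secrets.token_bytes(32)                     # shared AS/RS key (toy assumption)
    auth, rs = AuthorizationServer(key), ResourceServer(key)
    access, refresh = auth.exchange_code(auth.issue_code("alice"), now)
    fresh, stale = rs.validate(access, now), rs.validate(access, now + 301)
    access2, refresh2 = auth.refresh(refresh, now + 301)   # silent renewal, no password prompt
    try: auth.refresh(refresh, now + 301); reused = False  # replay of the already-rotated token
    except PermissionError: reused = True
    return fresh, stale, rs.validate(access2, now + 301), reused
```

`demo()` returns `("alice", None, "alice", True)`: the expired access token is rejected by the resource server without contacting the authorization server, the refresh token yields a new pair, and replaying the old refresh token fails.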