OAuth 2.0 Notes

Specification: http://tools.ietf.org/html/rfc6749

1. OAuth defines four roles:

Resource owner
Resource server
Client
Authorization server

Protocol flow:
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
2. Client registration
The client registers with the authorization server and is assigned a unique identifier (client_id).

Client password (client secret), usage as an HTTP Basic credential:
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3

3. Protocol endpoints
Two authorization server endpoints:
  • Authorization endpoint - used by the client to obtain authorization through the user; the resource owner's identity must be verified here
  • Token endpoint - used by the client to exchange an authorization grant for an access token
One client endpoint:
  • Redirection endpoint
4. Obtaining authorization
4.1 Authorization Code Grant
Authorization endpoint

HTTP request method

GET/POST

Request parameters

Parameter      Required  Type    Description
client_id      yes       string  Client identifier assigned when the application was registered
redirect_uri   no        string  Authorization callback URI; can be set when registering the application, or passed dynamically
response_type  yes       string  Must be "code"
scope          no        string
state          optional  string  Recommended; keeps state between the request and the callback; echoed back as a query parameter on the callback
Example:
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com

Response data

Field  Type    Description
code   string  Authorization code; used to call the token endpoint to obtain the access token after authorization
state  string  Echoed back if it was passed in the request
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
Token endpoint

HTTP request method

POST

Request parameters

Parameter     Required  Type    Description
client_id     yes       string  Client identifier assigned when the application was registered
redirect_uri  yes       string  Callback URI; must match the callback URI registered for the application
grant_type    yes       string  Request type; set to authorization_code
code          yes       string  The code value returned by the authorize call
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb

An example successful response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
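The three client-side steps of this grant, (A) the authorization request, (B) the callback carrying the code and (C) the token request, as an added Python example that is not from the page or the RFC. The hosts, redirect URI and client credentials are the page's example values; the function names are my own, and the state check is the client's protection against a callback it did not initiate (cross-site request forgery).

```python
import base64
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Endpoints and redirect URI taken from the page's examples.
AUTHZ_ENDPOINT = "https://server.example.com/authorize"
TOKEN_ENDPOINT = "https://server.example.com/token"
REDIRECT_URI = "https://client.example.com/cb"

def basic_auth_header(client_id, client_secret):
    """Client password (RFC 6749 2.3.1): form-urlencode id and secret, join with ':',
    base64 the pair. Reproduces the Authorization header shown in section 2."""
    pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")

def build_authorization_request(client_id, scope=None):
    """Step (A): returns (url, state). state is a fresh unguessable value the client
    keeps in the user's session so the callback can be tied back to this request."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state

def parse_callback(callback_url, expected_state):
    """Step (B): extract the code from the redirect back to REDIRECT_URI. A missing or
    mismatched state means this callback was not started by our session: reject it."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in query or "code" not in query:
        raise ValueError("authorization failed: " + query.get("error", ["no code"])[0])
    return query["code"][0]

def build_token_request(client_id, client_secret, code):
    """Step (C): endpoint, headers and form body for POST /token. The code travels in
    the body; the client secret goes only in the Authorization header, never in a URL."""
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return TOKEN_ENDPOINT, headers, body
```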
4.2 Implicit Grant
response_type is "token"
4.3 User password grant (Resource Owner Password Credentials Grant)
Access token request
Parameters:
grant_type
      REQUIRED.  Value MUST be set to "password".

username
      REQUIRED.  The resource owner username.

password
      REQUIRED.  The resource owner password.

scope
      OPTIONAL.
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3
An example successful response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "example_parameter":"example_value"
}
4.4 Client Credentials Grant
Flow:
     +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+

                     Figure 6: Client Credentials Flow
Access token request:

grant_type
      REQUIRED.  Value MUST be set to "client_credentials".

scope
      OPTIONAL.
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
An example successful response:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",
  "token_type":"example",
  "expires_in":3600,
  "example_parameter":"example_value"
}
4.5 Extensions (omitted)
5. Access Token
Access token example:

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"2YotnFZFEjr1zCsicMWpAA",     // required
  "token_type":"example",                      // required
  "expires_in":3600,                           // recommended
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",    // optional
  "example_parameter":"example_value"          // optional
}
6. Refreshing an Access Token
Request parameters
grant_type     required; value must be "refresh_token"
refresh_token  required
scope          optional
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
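The server side of the token endpoint for the authorization_code grant (4.1) and the refresh_token grant (6), as an added Python example that is not from the page or the RFC: it authenticates the client with the Basic header from section 2, makes each code single-use and bound to its client and redirect_uri, rotates refresh tokens, and returns the no-store headers shown in section 5. The in-memory dictionaries and the client secret are constructed for the example; the returned token_type "Bearer" comes from RFC 6750, which the page references.

```python
import base64, secrets, time
from urllib.parse import parse_qs

CLIENTS = {"s6BhdRkqt3": "7Fjfp0ZBr1KtDRbnfVdmIw"}  # constructed store: client_id -> secret
CODES = {}     # code -> {"client_id", "redirect_uri", "expires"}; each code is single-use
REFRESH = {}   # refresh_token -> client_id it was issued to
HEADERS = {"Content-Type": "application/json;charset=UTF-8", "Cache-Control": "no-store", "Pragma": "no-cache"}

def issue_code(client_id, redirect_uri, lifetime=600):
    """Authorization endpoint side: bind a short-lived code to the client and redirect_uri."""
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "expires": time.time() + lifetime}
    return code

def authenticate_client(authorization_header):
    """HTTP Basic client authentication (section 2); returns client_id or None."""
    scheme, _, blob = authorization_header.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(blob).decode("ascii").partition(":")
    except ValueError:  # covers malformed base64 and non-ASCII credentials
        return None
    expected = CLIENTS.get(client_id)
    if scheme != "Basic" or expected is None:
        return None
    # constant-time comparison so timing does not leak how many secret bytes matched
    return client_id if secrets.compare_digest(secret.encode(), expected.encode()) else None

def token_endpoint(authorization_header, form_body):
    """POST /token for the authorization_code and refresh_token grants -> (status, headers, body)."""
    client_id = authenticate_client(authorization_header)
    if client_id is None:
        return 401, HEADERS, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    grant = form.get("grant_type")
    if grant == "authorization_code":
        rec = CODES.pop(form.get("code"), None)  # pop: a replayed code finds nothing
        if (rec is None or rec["expires"] < time.time()
                or rec["client_id"] != client_id  # code must belong to this client
                or rec["redirect_uri"] != form.get("redirect_uri")):  # exact string match
            return 400, HEADERS, {"error": "invalid_grant"}
    elif grant == "refresh_token":  # pop rotates: the presented refresh token stops working
        if REFRESH.pop(form.get("refresh_token"), None) != client_id:
            return 400, HEADERS, {"error": "invalid_grant"}
    else:
        return 400, HEADERS, {"error": "unsupported_grant_type"}
    refresh = secrets.token_urlsafe(16)
    REFRESH[refresh] = client_id
    return 200, HEADERS, {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                          "expires_in": 3600, "refresh_token": refresh}
```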
Reference: http://tools.ietf.org/html/rfc6750