%22%20d%3D%22M349.8%2C120c-0.4%2C0-0.7%2C0-1.1%2C0c-5.8%2C0.1-7.4%2C7.9-2.2%2C10.3c39.8%2C18.2%2C67.6%2C58.4%2C67.6%2C104.9%0A%09c0%2C24.2-7.4%2C47.3-21.5%2C67c-4.5%2C6.3-9.4%2C12.1-14.2%2C17.7c-14.6%2C17.1-27.2%2C31.9-27.2%2C60v52.4c0%2C16.5-4.4%2C29.1-13.3%2C38.6%0A%09c-0.1%2C0.1-0.3%2C0.3-0.4%2C0.4c-6.6%2C6.7-4.6%2C18%2C4%2C21.7c3.1%2C1.3%2C5.9%2C2.1%2C8.2%2C2.1c11.3%2C0%2C33.5-18.4%2C39-24.2c9-9.5%2C13.3-22.1%2C13.3-38.6%0A%09v-52.4c0-28.1%2C12.6-42.9%2C27.2-60c4.7-5.6%2C9.6-11.3%2C14.2-17.7c14.1-19.8%2C21.6-43.1%2C21.5-67.5C464.8%2C171%2C413.6%2C120%2C349.8%2C120z%22%3E%3C%2Fpath%3E%0A%3Cpath%20d%3D%22M349.8%2C112c-67.9%2C0-123.2%2C55.3-123.2%2C123.2c0%2C25.9%2C7.9%2C50.7%2C23%2C71.6c4.8%2C6.7%2C10%2C12.8%2C14.6%2C18.2%0A%09c14.1%2C16.6%2C25.3%2C29.7%2C25.3%2C54.9v52.4c0%2C18.6%2C5.1%2C33.1%2C15.5%2C44.1c3.9%2C4.2%2C28.9%2C26.7%2C44.9%2C26.7c16%2C0%2C40.9-22.6%2C44.8-26.7%0A%09c10.4-11%2C15.5-25.5%2C15.5-44.1v-52.4c0-0.3%2C0-0.6%2C0-1c0.1-0.5%2C0.2-1.1%2C0.2-1.6c0-0.4%2C0-0.8-0.1-1.1c1.1-22.7%2C11.8-35.4%2C25.2-51.1%0A%09l0.1-0.2c4.8-5.6%2C9.8-11.5%2C14.4-18c15-21%2C23-45.8%2C23-71.6C473.1%2C167.3%2C417.8%2C112%2C349.8%2C112z%20M437.1%2C297.5c-4.3%2C6-9%2C11.6-13.6%2C17%0A%09l-0.1%2C0.2c-13.2%2C15.5-25.7%2C30.2-28.5%2C54.6h-44.5c-4.4%2C0-8%2C3.6-8%2C8s3.6%2C8%2C8%2C8h43.9v47c0%2C0.4%2C0%2C0.8%2C0%2C1.2h-43.9c-4.4%2C0-8%2C3.6-8%2C8%0A%09s3.6%2C8%2C8%2C8H392c-1.8%2C6.3-4.8%2C11.6-8.9%2C15.9c-6.8%2C7.2-26.4%2C21.7-33.2%2C21.7c-6.8%2C0-26.5-14.6-33.2-21.7c-7.5-7.9-11.1-18.8-11.1-33.1%0A%09v-52.4c0-31.1-14.2-47.7-29.1-65.3c-4.6-5.4-9.4-11-13.8-17.1c-13.1-18.3-20-39.8-20-62.3c0-59.1%2C48.1-107.2%2C107.2-107.2%0A%09s107.2%2C48.1%2C107.2%2C107.2C457.1%2C257.7%2C450.2%2C279.3%2C437.1%2C297.5z%20M203.3%2C265.5c0%2C4.4-3.6%2C8-8%2C8h-67.8c-4.4%2C0-8-3.6-8-8s3.6-8%2C8-8h67.8%0A%09C199.7%2C257.5%2C203.3%2C261.1%2C203.3%2C265.5z%20M504.7%2C120.6l-18.9%2C18.9c-1.6%2C1.6-3.6%2C2.3-5.7%2C2.3s-4.1-0.8-5.7-2.3c-3.1-3.1-3.1-8.2%2C0-11.3%0A%09l18.9-18.9c3.1-3.1%2C8.2-3.1%2C11.3%2C0C507.8%2C112.4%2C507.8%2C117.5%2C504.7%2C120.6z%20M225.8%2C135c-1.6%2C1.6-3.6%2C2.3-5.7%2C2.3s-4.1-0.8-5.7-2.3%0A%09l-47.9-47.9c-3.1-3.1-3.1-8.2%2C0-11.3c3.1-3.1%2C8.2-3.1%2C11.3%2C0l47.9%2C47.9C228.9%2C126.8%2C228.9%2C131.9%2C225.8%2C135z%20M500.8%2C407.7%0A%09c3.1%2C3.1%2C3.1%2C8.2%2C0%2C11.3c-1.6%2C1.6-3.6%2C2.3-5.7%2C2.3c-2%2C0-4.1-0.8-5.7-2.3L460%2C389.5c-3.1-3.1-3.1-8.2%2C0-11.3c3.1-3.1%2C8.2-3.1%2C11.3%2C0%0A%09L500.8%2C407.7z%20M341.8%2C82.6V14.8c0-4.4%2C3.6-8%2C8-8s8%2C3.6%2C8%2C8v67.8c0%2C4.4-3.6%2C8-8%2C8S341.8%2C87%2C341.8%2C82.6z%22%3E%3C%2Fpath%3E%0A%3Cpath%20d%3D%22M154.6%2C440.2c-4.9-1.1-9.7%2C2-10.7%2C6.9c-1.1%2C4.9%2C2%2C9.7%2C6.9%2C10.7c0.6%2C0.1%2C1.3%2C0.2%2C1.9%2C0.2c1.7%2C0%2C3.4-0.5%2C4.9-1.4%0A%09c2-1.3%2C3.4-3.3%2C3.9-5.7c0.5-2.4%2C0.1-4.8-1.2-6.8C159%2C442.1%2C157%2C440.7%2C154.6%2C440.2z%20M275.1%2C67c-4.9-1.1-9.7%2C2-10.7%2C6.9%0A%09c-1.1%2C4.9%2C2%2C9.7%2C6.9%2C10.7c0.6%2C0.1%2C1.3%2C0.2%2C1.9%2C0.2c4.2%2C0%2C7.9-2.9%2C8.8-7.1C283.1%2C72.9%2C280%2C68.1%2C275.1%2C67z%20M41.6%2C274.3%0A%09c0.6%2C0.1%2C1.3%2C0.2%2C1.9%2C0.2c1.7%2C0%2C3.4-0.5%2C4.9-1.4c2-1.3%2C3.4-3.3%2C3.9-5.7c0.5-2.4%2C0.1-4.8-1.2-6.8c-1.3-2-3.3-3.4-5.7-3.9%0A%09c-4.9-1.1-9.7%2C2-10.7%2C6.9C33.6%2C268.4%2C36.7%2C273.3%2C41.6%2C274.3z%20M199.7%2C194.9c2-1.3%2C3.4-3.3%2C3.9-5.7c1.1-4.9-2-9.7-6.9-10.7%0A%09c-2.4-0.5-4.8-0.1-6.8%2C1.2c-2%2C1.3-3.4%2C3.3-3.9%2C5.7c-0.5%2C2.4-0.1%2C4.8%2C1.2%2C6.8c1.3%2C2%2C3.3%2C3.4%2C5.7%2C3.9c0.6%2C0.1%2C1.3%2C0.2%2C1.9%2C0.2%0A%09C196.5%2C196.3%2C198.2%2C195.8%2C199.7%2C194.9z%20M130.3%2C394.4c0%2C4.4-3.6%2C8-8%2C8c-11.4%2C0-20.8%2C9.3-20.8%2C20.8c0%2C4.4-3.6%2C8-8%2C8s-8-3.6-8-8%0A%09c0-20.3%2C16.5-36.8%2C36.8-36.8C126.7%2C386.4%2C130.3%2C390%2C130.3%2C394.4z%20M80.3%2C423.2c0%2C4.4-3.6%2C8-8%2C8s-8-3.6-8-8c0-11.4-9.3-20.8-20.8-20.8%0A%09c-4.4%2C0-8-3.6-8-8s3.6-8%2C8-8C63.8%2C386.4%2C80.3%2C402.9%2C80.3%2C423.2z%20M80.3%2C344.4c0%2C20.3-16.5%2C36.8-36.8%2C36.8c-4.4%2C0-8-3.6-8-8s3.6-8%2C8-8%0A%09c11.4%2C0%2C20.8-9.3%2C20.8-20.8c0-4.4%2C3.6-8%2C8-8S80.3%2C340%2C80.3%2C344.4z%20M130.3%2C373.2c0%2C4.4-3.6%2C8-8%2C8c-20.3%2C0-36.8-16.5-36.8-36.8%0A%09c0-4.4%2C3.6-8%2C8-8s8%2C3.6%2C8%2C8c0%2C11.4%2C9.3%2C20.8%2C20.8%2C20.8C126.7%2C365.2%2C130.3%2C368.8%2C130.3%2C373.2z%20M54.4%2C145l11.2-11.2l-11.2-11.2%0A%09c-3.1-3.1-3.1-8.2%2C0-11.3c3.1-3.1%2C8.2-3.1%2C11.3%2C0l11.2%2C11.2L88%2C111.4c3.1-3.1%2C8.2-3.1%2C11.3%2C0c3.1%2C3.1%2C3.1%2C8.2%2C0%2C11.3l-11.2%2C11.2%0A%09L99.3%2C145c3.1%2C3.1%2C3.1%2C8.2%2C0%2C11.3c-1.6%2C1.6-3.6%2C2.3-5.7%2C2.3s-4.1-0.8-5.7-2.3l-11.2-11.2l-11.2%2C11.2c-1.6%2C1.6-3.6%2C2.3-5.7%2C2.3%0A%09c-2%2C0-4.1-0.8-5.7-2.3C51.3%2C153.2%2C51.3%2C148.1%2C54.4%2C145z%20M469.4%2C54.2c0%2C4.4-3.6%2C8-8%2C8h-3.9v3.9c0%2C4.4-3.6%2C8-8%2C8s-8-3.6-8-8v-3.9h-3.9%0A%09c-4.4%2C0-8-3.6-8-8s3.6-8%2C8-8h3.9v-3.9c0-4.4%2C3.6-8%2C8-8s8%2C3.6%2C8%2C8v3.9h3.9C465.8%2C46.2%2C469.4%2C49.7%2C469.4%2C54.2z%20M234%2C358.8%0A%09c0%2C4.4-3.6%2C8-8%2C8h-3.9v3.9c0%2C4.4-3.6%2C8-8%2C8s-8-3.6-8-8v-3.9h-3.9c-4.4%2C0-8-3.6-8-8s3.6-8%2C8-8h3.9v-3.9c0-4.4%2C3.6-8%2C8-8s8%2C3.6%2C8%2C8%0A%09v3.9h3.9C230.5%2C350.8%2C234%2C354.4%2C234%2C358.8z%22%3E%3C%2Fpath%3E%0A%3Cg%3E%0A%09%3Cpath%20fill%3D%22%23F55555%22%20class%3D%22secondary-color%22%20d%3D%22M9.4%2C48.7V26.9h250v21.8H9.4z%20M259.4%2C495.1v-21.8H9.4v21.8H259.4z%22%3E%3C%2Fpath%3E%0A%09%3Cpath%20fill%3D%22%23FCCF31%22%20class%3D%22primary-color%22%20d%3D%22M197.5%2C453.7l60.9-60.9v60.9H197.5z%22%3E%3C%2Fpath%3E%0A%3C%2Fg%3E%0A%3C%2Fsvg%3E)
OAuth 2.0: Concepts
设计理念
根据 wikipedia:
开放授权(OAuth)是一个开放标准,允许用户让第三方应用访问该用户在某一网站上存储的私密的资源(如照片,视频,联系人列表),而无需将用户名和密码提供给第三方应用。
OAuth 2.0 is a protocol that allows distinct parties to share information and resources in a secure and reliable manner.
解决的问题
OAuth 2.0 解决两个问题:
- 联合身份(federated identity):允许用户使用另外一个服务的帐号登录此服务。比如用微信登录京东,用 Google 登录 Medium。这使得用户只需要维护一个帐号
- 授权(delegated authority):授权一个服务以用户的身份去访问它在另外一个服务中的信息。比如你可以授权 LinkedIn 帐户访问你的 Google 联系人这种非公开的信息
假如在有 OAuth 2 之前,应用 GoodApp 想访问你的 Facebook 联系人列表,那它不得不向你询问你的 Facebook 帐户的用户名密码。这样引起的问题是:
- 你给了 GoodApp 对你的 Facebook 帐户做任何事情的能力
- GoodApp 会储存你的密码,并且它可能由于被黑导致你的密码泄露
- 除非你修改你的 Facebook 密码,否则你没有办法收回这份授权
有了 OAuth 2 之后:
- 你不再需要给 GoodApp 你的 Facebook 密码,而是通过 Facebook 授权给一个 token 到 GoodApp
- 你可以限定 GoodApp 能访问你的哪些 Facebook 数据,比如只能读取好友列表
- 你可以随时在 Facebook 这边收回对 GoodApp 的授权
更通俗的理解是:用户的密码是全权限的 token,token 是只有部分权限的密码。
Components
理解 OAuth 的具体流程之前,先理解下它的几个组成部分:
- Resource Owner:资源的所有者,一般指用户;比如某个用户它拥有它的 Facebook 好友列表(资源)
- User Agent:用户的设备;比如浏览器、手机 native app
- Client:想要使用用户的资源的客户端或服务;比如上述例子中的 GoodApp,想获得用户的 Facebook 好友列表
- Authorization Server (AS):向 client 发放 access token,使得 client 可以访问具体资源服务器
- Resource Server (RS):即资源所在的服务。client 通过 AS 发放的 access token,在此处可以使用实际的资源
Authorization server 及 resource server 可能实现在同个域名也可能分开,但是它们背后的服务商一般是一样的,比如同样属于 Facebook。
Flow
OAuth 2 提供了 4 种授权类型(authorization grant type):
- Authorization code grant
- Implicit grant
- Resource owner password credentials grant
- Client credentials grant
第一种 authorization code grant 是最常见的,其次是 implicit grant。剩余的两种不做讨论。对于前两种方式,核心的点是:
- Client 预先在 AS 上注册了它的服务;AS 会给 client 一个 client ID 来标识它
- Client 最终要通过 AS 获得一个 access token,才能 RS;而 AS 需要用户允许才给 access token
Authorization code grant
流程如下:
绝大多数互联网产品都采用这种流程,比如 Google、Twitter、GitHub。看这个 GitHub 的 例子 来深入理解这套流程。
这里演示一个基于 GitHub 的 OAuth 应用,在获取用户授权后显示用户所有仓库信息的例子。GitHub 的 官方文档 对这个过程有详细地说明。我做了一个 YouTube 视频来描述这个过程:
代码及预编译好的多平台可执行文件在 这里。
仅当存在 client 且它可以安全地保存信息时(包含 client secret 及 access token),才应该使用 authorization code grant 方式。假如它无法安全保存信息:
- client secret 被盗会导致黑客可以以此应用身份欺骗用户
- access token 被盗则黑客可以以用户身份做任何操作
怎样界定有无安全存放信息的条件?
- 如果你的 client 是纯 JS 应用,没有后台服务器,那它被认定为不满足。因为 JS 的 Storage API 和 cookie 都是不安全的,可以被外部读取的
- 如果你的 client 包含一个后台服务,一般被认为是满足的。后台可以通过保护数据库和使用各种加密方式来保证数据安全
- 如果你是在使用某个手机客户端(比如 GitHub 第三方客户端来访问 GitHub),这个客户端如果用了系统提供的安全能力(比如 Android),则可以认定为是满足的
如果不满足的话,需要走 implicit grant type 流程。
Implicit grant type
流程如下:
对比于 authorization code grant,这个流程的特点在于少了 client application,因此也没有哪一环可以安全地存放用户的 access token,所以 access token 直接给到了 user agent,并且一般会设置一个比较短的(如 1 小时)的有效时间。User agent 拿到 access token 后直接使用。
这种流程在互联网服务中比较少见,用户体验也会相对较差。