OAuth
Oauth 1.0
- Get request token /oauth/1.0/request_token
- Authorize (Normally popup window): /oauth/1.0/authorize
- Get access token: /oauth/1.0/access_token
- if we don’t use request token, we need to call get access_token api. In that case, after the user Authorization and redirect to call back url, the consumer app will never know who’s access token
- 注:整个操作流程中,需要注意涉及两种 Token,分别是 Request Token 和 Access Token,其中 Request Token 又涉及两种状态,分别是未授权和已授权。
- Security issues: 1. 如果 Service Provider 没有限制回调地址(应用设置没有限定根域名一致),那么攻击者可以把 oauth_callback 设置成成自己的 URL,当 User 完成授权后,通过这个 URL 自然就能拿到 User 的 Access Token; 2. 如果 Consumer 不使用回调地址(桌面或手机程序),而是通过 User 手动拷贝粘贴 Request Token 完成授权的话,那么就存在一个竞争关系,只要攻击者在 User 授权后,抢在 User 前面发起请求,就能拿到 User 的 Access Token。
SO WE NEED THE OAUTH 1.0a
Oauth 1.0a
To fix oauth 1.0 security issues: 1. Consumer 申请 Request Token 时,必须传递 oauth_callback,而 Consumer 申请 Access Token 时,不需要传递 oauth_callback。通过前置 oauth_callback 的传递时机,让 oauth_callback 参与签名,从而避免攻击者假冒 oauth_callback; 2. Service Provider 获得 User 授权后重定向 User 到 Consumer 时,返回 oauth_verifier,它会被用在 Consumer 申请 Access Token 的过程中。攻击者无法猜测它的值
- Get request token /oauth/1.0a/request_token
- Authorize (Normally popup window): /oauth/1.0a/authorize
- Get access token: /oauth/1.0a/access_token
Oauth2.0
In Oauth1.0a, we add a oauth_verifier after user authorization
In Oauth2.0, we remove the request token feature, and add state field both in /oauth/2.0/authorize sending and receiveing; In this case, oauth_verifier and state have same purpose
Authorization Code mode
- Authorize /oauth/2.0/authorize
- Get access token: /oauth/2.0/access_token
Implicit Grant Code mode
- Authorize /oauth/2.0/authorize
Resource Owner Password Credentials mode and Client Credentials mode
- Get access token: /oauth/2.0/token (Resource Owner Password Credentials mode)
- Get access token: /oauth/2.0/token (Resource Owner Password Credentials mode)