OAuth

Oauth 1.0

  • Get request token /oauth/1.0/request_token
    • Authorize (Normally popup window): /oauth/1.0/authorize
      • Get access token: /oauth/1.0/access_token
        • if we don’t use request token, we need to call get access_token api. In that case, after the user Authorization and redirect to call back url, the consumer app will never know who’s access token
          • 注:整个操作流程中,需要注意涉及两种 Token,分别是 Request Token 和 Access Token,其中 Request Token 又涉及两种状态,分别是未授权和已授权。
            • Security issues: 1. 如果 Service Provider 没有限制回调地址(应用设置没有限定根域名一致),那么攻击者可以把 oauth_callback 设置成成自己的 URL,当 User 完成授权后,通过这个 URL 自然就能拿到 User 的 Access Token; 2. 如果 Consumer 不使用回调地址(桌面或手机程序),而是通过 User 手动拷贝粘贴 Request Token 完成授权的话,那么就存在一个竞争关系,只要攻击者在 User 授权后,抢在 User 前面发起请求,就能拿到 User 的 Access Token。
              SO WE NEED THE OAUTH 1.0a

              Oauth 1.0a

              To fix oauth 1.0 security issues: 1. Consumer 申请 Request Token 时,必须传递 oauth_callback,而 Consumer 申请 Access Token 时,不需要传递 oauth_callback。通过前置 oauth_callback 的传递时机,让 oauth_callback 参与签名,从而避免攻击者假冒 oauth_callback; 2. Service Provider 获得 User 授权后重定向 User 到 Consumer 时,返回 oauth_verifier,它会被用在 Consumer 申请 Access Token 的过程中。攻击者无法猜测它的值
              • Get request token /oauth/1.0a/request_token
                • Authorize (Normally popup window): /oauth/1.0a/authorize
                  • Get access token: /oauth/1.0a/access_token

                    Oauth2.0

                    In Oauth1.0a, we add a oauth_verifier after user authorization
                    In Oauth2.0, we remove the request token feature, and add state field both in /oauth/2.0/authorize sending and receiveing; In this case, oauth_verifier and state have same purpose

                    Authorization Code mode

                    • Authorize /oauth/2.0/authorize
                      • Get access token: /oauth/2.0/access_token

                        Implicit Grant Code mode

                        • Authorize /oauth/2.0/authorize

                          Resource Owner Password Credentials mode and Client Credentials mode

                          • Get access token: /oauth/2.0/token (Resource Owner Password Credentials mode)
                            • Get access token: /oauth/2.0/token (Resource Owner Password Credentials mode)

                              Reference


                              © Jiyu Shao 2018 - 2025