OAuth2.0 - How to issue access tokens
In the previous article, we introduced OAuth 2.0 as an authorization mechanism whose main purpose is to issue tokens so that websites or applications can share resources with one another. Before reading on, we assume you already understand what OAuth 2.0 is and the principles behind its design. If not, please go back and read the article "A Comprehensive Understanding of OAuth2.0" first.
This article mainly explains how a client uses its credentials to obtain an access token. Let's first look at what the client's credentials are.
Client credentials
Client credentials can be used as an authorization grant when the client is itself the resource owner, or when the authorization scope is limited to protected resources under the client's control. The client credentials grant is used to obtain an access token that authorizes API requests made by the client on its own behalf, with no end user involved.
With the client credentials grant, the access token only carries permissions that were assigned to the client application itself, such as permission to search and fetch documents from a directory; it never represents an end user.
Below we briefly describe the client credentials authorization process
First, the client authenticates with the authorization server and requests an access token from the token endpoint.
Second, the authorization server authenticates the client and, if the credentials it presented are valid and the client is authorized, issues an access token.
Client credentials involve several related concepts. To keep this article short, they are covered in a separate article; before continuing, it is recommended to read the article OAuth2.0 Client Credentials Extension Knowledge Points.
Here we will talk about how to obtain the client's credentials. In general, the client's credentials consist of a client ID and a client secret issued to the client by the authentication service. Developers apply for them in the authentication service's backend and register a callback address. The callback address is the address the user is redirected to after logging in successfully; at the same time a parameter, the authorization code, is appended to that address. The client can then send the authorization code together with its client ID and client secret to the authentication service in exchange for an access token. We will cover the detailed method of obtaining the access token next; what you need to know here is how to obtain the client's credentials.
For example, to access the Weibo platform we need to apply in Weibo's developer backend, which then issues credentials to our client.
The App Key and App Secret it issues correspond to the client ID and client secret. In the rest of this article we will not go over how to obtain client credentials again; we assume the client credentials have already been obtained, and every process described below starts from that point.
Get an access token
An access token is a string that represents an authorization granted to a client: it identifies which user (if any) and which application the authorization belongs to, which scopes it covers, and when it expires. Depending on the authorization server, this information may be encoded in the token itself (for example as a JWT) or the token may be an opaque reference that only the server can resolve; the client should treat it as opaque either way.
The overall process of obtaining an access token is as follows:
- First, apply for OAuth 2.0 client credentials in the API console / authentication service backend.
- The client then requests an access token from the authorization server.
- The client extracts the access token from the response and presents it to the API it wishes to access.
Here is a fake request example (the first, authorization step of the authorization code flow):
https://api.example.com/oauth2/authorize?client_id=your_client_id&redirect_uri=your_url&response_type=code
OAuth 2.0 (RFC 6749) specifies four ways of obtaining tokens. They are:
- Authorization code
- Implicit
- Password
- Client credentials
Among them, the authorization code method is the most widely used and relatively the safest. Note that the implicit and password grants are no longer recommended by the OAuth 2.0 Security Best Current Practice and are dropped from the OAuth 2.1 draft; new deployments should prefer the authorization code grant (with PKCE) or, for machine-to-machine access, the client credentials grant. Below we introduce these methods separately.
Authorization Code
The authorization code method is the most widely used and relatively secure. However, its process is more complicated than the other methods. Let's take a look at the entire process of obtaining an access token.
Let’s break down this diagram.
1. The user accesses the resource owner's resources through the client application. The client application redirects the user to the authorization login page of the authentication service.
2. The user logs in at the authentication service with his or her account and password and agrees to the authorization; the authentication service then issues an authorization code.
3. The authentication service redirects the user back to the callback URI registered by the client application, with the authorization code as a parameter.
4. The client application extracts the authorization code and sends its client ID, client secret and the newly obtained authorization code to the authentication service's token endpoint to obtain an access token:
POST https://api.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID&
client_secret=CLIENT_SECRET&
grant_type=authorization_code&
code=AUTHORIZATION_CODE&
redirect_uri=CALLBACK_URL
The token request is an HTTP POST with the parameters in a form-encoded body. They must not be put in the URL query string, where the client secret and the authorization code would end up in browser history, proxy and server logs. client_id and client_secret authenticate the client application as a legitimately registered application (sending them in the body is the client_secret_post method; RFC 6749 prefers HTTP Basic authentication with the same two values, and a secret must never be shipped inside a browser or mobile app). The grant_type parameter has the value authorization_code, which means the authorization code grant is being used. The code parameter is the authorization code obtained in the previous step; it is single-use, and the server must reject a code presented twice. The redirect_uri parameter must be the same callback URL that was used in the authorization request, and the server checks that it matches before issuing the token.
5. After receiving the request, the authentication service validates the code, the client credentials and the redirect_uri, then issues a token and returns JSON data like this:
{
"access_token":"ACCESS_TOKEN",
"token_type":"bearer",
"expires_in":2592000,
"refresh_token":"REFRESH_TOKEN"
}
In the above JSON data, the access_token field is the access token we need. It also includes expires_in (the lifetime of the access token, in seconds) and refresh_token (the refresh token, used to obtain a new access token once this one expires). token_type is bearer, meaning the client presents the token to the resource service as Authorization: Bearer ACCESS_TOKEN, so whoever holds the string can use it and it must be stored and transmitted with care.
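As an added example (not code from the original article), here is the client side of the authorization code flow above in Python: building the authorization URL, validating the callback, forming the token request, and checking the token response. The endpoint URLs, client credentials and callback URL are placeholders assumed for illustration. It goes slightly beyond the article by adding two protections the authorization code flow should always carry today: a random state value that is checked on the callback (against CSRF and injected codes) and a PKCE code_verifier/code_challenge pair (RFC 7636), which binds the code to the client that requested it. No network request is made; the functions return the request an HTTP client would send.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints and credentials, assumed for this example.
AUTHORIZE_URL = "https://api.example.com/oauth/authorize"
TOKEN_URL = "https://api.example.com/oauth/token"
CLIENT_ID = "CLIENT_ID"
CLIENT_SECRET = "CLIENT_SECRET"
REDIRECT_URI = "https://client.example.net/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def new_pkce_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 range.
    return b64url(secrets.token_bytes(32))


def build_authorization_url(state: str, code_challenge: str, scope: str = "read") -> str:
    """Step 1: the URL the client redirects the user to (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                     # echoed back, checked in parse_callback
        "code_challenge": code_challenge,   # PKCE, verified at the token endpoint
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3: extract the authorization code from the redirect, after checking state."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    # A missing or different state means this callback was not started by this
    # session (CSRF, or an attacker's code injected into it) and must be rejected.
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_code_exchange_request(code: str, code_verifier: str) -> dict:
    """Step 4: POST to the token endpoint, form body, HTTP Basic client authentication."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,     # must match the authorization request
        "code_verifier": code_verifier,   # server recomputes S256 and compares
    })
    return {
        "method": "POST",
        "url": TOKEN_URL,                 # nothing secret in the query string
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def parse_token_response(raw_json: str) -> dict:
    """Step 5: validate the JSON token response before trusting it."""
    data = json.loads(raw_json)
    if "error" in data:
        raise ValueError("token request failed: " + data["error"])
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {
        "access_token": data["access_token"],
        "expires_in": int(data["expires_in"]),
        "refresh_token": data.get("refresh_token"),
    }


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    verifier = new_pkce_verifier()
    print(build_authorization_url(state, pkce_challenge(verifier)))
    # Constructed callback, as the authorization server would redirect to it.
    code = parse_callback(REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state, state)
    print(build_code_exchange_request(code, verifier))
```

The state and the code_verifier are kept in the user's server-side session between step 1 and step 4; the authorization server only ever sees the challenge until the exchange, so a code stolen from the redirect is useless without the verifier.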
Implicit
This method is intended for web applications that are purely front-end, with no back-end in which to keep a client secret or store the access token. Such applications cannot use the authorization code method described above, since the access token has to live in the front end anyway. Because the intermediate authorization code step is skipped and the token is returned directly, this method is called implicit (sometimes translated as "hidden").
1. The user accesses the resource owner's resources through the client application, which redirects the user to the authorization login page of the authentication service. The address at this time is as follows:
https://api.example.com/oauth/authorize?
response_type=token&
client_id=CLIENT_ID&
redirect_uri=CALLBACK_URL&
scope=read
The response_type parameter is token, which asks the authentication service to return an access token directly.
2. After the user logs in on the authentication service login page and agrees to authorize the client application, the authentication service redirects back to the URL given by the redirect_uri parameter and passes the token to the client application in the URL fragment:
https://jiyik.com/callback#access_token=ACCESS_TOKEN&token_type=bearer
The access_token parameter in the fragment is the token. Because it is placed after # rather than in the query string, the browser does not send it to the server that hosts the callback page; the client application's JavaScript reads it from the fragment on the front end.
Passing the token directly to the front end is very unsafe: the token is exposed in the browser, it is not bound to the client (there is no client secret), and it can leak through the Referer header or browser history. This method should only be used in scenarios with low security requirements, the token's validity period must be very short, and it is deprecated by the OAuth 2.0 Security Best Current Practice in favor of the authorization code grant with PKCE.
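The front-end side of the redirect above, as an added example that is not part of the original article: it reads the token from the URL fragment, checks the state value, and refuses to use a token that arrived in the query string, since that one already reached the callback server's logs. The callback URL is the article's placeholder; in a browser the same logic would run over window.location.hash.

```python
from urllib.parse import parse_qs, urlparse

# Placeholder callback URL, assumed for this example.
REDIRECT_URI = "https://jiyik.com/callback"


def extract_implicit_token(callback_url: str, expected_state: str) -> dict:
    """Read the access token an implicit-grant redirect placed in the URL fragment.

    Returns a dict with access_token, token_type and expires_in (seconds or None).
    Raises ValueError on any condition under which the token must not be used.
    """
    parsed = urlparse(callback_url)
    query = parse_qs(parsed.query)
    fragment = parse_qs(parsed.fragment)

    # The server never sees the part after '#', which is the whole point of the
    # fragment. A token in the query string was transmitted to the server and
    # written to its logs, so it is already compromised.
    if "access_token" in query:
        raise ValueError("access token in query string: leaked, do not use")
    if "error" in fragment:
        raise ValueError("authorization server returned error: " + fragment["error"][0])
    if fragment.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    token = fragment.get("access_token", [None])[0]
    if not token:
        raise ValueError("no access token in fragment")
    if fragment.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    expires = fragment.get("expires_in", [None])[0]
    return {
        "access_token": token,
        "token_type": "bearer",
        "expires_in": int(expires) if expires is not None else None,
    }


if __name__ == "__main__":
    # Constructed redirect, as the authorization server would issue it.
    url = REDIRECT_URI + "#access_token=ACCESS_TOKEN&token_type=bearer&expires_in=600&state=xyz"
    print(extract_implicit_token(url, "xyz"))
```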
Password
In this method, the user gives his or her username and password for the resource service directly to the client application. Naturally this requires the user's absolute trust in the client application, so it is only appropriate for first-party clients.
The client application then takes the user's username and password to the authentication service in exchange for an access token:
POST https://api.example.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=password&
username=USERNAME&
password=PASSWORD&
client_id=CLIENT_ID
In the above request, the grant_type parameter names the authorization method; password means "password type". username and password are the user's username and password, which is why this request must be a POST over TLS and never a GET with the credentials in the URL. A confidential client also authenticates itself (with its client secret) on this request.
After the authentication service verifies the user's identity it returns the token directly. Note that no redirect is involved: the token is returned as JSON in the HTTP response, in the same format as for the authorization code method.
Client credentials
This method is suitable for scenarios without a front end or an end user, such as command line applications and server-to-server integrations.
First, the command line application sends the following request to the authentication service, for example via curl:
POST https://api.example.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET
grant_type=client_credentials indicates that the client credentials method is used. client_id and client_secret are the client credentials issued by the authentication service to the client application, and the authentication service uses them to verify that the client application is legitimate. They may equally be sent as an HTTP Basic Authorization header instead of body parameters.
After the verification passes, the authentication service returns the access token directly. A refresh token is normally not issued for this grant, since the client can simply authenticate again with its credentials.
The methods above all yield an access token. Once it has the access token, the client application presents it to the resource service on each request.
For security reasons, every access token has a limited lifetime, given by the expires_in field mentioned above (in seconds). If the user had to go through the whole authorization process again every time the token expired, that would be very painful.
For example, when we integrate various e-commerce platforms in a project, each access token has an expiration time. Before it expires, we automatically obtain a new access token using the refresh_token the platform provided. This is transparent to the user, who never has to worry about the access token expiring. The refresh request also goes to the token endpoint:
POST https://api.example.com/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&
client_id=CLIENT_ID&
client_secret=CLIENT_SECRET&
refresh_token=REFRESH_TOKEN
The response has the same JSON format as before and may contain a new refresh token. When it does, the client must replace the stored one, because a server that rotates refresh tokens invalidates the old one; a refresh token is a long-lived credential and must be stored as carefully as the client secret.
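As an added example, not code from the original article, the following Python builds the token requests for the password, client credentials and refresh token grants described above with one function, and shows how a client keeps an access token and refreshes it with the refresh_token shortly before expires_in runs out. The token endpoint and client credentials are placeholders assumed for illustration; the client authenticates with HTTP Basic rather than putting the secret in the body, and nothing is sent over the network, so the request is returned as a dict.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Placeholder endpoint and credentials, assumed for this example.
TOKEN_URL = "https://api.example.com/token"
CLIENT_ID = "CLIENT_ID"
CLIENT_SECRET = "CLIENT_SECRET"

# Body parameters each grant type requires, in addition to grant_type.
REQUIRED_PARAMS = {
    "password": ("username", "password"),
    "client_credentials": (),
    "refresh_token": ("refresh_token",),
}


def build_token_request(grant_type, scope=None, **params):
    """Form the POST for the password, client_credentials and refresh_token grants.

    Only the parameters the grant defines are accepted, so a stray credential
    cannot be sent by mistake; the client secret goes in the Basic header only.
    """
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError("unsupported grant_type: " + grant_type)
    missing = [p for p in REQUIRED_PARAMS[grant_type] if p not in params]
    unexpected = [p for p in params if p not in REQUIRED_PARAMS[grant_type]]
    if missing or unexpected:
        raise ValueError(f"missing={missing} unexpected={unexpected}")
    body = {"grant_type": grant_type, **params}
    if scope:
        body["scope"] = scope
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode("ascii")
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


class TokenCache:
    """Holds an access token and asks for a refresh shortly before it expires."""

    def __init__(self, skew_seconds=60):
        self.skew = skew_seconds          # refresh this many seconds early
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    def store(self, raw_json, now=None):
        """Record a token response (initial or refreshed); returns its expires_in."""
        now = time.time() if now is None else now
        data = json.loads(raw_json)
        if "error" in data:
            raise ValueError("token request failed: " + data["error"])
        self.access_token = data["access_token"]
        # A refresh response may rotate the refresh token: keep the newest one,
        # and keep the one already held if the response carries none.
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(data["expires_in"])
        return int(data["expires_in"])

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return self.access_token is None or now >= self.expires_at - self.skew

    def refresh_request(self):
        """The request to send when needs_refresh() is true."""
        if not self.refresh_token:
            raise ValueError("no refresh token: the user must authorize again")
        return build_token_request("refresh_token", refresh_token=self.refresh_token)

    def bearer_header(self, now=None):
        """Authorization header for the resource service; refuses a stale token."""
        if self.needs_refresh(now):
            raise ValueError("token expired or about to expire: refresh first")
        return {"Authorization": "Bearer " + self.access_token}


if __name__ == "__main__":
    print(build_token_request("client_credentials", scope="read"))
    cache = TokenCache()
    # Constructed token response, in the JSON format shown earlier in the article.
    cache.store('{"access_token":"ACCESS_TOKEN","token_type":"bearer",'
                '"expires_in":2592000,"refresh_token":"REFRESH_TOKEN"}', now=1000.0)
    print(cache.needs_refresh(now=1000.0), cache.needs_refresh(now=2592950.0))
    print(cache.refresh_request()["body"])
```

The skew matters in practice: a token that is valid for one more second at the client is routinely expired by the time the resource server checks it, so refreshing early avoids a burst of 401 responses at the boundary.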