Principles and Implementation Series of OAuth 2.0 Protocol
- (1) Protocol Principles
- (2) TOKEN Generation Algorithms
- (3) Protocol Implementation
I originally planned to explain in detail in this article how the OAuth 2.0 protocol is implemented in Java. After writing a paragraph, I suddenly felt that for developers the best way to learn is to read the source code, so I gave up on continuing to write. If you are interested in the specific implementation of the protocol, or have corresponding ideas or development needs, you can clone the project and study it.
Project address: https://github.com/interdigital-life/passport-oauth
This project is a standard implementation of the protocol defined in RFC6749. It is mainly intended for studying and understanding the protocol, but it can also serve as the basis for authorization in a production environment once combined with your own business scenarios.
The project is developed in Java on the Spring MVC, Spring and MyBatis frameworks. The development and runtime environment is as follows:
> - Database: MySQL 5.7
> - JDK version: 1.8
This project mainly implements the authorization code grant and the implicit grant defined in RFC6749, and implements a MAC-type token with reference to the document "HTTP Authentication: MAC Authentication". Because token verification and OpenID generation are beyond the scope of the OAuth 2.0 protocol, this project does not implement them. The token is a symmetrically encrypted string, so its internal elements can be defined and verified by yourself: token verification logic can be implemented with AOP or annotations, while an OpenID only needs to be unique in the (user_id, client_id) dimension.
Running and testing
The definitions of the project's tables and the test data are placed in the sqls directory.
Note: in practical applications, please enforce HTTPS!
1. Authorization Code Mode
- Request an authorization code

```
http://localhost:8080/oauth/authorize/code?response_type=code&client_id=2882303761517520186&redirect_uri=http://www.zhenchao.com&scope=1%204&state=emhlbmNoYW8gcGFzc3BvcnQgb2F1dGg=
```

Response example:

```
HTTP/1.1 302 Found
Location: http://www.zhenchao.com/?code=E670AC74F54CACC6222ADFFBEE51CADB&state=emhlbmNoYW8gcGFzc3BvcnQgb2F1dGg%3D
```
- Request an access token

```
http://localhost:8080/oauth/authorize/token?grant_type=authorization_code&client_id=2882303761517520186&redirect_uri=http://www.zhenchao.com&code={your code here}
```

Response example:

```json
{
  "access_token": "AAAAHGU4Y0Mrd1I2T3VhOHlRak9walY2T3hHSjM2VT0xLjAuMAAtAAAAAFlD/+YAAAFa4iNFYQAAAAAAAYagKAAAAAAGJToAAAAHMSAyIDQgNQAAAANtYWM=",
  "expires_in": 1497628646,
  "refresh_token": "refresh token",
  "mac_key": "LJ2H7DxyKBGsJlGBryRsVzNKCzpF57owjeOf7CxMJUFegWO7YlLi24M0sDRfvooq",
  "mac_algorithm": "hmac-sha-1"
}
```
2. Implicit authorization mode
- Request an access token

```
http://localhost:8080/oauth/implicit/token?response_type=token&client_id=2882303761517520186&redirect_uri=http://www.zhenchao.com&scope=1%204&state=emhlbmNoYW8gcGFzc3BvcnQgb2F1dGg=
```

Response example:

```
HTTP/1.1 302 Found
Location: http://www.zhenchao.com#access_token=AAAAHFM5T1ZCZG5hL0RBeTlRekJCSjlWYUduUHpaMD0xLjAuMAAtAAAAAFlEADEAAAFa4iRncwAAAAAAAYagKAAAAAAGJToAAAAHMSAyIDQgNQAAAANtYWM=&token_type=mac&mac_key=fRgEdJsq6rR8TuH84mXkTZzAv0q6KyvQz7BVkkHYyln5FOVccPp4Cz4VuDcz9cfr&mac_algorithm=hmac-sha-1&expires_in=1497628721&scope=1+2+4+5
```
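The two flows above (authorization code grant, then implicit grant) can be traced end to end with a small in-memory authorization server. The following is an added example written for this page in Python; it is not code from the passport-oauth project, whose Java implementation you should read for the real thing. It assumes a hard-coded client registration that mirrors the client_id and redirect_uri in the requests above (the project keeps these in its sqls directory), uses opaque random strings in place of the project's MAC token layout, and omits client authentication on the token endpoint. What it does show are the checks RFC 6749 requires around the code and the redirect: exact-match redirect_uri validation, a short-lived single-use code bound to the client and redirect_uri it was issued for, the state parameter echoed back unchanged, and the token placed in the URL fragment (not the query) for the implicit grant.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed client registration for this example only; the project stores
# clients in its database (see the sqls directory). The client_id and
# redirect_uri mirror the request examples on this page.
CLIENTS = {
    "2882303761517520186": {
        "redirect_uris": {"http://www.zhenchao.com"},  # exact-match whitelist
        "scopes": {"1", "2", "4", "5"},
    },
}
CODE_TTL = 600     # seconds; RFC 6749 4.1.2 recommends at most 10 minutes
TOKEN_TTL = 3600   # seconds; constructed value, not the project's policy


class AuthorizationServer:
    """Minimal in-memory server for response_type=code / token and grant_type=authorization_code."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be exercised deterministically
        self.codes = {}     # code -> binding record; entries are removed on first use
        self.tokens = {}    # access_token -> record

    def _client(self, client_id, redirect_uri):
        client = CLIENTS.get(client_id)
        if client is None:
            raise ValueError("invalid_client")
        # Exact string comparison: no prefix or wildcard matching, so a path or
        # host that merely shares a prefix cannot receive the code or token.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid_redirect_uri")
        return client

    def _scope(self, client, scope):
        requested = set(scope.split()) if scope else set()
        if not requested or not requested <= client["scopes"]:
            raise ValueError("invalid_scope")
        return " ".join(sorted(requested))

    def _issue_token(self, client_id, user_id, scope):
        token = secrets.token_urlsafe(32)  # opaque placeholder, not the project's MAC token format
        self.tokens[token] = {"client_id": client_id, "user_id": user_id,
                              "scope": scope, "expires_at": self.now() + TOKEN_TTL}
        return token

    def authorize(self, response_type, client_id, redirect_uri, scope, state, user_id):
        """Called after the resource owner approved the request; returns the 302 Location value."""
        client = self._client(client_id, redirect_uri)
        granted = self._scope(client, scope)
        if response_type == "code":
            code = secrets.token_hex(16)
            self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                "scope": granted, "user_id": user_id,
                                "expires_at": self.now() + CODE_TTL}
            # Code travels in the query string; state is echoed unchanged for the client's CSRF check.
            sep = "&" if "?" in redirect_uri else "?"
            return redirect_uri + sep + urlencode({"code": code, "state": state})
        if response_type == "token":
            token = self._issue_token(client_id, user_id, granted)
            # Implicit grant: the token goes in the fragment, which the browser never sends to the server.
            return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "mac",
                                                   "expires_in": TOKEN_TTL, "scope": granted,
                                                   "state": state})
        raise ValueError("unsupported_response_type")

    def token(self, grant_type, client_id, redirect_uri, code):
        """Exchange an authorization code for an access token (RFC 6749 4.1.3)."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        # pop() makes the code single use: a replay, or a retry after a failed check, finds nothing.
        record = self.codes.pop(code, None)
        if record is None or record["expires_at"] < self.now():
            raise ValueError("invalid_grant")
        # The code is bound to the client and redirect_uri it was issued for.
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        token = self._issue_token(client_id, record["user_id"], record["scope"])
        return {"access_token": token, "token_type": "mac", "expires_in": TOKEN_TTL,
                "scope": record["scope"],
                "mac_key": secrets.token_urlsafe(48), "mac_algorithm": "hmac-sha-1"}


def redirect_params(location):
    """Parse what the client receives: the query for the code flow, the fragment for the implicit flow."""
    parts = urlsplit(location)
    return dict(parse_qsl(parts.fragment or parts.query))
```

Passing `now` into the constructor is what lets the code-expiry path be tested without sleeping; in a real deployment the same checks belong on the server's clock, and the exact-match whitelist should be the only thing that decides where a code or token is sent.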
Reference
- RFC5849 - The OAuth 1.0 Protocol
- RFC6749 - The OAuth 2.0 Authorization Framework
- RFC6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
- HTTP Authentication: MAC Authentication (draft-hammer-oauth-v2-mac-token-02)
If you have any questions, please email zhenchao.wang@hotmail.com. Finally, a small advertisement:
> The Xiaomi Open Platform is an open service platform launched by Xiaomi for ecosystem-chain enterprises and third-party applications. The account access service is one of the core businesses of the Xiaomi Open Platform. It aims to provide ecosystem-chain enterprises and third-party application developers with a convenient and fast authorized-login service for Xiaomi users, improving the user experience of your application on the MIUI platform (mobile phone, TV, tablet, computer, router, etc.). Xiaomi Account Open Service is based on OAuth 2.0 authorization, carries about 1 billion authorization calls per day and serves global users from multiple IDCs. We are stable and reliable, and we look forward to your access!