In the previous article, "Huawei account service learning notes (1): what is HMS and what is Huawei account service", we sorted out the usage scenarios and advantages of Huawei account service. Next, I will take you further into some of the basic knowledge, access methods and efficiency tools involved in Huawei account service. If you have any questions, feel free to raise them in the comments section.
To understand Huawei account service, we need to be familiar with two protocols, OAuth 2.0 and OpenID Connect, because Huawei account login is built on them; the same is true not only of Huawei accounts but also of WeChat and other vendors' accounts. This article introduces OAuth 2.0 first.
1. An interesting question
Before explaining what OAuth 2.0 is, I'll throw out a question:
We know that a user can log in with account + password and obtain the detailed information of their own Huawei or WeChat account, such as user name, email address and mobile phone number. But a third-party app, such as the one shown below, can obtain the user's Huawei account information after the user logs in with their Huawei account. How does it get that information?
To answer this question, we need to introduce a concept: delegated authorization, a way of letting third-party applications access user data. There are two approaches:
1. The user gives their account password to the third-party application, which then logs in to the account and accesses the data on the user's behalf;
2. The third-party application is authorized to access the user's data through OAuth, without being given the password.
No user will accept the first approach; nobody is willing to expose their user name and password to others. The second approach uses the OAuth protocol: the user's password never has to be handed to the third party, and yet the third party can still obtain the data it needs. This is why we need OAuth.
2. What is OAuth 2.0?
OAuth 2.0 is the most popular authorization mechanism; it is used to authorize third-party applications to obtain user data. With OAuth 2.0, the problem above is solved like this: the user grants the third-party application a limited authorization, and with that limited authorization the third-party application obtains the authorized information from the corresponding account server.
The design idea of OAuth 2.0
I once saw a metaphor that I think explains the design idea of OAuth 2.0 very vividly. I borrow it here to help you understand it quickly.
The courier and the residential community's access control system:
1. Each community has an access control system. Entering the password opens the gate, and only the owners know the password.
2. Couriers often need to enter the community to deliver parcels. There are several ways for a courier to get in:
A. The owner tells the courier the access control password, and the courier enters by typing it in.
B. The owner opens the door for the courier remotely.
C. A new channel is opened for couriers, used only to deliver parcels to a designated place:
——》 a "request authorization" button is added to the access control system;
——》 the courier presses the button to ask the owner for permission to enter;
——》 the owner agrees, and after authorization a "limited password" is returned to the courier;
——》 by entering this password, the courier can reach the delivery place inside the community but cannot go anywhere else.
The first two methods are not optimal. First, the community password carries a lot of permissions, so giving it to the courier is very unsafe; second, there may be many doors in the community, and the owner would have to open each one remotely every time the courier passes, which is very annoying. Method C is the best, and its design idea, applied to the Internet, is OAuth 2.0.
Terms in the OAuth 2.0 protocol
Resource owner: the user who owns the data that the client application wants to access.
Client: the application that wants to access the user's data.
Authorization server: the server that, with the user's permission, authorizes the client to access the user's data.
Resource server: the system that stores the data the client wants to access. In some cases the resource server and the authorization server are the same server.
Access token: the unique key with which the client can access, on the resource server, the data the user has authorized.
Scope: the range of the authorization; it restricts which of the user's data the application may access.
The basic flow of the OAuth 2.0 protocol
Similarities and differences between an access token and a password:
1. Like a password, an access token is a credential for obtaining user data; leaking an AT (access token) has the same consequences as leaking a password.
2. An access token is short-lived and automatically becomes invalid when it expires, and it is not something the user changes; a password is generally long-lived and stays the same unless the user changes it.
3. An access token can be revoked by the data owner, and the revocation takes effect immediately; a password cannot be revoked.
4. An access token has a scope of authority that specifies what its holder may do and nothing more; the holder of a password has full authority and can do anything.
The access token design lets a third-party application obtain exactly the permissions it needs, which can be controlled at any time and will not endanger the security of the system.
The four authorization grant types of OAuth 2.0
1. Authorization code
The client first obtains an authorization code and then exchanges the authorization code for the access token.
Usage scenario: the client has its own backend server.
Features: the authorization code passes through the front end, and the AT is stored on the backend server. The backend server completes the interaction with the resource server and the authorization server, and the front end and back end are separated, which is very safe.
2. Implicit
Usage scenario: pure front-end application, no backend server.
Features: no authorization code; the AT is issued directly to the front end and stored in the front end. Not very secure, suitable for low-security scenarios.
3. Password
Usage scenario: the application is highly trusted and the other authorization methods cannot be used.
Features: the user gives their user name and password directly to the third-party application, which uses the password to apply for the token.
4. Client credentials
Usage scenario: command-line application without a front end.
Features: the token is requested from the command line; the third party is trusted directly.
Access token expiry
An AT has a time limit and must be obtained again after it expires. There are two ways:
1. Go through the previous flow again to get a new AT; this is a poor user experience.
2. The method OAuth 2.0 provides: return a refresh token together with the access token. When the AT (access token) expires, the RT (refresh token) can be used to obtain a new AT.
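To tie the authorization code flow, the access token properties (scope, expiry, revocation) and the refresh token together, here is a toy OAuth 2.0 server I added for this article; it is not code from Huawei or from any real authorization server, and the client id, user names and scope names in it are made-up values.

```python
"""Toy OAuth 2.0 server (added example, not Huawei's real service): authorization code
grant, scoped short-lived access tokens, refresh tokens and revocation."""
import secrets
import time

class OAuthServer:
    # Authorization server and resource server in one, which the protocol allows.
    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self._codes = {}     # auth code -> (client_id, user, scope); single use
        self._access = {}    # access token -> (user, scope, expiry time)
        self._refresh = {}   # refresh token -> (client_id, user, scope)

    def authorize(self, client_id, user, scope):
        """User presses 'agree' in the browser: issue a one-time authorization code."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, user, frozenset(scope))
        return code

    def exchange_code(self, client_id, code, now=None):
        """Client backend swaps the code for tokens; the code is bound to the client and consumed."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return None
        return self._issue(*entry, time.time() if now is None else now)

    def refresh(self, client_id, refresh_token, now=None):
        """Expired AT: trade the RT for a new pair without asking the user again (RT rotated)."""
        entry = self._refresh.pop(refresh_token, None)
        if entry is None or entry[0] != client_id:
            return None
        return self._issue(*entry, time.time() if now is None else now)

    def revoke(self, access_token):
        """Data owner withdraws consent: the token stops working at once."""
        self._access.pop(access_token, None)

    def read_profile(self, access_token, fields, now=None):
        """Resource server: a live token gets only the fields its scope covers, else None."""
        entry = self._access.get(access_token)
        if entry is None or entry[2] <= (time.time() if now is None else now):
            return None
        user, scope, _ = entry
        return {f: f"{user}:{f}" for f in fields if f in scope}

    def _issue(self, client_id, user, scope, now):
        at, rt = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self._access[at] = (user, scope, now + self.access_ttl)
        self._refresh[rt] = (client_id, user, scope)
        return {"access_token": at, "refresh_token": rt, "expires_in": self.access_ttl}
```

The `now` parameters exist only so the expiry behaviour can be exercised without waiting; a real server would use the clock.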
That is the OAuth 2.0 content I wanted to share; I hope it helps your understanding. Next I will share the OpenID Connect protocol.
I will keep producing quality content in related fields, and I hope you will continue to follow this account!