01 What Issues Does OAuth 2.0 Resolve, and Through What Means

Hello, I’m Wang Xindong.

Before the course officially begins, I would like to ask you a question. When you first used the Geek Time app, did you directly log in using a third-party account (such as WeChat or Weibo), or did you choose to register as a new user? If you chose to register as a new user, you had to upload an avatar, enter a username, and other information. But if you chose to log in using a third-party WeChat account, Geek Time would directly use your WeChat information as the basic information, which would save you a lot of trouble.

At this point, you might ask, how is this implemented? How does WeChat give my personal information to Geek Time, and how does it ensure the security of my data?

In fact, the underlying principle behind this series of authorizations by WeChat can be summed up in one term: OAuth 2.0. In today’s lesson, let’s take a look at what OAuth 2.0 is, what it can do, and how it works.

What is OAuth 2.0?

In summary, OAuth 2.0 is an authorization protocol. How do we understand “authorization”?

Let me give you an example from our daily life. Suppose you are a salesperson and you want to visit Mr. Wang, your key client, at Baidu. When you arrive at the Baidu headquarters, the security guard stops you and asks for your staff ID. You say, “Mr. Security Guard, I am here to visit Mr. Wang. I don’t have a staff ID.” The security guard says, “Then you need to register at the front desk.”

So you quickly go to the front desk, where a receptionist asks whether you have registered. You tell her that Mr. Wang’s secretary asked for your phone number yesterday and said an appointment had already been made for you. The receptionist verifies this and sends a verification code to your phone; you read the code back to her, and she gives you a temporary access card. Now you can happily go and meet Mr. Wang.

You see, this example involves an authorization process. Initially, you did not have permission to enter the Baidu headquarters, but after the receptionist verifies that you are indeed there to visit a client, she issues you a temporary access card (in effect, a temporary staff ID). This whole process is authorization.

Let me give you another example from the e-commerce context, which you may relate to more. Suppose you are a seller and you have a store on JD.com. In your daily operations, you need to print out orders to fulfill customer shipments. However, printing orders is quite tedious. Initially you handled it manually, but then you discovered a piece of third-party software called “Xiaotu” (“Little Rabbit”) that can handle this task efficiently.

But have you ever wondered how Xiaotu accesses your order data? It goes like this: JD.com provides an open platform, and Xiaotu uses the APIs of JD.com’s merchant open platform to access your order data.

As long as you click “Agree” in the software, Xiaotu can obtain an access token and use it to access your order data and perform the printing tasks for you. Again, this involves authorization. If you don’t agree, the platform won’t dare to provide your data to the third-party software.

Why use OAuth 2.0?

For the two scenarios above, the first solution that comes to mind is simply to hand over a key. For example, if you want to visit Mr. Wang at Baidu, the receptionist could give you a regular Baidu employee badge. If Xiaotu Software wants to access your order information, you could give it your username and password. However, with even a little security awareness, we wouldn’t do it this way.

If you hold a Baidu employee badge, you can come and go whenever you want, which is obviously not what Baidu wants. So Baidu has a complete mechanism for giving you a temporary badge that lets you meet Mr. Wang inside the building while keeping the building secure. Similarly, the process by which Xiaotu Software requests access to your order data also involves a set of authorization mechanisms, and that is OAuth 2.0. Instead of handing Xiaotu Software your username and password so it can reach your order data, the platform issues it an access token that lets it work on your behalf.

In fact, beyond the Xiaotu Software scenario, OAuth 2.0 is used throughout today’s internet. It simply hides its implementation details, so we have to look a little more closely to notice it. For example, when you log in to other websites or apps using WeChat, or when you start using a mini program, you are using OAuth 2.0 without even realizing it.

In summary, OAuth 2.0 is an authorization protocol that ensures third-party software can only access the data it has been authorized to access after obtaining permission. That is why it is often said that OAuth 2.0 is a security protocol, and now that you know what it does, you can see that this description is accurate as well.

Today, protected data is mostly accessed through Web APIs, so any API that needs protecting needs this kind of authorization, and OAuth 2.0’s mechanism for issuing access tokens fits this need well. As the number of such Web APIs keeps growing, OAuth 2.0 has become one of the important security measures on the web.

How Does OAuth 2.0 Work?

Now that you have a general idea of OAuth 2.0, let’s take a look at how it works.

Let’s continue using the example of Xiaotu Order Management Software mentioned earlier. Suppose Xiaoming opens a store on JD.com and wants to manage the orders in his store, so he chooses to use Xiaotu Software.

Now, let’s put “Xiaoming”, “Xiaotu Software”, and “JD Seller Open Platform” into a dialogue and see how “they” communicate.

Xiaoming: “Hello, Xiaotu Software. I am using the Chrome browser and need you to help me process the orders in my JD.com store.”

Xiaotu Software: “Okay, Xiaoming, I need you to authorize me. Now I will guide you to the JD Seller Open Platform, where you can authorize me.”

JD Seller Open Platform: “Hello, Xiaoming. I have received a request from Xiaotu Software to redirect you. I have prepared an authorization page. After logging in and confirming, click the authorize button on the authorization page.”

Xiaoming: “Okay, JD Seller Open Platform. I see the authorization page and have clicked the authorize button. 😄”

JD Seller Open Platform: “Hello, Xiaotu Order Management Software. I have received authorization from Xiaoming. Now I will generate an authorization code (the ‘code’) for you and redirect the browser to your callback URL carrying it.”

Xiaotu Software: “Okay, JD Seller Open Platform. I have obtained the authorization code from the browser. Now I will use this authorization code to request an access token from you. Please provide me with an access token.”

JD Seller Open Platform: “Okay, Xiaotu Order Management Software. The access token has been sent to you.”

Xiaotu Order Management Software: “Great, now I can use the access token to retrieve orders from Xiaoming’s store.”

Xiaoming: “I can now see my orders and start processing them.”

To help you understand better, let me use a diagram to describe the entire process:

[Figure: Overall process of Xiaoming using Xiaotu Software to print orders]

Analyzing this process, we can see that the ultimate goal of Xiaotu Software is to acquire something called an “access token”. From the final step, we can also see that Xiaotu Software can only access and print Xiaoming’s orders after obtaining the access token.

So how does Xiaotu Software obtain this access token? We can see that there is also something called an “authorization code”, and that Xiaotu Software obtains the access token by exchanging this authorization code for it.

How does Xiaotu Software get the authorization code? From the initial step in the diagram, we can see that the authorization code is generated only after Xiaoming grants authorization to Xiaotu Software. Everything that follows in the process happens after that grant. The main actions are: generate the authorization code -> exchange it for the access token -> use the access token.

From here, it is not difficult to see that the core of OAuth 2.0 authorization is issuing access tokens and using access tokens, regardless of the type of authorization flow. You must understand or remember this statement, as it is the core of the entire process. You can also recall the example of visiting Mr. Wang from Baidu. If you were the designer of this mechanism at Baidu, how would you design this authorization mechanism? Once you understand this question, understanding tokens, authorization codes, and other things will become simple.
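To make the dialogue and the analysis above concrete, here is an added example that simulates the Authorization Code flow in-process. It is not code from Geek Time, JD.com or any real Xiaotu product; the client id, client secret, redirect URI, user name and order records are all constructed for illustration, and the HTTP redirects of the real protocol are replaced by plain function calls. It keeps the checks an authorization server performs so that the "temporary badge" really is temporary: the authorization code is short-lived, single-use and bound to the client and redirect URI it was issued for, the access token expires and carries a scope, and the orders API checks the token rather than ever seeing Xiaoming's password.

```python
import secrets
import time

# Added example for this lesson, not code from Geek Time, JD.com or any real
# "Xiaotu" product. Every identifier below (client id, secret, redirect URI,
# user name, orders) is constructed for illustration.

# --- JD Seller Open Platform side: registered clients and protected data ---
REGISTERED_CLIENTS = {
    "xiaotu-app": {
        "client_secret": "xiaotu-secret-CONSTRUCTED",
        "redirect_uri": "https://xiaotu.example/callback",
    }
}
ORDERS_BY_USER = {
    "xiaoming": [{"order_id": "JD-1001", "item": "keyboard"},
                 {"order_id": "JD-1002", "item": "mouse"}],
}
CODE_TTL_SECONDS = 60       # authorization codes are short-lived
TOKEN_TTL_SECONDS = 3600    # access tokens expire too

_issued_codes = {}    # code -> {client_id, redirect_uri, user, scope, expires, used}
_issued_tokens = {}   # access_token -> {client_id, user, scope, expires}


def authorize(client_id, redirect_uri, scope, user, state, approved, now=None):
    """Authorization endpoint. After the user logs in and clicks 'authorize',
    issue a code and 'redirect' (here: return) to the client's callback URL."""
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    # Unknown clients and unregistered redirect URIs never get a code.
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("invalid_client_or_redirect_uri")
    if not approved:
        return {"redirect_to": redirect_uri, "error": "access_denied", "state": state}
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                           "user": user, "scope": scope,
                           "expires": now + CODE_TTL_SECONDS, "used": False}
    return {"redirect_to": redirect_uri, "code": code, "state": state}


def token(client_id, client_secret, code, redirect_uri, now=None):
    """Token endpoint (back channel): exchange a one-time code for an access token."""
    now = time.time() if now is None else now
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["client_secret"], client_secret):
        raise PermissionError("invalid_client")
    record = _issued_codes.get(code)
    if record is None or record["used"] or now > record["expires"]:
        raise PermissionError("invalid_grant")
    # The code may only be redeemed by the client and redirect URI it was issued to.
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        raise PermissionError("invalid_grant")
    record["used"] = True   # single use: redeeming the same code again must fail
    access_token = secrets.token_urlsafe(32)
    _issued_tokens[access_token] = {"client_id": client_id, "user": record["user"],
                                    "scope": record["scope"],
                                    "expires": now + TOKEN_TTL_SECONDS}
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": TOKEN_TTL_SECONDS, "scope": record["scope"]}


def get_orders(access_token, now=None):
    """Resource server (the orders Web API). It checks the access token and its
    scope; Xiaoming's password never reaches Xiaotu or this API."""
    now = time.time() if now is None else now
    record = _issued_tokens.get(access_token)
    if record is None or now > record["expires"]:
        raise PermissionError("invalid_token")
    if "orders:read" not in record["scope"].split():
        raise PermissionError("insufficient_scope")
    return ORDERS_BY_USER[record["user"]]


def xiaotu_flow(approved=True):
    """Xiaotu Software's side of the dialogue, end to end.
    Returns the orders it can now read, or None if Xiaoming declined."""
    state = secrets.token_urlsafe(16)   # binds the callback to this request
    # Steps 1-2: the browser is sent to the platform; Xiaoming logs in and decides.
    callback = authorize("xiaotu-app", "https://xiaotu.example/callback",
                         "orders:read", "xiaoming", state, approved)
    if "error" in callback or callback["state"] != state:
        return None
    # Step 3: exchange the authorization code for an access token.
    tok = token("xiaotu-app", "xiaotu-secret-CONSTRUCTED", callback["code"],
                "https://xiaotu.example/callback")
    # Step 4: use the access token against the orders API.
    return get_orders(tok["access_token"])


if __name__ == "__main__":
    print(xiaotu_flow())
```

Running the file prints Xiaoming's two constructed orders. The `now` parameters exist only so that the expiry rules can be exercised without waiting; in a real deployment the code would be delivered through a browser redirect and the token exchange would be an HTTPS request from Xiaotu's server to the platform's token endpoint.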

In the Xiaotu Software example, we are using the Authorization Code grant type. It is the most classic, comprehensive, secure, and widely used grant type in OAuth 2.0. In addition to the Authorization Code grant type, OAuth 2.0 also has three basic grant types for different usage scenarios: Implicit, Client Credentials, and Resource Owner Password Credentials. Compared to the Authorization Code grant type, these three grant types have reduced complexity and security in their process flow (I will analyze them in detail in Lesson 6).

Therefore, in this course, I will frequently use the Authorization Code grant type as an example. As for why it is called the Authorization Code grant type, why there are two redirects, and the detailed communication flow of this grant type, I will provide a more in-depth analysis in Lesson 2, so you don’t need to focus on it directly now.

Summary

Alright, that’s the end of today’s class. We didn’t cover many points, but I used examples to help you understand what OAuth 2.0 is, why it is needed, and how it generally works. In summary, I want you to remember the following 3 key points:

1. The core of OAuth 2.0 is authorization, implemented through a token mechanism. Third-party software such as Xiaotu Software can only access user data on the JD.com platform if it obtains an access token granted by the platform. In other words, it needs authorization before it can access the data on the user’s behalf.

2. Most protected resources on the internet are accessed through Web APIs. For example, the Geek Time app needs to access a user’s avatar and nickname, while Xiaotu Software needs to access a user’s shop orders. We say that OAuth 2.0 is related to security because it aims to protect Web APIs. Additionally, once third-party software obtains access rights through OAuth 2.0, the user has delegated those permissions to it, so we can also say that OAuth 2.0 is a delegation protocol.

3. Because third-party software such as Xiaotu requests user data with access tokens instead of usernames and passwords, the attack surface is greatly reduced. Imagine if a username and password had to be presented every time one of the many Web APIs was called; that would enlarge the attack surface considerably. This is why we can say that the core of OAuth 2.0 is issuing and using access tokens.

Reflection Question

Alright, we’re about to wrap up today’s lecture, and I have a reflection question for you.

Take some time to think about the scenario of Xiaotu Software obtaining user order information. If you were asked to design the entire authorization process, how would you design it? Is there a better way?

Feel free to share your thoughts in the comments section. Also, feel free to share today’s content with other friends so that we can exchange ideas together.