OAuth2 is a network standard for authorization. There is already a lot of information on the Internet explaining it, so this article will not go into the principles and the specification in detail. I will write another article later to analyze the difference between authorization and authentication.
Nevertheless, here is a description of the OAuth2 usage scenario, so that the roles used in the rest of the article are agreed on and clear.
- A (twitter): hosts content, runs the OAuth2 service, and provides third-party login access;
- C: a twitter user who generates content on the twitter website;
- B1 (medium.com): wants C to log in to its website with C's twitter account, and wants to get C's twitter avatar, user name and other basic information;
- B2 (buffer.com): wants C to log in to buffer.com with a twitter account, write content and post it directly to twitter;
- B3 (twitterrific): a third-party iOS client for twitter.
User C wants to log in to medium.com with his twitter account, or wants to use buffer.com to manage twitter content, or wants to use twitterrific to browse tweets. In all three situations, however, user C does not want to give his twitter username and password directly to B; instead he expects twitter and B to negotiate so that B is granted the corresponding permissions.
How many permissions are required is set by B on the twitter open platform. Whether to grant these permissions (or only some of them) to B is decided by user C, and the operation that records this decision (the authorization) takes place inside twitter's website or official app.
When a user feels that a certain B is not trustworthy, he can revoke its authorization from the twitter account management interface. And when twitter finds that a certain B is performing illegal operations, it can completely prohibit B from obtaining authorization.
OAuth2 can meet the above authorization requirements.
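The roles and decisions described above can be modelled in a few dozen lines. The following is an added example, not code from the original article or from twitter: a toy authorization server in the role of A that registers clients (B) with the scopes they ask for, lets user C approve all or only part of them, issues tokens, and honours both C's revocation and A's provider-level ban. The client names, scope names (`profile:read`, `tweet:write`) and method names are all constructed for this illustration and do not correspond to any real API.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    name: str
    requested_scopes: frozenset   # set by B when registering on A's open platform
    blocked: bool = False         # set by A when B misbehaves


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset             # the subset that C actually approved


class AuthorizationServer:
    """Role A: owns the user accounts and issues access tokens (toy model)."""

    def __init__(self):
        self.clients = {}   # client_id -> Client
        self.grants = {}    # access token -> Grant

    def register_client(self, name, requested_scopes):
        client_id = secrets.token_hex(8)
        self.clients[client_id] = Client(client_id, name, frozenset(requested_scopes))
        return client_id

    def authorize(self, user, client_id, approved_scopes):
        """C's decision on A's consent screen; returns an access token for B."""
        client = self.clients[client_id]
        if client.blocked:
            raise PermissionError(f"{client.name} is banned from obtaining authorization")
        approved = frozenset(approved_scopes)
        if not approved <= client.requested_scopes:
            raise ValueError("C cannot approve a scope that B never asked for")
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(user, client_id, approved)
        return token

    def allows(self, token, scope):
        """Check performed on every API call B makes with its token."""
        grant = self.grants.get(token)
        if grant is None:
            return False                     # unknown or revoked token
        if self.clients[grant.client_id].blocked:
            return False                     # provider-level ban wins
        return scope in grant.scopes

    def revoke_by_user(self, user, client_id):
        """C removes B from the account management interface."""
        stale = [t for t, g in self.grants.items()
                 if g.user == user and g.client_id == client_id]
        for token in stale:
            del self.grants[token]

    def block_client(self, client_id):
        """A prohibits B entirely; tokens already issued stop working too."""
        self.clients[client_id].blocked = True


def run_scenario():
    """Walk B1 and B2 through the flow and report what each check returned."""
    twitter = AuthorizationServer()
    medium_id = twitter.register_client("medium.com", {"profile:read"})
    buffer_id = twitter.register_client("buffer.com", {"profile:read", "tweet:write"})
    results = {}

    # C approves only part of what buffer.com asked for
    buf_token = twitter.authorize("C", buffer_id, {"profile:read"})
    results["buffer_partial_read"] = twitter.allows(buf_token, "profile:read")
    results["buffer_partial_write"] = twitter.allows(buf_token, "tweet:write")

    # C cannot approve more than B requested
    try:
        twitter.authorize("C", medium_id, {"tweet:write"})
        results["overgrant_rejected"] = False
    except ValueError:
        results["overgrant_rejected"] = True

    # medium.com gets its full (small) request, then C revokes it
    med_token = twitter.authorize("C", medium_id, {"profile:read"})
    results["medium_before_revoke"] = twitter.allows(med_token, "profile:read")
    twitter.revoke_by_user("C", medium_id)
    results["medium_after_revoke"] = twitter.allows(med_token, "profile:read")

    # twitter bans buffer.com: the old token dies and new grants are refused
    twitter.block_client(buffer_id)
    results["buffer_after_ban"] = twitter.allows(buf_token, "profile:read")
    try:
        twitter.authorize("C", buffer_id, {"profile:read"})
        results["ban_blocks_new_grant"] = False
    except PermissionError:
        results["ban_blocks_new_grant"] = True
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real deployment: the token never encodes the requested scopes, only the approved ones, so a partial grant by C cannot be widened by B later; and the ban check lives in the per-request `allows` path rather than only in `authorize`, so a provider-level ban takes effect immediately instead of waiting for tokens to expire.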
When do I need to build an OAuth2 service myself? Generally speaking, there are two situations:
- As a well-established user system such as twitter, Facebook, WeChat or QQ, which holds a large share of Internet users at the infrastructure level, and is opened to other websites for social login;
- As a forum website such as reddit, or a social media site such as Weibo or twitter, which is opened to third parties to develop clients or extend applications. The characteristic of this kind of website is that it is itself relatively rich in function,
When do I need to access an OAuth2 service provided by others? There are two situations, mirroring the two cases for A above:
- Your own website wants users to log in with twitter or Facebook, so that users can skip the tedious registration process, which increases the conversion rate;
- You want to develop clients or extend applications for websites such as reddit and twitter.
In general, scenarios that are purely about authentication are not suitable for OAuth, such as:
- When there is only one user system: the conventional username-and-password mode or federated identity is enough.
- When there are multiple user systems, but their number is limited and under your control. For example, several sub-products of the same company each have their own user system, but you want to connect these users: this is a typical Single Sign-On scenario.