Last updated: 2020-02-14 14:16:05


Overview of OAuth2.0

OAuth 2.0 is an open authorization standard that lets a user allow a third-party application to access specific private resources the user holds at some service, without giving the third-party application the user's account password.

OAuth2.0 is an authorization protocol, not an authentication protocol.

OAuth2.0 role description

OAuth2.0 has the following four roles:

  • Resource Owner: the owner of the resource.
  • Resource Server: the server that hosts the protected resource.
  • Client: the third-party application; any third-party application that consumes the resource server.
  • Authorization Server: the authorization server, the middle tier that manages the three roles above.

Authorization process

(A) The client requests authorization from the resource owner.
(B) The resource owner agrees to the authorization.
(C) Having obtained the resource owner's authorization, the client applies to the authorization server for an access token.
(D) The authorization server verifies the client and, if it is valid, issues the access token.
(E) With the access token, the client asks the resource server for the user's information.
(F) The resource server verifies the token and, if it is valid, returns the user's information to the client.

Authorization Grant

  • An authorization grant is a credential that represents the resource owner's authorization (to access a protected resource); the client uses it to obtain an access token.
  • Authorization Code: the authorization code grant. The client needs a server side to handle the authorization code (this is the authorization method the API gateway uses).

(A) The Client uses the browser (user agent) to access the Authorization Server.
(B) The Authorization Server validates the parameters the Client passed in (A) and, if they are correct, shows the Resource Owner a login page.
(C) If (B) succeeds, an authorization code is returned to the Client.
(D) The Client sends the authorization code obtained in (C), together with its client identity, redirection URL and other information, as parameters to the URL provided by the Authorization Server in order to obtain an access token.
(E) The Authorization Server returns the access token, an optional refresh token, the token validity period and other information to the Client.

  • Implicit: the implicit grant omits the authorization code and returns the token directly. It suits third-party applications that have no server side to handle an authorization code.
  • Resource Owner Password Credentials: the resource owner's password credentials; the owner's account and password are used directly to request the token.
  • Client Credentials: client credentials; the client provides its own identity parameters to obtain the token directly.

OIDC description

  • OIDC (OpenID Connect) is an identity layer built on top of OAuth2.0: an authentication standard protocol based on the OAuth2.0 protocol.
  • OAuth 2.0 defines mechanisms for obtaining and using access tokens to access protected resources, but does not define a standard way to provide identity information.
  • OIDC provides information about the end user in the form of an id_token, verifies the user's identity, and provides basic profile information about the user.


  • OIDC's main extension to OAuth2.0 is the ID Token.
  • The ID Token is a security token: a data structure in JWT format, issued by the authorization server, that carries user information (a set of standard Claims plus other auxiliary Claims).
  • JWT (JSON Web Token) is a standard protocol that defines a compact, self-contained and tamper-evident mechanism for passing data. The API gateway verifies the generated id_token according to the JWT standard.
In the table below, EU means the end user and RP means the relying party (the client).

| Parameter | English full name | Required | Description | Value requirement |
|---|---|---|---|---|
| iss | Issuer Identifier | Yes | Unique identifier of the party that issues the authentication information. | Usually an HTTPS URL (without the query string and fragment parts). |
| sub | Subject Identifier | Yes | Identifier of the EU issued by iss, unique within the scope of iss; the RP uses it to identify a unique user. | At most 255 ASCII characters. |
| aud | Audience(s) | Yes | Identifies the audience of the ID Token; must include the OAuth2 client_id. | - |
| exp | Expiration time | Yes | Expiry time; after this time the ID Token is invalid and no longer passes verification. | - |
| iat | Issued At Time | Yes | The time at which the JWT was created. | - |
| auth_time | Authentication Time | No | The time at which the EU completed authentication. This Claim is required if the RP sent the AuthN request with the max_age parameter. | - |
| nonce | - | No | A random string supplied by the RP when sending the request, used to mitigate replay attacks. It can also associate the ID Token with the RP's own session information. | - |
| acr | Authentication Context Class Reference | No | An authentication context reference value that identifies the authentication context class. | - |
| amr | Authentication Methods References | No | A set of authentication methods. | - |
| azp | Authorized party | No | Used together with aud. Only used when the authorized party differs from the audience (aud); rarely used in general. | - |

API gateway OAuth2.0 operation method

The API gateway already provides the OAuth function. To run an OAuth demo you need a Client and an AS (authorization server), and possibly an RS (resource server).
There are two functional requirements:

  • Authorization API calls: request a token, refresh a token.
  • Business API calls (require an RS demo): the Client sends and receives requests directly with a mock tool such as Postman.

AS service

Developed quickly with SpringBoot.
Main functions: handle authorization API requests, generate the id_token, refresh the id_token.

Generate RSA public and private keys

  • Public key: placed in the API gateway to verify the JWT signature.
  • Private key: saved by AS.

2048-bit RSA key, signed with SHA-256 (RS256).

Output the public key in JSON format. It carries the JWT header information, which consists of two parts:

  • kty: the key type; RSA is used here.
  • alg: the signature algorithm; RS256 (RSA with SHA-256) is used here.
{"kty":"RSA","alg":"RS256","e":"","n":"Public key content"}
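As an added example (not the page's SpringBoot AS code), the following Go program fills in the "e" and "n" fields of the JSON above from a freshly generated 2048-bit key: both are the big-endian bytes of the RSA exponent and modulus, base64url-encoded without padding, which is what the gateway needs to verify RS256 signatures. The function name PublicJWK is an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// PublicJWK renders the AS public key as {"kty","alg","e","n"} for the gateway.
// e and n are the RSA exponent and modulus as big-endian bytes, base64url without padding.
// (Hypothetical helper written for this page; not the gateway's own API.)
func PublicJWK(pub *rsa.PublicKey) (string, error) {
	enc := base64.RawURLEncoding
	jwk := map[string]string{
		"kty": "RSA",   // key type
		"alg": "RS256", // signature algorithm the gateway should verify with
		"e":   enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
		"n":   enc.EncodeToString(pub.N.Bytes()),
	}
	out, err := json.Marshal(jwk)
	return string(out), err
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // the private key stays on the AS
	if err != nil {
		panic(err)
	}
	jwk, _ := PublicJWK(&priv.PublicKey)
	fmt.Println(jwk) // the "e" of a standard key is "AQAB" (65537); "n" is 256 bytes for 2048 bits
}
```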

Generate id_token

  • When generating the token, set the Claims defined by the OIDC protocol (iss, aud, iat, exp, sub) in the JWT payload. iat and exp must be set; the others are optional.
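The two halves of this step, as an added Go example that is not the page's SpringBoot code: MintIDToken is the AS side, which sets iss, aud, sub, iat and exp and signs with RS256 over the private key; VerifyIDToken is the gateway side, which holds only the public key and checks the alg header, the signature, exp and aud before trusting sub. The function names and the issuer/client/user values in the test are constructed, and aud is assumed to be a single string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT uses base64url without padding
// MintIDToken is the AS side: header + OIDC claims, signed RS256 (PKCS#1 v1.5 over SHA-256).
func MintIDToken(priv *rsa.PrivateKey, iss, aud, sub string, now time.Time, ttl time.Duration) (string, error) {
	claims, _ := json.Marshal(map[string]interface{}{"iss": iss, "aud": aud, "sub": sub,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyIDToken is the gateway side: checks alg, signature, exp and aud, then returns sub.
func VerifyIDToken(pub *rsa.PublicKey, token, aud string, now time.Time) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	hdr, _ := b64.DecodeString(p[0]) // decode errors leave nil, which fails Unmarshal below
	body, _ := b64.DecodeString(p[1])
	sig, _ := b64.DecodeString(p[2])
	var h struct{ Alg string } // encoding/json matches field names case-insensitively
	var c struct{ Aud, Sub string; Exp int64 }
	if json.Unmarshal(hdr, &h) != nil || h.Alg != "RS256" { // pin the algorithm the gateway expects
		return "", errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	if json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp || c.Aud != aud {
		return "", errors.New("expired or wrong audience")
	}
	return c.Sub, nil
}
```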

Processing request Token

Refresh id_token


First deploy the AS service to the backend server and run it. Note that if you deploy to a CVM, you need to open the port in the security group.

  • Create an authorization API in the API management platform.
  • Fill in the OAuth information, such as the public key.
  • Create a business API and associate it with the authorization API on the API gateway platform.
  • Publish the APIs.
  • Call the authorization API to obtain the id_token.
  • Use the id_token to access the business API.