OAuth on Ricky

OAuth on Rickyhttps://linzeyan.github.io/zh-tw/categories/oauth/Recent content in OAuth on RickyHugo -- gohugo.iozh-twWed, 06 Jul 2022 08:47:49 +0800OIDC(OpenID Connect) 简介https://linzeyan.github.io/zh-tw/posts/2022/20220706-openid-connect/Wed, 06 Jul 2022 08:47:49 +0800https://linzeyan.github.io/zh-tw/posts/2022/20220706-openid-connect/<ul> <li><a href="https://jiajunhuang.com/articles/2022_07_06-openid_connect.md.html" target="_blank" rel="noopener">OIDC(OpenID Connect) 简介</a></li> </ul> <h3 id="authentication-vs-authorization">Authentication vs. authorization</h3> <blockquote> <p>Authentication 通常是指校验是否是用户本人的这个过程，而 Authorization 则更多的是指用户是否有权限。通常我们都是先校验是否是用户本人，然后再校验用户是否有权限。也就是先开始 Authentication，再开始 Authorization。</p></blockquote> <table> <thead> <tr> <th>Authentication</th> <th>Authorization</th> </tr> </thead> <tbody> <tr> <td>Determines whether users are who they claim to be</td> <td>Determines what users can and cannot access</td> </tr> <tr> <td>Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition)</td> <td>Verifies whether access is allowed through policies and rules</td> </tr> <tr> <td>Usually done before authorization</td> <td>Usually done after successful authentication</td> </tr> <tr> <td>Generally, transmits info through an ID Token</td> <td>Generally, transmits info through an Access Token</td> </tr> <tr> <td>Generally governed by the OpenID Connect (OIDC) protocol</td> <td>Generally governed by the OAuth 2.0 framework</td> </tr> <tr> <td>Example: Employees in a company are required to authenticate through the network before accessing their company email</td> <td>Example: After an employee successfully authenticates, the system determines what information the employees are allowed to access</td> </tr> </tbody> </table> <h3 id="oauth-2">OAuth 2</h3> <h4 id="client-credentials-grant"><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-4.4" target="_blank" rel="noopener">Client Credentials Grant</a></h4> <blockquote> <p>这种模式是最简单的，其实就是客户端告诉服务端自己是哪个客户端，服务器就将 access_token 下发</p>