In the plain client-server model, letting a third-party application reach a server's protected resources with the user's own credentials causes several problems:
- The user's password is exposed to the application (in clear text).
- The application obtains the full set of the user's privileges, not just what it needs.
- Access cannot be revoked for one particular application individually.
- Whenever the password changes, it has to be updated in every application that holds it.
- Resource Owner
- Resource Server
- Client
- Authorization Server
- UserAgent
- code
- access_token
- Authentication
- Authorization
- scope
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
- Authorization Endpoint
- Token Endpoint
- Authorization Code
- Implicit
- Resource Owner Password Credentials
- Client Credentials
     +----------+
     | Resource |
     |   Owner  |
     |          |
     +----------+
          ^
          |
         (B)
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
or, when the resource owner denies the request (the client must still check that state matches before acting on either redirect):
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
GitHub returns the same data form-encoded rather than as JSON (unless the client sends Accept: application/json):
access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer
GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer mF_9.B5f-4.1JqM
or, as a query parameter, which RFC 6750 allows but says SHOULD NOT be used unless the Authorization header is unavailable, because the token then ends up in server logs, browser history and Referer headers:
GET /resource/1?access_token=...
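The client side of the whole authorization-code exchange above, as an added example (it is not code from this page, from RFC 6749 or from GitHub): it builds the step (A) request with a random state, validates the step (C) callback (state check, error branch), builds the step (D) token request with the same Basic header as in the exchange above, parses both the RFC's JSON token response and GitHub's form-encoded one, and puts the token in a Bearer header for the resource request. The endpoint URLs, client_id and the client secret decoded from the Basic header are the RFC's example values; the function names, the scope and the sample callback and token responses are constructed for this example.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from the RFC 6749 examples on this page; the client secret is
# what the Basic header in the token request decodes to. Nothing is sent on
# the network: the functions only build and validate the messages.
AUTHORIZE_URL = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session and
    check it on the callback. This is the CSRF defence RFC 6749 requires."""
    return secrets.token_urlsafe(16)


def build_authorization_request(state: str, scope: str = "") -> str:
    """Step (A): the URL the user-agent is redirected to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(location: str, expected_state: str) -> str:
    """Step (C): validate the redirect back to the client and return the code.

    Rejects a missing or mismatched state (CSRF / injected code), an error
    response such as access_denied, and a callback carrying no code at all.
    """
    q = parse_qs(urlparse(location).query)
    state = q.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str):
    """Step (D): headers and form body for POST /token; the client
    authenticates with HTTP Basic exactly as in the exchange above."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body


def parse_token_response(content_type: str, body: str) -> dict:
    """Step (E): accept the RFC's JSON body or GitHub's form-encoded body."""
    if content_type.split(";")[0].strip() == "application/json":
        tok = json.loads(body)
    else:
        tok = {k: v[0] for k, v in parse_qs(body).items()}
    if not tok.get("access_token"):
        raise ValueError("token response carries no access_token")
    return tok


def bearer_header(token: dict) -> dict:
    """Resource request: send the token in the Authorization header rather
    than the query string, so it stays out of logs and Referer headers."""
    if str(token.get("token_type", "")).lower() != "bearer":
        raise ValueError("unsupported token_type: " + str(token.get("token_type")))
    return {"Authorization": "Bearer " + token["access_token"]}


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_request(state, scope="user:email"))
    # Constructed callback, modelled on the RFC example above.
    cb = f"https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    headers, body = build_token_request(parse_callback(cb, state))
    print(headers["Authorization"])
    print(body)
    # Constructed GitHub-style token response, as shown on this page.
    tok = parse_token_response(
        "application/x-www-form-urlencoded",
        "access_token=e72e16c7e42f292c6912e7710c838347ae178b4a&token_type=bearer")
    print(bearer_header(tok))
```

The functions return the messages rather than sending them, so they drop into any HTTP client; the two checks worth copying are the constant-time state comparison before the error or code branch is even looked at, and the refusal to use a token whose token_type is not bearer.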
- http://tools.ietf.org/html/rfc6749
- http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified
- http://developer.github.com/v3/oauth/
Scopes used by GitHub (requested with the scope parameter of the authorization request; an empty scope grants read-only access to public information):
(no scope)
user
user:email
user:follow
public_repo
repo
repo:status
delete_repo
notifications
gist