官网:OAuth 2.0  OAuth


An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.





  1. 用户准备登录某门户网站,用户没有账号,网站支持使用微信登录,于是用户点击微信登录
  2. 微信认证平台返回授权页面给用户
  3. 用户进行资源授权(比如允许用户昵称,头像的访问权限)
  4. 微信认证返回授权码给某门户网站
  5. 某门户网站拿授权码去微信认证平台获取token令牌
  6. 微信平台返回token令牌
  7. 某门户网站可以使用token令牌去微信平台获取此用户的头像和昵称等基础信息,获取后使用这些信息自动登录本网站
  8. 用户登录成功



参看:RFC 6749 - The OAuth 2.0 Authorization Framework

  • Third-party application:第三方应用程序,或说客户端。例如上文的某门户网站。
  • Resource Owner:资源所有者,例如上文的用户。
  • Authorization server:认证服务器,即服务提供商专门用来处理认证的服务器。
  • Resource server:资源服务器,即服务提供商存放用户生成的资源的服务器。它与认证服务器,可以是同一台服务器,也可以是不同的服务器。



+--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
                     Figure 1: Abstract Protocol Flow


(A)  The client requests authorization from the resource owner.  The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary.
(B)  The client receives an authorization grant, which is a credential representing the resource owner's authorization,expressed using one of four grant types defined in this specification or using an extension grant type.  The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.
(C)  The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
(D)  The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
(E)  The client requests the protected resource from the resource server and authenticates by presenting the access token.
(F)  The resource server validates the access token, and if valid,serves the request.
The preferred method for the client to obtain an authorization grant from the resource owner (depicted in steps (A) and (B)) is to use the authorization server as an intermediary, which is illustrated in Figure 3 in Section 4.1.


  • (A)客户端请求资源所有者授权。可以直接向资源拥有者发出授权请求,但最好通过认证服务器作为中介。(授权请求经过认证服器最后才展示给用户会带来一些灵活性,比如授权服务器可以动态获取当前用户的一些最新可授权信息,然后返回一个可授权列表到前端展示给用户,用户可选择性授权,也可以部分授权)
  • (B)用户同意授权后,客户端收到一个代表资源所有者的授权的特定授权类型(取决于上一步发起授权请求指定的授权类型)的凭据。
  • (C)客户端通过上一步获取的授权凭据向认证服务器申请令牌。
  • (D)认证服务器对客户端和授权凭证进行校验,校验通过后发放令牌。
  • (E)客户端使用令牌向资源服务器请求受保护的资源。
  • (F)资源服务器校验令牌,校验通过后向客户端返回受保护的资源。


客户端必须得到用户的授权凭证(authorization grant),才能获得令牌(access token)。OAuth 2.0定义了四种授权方式。

  • 授权码模式(authorization code)
  • 简化模式(implicit)
  • 密码模式(resource owner password credentials)
  • 客户端模式(client credentials)

授权码模式(authorization code)

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients.
Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.

认证码凭证主要用于获取access token和refresh tokens,由于此模式是一个基于重定向的流程,客户端必须能够与资源拥有者的用户代理(一般指浏览器)进行交互,并且能够接收来自认证服务器的传入请求(通过重定向)。

     | Resource |
     |   Owner  |
     |          |
     +----|-----+          Client Identifier      +---------------+
     |         -+----(A)-- & Redirection URI ---->|               |
     |  User-   |                                 | Authorization |
     |  Agent  -+----(B)-- User authenticates --->|     Server    |
     |          |                                 |               |
     |         -+----(C)-- Authorization Code ---<|               |
     +-|----|---+                                 +---------------+
       |    |                                         ^      v
      (A)  (C)                                        |      |
       |    |                                         |      |
       ^    v                                         |      |
     +---------+                                      |      |
     |         |>---(D)-- Authorization Code ---------'      |
     |  Client |          & Redirection URI                  |
     |         |                                             |
     |         |<---(E)----- Access Token -------------------'
     +---------+       (w/ Optional Refresh Token)
   Note: The lines illustrating steps (A), (B), and (C) are broken into
   two parts as they pass through the user-agent.
                     Figure 3: Authorization Code Flow


The flow illustrated in Figure 3 includes the following steps:
(A)  The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint.  The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
(B)  The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
(C)  Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration).  The redirection URI includes an authorization code and any local state provided by the client earlier.
(D)  The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step.  When making the request, the client authenticates with the authorization server.  The client includes the redirection URI used to obtain the authorization code for verification.
(E)  The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C).  If valid, the authorization server responds back with an access token and, optionally, a refresh token.


  • (A)客户端(如某网站应用)通过用户代理(浏览器)将资源拥有者导向认证服务器(不好理解的话,回想微信登录第一步)。客户端携带、授权类型、客户端标识、请求范围、重定向url等参数请求认证服务器获取授权码。
  • (B)认证服务器对资源拥有者进行认证(如,需要用户登录微信),资源拥有者决定是否给客户端授权。
  • (C)假设用户同意授权,认证服务器将通过redirection URI重定向到用户代理(浏览器),重定向的url将会包含认证服务器返回的授权码。
  • (D)客户端通过授权码和重定向url向认证服务器申请令牌,认证服务器将会对客户端进行认证(即此客户端必须是认证服务器登记过的,例如我们开发微信登录时微信平台给我们的appId即可认为是客户端的标识)
  • (E)认证服务器对客户端、授权码、重定向url等信息进行校验,校验通过后返回access token和refresh token。

Authorization Request


GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com


  • response_type,响应类型, 必选项,授权码模式下固定值code
  • client_id,客户端标识,必选项
  • redirect_uri,重定向uri,可选项
  • scope,授权范围,可选项
  • state,当前客户端状态,可使用任意值。推荐使用。此参数可应用于预防跨站点请求伪造行为。

Authorization Response


  • code,授权码。授权码有效时间推荐10分钟内,而且不能重复使用,当重复使用时,认证服务器必须拒绝。
  • state,客户端状态值,当请求认证码时携带,认证服务器必须原样返回。


HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz


HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz


  • error,错误码,必选项。具体可取值如下:
    • invalid_request,请求不合法,比如缺失必须参数,携带不合法参数等。
    • unauthorized_client,客户端无权访问此方法
    • access_denied,资源拥有者或认证服务器拒绝请求
    • unsupported_response_type,认证服务器不允许认证码授权
    • invalid_scope,非法的授权范围
    • server_error,认证服务器内部错误
    • temporarily_unavailable,认证服务暂时不可用
  • state,必选项,客户端状态值,当请求认证码时携带,认证服务器必须原样返回。
  • error_description,错误描述,可选
  • error_uri,错误页地址,可选

Access Token Request

步骤D,当客户端取得了authorization code,此时可以向认证服务器申请获取令牌。请求示例:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


  • grant_type,授权类型,必选项,此处为固定值authorization_code
  • code,授权码,在步骤C中获取的,必选项
  • redirect_uri,重定向uri,必选项,跟步骤A中的uri保持一致
  • client_id,客户端标识,必选项

Access Token Response

步骤E,认证服务器对客户端、授权码、重定向url等信息进行校验,校验通过后返回access token和refresh token。返回结果示例如下:

 HTTP/1.1 200 OK
 Content-Type: application/json;charset=UTF-8
 Cache-Control: no-store
 Pragma: no-cache


The implicit grant type is used to obtain access tokens (it does not support the issuance of refresh tokens) and is optimized for public clients known to operate a particular redirection URI.  These clients are typically implemented in a browser using a scripting language such as JavaScript.
Since this is a redirection-based flow, the client must be capable of interacting with the resource owner's user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
Unlike the authorization code grant type, in which the client makes separate requests for authorization and for an access token, the client receives the access token as the result of the authorization request.
The implicit grant type does not include client authentication, and relies on the presence of the resource owner and the registration of the redirection URI.  Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and other applications residing on the same device.


     | Resource |
     |  Owner   |
     |          |
     +----|-----+          Client Identifier     +---------------+
     |         -+----(A)-- & Redirection URI --->|               |
     |  User-   |                                | Authorization |
     |  Agent  -|----(B)-- User authenticates -->|     Server    |
     |          |                                |               |
     |          |<---(C)--- Redirection URI ----<|               |
     |          |          with Access Token     +---------------+
     |          |            in Fragment
     |          |                                +---------------+
     |          |----(D)--- Redirection URI ---->|   Web-Hosted  |
     |          |          without Fragment      |     Client    |
     |          |                                |    Resource   |
     |     (F)  |<---(E)------- Script ---------<|               |
     |          |                                +---------------+
       |    |
      (A)  (G) Access Token
       |    |
       ^    v
     |         |
     |  Client |
     |         |
   Note: The lines illustrating steps (A) and (B) are broken into two
   parts as they pass through the user-agent.
                       Figure 4: Implicit Grant Flow


(A)  The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint.  The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).
(B)  The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.
(C)  Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier.  The redirection URI includes the access token in the URI fragment.
(D)  The user-agent follows the redirection instructions by making a request to the web-hosted client resource (which does not include the fragment per [RFC2616]).  The user-agent retains the fragment information locally.
(E)  The web-hosted client resource returns a web page (typically an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment.
(F)  The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token.
(G)  The user-agent passes the access token to the client.


  • A,客户端通过用户代理将资源拥有者导向认证服务器,携带客户端标识、重定向uri等参数
  • B,认证服务器对资源拥有者进行认证,资源拥有者决定是否给客户端授权
  • C,假设资源拥有者同意授权,认证服务器通过A步骤提供的重定向uri进行重定向,并在uri片断中附带访问令牌
  • D,用户代理向资源服务器发出请求,不包含上一步获取到的片断信息
  • E,资源服务器返回一个支持嵌入式脚本的网页,脚本能够访问上一步用户代理(浏览器)保留在本地的代码片断并从中提取出访问令牌
  • F,用户代理执行脚本,把令牌提取出来
  • G,用户代理将令牌发给客户端

Authorization Request


GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com


  • response_type:表示授权类型,此处的值固定为"token",必选项。
  • client_id:表示客户端的ID,必选项。
  • redirect_uri:表示重定向的URI,可选项。
  • scope:表示权限范围,可选项。
  • state:表示客户端的当前状态,推荐带上,可以指定任意值,认证服务器会原封不动地返回这个值。

Access Token Response


HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA&state=xyz&token_type=example&expires_in=3600


  • access_token:表示访问令牌,必选项。
  • token_type:表示令牌类型,该值大小写不敏感,必选项。
  • expires_in:表示过期时间,单位为秒。如果省略该参数,必须通过其他方式设置过期时间。
  • scope:表示权限范围,如果与客户端申请的范围一致,此项可省略。
  • state:如果客户端的请求中包含这个参数,认证服务器的回应也必须一模一样包含这个参数。


HTTP/1.1 302 Found
Location: https://client.example.com/cb#error=access_denied&state=xyz



  • error,错误码,必选项。具体可取值如下:
    • invalid_request,请求不合法,比如缺失必须参数,携带不合法参数等。
    • unauthorized_client,客户端无权访问此方法
    • access_denied,资源拥有者或认证服务器拒绝请求
    • unsupported_response_type,认证服务器不允许认证码授权
    • invalid_scope,非法的授权范围
    • server_error,认证服务器内部错误
    • temporarily_unavailable,认证服务暂时不可用
  • state,必选项,客户端状态值,当请求认证码时携带,认证服务器必须原样返回。
  • error_description,错误描述,可选
  • error_uri,错误页地址,可选

密码模式(resource owner password credentials)

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.  The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.
This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form).  It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

密码模式适用于资源拥有者与资源服务器之间是高度互相信任的场景。举个例子,在前后端分离架构中,后端采用Sping Security Oauth2对用户进行认证授权,对于内部用户来讲,登录后台管理系统对系统的资源进行管理,此时就适用于密码模式。我们可以把前端应用或app应用看作一个第三方应用(即客户端),把某个提供http接口的微服务看作一个资源服务器,另外有一个用于认证的oauth2认证服务器。这时前端应用(客户端)与提供服务的资源服务器、系统管理人员(资源拥有者)它们之间是高度互相信任的,此时使用密码模式最为适合。试想,假设使用授权码模式,用户登录认证后,还需要确认授权,授权完毕还需要使用授权码到认证服务器获取token,岂不是多此一举?

     | Resource |
     |  Owner   |
     |          |
          |    Resource Owner
         (A) Password Credentials
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+
            Figure 5: Resource Owner Password Credentials Flow


(A)  The resource owner provides the client with its username and password.
(B)  The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner.  When making the request, the client authenticates with the authorization server.
(C)  The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token.


  • A,资源拥有者将用户名和密码提供给客户端
  • B,客户端通过用户名和密码向认证服务器请求令牌,认证服务器将对客户端进行校验。
  • C,认证服务器校验通过后向客户端发放令牌。

Access Token Request


POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


  • grant_type:表示授权类型,此处的值固定为"password",必选项。
  • username:表示用户名,必选项。
  • password:表示用户的密码,必选项。
  • scope:表示权限范围,可选项。

Access Token Response


HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

客户端模式(client credentials)

The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server (the method of which is beyond the scope of this specification).
The client credentials grant type MUST only be used by confidential clients.


 +---------+                                  +---------------+
     |         |                                  |               |
     |         |>--(A)- Client Authentication --->| Authorization |
     | Client  |                                  |     Server    |
     |         |<--(B)---- Access Token ---------<|               |
     |         |                                  |               |
     +---------+                                  +---------------+
                     Figure 6: Client Credentials Flow


(A)  The client authenticates with the authorization server and requests an access token from the token endpoint.
(B)  The authorization server authenticates the client, and if valid,issues an access token.


  • A,客户端直接通过认证服务获取令牌,认证服务需要对客户端进行合法性校验
  • B,认证服务校验客户端通过,返回令牌


POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


  • grant_type,授权范围,此处的值固定为"clientcredentials",必选项。
  • scope:表示权限范围,可选项


HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache



如果认证服务给客户端返回了refresh token,那么客户端就可以通过此refresh token去获取新的token以在令牌过期前对令牌进行续签,refresh token的过期时间一般会比access_token的过期时间长。请求刷新token的请求示例如下:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded


  • grant_type,必选项,此处为固定值“refresh_token”
  • refresh_token,必选项。此前认证服务给客户端返回的一个值。
  • scope,授权范围,可选项。和此前申请令牌时保持一致



