There is a blog about the flow of OAuth 2.0 authorization code mode:
Authorization Code Mode (authorization code). Authorization process: the authorization verification process of obtaining an Access Token through an Authorization Code, also known as Web Server Flow, is suitable for all server-side applications, such as Web/Wap sites, mobile/desktop client applications with a server side, and so on. Generally speaking, the overall process consists of the following steps:
1. Request the authorization server through client_id to obtain the Authorization Code.
2. Request the authorization server with the Authorization Code, client_id and client_secret. After verifying whether the Authorization Code is invalid and whether the accessing client information is valid (matching the transmitted client_id and client_secret with the client information saved by the server), the authorization server generates an Access Token and a Refresh Token and returns them to the client.
3. The client requests the resource service application with the Access Token and obtains the resource information it needs, within the scope of the permissions granted to the Access Token.
Question:
To establish a scenario, the problem may be a little clearer:
Scenario: for example, when you log in with WeChat for the first time on Douyin, the user's action is as follows: after clicking the WeChat icon in Douyin, the user will jump to a page with a login button, and clicking the login button in one action completes the login. Compared with the three steps written in the blog above, the questions are as follows:
Question 1: step 1 says, "request authorization from the server through client_id." When was the client_id generated?
Question 2: step 2 says, "the authorization server generates Access Token and Refresh Token and returns them to the client". Here, is "return to the client" a return to the Douyin server or to the Douyin mobile app?
Question 3: there are three roles in the authorization process, as shown in the following figure:
When the user presses the login button in Douyin's WeChat login interface, does the Douyin app send a request directly to the WeChat server to complete authorization, or does the Douyin app send a request to the Douyin server, and then the Douyin server sends a request to the WeChat server to complete authorization?
Could an expert please help sort out this process? It's a bit of a mess, thank you.
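The three steps quoted from the blog, as an added illustration that is not part of the question or the blog: a minimal in-memory authorization server showing what step 2 actually verifies (one-time code, code expiry, client_id/client_secret match) and what step 3 checks (token validity and scope). The client registration, redirect URI and secret are constructed sample values.

```python
import secrets
import time

# Constructed client registration (assumed values): the authorization server
# stores client_id / client_secret / redirect URI when the app is registered,
# long before any user logs in. This is where client_id "comes from".
CLIENTS = {"demo-app": {"secret": "s3cret", "redirect": "https://app.example/cb"}}

_codes = {}   # authorization code -> (client_id, scope, expiry timestamp)
_tokens = {}  # access token -> (client_id, scope)

def issue_code(client_id, redirect_uri, scope, ttl=60):
    """Step 1: after the user approves, return a short-lived one-time code.
    The redirect URI must match the registered one, or no code is issued."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect"] != redirect_uri:
        return None
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, scope, time.time() + ttl)
    return code

def exchange_code(code, client_id, client_secret):
    """Step 2: back-channel exchange; only a party holding client_secret
    (i.e. the app's server, not the mobile app) can complete this."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    entry = _codes.pop(code, None)  # pop: the code is consumed on first use
    if entry is None:
        return {"error": "invalid_grant"}
    owner, scope, expiry = entry
    if owner != client_id or time.time() > expiry:
        return {"error": "invalid_grant"}
    access = secrets.token_urlsafe(24)
    _tokens[access] = (client_id, scope)
    return {"access_token": access,
            "refresh_token": secrets.token_urlsafe(24),
            "scope": scope}

def get_resource(access_token, needed_scope):
    """Step 3: the resource server accepts the token only if it exists and
    the requested data lies within the scope the token was granted."""
    entry = _tokens.get(access_token)
    if entry is None or needed_scope not in entry[1].split():
        return None
    return {"owner": entry[0], "data": "profile-data"}
```

Replaying the same code a second time returns invalid_grant, which is why a code intercepted in the front channel is far less valuable than the tokens minted from it.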