OAuth 2.0

gyomni · June 28, 2022

Week I Learned


๐Ÿ‘ฉโ€๐Ÿ’ป๋‚˜์˜ ์„œ๋น„์Šค๊ฐ€ ๐Ÿ‘จโ€๐Ÿ‘ฉโ€๐Ÿ‘ฆโ€๐Ÿ‘ฆ์‚ฌ์šฉ์ž๋ฅผ ๋Œ€์‹ ํ•ด์„œ ๐ŸŒƒgoogle๊ณผ ๊ฐ™์€ ์„œ๋น„์Šค์˜ ๋ฌด์–ธ๊ฐ€๋ฅผ ์ด์šฉํ•˜๊ณ  ์‹ถ๋‹ค๋ฉด?

  • ๐Ÿ‘ฉโ€๐Ÿ’ป ๋‚ด๊ฐ€ ๋งŒ๋“  ์„œ๋น„์Šค
  • ๐Ÿ‘จโ€๐Ÿ‘ฉโ€๐Ÿ‘ฆโ€๐Ÿ‘ฆ ๋‚ด๊ฐ€ ๋งŒ๋“  ์„œ๋น„์Šค๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ์‚ฌ์šฉ์ž
  • ๐ŸŒƒ ๋‚ด๊ฐ€ ๋งŒ๋“  ์„œ๋น„์Šค๊ฐ€ ์—ฐ๋™ํ•˜๋ ค๊ณ  ํ•˜๋Š” ์„œ๋น„์Šค(google, naver...)

๊ฐ€ ์žˆ๋‹ค๊ณ  ์ƒ๊ฐํ•ด๋ณด์ž.

๐Ÿ‘ฉโ€๐Ÿ’ป๋‚ด๊ฐ€ ๋งŒ๋“  ์„œ๋น„์Šค๋Š” ๐Ÿ‘จโ€๐Ÿ‘ฉโ€๐Ÿ‘ฆโ€๐Ÿ‘ฆ์‚ฌ์šฉ์ž๋กœ๋ถ€ํ„ฐ ์‚ฌ์šฉ์ž๊ฐ€ ์‚ฌ์šฉํ•˜๊ณ  ์žˆ๋Š” ๐ŸŒƒ๊ทธ ์„œ๋น„์Šค์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ๋„๋ก ํ—ˆ๊ฐ€๋ฅผ ๋ฐ›์•„์•ผํ•œ๋‹ค.
๊ทธ๋ ‡๋‹ค๋ฉด ํ—ˆ๊ฐ€๋ฅผ ๋ฐ›๋Š” ๋ฐฉ๋ฒ•์—๋Š” ๋ฌด์—‡์ด ์žˆ์„๊นŒ?

๋‹จ์ˆœํ•˜๊ฒŒ ์ƒ๊ฐํ•ด๋ณธ๋‹ค๋ฉด,
์‚ฌ์šฉ์ž๊ฐ€ ์‚ฌ์šฉํ•˜๋Š” ๊ทธ ์„œ๋น„์Šค์— ์‚ฌ์šฉ์ž๋“ค์˜ ID, PW๊ฐ€ ์žˆ๋‹ค.
๊ทธ๊ฒƒ์„ ์‚ฌ์šฉ์ž๋กœ๋ถ€ํ„ฐ ์ „๋‹ฌ ๋ฐ›์•„์„œ ๋‚˜์˜ ์„œ๋น„์Šค๊ฐ€ ์‚ฌ์šฉ์ž์˜ ID, PW๋ฅผ ๊ธฐ์–ตํ•˜๊ณ  ์žˆ๋‹ค๊ฐ€ ๊ทธ ์„œ๋น„์Šค๋ฅผ ์ด์šฉํ•  ๋•Œ ์‚ฌ์šฉ์ž์˜ ํ•ด๋‹น ID, PW๋ฅผ ๊ทธ๋Œ€๋กœ ์ด์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•์ด ์žˆ๋‹ค.
๊ฐ„๋‹จํ•˜๋ฉด์„œ๋„ ๊ทธ ์„œ๋น„์Šค๋“ค์„ ๋ชจ๋‘ ๋‹ค ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ๊ฒŒ๋œ๋‹ค.

But even a moment's thought shows the security risk.

  • 👨‍👩‍👦‍👦 From the user's side
    You are handing your ID and password to a service you have never seen before (👩‍💻). If that service misuses them it has your whole account, so this is dangerous by itself. Worse, most people reuse a handful of passwords rather than a fresh one per site, so if the credentials you handed over leak, the breach spreads to your other accounts as well.

  • 👩‍💻 From the side of the service I am building
    Holding users' IDs and passwords means owning every consequence when they are lost, which is nothing to look forward to.

  • 🌃 From that service's side
    They will not be happy that an untrusted third-party service holds their users' IDs and passwords.

In this situation..! the thing that rescues my service (👩‍💻) is

Enter OAuth!

With OAuth the whole arrangement becomes much safer.

In the approach above, my service held the user's ID and password for that service,
but not anymore!!

At the user's request, that service
issues my service an accessToken, a kind of password that stands in for the ID and password.

Why issuing an accessToken is better

  • the accessToken is not the ID and password, so the user's real credentials are never handed to my service
  • it does not unlock every feature of that service, only the subset my service actually needs (partial, scoped access), and that service can revoke it without the user having to change their password

So!
Once my service obtains that service's accessToken through OAuth,
it can access that service using that accessToken.

With that access it can fetch, update, create, delete... data, within the granted scope!

Resource Owner, Client, Resource Server

The terms used above for explanation map onto the official OAuth vocabulary as follows:

  • 👨‍👩‍👦‍👦 the user of the service I built
    => Resource Owner
  • 👩‍💻 the service I built
    => Client
  • 🌃 the service mine integrates with (Google, Naver, ...)
    => Resource Server

The relationship between Resource Owner, Client and Resource Server is the core of OAuth!
In the official OAuth specification (RFC 6749) you will also see an Authorization Server.

*In this post the Authorization Server is lumped together with the Resource Server.

The Resource Server is the server that holds the data (and accepts access tokens),
while the Authorization Server is the one that logs the user in, collects consent and issues tokens. In practice the same provider usually runs both (Google does), which is why this post treats them as one.

Registration

: With a Server, an Owner and a Client in the picture, the Client has to be approved by the Resource Server in advance before it can use it; this is called registration.

Every service registers differently,
but they all have one thing in common: you end up with
Client ID, Client Secret, Authorized redirect URIs.

  • Client ID: the identifier of the application we are building (may be exposed publicly ⭕)
  • Client Secret: the password for the Client ID (never exposed ❌❌❌❌; it lives only on the Client's own server, never in a browser bundle or mobile app)
  • Authorized redirect URIs: the address(es) to which the Resource Server delivers the Authorization Code during the grant.
    (If an authorization request carries a redirect_uri that does not exactly match a registered one, the Resource Server refuses the request and must not redirect there; this is what stops an attacker from steering the code to an address they control.)

์Šน์ธ

OAuth ๋“ฑ๋ก ์ ˆ์ฐจ๋ฅผ ๊ฑธ์น˜๋ฉด

  • Resource Server
    => Client ID / Client Secret / redirect URL
  • Client
    => Client ID / Client Secret

๊ฐ๊ฐ ์œ„์™€ ๊ฐ™์€ ์ •๋ณด๋ฅผ ์•Œ๊ฒŒ ๋œ๋‹ค. ๊ทธ๋ฆฌ๊ณ  Client๋Š” redirect URL์— ํ•ด๋‹นํ•˜๋Š” ํŽ˜์ด์ง€๋ฅผ ๊ตฌํ˜„ํ•ด๋†“์€ ์ƒํƒœ๋กœ ์ค€๋น„ํ•ด ๋†“์•„์•ผ ํ•œ๋‹ค.

Resource Server๊ฐ€ ๊ฐ€์ง€๊ณ  ์žˆ๋Š” ๊ธฐ๋Šฅ์ด A, B, C, D 4๊ฐœ๊ฐ€ ์žˆ๋‹ค๊ณ  ๊ฐ€์ •ํ•  ๋•Œ, Client๊ฐ€ Resource Server์— ๋ชจ๋“  ๊ธฐ๋Šฅ์ด ํ•„์š”ํ•œ ๊ฒƒ์ด ์•„๋‹ˆ๋ผ B, C 2๊ฐœ์˜ ๊ธฐ๋Šฅ๋งŒ ํ•„์š”ํ•˜๋‹ค๋ฉด ๋ชจ๋“  ๊ธฐ๋Šฅ์— ๋Œ€ํ•ด ์ธ์ฆ์„ ๋ฐ›๋Š” ๊ฒƒ์ด ์•„๋‹ˆ๋ผ, ์ตœ์†Œํ•œ์˜ ๊ธฐ๋Šฅ(B, C)์— ๋Œ€ํ•ด์„œ๋งŒ ์ธ์ฆ์„ ๋ฐ›๋Š” ๊ฒƒ์ด ์„œ๋กœ ์ข‹์„ ๊ฒƒ์ด๋‹ค.

Resource Owner(user)๊ฐ€ ๋‚ด๊ฐ€ ๋งŒ๋“  ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜(Client)์— ์ ‘์† ํ•˜๋Š” ๊ณผ์ •์—์„œ Resource Server๋ฅผ ์‚ฌ์šฉํ•ด์•ผ ํ•˜๋Š” ์ƒํ™ฉ์ด๋ผ๋ฉด, Resource Owner์—๊ฒŒ Social Login์„ ํ•˜๋Š” UI(ํ˜น์€ ์ธ์ฆ์„ ๊ฑฐ์ณ์•ผ ํ•œ๋‹ค๋Š” ๋ฉ”์‹œ์ง€)๋ฅผ ์ œ๊ณตํ•  ๊ฒƒ์ด๋‹ค.
๊ทธ๋ฆฌ๊ณ  ์‚ฌ์šฉ์ž๊ฐ€ ๋™์˜๋ฅผ ํ•ด์•ผ ๋‹ค์Œ ๋‹จ๊ณ„๋กœ ์ง„ํ–‰ํ•  ์ˆ˜ ์žˆ๋‹ค.
Social Login๊ณผ ๊ฐ™์€ ๊ฒฝ์šฐ๋Š” client id, scope(์›ํ•˜๋Š” ๊ธฐ๋Šฅ), redirect_url์ด ํฌํ•จ๋œ ์ฃผ์†Œ ๋งํฌ๋กœ ์ œ๊ณตํ•˜๋ฉด ๋œ๋‹ค.

Resource Owner๊ฐ€ Resource Server๋กœ ์ ‘์†์„ client id, scope(์›ํ•˜๋Š” ๊ธฐ๋Šฅ), redirect_url์ด ํฌํ•จ๋œ ์ฃผ์†Œ๋กœ ํ•˜๊ฒŒ ๋˜๋ฉด, Resource Server๊ฐ€ Resource Owner์˜ ๋กœ๊ทธ์ธ ์—ฌ๋ถ€๋ฅผ ๋ณด๊ณ  ๋กœ๊ทธ์ธ์ด ์•ˆ๋˜์–ด ์žˆ์œผ๋ฉด ๋กœ๊ทธ์ธ ํ•˜๋ผ๋Š” ํ™”๋ฉด์„ ๋ณด์—ฌ์ค€๋‹ค.

Resource Owner๊ฐ€ ๋กœ๊ทธ์ธ์„ ์„ฑ๊ณตํ–ˆ๋‹ค๋ฉด Resource Server๋Š” ๊ทธ๋•Œ์„œ์•ผ client id๊ฐ€ ๊ฐ™์€ ๊ฐ’์ด ์žˆ๋Š”์ง€๋ฅผ ํ™•์ธ ํ•˜๊ณ , Resource Server๊ฐ€ ๊ฐ€์ง€๊ณ  ์žˆ๋Š” client id์˜ redirect URL๊ณผ ์ ‘์†์„ ์‹œ๋„ํ•˜๋Š” ์š”์ฒญ์˜ redirect URL๊ฐ’์„ ๋น„๊ตํ•œ๋‹ค.

  • ๋‹ค๋ฅด๋ฉด? ํ•ด๋‹น ์‹œ์ ์—์„œ ์ž‘์—…์„ ๋๋‚ธ๋‹ค.
  • ๊ฐ™๋‹ค๋ฉด? Resource Owner์—๊ฒŒ scope์— ํ•ด๋‹น๋˜๋Š” ๊ถŒํ•œ์„ Client์—๊ฒŒ ๋ถ€์—ฌํ•  ๊ฒƒ์ธ์ง€๋ฅผ ํ™•์ธํ•˜๋Š” ๋ฉ”์‹œ์ง€๋ฅผ ์ „์†กํ•œ๋‹ค. -> ํ—ˆ์šฉํ•จ์„ ์„ ํƒํ•˜๋ฉด ํ—ˆ์šฉํ–ˆ๋‹ค๊ณ  Resource Server์—๊ฒŒ ์ „์†ก๋œ๋‹ค. ๊ทธ๋Ÿฌ๋ฉด Resource Server๋Š” user id(Resource Owner์˜ id)์™€ scope์˜ ์ •๋ณด๋ฅผ ์ˆ˜์ง‘ํ•˜๊ฒŒ ๋œ๋‹ค.

Authorization code

Once the Resource Owner's permission has been obtained, the Resource Server has to approve the Client.
It does not issue the accessToken right away; there is one more step first. (...complicated, heh...)
The temporary, one-time secret used in this step is the Authorization code.

The Resource Server responds to the browser with an HTTP redirect: a Location header pointing at the Client's redirect URL with the Authorization code attached (for example https://client.example/callback?code=...&state=...).
The Resource Owner's browser follows the Location header automatically, so without the user doing anything it lands on the Client's redirect URL carrying the Authorization code. Now the Client holds the Authorization code.
Up to this point the Client has not yet sent the Authorization code to the Resource Server to obtain the accessToken.

Next the Client contacts the Resource Server directly, not through the Resource Owner's browser. This request (an HTTP POST to the token endpoint) carries the Authorization code, the redirect_url, the Client ID and the Client Secret. The Client Secret goes in the POST body or in an HTTP Basic Authorization header, never in the URL, because URLs end up in browser history and in proxy and server logs. The Resource Server looks up the Authorization code and checks that it is one it issued; it then looks up the Client Secret of the Client ID that code was issued to, and confirms that the Authorization code, redirect_url, Client ID and Client Secret all match exactly. Only when everything matches does it move on to the next step, which is~ ~ ~ ~

Issuing the accessToken

The process by which the Resource Server approves the Client, summarized:
1) the Client receives the Authorization code via the Resource Owner's browser,
2) then the Client sends information directly to the Resource Server, and
3) among that information is the very important, never-to-be-exposed Client Secret, sent together with the Authorization code straight to the Resource Server.

The step after that is issuing the accessToken.
The whole point of OAuth??? Issuing the accessToken!!

Because the Authorization code has now done its job, the Resource Server deletes it (and so does the Client!)
-> so that the same code cannot be used to authenticate again. An Authorization code is single-use and short-lived; if one is presented a second time, the Resource Server must reject it and should revoke any accessToken already issued from it, since a second exchange means the code leaked.

And finally! The Resource Server issues the accessToken and returns it to the Client in the response. The Client then stores the accessToken internally (DB, file, ...), treating it as a secret: whoever holds it can call the API as that user within the granted scope.

When the Client accesses the Resource Server with the accessToken it received, the Resource Server looks up that accessToken,
sees that it is an access key granting the valid features (scope) of the user with user id ~~,
and therefore allows the holder of that accessToken to use those features (scope) on that user's data, and nothing more.
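The whole exchange from registration to the first API call, as an added example that is not code from the original post or from any real provider: an in-memory simulation of the RFC 6749 authorization code flow in which the Resource Server also plays the Authorization Server, just as this post lumps the two together. The endpoint URL, the app's callback URL, the user "alice" and her data are all made up for the example; the points it demonstrates are the exact redirect URI match, the random state check on the callback, the client secret travelling only on the back channel, the single-use authorization code, and scope enforcement on the API.

```python
# Added example, not code from the original post: an in-memory simulation of the
# RFC 6749 authorization code flow. ResourceServer also plays the Authorization
# Server. Client names, URLs, the user "alice" and her data are constructed.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def query_of(url):
    """Flatten the query string of a URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ResourceServer:
    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uris"}
        self.codes = {}    # authorization code -> the grant it stands for
        self.tokens = {}   # access token -> {"user", "scope"}
        self.user_data = {"alice": {"profile": {"name": "Alice"},     # constructed
                                    "calendar": ["standup 09:00"], "mail": ["private"]}}

    def register_client(self, redirect_uris):
        """Registration: issue Client ID / Client Secret, record redirect URI(s)."""
        client_id, client_secret = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uris": list(redirect_uris)}
        return client_id, client_secret

    def authorize(self, params, user, consent):
        """Approval: the browser hits the authorization endpoint; returns the Location header."""
        client = self.clients.get(params.get("client_id"))
        redirect_uri = params.get("redirect_uri")
        if client is None:                                   # validate BEFORE any redirect
            raise ValueError("unknown client_id")
        if redirect_uri not in client["redirect_uris"]:      # exact match, never a prefix
            raise ValueError("redirect_uri not registered for this client")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(16)                     # short-lived, single-use code
        self.codes[code] = {"client_id": params["client_id"], "user": user,
                            "scope": params["scope"], "redirect_uri": redirect_uri}
        return redirect_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form, basic_auth):
        """Token endpoint: back-channel POST; the secret is in the header/body, not the URL."""
        client_id, client_secret = basic_auth
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(form.get("code"), None)       # burn the code even on failure
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != form.get("redirect_uri")):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "scope": grant["scope"]}

    def api(self, authorization_header, resource):
        """API call: map the Bearer token back to (user, scope) and enforce the scope."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.tokens.get(token) if scheme == "Bearer" else None
        if info is None:
            raise PermissionError("invalid_token")
        if resource not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.user_data[info["user"]][resource]


class Client:
    def __init__(self, server, redirect_uri):
        self.server, self.redirect_uri = server, redirect_uri
        self.client_id, self.client_secret = server.register_client([redirect_uri])
        self.pending_state = None

    def login_url(self, scope):
        """The social-login link: client_id, scope, redirect_uri plus a random state."""
        self.pending_state = secrets.token_urlsafe(16)
        return "https://auth.example/authorize?" + urlencode({   # hypothetical endpoint
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})

    def callback(self, location):
        """Browser lands on redirect_uri: check state, then exchange the code for a token."""
        q = query_of(location)
        if q.get("state") != self.pending_state:
            raise PermissionError("state mismatch: this callback was not started by us")
        if "error" in q:
            raise PermissionError(q["error"])
        form = {"grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri}
        return self.server.token(form, (self.client_id, self.client_secret))


def attempt(fn, *args):
    """Return 'ok' or the exception class name a call raises (used for the checks)."""
    try:
        fn(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


def run_flow(scope="profile calendar", consent=True):
    """Full exchange: login link -> approval -> redirect with code -> code exchange -> token."""
    server = ResourceServer()
    client = Client(server, "https://myapp.example/oauth/callback")
    location = server.authorize(query_of(client.login_url(scope)), "alice", consent)
    return server, client, client.callback(location)
```

Running `run_flow()` yields a token scoped to "profile calendar": a call for "calendar" succeeds, a call for "mail" fails with insufficient_scope, and `server.codes` is empty afterwards because the code was consumed. Calling `authorize` with an unregistered redirect URI raises before any redirect is produced, and a token request with the wrong Client Secret is rejected before the code is even looked at.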

API calls

Now the accessToken is used to drive the Resource Server! To do that, the Client has to follow the usage rules the Resource Server publishes for Clients.
=> That set of rules is the API (Application Programming Interface). With OAuth 2.0 bearer tokens (RFC 6750) the accessToken normally travels in the Authorization: Bearer <token> request header.

refresh token

An accessToken has a lifetime.
Once it expires, API calls stop returning data. So what now..? The accessToken has to be issued again..! But dragging the user through the whole consent process every time would be inefficient and painful.
The refresh token is the mechanism that lets the Client obtain a new accessToken easily in this case.

RFC 6749 - The OAuth 2.0 Authorization Framework (Refresh Token)

Looking at step (F) in the figure above (Figure 2 in RFC 6749 section 1.5),
the Client learns that the accessToken has expired.
The Client then sends the refresh token to the Authorization Server and receives a new accessToken.

(H) The authorization server authenticates the client and validates the refresh token, and if valid, issues a new access token (and, optionally, a new refresh token).

-> Reading (H), depending on the provider a new refresh token may be issued along with the accessToken (rotation), or the same refresh token is kept and only new accessTokens are issued.

Because each provider refreshes differently, check its documentation! A refresh token is long-lived and as sensitive as a password, so it belongs in server-side storage, and with rotation the old refresh token stops working once the new one has been issued.
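Both refresh variants in step (H), as an added example that is not code from the original post or from any real provider: an in-memory token endpoint implementing the refresh_token grant of RFC 6749 section 6. With rotate=False the same refresh token keeps working and only a new accessToken comes back; with rotate=True every refresh retires the presented refresh token and issues a new one. The reuse detection (a retired refresh token presented again revokes the whole family) is an extra hardening step taken from the OAuth 2.0 Security BCP, not something the post describes. Client names, lifetimes and users are made up, and time is passed in explicitly in seconds so the expiry logic is easy to follow.

```python
# Added example, not code from the original post: an in-memory token endpoint
# for the RFC 6749 refresh_token grant, showing both variants of step (H)
# (keep or rotate the refresh token). Family revocation on reuse is a
# hardening step from the OAuth 2.0 Security BCP. Names and lifetimes are
# constructed; `now` is an explicit timestamp in seconds.
import secrets


class TokenEndpoint:
    def __init__(self, access_ttl=3600, rotate=True):
        self.access_ttl, self.rotate = access_ttl, rotate
        self.clients = {}   # client_id -> client_secret (registered clients)
        self.access = {}    # access token -> {"user", "scope", "exp"}
        self.refresh = {}   # refresh token -> {"user", "scope", "family", "used"}

    def _new_access(self, user, scope, now):
        token = secrets.token_urlsafe(32)
        self.access[token] = {"user": user, "scope": scope, "exp": now + self.access_ttl}
        return token

    def _issue(self, user, scope, family, now):
        """Access token plus a refresh token belonging to the given family."""
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[refresh_token] = {"user": user, "scope": scope, "family": family, "used": False}
        return {"access_token": self._new_access(user, scope, now), "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh_token, "scope": scope}

    def grant(self, user, scope, now):
        """Initial issuance, i.e. the response to the authorization-code exchange."""
        return self._issue(user, scope, family=secrets.token_urlsafe(8), now=now)

    def check_access(self, token, now):
        """What the API does per request: None means unknown or expired, time to refresh."""
        info = self.access.get(token)
        return None if info is None or now >= info["exp"] else info

    def refresh_grant(self, refresh_token, client_auth, now):
        """Step (G)/(H): authenticate the client, validate the refresh token, issue anew.
        Errors are returned as RFC 6749 section 5.2 style bodies instead of raised."""
        client_id, client_secret = client_auth
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        info = self.refresh.get(refresh_token)
        if info is None:
            return {"error": "invalid_grant"}
        if info["used"]:
            # A retired refresh token came back: the client or a thief replayed it.
            # Nobody can tell which, so every refresh token in the family is revoked.
            for t in [t for t, i in self.refresh.items() if i["family"] == info["family"]]:
                del self.refresh[t]
            return {"error": "invalid_grant", "error_description": "refresh token reuse detected"}
        if not self.rotate:
            # Variant 1: the same refresh token keeps working; only a new access token.
            return {"access_token": self._new_access(info["user"], info["scope"], now),
                    "token_type": "Bearer", "expires_in": self.access_ttl, "scope": info["scope"]}
        info["used"] = True   # Variant 2: rotate, retiring the presented refresh token
        return self._issue(info["user"], info["scope"], info["family"], now)
```

With a 60-second access_ttl, a token granted at t=1000 is accepted at t=1030 and refused at t=1060; refreshing at that point returns a fresh accessToken, and under rotation a different refresh token as well. Presenting the old refresh token again after rotation is answered with invalid_grant and also kills the new one, which is the behaviour a Client must be prepared for if it ever loses a rotated token in transit.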

Reference: "Learning - oAuth" (study material)
