This topic describes how mobile applications and desktop applications access Photo and Drive Service (PDS) by using OAuth 2.0.
1. Overview
Mobile applications and desktop applications are native applications. It is not secure to store confidential information such as AppSecrets in these applications.
A mobile application for Android or iOS can wake up an authorization application by using a URL scheme.
A desktop application for macOS, Linux, or Windows can wake up an authorization application by using a loopback IP address or a URL scheme.
Alternatively, your application can use WebView to send an authorization request to a web application.
(1) How it works
Authorization code mode: The access process by using an authorization code for a mobile application or desktop application is similar to that for a web application. The only difference is that you do not need to provide an AppSecret to obtain an access token. This is because no web server exists and it is not secure to store an AppSecret in a mobile application or desktop application. However, you can use a code_challenge to enhance security.
(2) Flowchart
(3) Proof Key mechanism
Native applications allow you to use the Proof Key mechanism to obtain an authorization code and exchange the authorization code for an access token.
The PKCE specification can be used to mitigate interception attacks against authorization codes.
1. A native application generates and saves a code_verifier. The code verifier is a random string.
A code_verifier is a high-entropy random string that can contain uppercase and lowercase letters, digits, hyphens (-), periods (.), underscores (_), and tildes (~). The string must be 43 to 128 characters in length.
2. The native application generates a code_challenge based on the transform method. The native application submits both the code_challenge and the transform method to request an authorization code.
code_challenge = transform(code_verifier, [Plain|S256])Method | Description |
plain | If the transform method is set to plain, the code_challenge is the same as the code_verifier. |
S256 | If the transform method is set to S256, the code_challenge is the SHA-256 hash of the code_verifier. |
code_challenge=BASE64URL-Encode(SHA256(ASCII(code_verifier)))
The input of the hash algorithm is the ASCII-encoded string of the code_verifier. The output of the hash algorithm is the BASE64-URL-encoded hash.
For example, if the S256 method is used and the code_verifier is dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, the code_challenge is E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.
3. After an authorization code is obtained, the native application exchanges the authorization code for an access token. The PDS authorization server verifies the code_challenge and issues the access token.
The authorization code must include the code_verifier. The PDS authorization server calculates a code_challenge by using the code_verifier and transform method provided by the application and compares the result with the code_challenge provided by the native application. The PDS authorization server issues an access token only if the calculated result is the same as the code_challenge provided by the native application.
2. Preparations
(1) Create a domain
Create a domain in the PDS console. After a domain is created, a third-level API domain name in the format of https://{domainId}.api.aliyunpds.com is provided.
(2) Apply for an AppId and an AppSecret on a third-party platform that provides a user system
PDS provides several commonly used user authentication methods, which developers can directly enable by accessing the PDS console. For more details, please refer to the introduction of User system configuration.
(3) Create an application to be used as an OAuth client in the PDS console
Create a native application. Specify the scopes of the application. The scopes will be displayed on the consent page. After the application is created, you can obtain the AppId and AppSecret of the application. The AppId and AppSecret are used as the ClientId and ClientSecret for OAuth authorization. Keep the ClientSecret secure.
(4) Plan a redirect URI
Use a custom URL scheme that is applicable to an Android or iOS application
Register a URL scheme for an application to uniquely identify the application. The scheme is in the following format: <scheme domain name>://<path>?<params>=<value>.
Use a custom lookback IP address that is applicable to a desktop application
You can start a local web service to listen on a port. Example: http://127.0.0.1:3000/callback or http://[::1]:3000.
3. Obtain an OAuth 2.0 access token
(1) Call the Authorize operation
API request syntax:
GET /v2/oauth/authorize?client_id=<appId>&redirect_uri=<redirect_uri>&scope=<scope>&state=[state]&prompt=[prompt] HTTP/1.1
Host: {domainId}.api.aliyunpds.comParameter | Required | Description |
client_id | Yes | The AppId of your application. If you do not have an AppId, create an application to obtain an AppId in the PDS console. |
redirect_uri | Yes | The URI to which the PDS authorization server redirects users after the authorization process is complete. Set this parameter to the URL scheme or lookback IP address provided by the application. Example: |
scope | Yes | The scopes that specify the permissions required by your application. The scopes will be displayed on the consent page. For more information, see Scopes. |
response_type | Yes | The type of the response. Set the value to code. |
state | No, but recommended | If this parameter is specified, the PDS authorization server returns this value intact in the redirect URI to prevent replay attacks. Example: |
code_challenge_method | No, but recommended | If you do not specify this parameter, the default value plain is used. |
code_challenge | No, but recommended | Use the method specified by the code_challenge_method parameter to convert and encode a random code_verifier to obtain a code_challenge. Set the code_challenge parameter to the code_challenge in the request for an authorization code. |
After a user sends this request, the PDS authorization server instructs the user to log on. If the user logs on for the first time and prompt=consent is specified in the request, the PDS authorization server redirects the user to the consent page. Otherwise, the PDS authorization server redirects the user to the redirect URI specified by the redirect_uri parameter. Example: pdshz001://callback/?code=xxxx&state=abc.
(2) Grant permissions to the application on the consent page
On the consent page, the user can decide whether to grant the specified permissions to the application. If the user refuses to grant the permissions, the process ends. If the user agrees to grant the permissions, the PDS authorization redirects the user to the redirect URI specified by the redirect_uri parameter. Example: pdshz001://callback/?code=xxxx&state=abc.
(3) Exchange the authorization code for an access token
After the authorization code is obtained, you can call the Token operation to exchange the authorization code for an access token.
API request syntax:
POST /v2/oauth/token HTTP/1.1
Host: {domainId}.api.aliyunpds.com
Content-Type: application/x-www-form-urlencoded
code=xxx\
&client_id=your_app_id\
&redirect_uri=pdshz001://callback\
&grant_type=authorization_code\
&code_verifier=xxxxParameter | Required | Description |
code | Yes | The one-off authorization code. |
client_id | Yes | AppId |
redirect_uri | Yes | This redirect URI that you configure for your application. |
grant_type | Yes | Set the value to authorization_code based on the OAuth 2.0 specifications. |
code_verifier | No | The code_verifier that you use to generate the code_challenge in the request for an authorization code. |
Response parameters
Parameter | Location | Type | Required | Description |
access_token | body | String | Yes | The generated access token, which is valid for two hours. |
refresh_token | body | String | Yes | The refresh token that is used to refresh the access token. In most cases, the validity period of a refresh token is seven days. |
expires_time | body | String | Yes | The validity period of the access token. |
token_type | body | String | Yes | The value is Bearer. |
Sample success response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token":"Aiasd76YSo23...LSdyssd2",
"expires_time":"2019-11-11T10:10:10.009Z",
"token_type":"Bearer",
"refresh_token":"LSLKdklksd...li3ew6"
}Ignore the optional parameters in the response.
4. Call PDS API operations
The application can use the access token to call PDS API operations. The access token must be included in the Authorization header of API requests.
For more information, see Invoking Methods.
5. Refresh the access token
(1) API request syntax
POST /v2/oauth/token HTTP/1.1
Host: {domainId}.api.aliyunpds.com
Content-Type: application/x-www-form-urlencoded
refresh_token=xxx\
&client_id=xxx\
&client_secret=xxx\
&grant_type=refresh_tokenRequest parameters
Parameter | Required | Description |
refresh_token | Yes | The refresh token that is returned when you exchange the authorization code for the access token. |
client_id | Yes | The AppId of your application. |
grant_type | Yes | Set the value to refresh_token based on the OAuth 2.0 specifications. |
client_secret | No | The AppSecret of your application. The AppSecret is used to authenticate the application. |
(2) Response
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token":"xxxxxxxxx",
"expires_in":3920,
"expire_time":"2019-11-11T10:10:10.009Z",
"token_type":"Bearer"
}Response parameters
Parameter | Description |
access_token | The new access token that can be used to call PDS API operations. |
expires_in | The remaining validity period of the access token. Unit: seconds. |
expire_time | The expiration time of the access token, in the ISO 8601 standard. |
token_type | The type of the access token. The value is Bearer. |
Note: The response to a request for refreshing an access token is the same as that to a request for exchanging an authorization code for an access token except that no refresh token is returned.