On many sites, login buttons are available via VKontakte, Google, etc. I read the technology specification and studied the source code of an OAuth login project in PHP, but as far as I understood, in that project you can log in either to VKontakte or to the target site, but not to one through the other. Can an application use VKontakte login to authorize a user on the target site? If so, what should the request exchange look like?
2 answers
Strictly speaking, this is about authentication, not authorization. When you speak of authorization, you mean granting user A access to user B's resources. Authentication, in turn, is the process of verifying that user A really is user A.
If we talk about authentication using external authenticating agents (such as social networks, e.g. VK), then yes, it is certainly possible.
There is an OpenID authentication standard built on OAuth 2.0 (here). This standard most accurately and fully describes all the actions needed to authenticate a user on a client (your site) using an external authenticating agent (for example, VK).
This protocol is somewhat complicated if you use the Authorization Code Grant (see the description here). I will briefly describe a simplified version of it:
- The user wants to authenticate to the client (your site).
- The client redirects the user to the external authenticating agent (VK).
- The user authenticates and authorizes the client to access some of their resources (for example, email).
- The external authenticating agent redirects the user back to the client, passing an authorization code.
- The client receives the code and exchanges it with the agent for an access token.
- The client requests information about the user from the agent using the access token (site.com/userinfo).
- The agent returns the information (for example, the user's email), and the client believes that the incoming user is the one whose information it received from the agent.
This protocol is somewhat ambiguous, since in a sense it conflates resource authorization with authentication, but it is the most common. When the full OpenID Connect Basic protocol is used, this problem is somewhat smoothed over. If this is critical for you, you should use OpenID Connect itself. It is already supported by a large number of services.
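The simplified Authorization Code flow from the list above, as an added example that is not part of the answer: a constructed in-memory stand-in for the external agent and a client that issues and checks the `state` parameter, exchanges the one-time code over the back channel, and reads the user info. All names, URLs and secrets are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID, CLIENT_SECRET = "site-client", "site-secret"  # constructed values
REDIRECT_URI = "https://site.example/oauth/callback"

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class Agent:  # constructed stand-in for the external authenticating agent (VK)
    def __init__(self):
        self.codes, self.tokens = {}, {}
    def authorize(self, auth_url, user_email):
        # Steps 3-4: user logs in and consents; the agent issues a one-time code
        # and redirects the browser to redirect_uri with the code and the client's state.
        q = _query(auth_url)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], user_email)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, code, client_id, client_secret, redirect_uri):
        # Step 5 (back channel): code is single-use and bound to client_id and
        # redirect_uri; the client must also present its secret.
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri) or client_secret != CLIENT_SECRET:
            return None
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = entry[2]
        return tok
    def userinfo(self, token):  # steps 6-7: identity as asserted by the agent
        return {"email": self.tokens[token]} if token in self.tokens else None

class Client:  # the site performing the login
    def __init__(self, agent):
        self.agent, self.pending = agent, set()
    def start_login(self):
        # Step 2: 'state' is kept server-side so the callback can be tied to this
        # attempt; a callback with an unknown or already-used state is rejected.
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://agent.example/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": "email", "state": state})
    def callback(self, url):  # returns the authenticated email, or None
        q = _query(url)
        if q.get("state") not in self.pending:
            return None
        self.pending.discard(q["state"])
        tok = self.agent.token(q.get("code"), CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
        info = self.agent.userinfo(tok) if tok else None
        return info["email"] if info else None
```

A real agent would be reached over HTTPS and the code exchange would also be checked against the agent's token endpoint errors; the structure of the checks (state bound to the session, code single-use and bound to client and redirect URI) is what carries over.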
After logging in to VKontakte via OAuth, a redirect with GET parameters is sent to the page specified in the parameters. You check the resulting code by trying to obtain an access_token. If you succeed, you take the name and login and authorize the user.
- The access_token from VK is useful only for calling its own methods. OK, say I find out the name or login, but what exactly should be done after I have logged in? - hwak
- e.g. you create an account in your system with the login from VKontakte and some kind of hash as the password. If there is already an account with that login, then you will have to authorize it by the hash - eri