
Why use Client Credentials flow?

I've been looking at using the OAuth2 client credentials grant to secure my API (all users will be trusted 3rd parties). I'm following the same approach as PayPal here: https://developer.paypal.com/docs/integration/direct/paypal-oauth2/

However, I see that HTTP basic auth is used to acquire a bearer token. Then the bearer token is used to secure the API calls.

What I don't understand is: if you're going to trust TLS and HTTP basic auth to retrieve the bearer token, why not just use HTTP basic auth for the API calls? What is the benefit of using bearer tokens?

What am I missing?

Adding to what Ankit Saroch is saying, going the OAuth way with tokens may open up other possibilities in the future; say you may want to extend the flow to include user information. By only validating tokens, you will probably not need to change the token validation (which is simple) in your service, but rather only the authentication and authorization steps.

But obviously you're right in what you are saying: the Client Credentials OAuth flow is not more secure than simply using techniques like API keys or Basic Authentication. All of those rely on the client being confidential (it can keep its credentials to itself).

The OAuth spec (https://tools.ietf.org/html/rfc6749#section-2.1) talks about these client types. All in all, the spec is actually worth reading.

As per The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750):

The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes.

The server that is authorizing the request and giving you the bearer token may be different from the server that actually controls the resources that you are trying to access.

As per the RFC, they have been shown as two different entities. The one giving you the bearer token is the Authorization Server, and the one serving the resources is the Resource Server.
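The flow the question and both answers describe, as an added example that is not part of the original question or either answer: an authorization server that authenticates a confidential client with its client_id/client_secret over HTTP Basic (the only place the secret is ever presented) and mints a short-lived bearer token, plus a separate resource server that accepts the token using nothing but a signing key it shares with the authorization server. The client registry, the secret, the scope names and the HMAC-signed JSON token format are assumptions made for this demo; a real deployment would use a JWT library or opaque tokens with introspection.

```python
"""Client-credentials flow reduced to its two trust boundaries (demo only)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# ---- Authorization server (AS) ---------------------------------------------
# Constructed client registry. The AS keeps only a salted hash of each
# client_secret; client_id, secret and scopes are assumptions for this demo.
CLIENT_ID = "partner-app"
CLIENT_SECRET = "s3cr3t-demo-secret"
_SALT = b"demo-salt"


def _hash_secret(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), _SALT, 100_000)


CLIENTS = {CLIENT_ID: {"secret_hash": _hash_secret(CLIENT_SECRET),
                       "allowed_scopes": {"payments:read", "payments:write"}}}

# Key shared between AS and RS only. The RS never sees a client_secret.
SIGNING_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds: a short lifetime bounds the damage of a leaked bearer token


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_basic(header: str):
    """Decode 'Basic <base64(client_id:client_secret)>'; None if malformed."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return user, pw


def token_endpoint(authorization: str, grant_type: str, scope: str, now=None):
    """POST /oauth2/token: authenticate the client (HTTP Basic), mint a bearer token."""
    now = int(now if now is not None else time.time())
    if grant_type != "client_credentials":
        return {"error": "unsupported_grant_type"}
    creds = parse_basic(authorization)
    rec = CLIENTS.get(creds[0]) if creds else None
    # Constant-time compare of the hashed secret; same error for unknown id or bad secret.
    if rec is None or not hmac.compare_digest(_hash_secret(creds[1]), rec["secret_hash"]):
        return {"error": "invalid_client"}
    if not set(scope.split()) <= rec["allowed_scopes"]:
        return {"error": "invalid_scope"}
    claims = {"sub": creds[0], "scope": scope, "iat": now, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), "sha256").digest())
    return {"access_token": f"{body}.{sig}", "token_type": "Bearer", "expires_in": TOKEN_TTL}


# ---- Resource server (RS) --------------------------------------------------
def verify_bearer(authorization: str, required_scope: str, now=None):
    """Validate 'Bearer <token>' using only the signing key; return claims or None.

    No client secret is consulted here: the RS checks signature, expiry and
    scope, which is the abstraction RFC 6750 describes.
    """
    now = int(now if now is not None else time.time())
    scheme, _, token = authorization.partition(" ")
    body, dot, sig = token.partition(".")
    if scheme != "Bearer" or not dot:
        return None
    try:
        expected = hmac.new(SIGNING_KEY, body.encode(), "sha256").digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        claims = json.loads(_unb64(body))
    except (binascii.Error, ValueError):
        return None
    if claims["exp"] <= now or required_scope not in claims["scope"].split():
        return None
    return claims


def basic_header(client_id: str, secret: str) -> str:
    """Build the Authorization header the client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()
```

The point the answers make shows up in what each side holds: `token_endpoint` needs the client registry and the signing key, while `verify_bearer` needs only the signing key, so the resource server can reject a tampered, expired or under-scoped token without ever handling a client secret, and a leaked bearer token stops working after `TOKEN_TTL` seconds, whereas a leaked Basic credential used on every API call would work until it is rotated.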

