[英]Resource Owner grant type requiring client_id and client_secret in yii2-oauth2-server
Why the password grant_type must be provided with client credentials (in this implementation)???. 为什么密码grant_type必须提供客户端凭据(在此实现中)??? The oauth2 resource owner spec just needs oauth2资源所有者规范只需要
{
"grant_type" : "password",
"username" : "some_user_name",
"password" : "some_password"
}
This implementation also requires the client_id and client_secret to be sent with this request to be successfull. 此实现还要求client_id和client_secret与此请求一起发送以成功。
I just want to know if I'm missing something 我只是想知道我是否遗漏了什么
Please refer also to http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps 请参阅http://andyfiedler.com/2014/09/how-secure-is-the-oauth2-resource-owner-password-credential-flow-for-single-page-apps
I want to grant access from my SPA to my protected resource. 我想授予从SPA到受保护资源的访问权限。 Exposing client credentials in the browser source code is potentially dangerous. 在浏览器源代码中公开客户端凭据具有潜在的危险性。
Also, the original library at https://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/ doesn't force client credential in resource owner grant type 此外, https://bshaffer.github.io/oauth2-server-php-docs/overview/grant-types/上的原始库不会强制资源所有者授予类型中的客户端凭据
Update 1 13-12-2016 更新1 13-12-2016
Reading at the original library, I figured out that they have de concept of "public client" (that is, a client with no client_secret). 在原始图书馆阅读时,我发现他们有“公共客户”概念(即没有client_secret的客户端)。
Using a public client, I can ommit the client_secret from the request. 使用公共客户端,我可以从请求中省略client_secret。 Anyway, I read again the resource owner spec, and no mention of that appears on it. 无论如何,我再次阅读资源所有者规范,并没有提到它。
That way, a resource owner token request must be performed this way (non-standar) 这样,必须以这种方式执行资源所有者令牌请求(非标准)
{
"grant_type" : "password",
"username" : "some_user_name",
"password" : "some_password"
"cliend_id" : "some_client_id"
}
Bye 再见
Thanks 谢谢
For reference purposes the OAuth2 specification does cater for that scenario where a client without a secret can still pass the client_id
parameter in the request body even though client authentication will not be completed. 出于参考目的,OAuth2规范确实满足了这样的情况:即使客户端身份验证无法完成,没有机密的客户端仍然可以在请求正文中传递client_id
参数。 In section 2.3.1 you have: 在2.3.1节中,您有:
(...) the authorization server MAY support including the client credentials in the request-body using the following parameters: (...)授权服务器可以使用以下参数支持在请求体中包含客户端凭证:
client_id CLIENT_ID
REQUIRED. 需要。 The client identifier issued to the client during the registration process described by Section 2.2. 在第2.2节描述的注册过程中发给客户端的客户端标识符。client_secret client_secret
REQUIRED. 需要。 The client secret. 客户的秘密。 The client MAY omit the parameter if the client secret is an empty string. 如果客户端密钥是空字符串,则客户端可以省略该参数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.