
What does an Authorization Code contain?

Authorization code flow - User logs in from the client app, the authorization server returns an authorization code to the app. The app then exchanges the authorization code for an access token. So, I want to know what the content is that the authorization server sends as the authorization code? I mean, what code or signature does an authorization code contain?

The Authorization Code in OAuth is explained in the RFC for OAuth, in section 1.3.1, called Authorization Code. See:

The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server (via its user-agent as defined in [RFC2616]), which in turn directs the resource owner back to the client with the authorization code.

Before directing the resource owner back to the client with the authorization code, the authorization server authenticates the resource owner and obtains authorization. Because the resource owner only authenticates with the authorization server, the resource owner's credentials are never shared with the client.

The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.

It is explained in more detail with block diagrams in section 4.1 Authorization Code Grant, and in section 10.5 Authorization Codes. See:

Some relevant quotes from the documentation referenced above:

The transmission of authorization codes SHOULD be made over a secure channel, and the client SHOULD require the use of TLS with its redirection URI if the URI identifies a network resource. Since authorization codes are transmitted via user-agent redirections, they could potentially be disclosed through user-agent history and HTTP referrer headers.

Authorization codes operate as plaintext bearer credentials, used to verify that the resource owner who granted authorization at the authorization server is the same resource owner returning to the client to complete the process. Therefore, if the client relies on the authorization code for its own resource owner authentication, the client redirection endpoint MUST require the use of TLS.

Authorization codes MUST be short lived and single-use. If the authorization server observes multiple attempts to exchange an authorization code for an access token, the authorization server SHOULD attempt to revoke all access tokens already granted based on the compromised authorization code.

If the client can be authenticated, the authorization servers MUST authenticate the client and ensure that the authorization code was issued to the same client.

See the rest of RFC 6749 for more details:
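To make the quoted RFC 6749 properties concrete, here is a toy authorization server written as an added example (not code from the question, the answer, or the RFC). It shows that an authorization code need not "contain" anything: it is an opaque random handle to state kept on the server side. The token endpoint then enforces the rules quoted above: the code is short-lived, single-use, bound to the client and redirect URI it was issued to, the client is authenticated, and a replay of an already-redeemed code revokes every access token previously granted from it. The client id, secret, redirect URI, user name and the 60-second lifetime are constructed values for illustration.

```python
"""Toy OAuth 2.0 authorization-code store (added example, not from RFC 6749 itself).

Demonstrates why an authorization code carries no embedded content: the
server keeps the real state (client, redirect URI, user, scope, expiry) and
hands out only a random, unguessable reference to it.
"""

import secrets
import time
from dataclasses import dataclass, field

# Constructed value for the example; RFC 6749 s4.1.2 recommends at most 10 minutes.
CODE_LIFETIME_SECONDS = 60


@dataclass
class CodeRecord:
    """Server-side state behind one authorization code."""
    client_id: str
    redirect_uri: str
    user_id: str
    scope: str
    expires_at: float
    used: bool = False
    issued_tokens: list = field(default_factory=list)


class AuthorizationServer:
    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested deterministically
        self._clients = {}             # client_id -> (client_secret, registered redirect_uri)
        self._codes = {}               # opaque code -> CodeRecord
        self._active_tokens = set()    # access tokens currently honoured by the resource server

    def register_client(self, client_id, client_secret, redirect_uri):
        self._clients[client_id] = (client_secret, redirect_uri)

    def issue_code(self, client_id, redirect_uri, user_id, scope):
        """Called after the resource owner has authenticated and consented."""
        secret_and_uri = self._clients.get(client_id)
        if secret_and_uri is None or secret_and_uri[1] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        # The code itself is just 256 bits of randomness: no user id, no signature, no meaning.
        code = secrets.token_urlsafe(32)
        self._codes[code] = CodeRecord(client_id, redirect_uri, user_id, scope,
                                       expires_at=self._clock() + CODE_LIFETIME_SECONDS)
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: redeem a code for an access token, enforcing RFC 6749 s4.1.3 / s10.5."""
        # MUST authenticate the client if it can be authenticated.
        registered = self._clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}

        rec = self._codes.get(code)
        if rec is None:
            return {"error": "invalid_grant"}

        if rec.used:
            # Replay detected: revoke everything already granted from this code (s10.5).
            for tok in rec.issued_tokens:
                self._active_tokens.discard(tok)
            rec.issued_tokens.clear()
            return {"error": "invalid_grant", "revoked": True}

        if self._clock() > rec.expires_at:
            del self._codes[code]      # expired codes are simply forgotten
            return {"error": "invalid_grant"}

        # MUST ensure the code was issued to this client, and the redirect_uri must match.
        if rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}

        rec.used = True                # single-use: redeem exactly once
        token = secrets.token_urlsafe(32)
        rec.issued_tokens.append(token)
        self._active_tokens.add(token)
        return {"access_token": token, "token_type": "Bearer", "scope": rec.scope}

    def token_is_active(self, token):
        """What a resource server would ask before honouring a bearer token."""
        return token in self._active_tokens
```

The record is kept after redemption rather than deleted, because the replay rule only works if the server can still recognise a spent code and find the tokens it produced. A real deployment would also add PKCE and a storage backend, but the shape of the check is the same.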
