
Diagrams 3 and 4 in RFC 6749 (OAuth 2.0 Authorization Framework)

In this RFC, I struggle to understand the diagrams in Figures 3 (Authorization Code Flow) and 4 (Implicit Grant Flow).

In both cases at point (B), it says "The authorization server authenticates the resource owner (via the user-agent)". The (B) arrow has two ends, one towards Resource owner and one towards Authorization server.

 +----------+
 | Resource |
 |   Owner  |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier      +---------------+
 |         -+----(A)-- & Redirection URI ---->|               |
 |  User-   |                                 | Authorization |
 |  Agent  -+----(B)-- User authenticates --->|     Server    |
 |          |                                 |               |
 |         -+----(C)-- Authorization Code ---<|               |
 +-|----|---+                                 +---------------+
   |    |                                         ^      v
  (A)  (C)                                        |      |
   |    |                                         |      |
   ^    v                                         |      |
 +---------+                                      |      |
 |         |>---(D)-- Authorization Code ---------'      |
 |  Client |          & Redirection URI                  |
 |         |                                             |
 |         |<---(E)----- Access Token -------------------'
 +---------+       (w/ Optional Refresh Token)

                 Figure 3: Authorization Code Flow (actual)

It seems to me that the arrow should go from Resource owner to Authorization server, as the RO is the one that has to actively enter his credentials.

 +----------+
 | Resource |
 |   Owner  |
 |          |
 +----------+
      v
      |
     (B)
 +----|-----+          Client Identifier      +---------------+
 |         -+----(A)-- & Redirection URI ---->|               |
 |  User-   |                                 | Authorization |
 |  Agent  -+----(B)-- User authenticates --->|     Server    |
 |          |                                 |               |
 |         -+----(C)-- Authorization Code ---<|               |
 +-|----|---+                                 +---------------+
   |    |                                         ^      v
  (A)  (C)                                        |      |
   |    |                                         |      |
   ^    v                                         |      |
 +---------+                                      |      |
 |         |>---(D)-- Authorization Code ---------'      |
 |  Client |          & Redirection URI                  |
 |         |                                             |
 |         |<---(E)----- Access Token -------------------'
 +---------+       (w/ Optional Refresh Token)

                 Figure 3: Authorization Code Flow (more correct?)

Anyway, I don't understand what this double arrow is supposed to mean. Is this a typo? Am I missing something here?

It means that the user-agent (the browser) tries to reach the resource owner, but it is then redirected to the authorization server. So the 'B' arrow should not be from the resource owner to the authorization server.
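To make the (B) arrow concrete, here is an added single-process simulation of Figure 3; it is example code written for this page, not text from RFC 6749 or from either poster. The class names, the demo credentials, the `state` parameter handling and the example URLs are all assumptions for the demo. What it shows is why (B) touches three parties: the client only builds a URL (A) and hands it to the user-agent, the user-agent is redirected to the authorization server's login page, and the resource owner types credentials into that page, so the authorization server authenticates the owner "via the user-agent" and the client never sees the password. The server also refuses to redirect to an unregistered URI, issues single-use codes, and the client checks `state` before redeeming a code.

```python
# Added example (not from RFC 6749 or the thread): a single-process simulation of
# RFC 6749 Figure 3.  Class names, demo credentials and URLs are assumptions.
import secrets
import hmac
from urllib.parse import urlencode, urlsplit, parse_qs


def parse_query(url):
    """Return the query string of `url` as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.users = {}     # username -> password (plaintext only for the demo)
        self.codes = {}     # code -> (client_id, redirect_uri, username)
        self.tokens = {}    # access_token -> username

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def register_user(self, username, password):
        self.users[username] = password

    def authorize(self, query, username, password):
        """Steps (A)+(B): the user-agent arrives at /authorize carrying the client's
        request; the server authenticates the resource owner itself and answers with
        a redirect back to the client (step C)."""
        if query.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client_id, redirect_uri = query.get("client_id"), query.get("redirect_uri")
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            # Never redirect to an unregistered URI: fail in place instead.
            raise ValueError("invalid_client_or_redirect_uri")
        stored = self.users.get(username, "").encode()
        if not hmac.compare_digest(stored, password.encode()):
            raise PermissionError("resource owner authentication failed")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, username)
        return redirect_uri + "?" + urlencode({"code": code, "state": query.get("state", "")})

    def token(self, form, client_id, client_secret):
        """Steps (D)+(E): the client, not the user-agent, redeems the code."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0].encode(), client_secret.encode()):
            raise PermissionError("invalid_client")
        issued = self.codes.pop(form.get("code"), None)  # codes are single-use
        if issued is None or issued[0] != client_id or issued[1] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = issued[2]
        return {"access_token": access_token, "token_type": "Bearer"}


class Client:
    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending_state = None

    def authorization_request(self):
        """Step (A): build the URL the user-agent is sent to."""
        self.pending_state = secrets.token_urlsafe(16)  # ties (C) back to this request
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": self.pending_state})

    def handle_redirect(self, url):
        """Step (C) lands on the client's redirect URI; (D) exchanges the code."""
        params = parse_query(url)
        if params.get("state") != self.pending_state:
            raise PermissionError("state mismatch: redirect does not match our request")
        self.pending_state = None
        return self.server.token(  # (D)/(E): a direct client-to-server exchange
            {"grant_type": "authorization_code", "code": params.get("code"),
             "redirect_uri": self.redirect_uri}, self.client_id, self.client_secret)


def run_flow(username="alice", password="correct horse"):
    """Play the whole of Figure 3 once and return the token response."""
    server = AuthorizationServer()
    server.register_user("alice", "correct horse")   # constructed demo credentials
    server.register_client("app", "app-secret", "https://app.example/cb")
    client = Client("app", "app-secret", "https://app.example/cb", server)

    # (A) the client hands the user-agent a URL pointing at the authorization server.
    auth_url = client.authorization_request()
    query = parse_query(auth_url)
    # (B) the user-agent is now on the server's login page; the resource owner
    # types credentials into *that* page, so the client is out of the loop.
    redirect_back = server.authorize(query, username, password)
    # (C) the server redirects the user-agent back to the client with the code;
    # (D)/(E) the client redeems it directly with the server.
    return client.handle_redirect(redirect_back)


if __name__ == "__main__":
    print(run_flow())
```

Note that in `run_flow` the password is passed to `server.authorize`, never to `Client`; that is the whole of the answer above, written as code. The vertical (B) leg of the diagram is the user-agent rendering the server's login page to the owner, and the horizontal (B) leg is the user-agent carrying the owner's answer to the server.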
