限制 OAuth 2.0 流程的范围
[英]Limiting the scopes of an OAuth 2.0 flow
问题描述
I want to set up a OAuth 2.0 flow in my code.
我想在我的代码中设置 OAuth 2.0 流。
I want my code, to be limited to specific scopes (even if someone accidentally writes some extra code to request additional ones).我希望我的代码仅限于特定范围(即使有人不小心编写了一些额外的代码来请求额外的代码)。
Let's assume I want my code to be able to only access photos in facebook.假设我希望我的代码只能访问 facebook 中的照片。
Is the only place to restrict the scope during the request to the authorisation server, eg是向授权服务器请求期间唯一限制范围的地方,例如
https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
&redirect_uri=REDIRECT_URI&scope=email&state=1234zyx
Or is there a way to enforce this restriction when issuing client_id and client_secret so that the following request will eventually fail?或者有没有办法在发出client_id和client_secret时强制执行此限制,以便以下请求最终失败?
https://facebook.com/dialog/oauth?response_type=code&client_id=CLIENT_ID
&redirect_uri=REDIRECT_URI&scope=email,posts&state=1234zyx
My use case is for google APIs btw.我的用例是针对谷歌 API 的。
1 个解决方案
解决方案1
1 已采纳 2022-06-29 09:07:13
Not enough details provided to know what you are trying to accomplish;没有提供足够的详细信息来了解您要完成的工作; But generally:但一般来说:
- The OAuth client may request any scope desired. OAuth 客户端可以请求任何所需的范围。
- The resource owner (Could be end user "consent screen" or Google if using APIs) may NOT delegate some or all requested scopes.资源所有者(如果使用 API,可能是最终用户“同意屏幕”或 Google)可能不会委托部分或全部请求的范围。
- The Authorization Server may ignore some or all requested scopes for many reasons.由于许多原因,授权服务器可能会忽略部分或全部请求的范围。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.