stackoom
  简体   繁体   中英

Why use Client Credentials flow?

 原文  2015-02-11 10:31:26       api/ oauth-2.0/ basic-authentication

Question

I've been looking at using oauth2 client credentials grant to secure my API (all users will be trusted 3rd parties). I'm following the same approach as paypal here: https://developer.paypal.com/docs/integration/direct/paypal-oauth2/

However, I see that HTTP:// basic auth is used to acquire a bearer token. Then the bearer token is used to secure the API calls.

What I don't understand is, if you're going to trust TLS and http: basic auth to retrieve the bearer token - why not just use http: basic auth for the API calls? What is the benefit of using bearer tokens?

What am I missing?

2 answers

solution1
 2  2016-01-13 09:13:25

Adding to what Ankit Saroch is saying, going the OAuth way with Tokens may open up other possibilities in the future; say you may want to extend the flow to include User information. By only validating tokens, this means you will probably not need to change the token validation (which is simple) in your service, but rather only the authentication and authorization steps.

But obviously you're right in what you are saying: The Client Credentials OAuth Flow is not more secure than simply using techniques like API Keys or Basic Authentication. All of those rely on the Client being confidential (it can keep its credentials to itself).

The OAuth Spec ( https://tools.ietf.org/html/rfc6749#section-2.1 ) talks about these Client Types. In total, it's worth reading the spec actually.

solution2
 1 ACCPTED  2015-02-11 11:02:50

As per The OAuth 2.0 Authorization Framework: Bearer Token Usage

The access token provides an abstraction, replacing different authorization constructs (eg, username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes.

The server that is authorizing the request and giving you the Bearer Token, may be different from the server that actually controls the resources that you are trying to access.

As per the RFC, they have been shown as two different entities. The one giving you the Bearer Token is Authorization Server and the one serving the resources is Resource Server .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question What is the security difference between API Keys and the client credentials flow of OAuth? Securing a REST API written in PHP with OAuth2 client credentials flow Spotify API - Client Credentials Flow in Kotlin with Retrofit doesnt work Adding Applications programmatically in Azure AD using Client Credentials Flow I am using php to connect to spotify's API with PHP and with the client credentials flow Why use Customer/Buyer API credentials? Couldn't able to access the client access token from Dialog Flow, I need to use in Angular Application Obtain encrypted credentials from server or client? Securing API with client credentials via Azure AD Calling a secured API using Swift and Client Credentials
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM