Difference between grant_type=client_credentials and grant_type=password in Authentication Flow?
Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must comply with the CC BY-SA license, cite the original address and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/34842895/
Asked by Saminda Alahakoon
I would like to understand the difference between grant_type=client_credentials and grant_type=password in the Authentication or OAuth2 Flow concept. I am following the sites below:
I presume grant_type=password is not a secure way as far as using grant_type in JavaScript development. But I still wonder; can someone help me understand this concept?
I also observe that grant_type=client_credentials doesn't provide "refresh_token"; it only provides access_token, whereas grant_type=password provides both access_token and refresh_token.
Hoping to get a detailed explanation. I am using WSO2 API Manager for OAuth2 for my application development.
Answered by Saminda Alahakoon
Resource owner credentials grant (password grant type)
When this grant is implemented the client itself will ask the user for their username and password (as opposed to being redirected to an IdP authorisation server to authenticate) and then send these to the authorisation server along with the client's own credentials. If the authentication is successful then the client will be issued with an access token.
This grant is suitable for trusted clients such as a service's own mobile client (for example Spotify's iOS app). You could also use this in software where it's not easy to implement the authorisation code - for example we bolted this authorisation grant into OwnCloud so we could retrieve details about a user that we couldn't access over LDAP from the university's Active Directory server.
Client credentials grant
This grant is similar to the resource owner credentials grant except only the client's credentials are used to authenticate a request for an access token. Again this grant should only be allowed to be used by trusted clients.
This grant is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Another example would be a client making requests to an API that don't require user's permission.
When someone visits a member of staff's page on the University of Lincoln staff directory, the website uses its own access token (that was generated using this grant) to authenticate a request to the API server to get the data about the member of staff that is used to build the page. When a member of staff signs in to update their profile, however, their own access token is used to retrieve and update their data. Therefore there is a good separation of concerns and we can easily restrict the permissions that each type of access token has.
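To make the two grants concrete, here is an added example (not code from the question, the answer, or WSO2 API Manager): a minimal in-memory OAuth2 token endpoint that accepts both grant types. The client id, client secret, user, password and scope names are constructed demo values, and the salted SHA-256 credential storage is an assumption made to keep the demo dependency-free. It shows the three points the answer makes: the password grant authenticates both the client and the resource owner and returns a refresh_token; the client_credentials grant authenticates only the client and returns an access_token alone; and the resource-server check lets the client's own token read staff data but not write a profile, because each token type carries its own restricted scopes.

```python
"""Minimal OAuth2 token endpoint contrasting client_credentials and password grants.
Added example; all clients, users, secrets and scopes are constructed demo values."""
import hashlib
import hmac
import secrets
from typing import Optional

DEMO_CLIENT_ID = "staff-directory-web"      # constructed
DEMO_CLIENT_SECRET = "demo-client-secret"   # constructed
DEMO_USER = "alice"                         # constructed
DEMO_PASSWORD = "correct horse battery"     # constructed


def _digest(salt: bytes, value: str) -> str:
    # Salted SHA-256 keeps the demo dependency-free; a real server would use a
    # purpose-built password hash (bcrypt/argon2). This is an assumption of the demo.
    return hashlib.sha256(salt + value.encode()).hexdigest()


_CLIENT_SALT, _USER_SALT = secrets.token_bytes(16), secrets.token_bytes(16)

# Registered clients: which grants each may use and which scopes its *own*
# token (issued via client_credentials) is allowed to carry.
CLIENTS = {
    DEMO_CLIENT_ID: {
        "secret_hash": _digest(_CLIENT_SALT, DEMO_CLIENT_SECRET),
        "allowed_grants": {"client_credentials", "password"},
        "app_scopes": {"staff:read"},   # the site's own token is read-only
    },
}
# Resource owners: scopes a token acting for this user may carry.
USERS = {
    DEMO_USER: {
        "password_hash": _digest(_USER_SALT, DEMO_PASSWORD),
        "scopes": {"staff:read", "profile:write"},
    },
}


class TokenServer:
    def __init__(self) -> None:
        self.tokens = {}   # access_token -> {"subject": ..., "scope": set(...)}

    def _authenticate_client(self, form: dict) -> Optional[dict]:
        client = CLIENTS.get(form.get("client_id", ""))
        if client is None:
            return None
        presented = _digest(_CLIENT_SALT, form.get("client_secret", ""))
        # constant-time comparison of the presented secret against the stored digest
        if not hmac.compare_digest(presented, client["secret_hash"]):
            return None
        return client

    def _issue(self, subject: str, scope: set, with_refresh: bool) -> dict:
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"subject": subject, "scope": set(scope)}
        response = {"access_token": access, "token_type": "Bearer",
                    "expires_in": 3600, "scope": " ".join(sorted(scope))}
        if with_refresh:
            response["refresh_token"] = secrets.token_urlsafe(32)
        return response

    def token(self, form: dict) -> dict:
        """Handle a POST to /token; `form` is the decoded form body."""
        client = self._authenticate_client(form)
        if client is None:
            return {"error": "invalid_client"}
        grant = form.get("grant_type")
        if grant not in client["allowed_grants"]:
            return {"error": "unauthorized_client"}
        if grant == "client_credentials":
            # Only the client was authenticated: the token acts for the client
            # itself, carries the client's limited scopes and has no refresh token.
            return self._issue(form["client_id"], client["app_scopes"], with_refresh=False)
        if grant == "password":
            # The client also forwards the resource owner's credentials; the token
            # then acts for that user and is accompanied by a refresh token.
            user = USERS.get(form.get("username", ""))
            presented = _digest(_USER_SALT, form.get("password", ""))
            if user is None or not hmac.compare_digest(presented, user["password_hash"]):
                return {"error": "invalid_grant"}
            requested = set(form.get("scope", "").split()) or user["scopes"]
            if not requested <= user["scopes"]:
                return {"error": "invalid_scope"}
            return self._issue(form["username"], requested, with_refresh=True)
        return {"error": "unsupported_grant_type"}

    def authorize(self, access_token: str, required_scope: str) -> bool:
        """Resource-server check: does the presented token carry the required scope?"""
        meta = self.tokens.get(access_token)
        return meta is not None and required_scope in meta["scope"]


if __name__ == "__main__":
    server = TokenServer()
    app = server.token({"grant_type": "client_credentials", "client_id": DEMO_CLIENT_ID,
                        "client_secret": DEMO_CLIENT_SECRET})
    user = server.token({"grant_type": "password", "client_id": DEMO_CLIENT_ID,
                         "client_secret": DEMO_CLIENT_SECRET,
                         "username": DEMO_USER, "password": DEMO_PASSWORD})
    print("client_credentials ->", sorted(app))     # no refresh_token
    print("password           ->", sorted(user))    # includes refresh_token
    print("app token may write profile?", server.authorize(app["access_token"], "profile:write"))
```

The separation the answer describes comes from the server keying scopes off who was authenticated: the client-only token never receives user-level scopes, so even a leaked site token cannot modify a profile, and because it has no refresh token its lifetime is bounded by expires_in rather than being renewable indefinitely.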