gpt4 book ai didi

oauth - 为什么 OAuth 2 有资源所有者密码凭证授予?

转载 作者:行者123 更新时间:2023-12-04 07:35:34 25 4
gpt4 key购买 nike

为什么有人会在这种授权下使用 OAuth 2?我的意思是,如果客户端已经拥有资源所有者的名称和密码,为什么不使用资源服务器使用的任何身份验证工具作为资源所有者进行身份验证?

我不明白这里的理由。有人可以解释一下吗?

最佳答案

正如规范所提到的,资源所有者密码凭证授予是出于迁移目的,并且仅适用于(通常)客户端和授权服务器由同一方控制的场景,https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3 :

The resource owner password credentials (i.e., username and password)can be used directly as an authorization grant to obtain an access
token. The credentials should only be used when there is a high
degree of trust between the resource owner and the client (e.g., the
client is part of the device operating system or a highly privileged
application), and when other authorization grant types are not
available (such as an authorization code).


它允许在客户端和资源服务器之间使用标准 token 和协议(protocol)(例如 OAuth 2.0 承载 token ),同时使用“待弃用”的方式在客户端和授权服务器之间获取 token 。 https://www.rfc-editor.org/rfc/rfc6749#section-10.7 :

The resource owner password credentials grant type is often used for
legacy or migration reasons. It reduces the overall risk of storing
usernames and passwords by the client but does not eliminate the needto expose highly privileged credentials to the client.

This grant type carries a higher risk than other grant typesbecause it maintains the password anti-pattern this protocol seeksto avoid. The client could abuse the password, or the passwordcould unintentionally be disclosed to an attacker (e.g., via logfiles or other records kept by the client).

Additionally, because the resource owner does not have control overthe authorization process (the resource owner's involvement ends whenit hands over its credentials to the client), the client can obtain
access tokens with a broader scope than desired by the resource
owner. The authorization server should consider the scope and
lifetime of access tokens issued via this grant type.

The authorization server and client SHOULD minimize use of thisgrant type and utilize other grant types whenever possible.

关于oauth - 为什么 OAuth 2 有资源所有者密码凭证授予?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33991050/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com