oauth-2.0 - Replacing the OAuth2 Implicit grant with an Authorization Code grant without a client secret

Reposted. Author: 行者123. Updated: 2023-12-04 15:29:54

Some companies are using the OAuth 2.0 Auth Code grant without a Client Secret instead of the Implicit Grant for client-side JavaScript applications. What are the general advantages/trade-offs of the auth code grant without a client secret versus the implicit grant? Are more companies and/or standards bodies going this way?

According to the article and the IETF OAuth mailing-list posts below, Red Hat, Deutsche Telekom and others have gone this way.

  • https://aaronparecki.com/oauth-2-simplified/

  • Implicit was previously recommended for clients without a secret, but has been superseded by using the Authorization Code grant with no secret.

    ...

    Previously, it was recommended that browser-based apps use the "Implicit" flow, which returns an access token immediately and does not have a token exchange step. In the time since the spec was originally written, the industry best practice has changed to recommend that the authorization code flow be used without the client secret. This provides more opportunities to create a secure flow, such as using the state parameter. References: Redhat, Deutsche Telekom, Smart Health IT.

Below are the messages referenced above.

    Red Hat

    For our IDP [1], our javascript library uses the auth code flow, but requires a public client, redirect_uri validation, and also does CORS checks and processing. We did not like Implicit Flow because

    1) access tokens would be in the browser history

    2) short lived access tokens (seconds or minutes) would require a browser redirect



    Deutsche Telekom

    Same for Deutsche Telekom. Our javascript clients also use code flow with CORS processing and of course redirect_uri validation.



    SMART Health IT

    We've taken a similar approach for SMART Health IT [1], using the code flow for public clients to support in-browser apps, and <1h token lifetime. (We also allow these public clients to request a limited-duration refresh token by asking for an "online_access" scope; these refresh tokens stop working when the user's session with the AS ends — useful in systems where that session concept is meaningful.)

Best answer

At the end of 2018 the paradigm for public clients (SPA applications) changed significantly. The previously recommended Implicit flow was criticized on many of the points cited in the original question. In December 2018 two IETF drafts were published that describe possible attack vectors and best practices. Both recommend using the Authorization Code flow instead of the Implicit flow.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-11
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-00

A similar question on oauth-2.0 - replacing the OAuth2 implicit grant with an authorization code grant without a client secret was found on Stack Overflow: https://stackoverflow.com/questions/50577152/
