Resource Owner Password Credentials Grant - Public Client


Question


I am trying to implement OAuth2 for a website using Python oauthlib. I have decided that I would like to use the grant type 'ResourceOwnerPasswordCredentialsGrant'; this is because the website and the API are my own and will not be open to third parties.


In 'resource_owner_password_credentials.py' why is 'client_authentication_required' hardcoded to return 'True'?


Do I need to authenticate my client (website)? From my understanding this would be a 'public' and not a confidential client.

Accepted answer


Looks like the author of oauthlib interpreted the spec this way. The section on the Resource Owner Password Credentials grant type (http://tools.ietf.org/html/rfc6749#section-4.3) says:


(B) The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.


Note that it suggests that the client authenticates but it does not use the MUST keyword in that last sentence. Just below that there's slightly more elaborate text (http://tools.ietf.org/html/rfc6749#section-4.3.2) saying:


If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.


Note the "If the client is confidential", this time implying that public clients may use this grant type too, which makes sense.


So I believe this is due to a too strict interpretation of the wording in the specs.
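As an added illustration of the spec reading above (example code written for this page, not oauthlib's implementation or the answerer's code), here is a minimal token-endpoint check that applies the Section 4.3.2 rule directly: a confidential client, or any client that was issued credentials, must authenticate, while a public client only identifies itself with client_id. The client registry, user store and secret values are constructed for the example.

```python
# Added example: a token endpoint decision for the password grant that follows
# RFC 6749 section 4.3.2 rather than always requiring client authentication.
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Client:
    client_id: str
    confidential: bool
    client_secret: Optional[str] = None   # credentials issued to the client, if any

# Constructed registry: one confidential backend client and one public website client.
CLIENTS = {
    "backend-service": Client("backend-service", confidential=True, client_secret="s3cret"),
    "my-website": Client("my-website", confidential=False),
}
# Constructed resource-owner store (plain text only to keep the example short).
USERS = {"alice": "correct horse battery staple"}

def client_authentication_required(client: Client) -> bool:
    """Section 4.3.2: authenticate if confidential or if credentials were issued."""
    return client.confidential or client.client_secret is not None

def authenticate_client(client: Client, presented_secret: Optional[str]) -> bool:
    """Constant-time comparison of the presented secret against the issued one."""
    if presented_secret is None or client.client_secret is None:
        return False
    return hmac.compare_digest(client.client_secret, presented_secret)

def handle_token_request(form: dict) -> dict:
    """Return an access-token dict or an RFC 6749 section 5.2 error dict."""
    if form.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    if client is None:
        return {"error": "invalid_client"}
    if client_authentication_required(client):
        if not authenticate_client(client, form.get("client_secret")):
            return {"error": "invalid_client"}
    # A public client without issued credentials reaches here on client_id alone.
    username, password = form.get("username", ""), form.get("password", "")
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, password):
        return {"error": "invalid_grant"}
    return {"access_token": f"token-for-{username}", "token_type": "bearer"}
```

In a real deployment the user store would hold password hashes and the access token would be a random value; only the client-authentication decision is the point here.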

