OAuth 2.0中“资源所有者密码凭证授予类型"的目的是什么? [英] What is the purpose of Resource Owner Password Credential Grant Type in OAuth 2.0?

问题描述

基于对我的上一个问题的答案

好吧，OAuth 2.0是一种授权协议，但是当您使用ROPC(资源所有者密码凭据)授权类型时，按照我的理解，这意味着您要进行身份验证和授权，不是吗?

Ok, OAuth 2.0 is an authorization protocol but when you use ROPC (Resource Owner Password Credential) Grant Type, the way I understand it, you mean to authenticate and authorize isn't it?

OpenID是否仍适用于ROPC?仍与OAuth 2.0 ROPC和OpenID混淆

Is OpenID still applicable in ROPC? still a little bit confuse with OAuth 2.0 ROPC and OpenID

推荐答案

资源所有者密码凭据授予类型可以对用户进行身份验证，但它是非典型的OAuth 2.0授予类型，仅用于迁移目的，如规范所述:

The Resource Owner Password Credentials grant type does authenticate users but is a non-typical OAuth 2.0 grant type that is only meant for migration purposes, as the spec says:

资源所有者密码凭据授予类型通常用于
遗留或迁移原因.它降低了存储的总体风险
客户端的用户名和密码，但不能消除需求 向客户端公开高特权凭证.

The resource owner password credentials grant type is often used for
legacy or migration reasons. It reduces the overall risk of storing
usernames and passwords by the client but does not eliminate the need to expose highly privileged credentials to the client.

此赠款类型比其他赠款类型具有更高的风险 因为它维护此协议寻求的密码反模式 避免.

This grant type carries a higher risk than other grant types because it maintains the password anti-pattern this protocol seeks to avoid.

OpenID Connect并没有禁止资源所有者密码证书授予(即使OpenID Connect规范没有在OAuth 2.0之外明确定义它)，但违反了OpenID Connect应该是的联合SSO协议的主要目的.这是因为它将RP锁定在单一身份验证方法中，从而将用户凭据公开给RP.你里程wrt.跨提供商的支持可能会有所不同.

The Resource Owner Password Credentials grant is not prohibited with OpenID Connect (even though the OpenID Connect spec does not clearly define it beyond OAuth 2.0) but defeats the primary purpose of a federated SSO protocol that OpenID Connect is supposed to be. That is because it locks RPs in to a single authentication method whereby the user credentials are disclosed to the RP. You mileage wrt. to support across Providers may vary.

另请参阅: OpenID Connect是否支持资源授予所有者密码凭据?

这篇关于OAuth 2.0中“资源所有者密码凭证授予类型"的目的是什么?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！