Why do we need both client Id and client secret instead of just clientSecret?


Question

I have been trying to understand how OAuth2 works. At first I thought it was redundant to spend one extra step exchanging the auth code + client secret for an access token: why not have the server return the access token directly? For that I found this explanation.

Then what confuses me is: why does it need a clientId and a client secret, instead of just a secret? A secret which can both declare and prove itself. The client app could then simply pass it to the server when it sends the user there to authorize itself for accessing the server's resource.

Thanks!

Answer

Imagine the client signs the request with the secret and sends just the signature. How does the server know which secret to use? Presumably the server supports multiple consumers.
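As an added example (not part of the question or the answer above), here is the lookup-then-verify step the answer describes, written in Python: the token endpoint uses the public client_id to find the right record, and the client_secret to prove the claim. It also shows why the secret cannot double as the lookup key once secrets are stored only as salted hashes. The registry, client names and secrets are constructed for the example; HTTP Basic client authentication as in RFC 6749 section 2.3.1 is assumed.

```python
import hashlib
import hmac
import os
from base64 import b64decode, b64encode
from typing import Dict, Optional, Tuple

# Constructed client registry for illustration: client_id -> (salt, hash(secret)).
# Only a salted hash of each secret is stored, so the secret itself cannot be the
# lookup key; the public client_id identifies the record, the secret proves it.
ClientRegistry = Dict[str, Tuple[bytes, bytes]]

def _hash_secret(client_secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", client_secret.encode(), salt, 100_000)

# Dummy record used when the client_id is unknown, so the same hashing work is
# done whether or not the id exists (no timing hint about valid client ids).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_secret("dummy-secret", _DUMMY_SALT)

def register_client(registry: ClientRegistry, client_id: str, client_secret: str) -> None:
    salt = os.urandom(16)
    registry[client_id] = (salt, _hash_secret(client_secret, salt))

def basic_header(client_id: str, client_secret: str) -> str:
    """Build the Authorization header a confidential client sends to the token endpoint."""
    return "Basic " + b64encode(f"{client_id}:{client_secret}".encode()).decode()

def authenticate_client(registry: ClientRegistry, authorization: str) -> Optional[str]:
    """Check HTTP Basic client credentials (RFC 6749 section 2.3.1).
    Returns the authenticated client_id, or None if authentication fails."""
    scheme, _, encoded = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, sep, client_secret = b64decode(encoded, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    if not sep or not client_id:
        return None
    # Step 1: the client_id says WHICH secret to check (the answer's point).
    salt, expected = registry.get(client_id, (_DUMMY_SALT, _DUMMY_HASH))
    # Step 2: the secret proves the claim; constant-time compare avoids timing leaks.
    ok = hmac.compare_digest(_hash_secret(client_secret, salt), expected)
    return client_id if ok and client_id in registry else None
```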
