为什么 OAuth2 服务器不提供 refresh_token 响应“client_credentials"?授予? [英] Why is a refresh_token not provided by OAuth2 servers responding to a "client_credentials" grant?
问题描述
我正在阅读 OAuth2 规范:
I'm reading the OAuth2 spec:
https://tools.ietf.org/html/rfc6749#section-4.4.2
特别是关于 client_credentials 授权类型的部分.
Specially the section on client_credentials grant type.
如果访问令牌请求有效并获得授权,
授权服务器发出访问令牌,如部分所述5.1.
不应包含刷新令牌.如果请求未通过客户端身份验证或无效,则授权服务器返回错误响应,如第 5.2 节所述.
If the access token request is valid and authorized, the
authorization server issues an access token as described in Section 5.1.
A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response as described in Section 5.2.
成功响应示例:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"example_parameter":"example_value"
}
`
我有点困惑,为什么授权服务器可以为 password 授权类型返回 refresh_tokens 而对于 client_credentials 则不能.
I'm somewhat confused why an authorization server can return refresh_tokens for password grant types but not for client_credentials.
我猜这与可以将 refresh_token 交换为 access_token 的事实有关,并且因为 client_credentials 授权类型不需要用户名和密码,以防您的应用程序密钥和 refresh_token 被泄露撤销变得更加困难?
I'm guessing that it has something to do with the fact that the refresh_token can be exchanged for an access_token and because the client_credentials grant type does not require a username and password, in the event that your application keys and refresh_token is compromised revocation becomes much more difficult?
推荐答案
当使用客户端凭据授权时,客户端应用程序使用其客户端 ID 和客户端密码向授权服务器进行身份验证.如果获得授权,它会取回资源的访问令牌.在这种情况下没有用户交互,因此不需要发出刷新令牌.
When using the client credentials grant, the client application authenticates to the authorization server using its client id and client secret. It gets back an access token for the resource if authorized. There's no user interaction in this scenario, so there's no need to issue a refresh token.
当访问令牌过期时,客户端可以使用自己的凭据来请求新令牌.当客户端想要代表用户访问资源(当时可能没有与客户端交互)时,使用刷新令牌.
When the access token expires, the client can use its own credentials to request a new token. Refresh tokens are used when the client want to access a resource on behalf of the user (which may not be interacting with the client at that time).
在这种情况下,客户代表自己行事.
In this case, the client is acting on its own behalf.
这篇关于为什么 OAuth2 服务器不提供 refresh_token 响应“client_credentials"?授予?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
