Why use Client Credentials flow?


Problem description

I've been looking at using oauth2 client credentials grant to secure my API (all users will be trusted 3rd parties). I'm following the same approach as paypal here: https://developer.paypal.com/docs/integration/direct/paypal-oauth2/

However, I see that HTTP:// basic auth is used to acquire a bearer token. Then the bearer token is used to secure the API calls.

What I don't understand is, if you're going to trust TLS and http: basic auth to retrieve the bearer token - why not just use http: basic auth for the API calls? What is the benefit of using bearer tokens?

What am I missing?

Recommended answer

According to The OAuth 2.0 Authorization Framework: Bearer Token Usage:

The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes.

The server that is authorizing the request and giving you the Bearer Token, may be different from the server that actually controls the resources that you are trying to access.

As per the RFC, they have been shown as two different entities. The one giving you the Bearer Token is Authorization Server and the one serving the resources is Resource Server.
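As an added illustration (not part of the answer above or of any real server), this constructed Python sketch models the two roles the answer separates: a token endpoint that checks the client's HTTP Basic credentials and issues a short-lived signed bearer token, and a resource server that holds only the token signing key, never the client secret, and understands only the Bearer scheme. The client id, secret, signing key and TTL are hypothetical values.

```python
import base64, hashlib, hmac, json, time

# Constructed, hypothetical registrations: the client secret lives only at
# the authorization server; the resource server only holds the signing key.
CLIENTS = {"client-123": "s3cret"}
TOKEN_SIGNING_KEY = b"key-shared-by-authz-and-resource-server"
TOKEN_TTL = 300  # seconds: tokens are deliberately short-lived

def _sign(body: str) -> str:
    return hmac.new(TOKEN_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()

def basic_header(client_id: str, secret: str) -> str:
    """What the client sends to the token endpoint (client credentials grant)."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def token_endpoint(authorization: str, now=None) -> dict:
    """Authorization server: verify HTTP Basic client credentials, issue a token."""
    now = time.time() if now is None else now
    scheme, _, cred = authorization.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    if scheme != "Basic" or expected is None or \
            not hmac.compare_digest(expected.encode(), secret.encode()):
        return {"error": "invalid_client"}
    claims = {"sub": client_id, "exp": int(now) + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return {"access_token": f"{body}.{_sign(body)}",
            "token_type": "Bearer", "expires_in": TOKEN_TTL}

def resource_server(authorization: str, now=None) -> tuple:
    """Resource server: understands only 'Bearer'; never sees the client secret."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or "." not in token:
        return 401, "missing or malformed bearer token"
    body, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(_sign(body), sig):
        return 401, "bad token signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return 401, "token expired"
    return 200, f"resource for {claims['sub']}"
```

Rotating the client secret or revoking the client then only touches the authorization server, while the resource server keeps validating signatures and expiry.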

