Is it possible to combine the "get token" and "get userinfo" step into one?
Question
In Authorization Code Flow, a client normally gets id token and access token in one step, and then passes the access token to the userinfo endpoint to get the actual data in a second step.
In terms of the OpenID Connect, is it possible to combine those steps into one, so one roundtrip from client to OpenID provider suffices?
N.B. The actual content of the Access Token is up to the implementor of an OpenID provider, so in theory I could put the data in there - but that does not seem like good practice, or is it?
Recommended answer
According to the OpenID Connect spec:
ID Tokens MAY contain other Claims.
And the spec also defines a set of standard claims.
If the id token contains the user information claims that you want, you can get these user information claims from the id token directly.
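One way a client could act on this answer, as an added example that is not part of the original answer: validate the ID token, read the wanted claims from it, and report which ones would still need the userinfo endpoint. It assumes the provider signs ID tokens with HS256 keyed by the client secret; the issuer, client id, secret and token are constructed sample values, and nonce checking is omitted.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign(secret, signing_input):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def claims_from_id_token(token, secret, issuer, client_id, wanted, now=None):
    """Validate an HS256 ID token, then split `wanted` into found and missing claims."""
    h64, p64, s64 = token.split(".")           # ValueError if not three parts
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # pin the algorithm, never follow the header
    if not hmac.compare_digest(sign(secret, h64 + "." + p64), b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    found = {k: claims[k] for k in wanted if k in claims}
    # Anything left in the second value still needs the userinfo round trip.
    return found, sorted(set(wanted) - set(found))

def make_sample_token(secret, claims):
    """Constructed input standing in for the provider's token response."""
    h64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = b64url_encode(json.dumps(claims).encode())
    return h64 + "." + p64 + "." + b64url_encode(sign(secret, h64 + "." + p64))

SECRET = b"constructed-client-secret"          # constructed sample value
SAMPLE = make_sample_token(SECRET, {
    "iss": "https://op.example", "aud": "client-123", "sub": "248289761001",
    "exp": 4102444800, "email": "jane@example.com", "name": "Jane Doe"})

if __name__ == "__main__":
    print(claims_from_id_token(SAMPLE, SECRET, "https://op.example", "client-123",
                               ["email", "name", "phone_number"]))
```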