Can OAuth2 Access Token be shared by client?


Problem description

I am new to OAuth and trying to understand the spec. So as per the spec's protocol flow, I understand that Client A can get an authorization code and then an access token for a protected resource.

Now if an access token has been obtained, services such as LinkedIn expect the access token to be part of the URL query; see their interface document.

So now if Client A has shared the access token with Client B, or e.g. anyone intercepts the request and gets the access token, then he too can start accessing all details that Client A can access. Is this understanding correct? If yes, then how can we protect against such access token sharing/misuse?

Recommended answer

There are multiple ways to pass an access token to endpoints of protected resources. For example, as a query parameter, like:

access_token={Your-Access-Token}

Another example is Bearer Token Usage (RFC 6750), in which an access token is embedded in the Authorization header, like:

Authorization: Bearer {Your-Access-Token}

How to pass an access token is defined by each service.

Access tokens must be kept secret. If Client B obtains an access token issued to Client A, Client B can behave as if it were Client A. Yes, there are risks of access token leakage, so access tokens have a limited lifetime, and that is one reason most services have a page that enables users to revoke access tokens.
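To make the answer concrete, here is an added example (not from the original answer or any real service) of how a resource server typically validates a bearer token: it accepts the token only from the `Authorization: Bearer` header (RFC 6750), rejects tokens passed in the query string because URLs end up in logs, browser history and Referer headers, and enforces the two mitigations the answer names, expiry and revocation. The token values, client ids and timestamps are constructed sample data; note that the server has no way to tell whether it is Client A or Client B presenting `tokA-3f9c`, which is exactly why the token itself must stay secret.

```python
import hmac
import time
from urllib.parse import urlparse, parse_qs

# Constructed sample data standing in for the authorization server's token store.
# A real server would look these up in a database or introspection endpoint.
ISSUED_TOKENS = {
    "tokA-3f9c": {"client_id": "client-A", "scope": "profile", "expires_at": 2_000_000_000},
    "tokB-77e1": {"client_id": "client-B", "scope": "profile", "expires_at": 1_000_000_000},
    "tokC-0000": {"client_id": "client-C", "scope": "profile", "expires_at": 2_000_000_000},
}
REVOKED = {"tokC-0000"}  # the user revoked this one via the service's "revoke access" page


def extract_bearer(headers):
    """Return the token from 'Authorization: Bearer <token>' (RFC 6750), else None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(url, headers, now=None):
    """Decide whether a request may reach the protected resource.

    Returns (status, reason). Whoever presents a valid token is treated as the
    client it was issued to; the token is the only proof of identity the server sees.
    """
    now = time.time() if now is None else now
    if "access_token" in parse_qs(urlparse(url).query):
        # Tokens in the URL leak through access logs, history and Referer headers.
        return 400, "access_token in query string is not accepted; use the Authorization header"
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing or malformed Bearer credential"
    # Constant-time comparison so timing does not reveal how much of a token matched.
    record = next((v for k, v in ISSUED_TOKENS.items() if hmac.compare_digest(k, token)), None)
    if record is None or token in REVOKED:
        return 401, "unknown or revoked token"
    if record["expires_at"] <= now:
        return 401, "token expired"
    return 200, "ok: acting as %s (scope %s)" % (record["client_id"], record["scope"])
```

With a fixed `now` of 1,500,000,000 the valid token for client-A is accepted, the same token in the query string is refused, and the expired and revoked tokens both fail even though they were genuinely issued.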
