Understanding the need of client id, client secret in OAuth 2.0


Question

I have a web site that requires users to log in by providing their email and password to gain an access token, where the access token is used to access the API.

User can then gain access to read/write with the scope provided by the access token.

So, what I would like to understand here is what roles the client id and client secret play in such a case, and what benefits implementing a client id and client secret can provide. Because I really do not see the need for implementing a client id and client secret, since the user may just use the access token to gain access rights.

Accepted answer

You don't have to issue client IDs if you can achieve what you want to do without them. For example, if you have privileges to handle email (user ID) and password directly, you don't need a client ID.

In general, client IDs are needed only when you want to allow (third-party) client applications to access (your service's) users' data with restricted privileges. In this case, each client application must be given authorization by a user. As a result, your system will need client IDs to know which client application the user has granted permissions to.
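To make the distinction in this answer concrete, here is an added example (not code from the question, the answer, or any OAuth library) of a toy authorization server and resource server. It models both cases the answer describes: a first-party login where the site handles email and password itself and issues a token with no client id, and a third-party authorization-code flow where the user consents to a specific registered client, the code is bound to that client's id and the scopes it was allowed, and the client must present its secret to exchange the code. All names (`AuthServer`, `ResourceServer`, `calendar-app`, `alice@example.com`) and the in-memory stores are constructed for the example; a real deployment would use a proper OAuth 2.0 implementation, TLS, and a password hash such as bcrypt or argon2 instead of plain SHA-256.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed, in-memory models for the example only.
@dataclass
class Client:
    client_id: str
    secret_hash: str            # store only a hash of the client secret
    allowed_scopes: frozenset   # scopes this client may ever be granted

@dataclass
class Token:
    value: str
    user: str
    scopes: frozenset
    client_id: Optional[str]    # None for the site's own first-party login

class AuthServer:
    def __init__(self):
        self.users = {}      # email -> password hash (toy: sha256, not a real KDF)
        self.clients = {}    # client_id -> Client
        self.codes = {}      # authorization code -> (user, client_id, scopes)
        self.tokens = {}     # token value -> Token

    @staticmethod
    def _hash(s: str) -> str:
        return hashlib.sha256(s.encode()).hexdigest()

    def register_user(self, email: str, password: str) -> None:
        self.users[email] = self._hash(password)

    def register_client(self, name: str, allowed_scopes) -> tuple:
        """Register a third-party app; returns (client_id, client_secret) once."""
        client_id = f"{name}-{secrets.token_hex(4)}"
        secret = secrets.token_urlsafe(24)
        self.clients[client_id] = Client(client_id, self._hash(secret), frozenset(allowed_scopes))
        return client_id, secret

    def _check_password(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))

    def first_party_login(self, email: str, password: str) -> Token:
        """The site itself handles credentials, so no client id is involved."""
        if not self._check_password(email, password):
            raise PermissionError("bad credentials")
        return self._issue(email, frozenset({"read", "write"}), client_id=None)

    def authorize(self, email: str, password: str, client_id: str, requested) -> str:
        """Third-party step 1: user consents; the code is bound to this client."""
        client = self.clients.get(client_id)
        if client is None or not self._check_password(email, password):
            raise PermissionError("unknown client or bad credentials")
        scopes = frozenset(requested) & client.allowed_scopes   # clamp to what the app may have
        code = secrets.token_urlsafe(16)
        self.codes[code] = (email, client_id, scopes)
        return code

    def exchange_code(self, code: str, client_id: str, client_secret: str) -> Token:
        """Third-party step 2: client authenticates with its secret and redeems the code."""
        client = self.clients.get(client_id)
        entry = self.codes.pop(code, None)                      # single use, even on failure
        if client is None or entry is None:
            raise PermissionError("invalid code or client")
        if not hmac.compare_digest(client.secret_hash, self._hash(client_secret)):
            raise PermissionError("client authentication failed")
        user, bound_client, scopes = entry
        if bound_client != client_id:
            raise PermissionError("code was issued to a different client")
        return self._issue(user, scopes, client_id)

    def _issue(self, user: str, scopes: frozenset, client_id: Optional[str]) -> Token:
        tok = Token(secrets.token_urlsafe(24), user, scopes, client_id)
        self.tokens[tok.value] = tok
        return tok

    def introspect(self, value: str) -> Optional[Token]:
        return self.tokens.get(value)

class ResourceServer:
    def __init__(self, auth: AuthServer):
        self.auth = auth

    def allowed(self, token_value: str, needed_scope: str) -> bool:
        tok = self.auth.introspect(token_value)
        return tok is not None and needed_scope in tok.scopes

def demo() -> dict:
    auth = AuthServer()
    rs = ResourceServer(auth)
    auth.register_user("alice@example.com", "correct horse")          # constructed user
    cal_id, cal_secret = auth.register_client("calendar-app", {"read"})
    other_id, other_secret = auth.register_client("other-app", {"read", "write"})
    first = auth.first_party_login("alice@example.com", "correct horse")
    code = auth.authorize("alice@example.com", "correct horse", cal_id, {"read", "write"})
    third = auth.exchange_code(code, cal_id, cal_secret)
    results = {
        "first_party_client": first.client_id,                 # None: no client id needed
        "first_party_write": rs.allowed(first.value, "write"),
        "third_party_client": third.client_id,                 # token records which app
        "third_party_read": rs.allowed(third.value, "read"),
        "third_party_write": rs.allowed(third.value, "write"),  # clamped out: False
    }
    code2 = auth.authorize("alice@example.com", "correct horse", cal_id, {"read"})
    try:   # a code granted to calendar-app cannot be redeemed by another registered app
        auth.exchange_code(code2, other_id, other_secret)
        results["other_client_rejected"] = False
    except PermissionError:
        results["other_client_rejected"] = True
    code3 = auth.authorize("alice@example.com", "correct horse", cal_id, {"read"})
    try:   # the right client id with the wrong secret is rejected too
        auth.exchange_code(code3, cal_id, "not-the-secret")
        results["wrong_secret_rejected"] = False
    except PermissionError:
        results["wrong_secret_rejected"] = True
    return results
```

The `demo()` run shows the answer's point directly: the first-party token carries no client id at all, while the third-party token records which application the user consented to and is clamped to the scopes that application was registered for, and neither another registered client nor a client without its secret can turn the user's consent into a token.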

