How do /oauth/authorize and /oauth/token interact in Spring OAuth?


Question


I am doing an in-depth study of Spring OAuth, and I found some conflicting information. Can someone please clarify?


Specifically, this tutorial states that the /oauth/token endpoint handles the username and password before granting a refresh token to the client app. By contrast, the Spring OAuth Developer Guide mentions the /oauth/authorize and /oauth/token endpoints, but does not get specific about how they work.


Does the /oauth/authorize do 100% of the username/password/nOtherFactors check and then signal the /oauth/token endpoint to send a refresh token to the client, so that the client then sends the refresh token to the /oauth/token endpoint?


Or is all of it handled by the /oauth/token endpoint?


Is the relationship between /oauth/authorize and /oauth/token different for different grant types? How?

Answer


Per the OAuth 2.0 specification, the authorize and token endpoints have different purposes.


The authorization endpoint is where the resource owner (user) logs in and grants authorization to the client (ex: a web application running in the browser or an app running on a mobile device). This is typically used in scenarios where the resource owner's user agent (ex: browser) is redirected to the identity server (authorization server) for authentication. The resource owner's user agent will have direct access to the access token.


The token endpoint is where the client (ex: server-side API or mobile app) exchanges the authorization code, client ID and client secret for an access token. In this scenario, the user agent is provided with an authorization code only, with no direct access to the access token. The client is a trusted party with access to the client ID and client secret from the authorization server (that is why I mentioned a server-side API as the client).


Please read this article, which has an even better explanation.
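To make the split described in this answer concrete, here is an added example (not Spring's code, and not from the answer's author) of a minimal in-memory authorization server with the two endpoints as methods. The client, user, secret and redirect URI are constructed sample values. It shows the authorization code grant, where the user agent only ever sees a short-lived single-use code and the confidential client must present its secret at the token endpoint to obtain the access and refresh tokens, beside the implicit grant, where the token goes straight to the user agent.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed registrations; Spring would hold these in ClientDetailsService / UserDetailsService.
CLIENTS = {"web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
USERS = {"alice": "correct horse"}

class AuthorizationServer:
    def __init__(self):
        self.codes, self.tokens, self.refresh = {}, {}, {}  # pending codes; issued tokens

    def authorize(self, client_id, response_type, redirect_uri, username, password):
        """/oauth/authorize: the resource owner logs in here; the client secret is never involved."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(USERS.get(username, ""), password):
            raise ValueError("resource owner authentication failed")
        if response_type == "code":  # authorization code grant: user agent only sees the code
            code = secrets.token_urlsafe(16)
            self.codes[code] = (client_id, username)
            return f"{redirect_uri}?code={code}"
        if response_type == "token":  # implicit grant: the user agent receives the token directly
            token = secrets.token_urlsafe(16)
            self.tokens[token] = (client_id, username)
            return f"{redirect_uri}#access_token={token}&token_type=bearer"
        raise ValueError("unsupported response_type")

    def token(self, grant_type, client_id, client_secret, code):
        """/oauth/token: the confidential client authenticates and swaps the code for tokens."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        if grant_type != "authorization_code":
            raise ValueError("unsupported grant_type")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid or replayed code")
        access, refresh = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[access] = entry
        self.refresh[refresh] = entry  # the refresh token is minted here, not by /oauth/authorize
        return {"access_token": access, "refresh_token": refresh, "token_type": "bearer"}

def code_flow():
    """Full authorization-code exchange: returns the server, the redirect the browser saw, the token response."""
    srv = AuthorizationServer()
    location = srv.authorize("web-app", "code", "https://app.example/cb", "alice", "correct horse")
    code = parse_qs(urlparse(location).query)["code"][0]
    return srv, location, srv.token("authorization_code", "web-app", "s3cret", code)
```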
