Why use Client Credentials flow?


Question


I've been looking at using oauth2 client credentials grant to secure my API (all users will be trusted 3rd parties). I'm following the same approach as paypal here: https://developer.paypal.com/docs/integration/direct/paypal-oauth2/


However, I see that HTTP:// basic auth is used to acquire a bearer token. Then the bearer token is used to secure the API calls.


What I don't understand is, if you're going to trust TLS and http: basic auth to retrieve the bearer token - why not just use http: basic auth for the API calls? What is the benefit of using bearer tokens?

What am I missing?

Answer

According to The OAuth 2.0 Authorization Framework: Bearer Token Usage:


The access token provides an abstraction, replacing different authorization constructs (e.g., username and password, assertion) for a single token understood by the resource server. This abstraction enables issuing access tokens valid for a short time period, as well as removing the resource server's need to understand a wide range of authentication schemes.


The server that is authorizing the request and giving you the Bearer Token, may be different from the server that actually controls the resources that you are trying to access.


As per the RFC, they have been shown as two different entities. The one giving you the Bearer Token is the Authorization Server and the one serving the resources is the Resource Server.
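The two roles the answer separates, as an added example that is not part of the question or answer: an authorization server authenticates the client with HTTP Basic and issues a short-lived signed bearer token, and a resource server that holds no client secrets verifies only the token's signature and expiry. Every client id, secret and signing key below is constructed for the example, and the token is a simplified HMAC-signed JSON blob rather than a standard JWT.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: registered clients live only on the authorization server.
CLIENTS = {"demo-client": "demo-client-secret", "other-client": "other-secret"}
TOKEN_SIGNING_KEY = b"constructed-signing-key"  # shared by authorization and resource servers
TOKEN_LIFETIME = 600  # seconds; bearer tokens are short-lived by design

def basic_header(client_id, secret):
    """HTTP Basic Authorization header a client sends to the token endpoint."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def token_endpoint(authorization, form, now=None):
    """Authorization server: checks the client's Basic credentials, issues a bearer token."""
    scheme, _, cred = authorization.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(cred).decode().partition(":")
    except ValueError:
        client_id, secret = "", ""
    expected = CLIENTS.get(client_id, "")
    if scheme != "Basic" or not expected or not hmac.compare_digest(secret.encode(), expected.encode()):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    now = int(time.time()) if now is None else now
    payload = json.dumps({"client_id": client_id, "exp": now + TOKEN_LIFETIME}, sort_keys=True).encode()
    sig = hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest()
    token = base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}

def resource_server(authorization, now=None):
    """Resource server: verifies only signature and expiry; it holds no client secrets
    and rejects Basic credentials, so a leaked token is bounded by its lifetime."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or token.count(".") != 1:
        return 401, {"error": "invalid_token"}
    payload_b64, sig_b64 = token.split(".")
    try:
        payload, sig = base64.urlsafe_b64decode(payload_b64), base64.urlsafe_b64decode(sig_b64)
        claims = json.loads(payload)
    except ValueError:
        return 401, {"error": "invalid_token"}
    if not hmac.compare_digest(hmac.new(TOKEN_SIGNING_KEY, payload, hashlib.sha256).digest(), sig):
        return 401, {"error": "invalid_token"}
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return 401, {"error": "invalid_token", "error_description": "expired or malformed"}
    return 200, {"caller": claims.get("client_id"), "resource": "protected data"}
```

Because the resource server never learns the client secret, revoking or rotating that secret happens in one place, and the worst case for a captured token is its remaining lifetime.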
