OAuth2: query string vs. fragment


Question


Just noticed that in OAuth2 when the requested grant type is: "code" the callback contains it in the query string parameters (after '?'). However, when the grant is "token" it is passed as a fragment (after '#').


This looks to be part of a spec (http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2)


What could be a rationale behind such decision?

Thanks, Piotr

Recommended answer


When your browser gets redirected by a website to a URL with a query parameter, the query string is also part of the request that your browser now sends to the host. Fragments are only evaluated locally by your web browser and not included into the request to the host.


In case of the Authorization Code Grant, where you typically have a web application that directly talks to a provider, sending the data to the host is exactly what you need:

  • The web application redirects your browser to the provider where you log in.
  • The provider now tells your browser a callback URL of the web application and appends an authorization code. This code has to be sent to the web application, so it is included as a query parameter into the request to the callback URL.
  • The web application now itself talks to the provider in the background and verifies with the authorization code that it is indeed allowed to query the provider for an access token.


In case of the Implicit Grant, you typically have some JavaScript application running directly in your browser. There's no need to pass any authorization code to the host, and in most cases there's also no need to send the access token to the host, as the JS in the browser can talk directly to the provider. This way you could, e.g., create a website on a server that uses information queried from another provider with consent from the user, where the server never gets access to any confidential data of the user (assuming a trusted website that doesn't send the access token to the server).
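The mechanics described in the answer, as an added example that is not part of the original answer: a provider-side helper that places the result in the query component for the "code" grant and in the fragment for the "token" grant (per draft-ietf-oauth-v2 sections 4.1.2 and 4.2.2), a function showing the request-target the browser actually puts on the wire when it follows the redirect (origin-form, RFC 7230 section 5.3.1: path and query only, never the fragment), and a client-side parser that reads either location and checks the `state` value. The redirect URI, token values and state are constructed sample data; the function names are assumptions of this example.

```javascript
// Added example (not from the original answer): where OAuth2 puts the
// authorization response and what the browser sends to the server.
// Redirect URI, code, token and state below are constructed sample values.

// Build the redirect the provider sends the browser back to.
// grant === 'code'  -> parameters in the query component (reaches the server)
// grant === 'token' -> parameters in the fragment component (stays in browser)
function buildCallbackRedirect(redirectUri, grant, params) {
  const url = new URL(redirectUri);
  const qs = new URLSearchParams(params);
  if (grant === 'code') {
    // Keep any query the client registered and append code/state to it.
    for (const [k, v] of qs) url.searchParams.set(k, v);
  } else if (grant === 'token') {
    // Fragment: the browser never transmits this part to any host.
    url.hash = qs.toString();
  } else {
    throw new Error(`unsupported grant: ${grant}`);
  }
  return url.toString();
}

// The request-target the browser puts on the request line when following the
// redirect (origin-form, RFC 7230 section 5.3.1). The fragment is dropped, so
// an access token delivered in the fragment never shows up in server logs.
function requestTargetSentToServer(fullUrl) {
  const url = new URL(fullUrl);
  return url.pathname + url.search;
}

// What a script running in the browser can recover from the same URL.
// Prefers the fragment (implicit grant) and falls back to the query (code
// grant). `expectedState` is the value the client generated before redirecting
// and must match, otherwise the response is rejected.
function parseCallbackInBrowser(fullUrl, expectedState) {
  const url = new URL(fullUrl);
  const raw = url.hash ? url.hash.slice(1) : url.search.slice(1);
  const out = Object.fromEntries(new URLSearchParams(raw).entries());
  if (out.state !== expectedState) {
    throw new Error('state mismatch: response not bound to this session');
  }
  return out;
}

// Demonstration with constructed values.
const codeRedirect = buildCallbackRedirect(
  'https://app.example/cb?existing=1', 'code',
  { code: 'SplxlOBeZQQYbYS6WxSbIA', state: 'xyz' });
const tokenRedirect = buildCallbackRedirect(
  'https://app.example/cb', 'token',
  { access_token: '2YotnFZFEjr1zCsicMWpAA', token_type: 'bearer',
    expires_in: '3600', state: 'xyz' });

console.log('code grant, server sees: ', requestTargetSentToServer(codeRedirect));
console.log('token grant, server sees:', requestTargetSentToServer(tokenRedirect));
console.log('token grant, browser sees:', parseCallbackInBrowser(tokenRedirect, 'xyz'));
```

Run it with `node` and compare the two "server sees" lines: the code grant's request-target carries `code` and `state`, while the implicit grant's request-target is just `/cb`, because the browser strips the fragment before sending the request.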
