为什么 OAuth 提供访问令牌和访问令牌秘密?为什么不只是一个值? [英] Why does OAuth provide both an access token and an access token secret? Why not just a single value?

问题描述

为什么 OAuth 将访问令牌和访问令牌秘密作为两个单独的值包含在内?作为消费者或 OAuth，我所看到的所有建议都表明我应该将令牌和秘密存储在一起，并且基本上将它们视为一个值.

Why does OAuth include both an access token and an access token secret as two separate values? As a consumer or OAuth, all of the recommendations that I have seen indicate that I should store the token and secret together and essentially treat them as one value.

那么为什么规范首先需要两个值?

So why does the specification require two values in the first place?

推荐答案

实际上，访问令牌的秘密永远不会传输给提供者.相反，请求会传输访问令牌，然后使用密钥对请求进行签名.这就是您需要两者的原因:一个用于识别，一个用于保护

Actually, the access token secret is never transmitted to the provider. Instead, requests transmit the access token, and then use the secret to sign the request. That is why you need both: one to identify, and one to secure

这篇关于为什么 OAuth 提供访问令牌和访问令牌秘密?为什么不只是一个值?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！