Spring oauth2 scope vs authorities (roles)
Question
I'm using Spring Security OAuth2 and currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JDBCTokenStore and the database schema has an oauth_client_details table.
Also,
In the oauth_client_details table, I'm not sure what the following fields are used for:
web_server_redirect_url, access_token_validity, refresh_token_validity
Some clarification would be very helpful and appreciated.
Recommended answer
"I noticed a client has both scope and authorities"
The client only has scope, but we can consider/use it as an authority (roles). This is because the OAuth2 spec doesn't explain the specific usage of scope.
Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have a scope write_facebook_status. Although the user has the authority to change their own profile, this doesn't mean that Twitter can also change the user's profile. In other words, scopes are client authorities/roles, not the user's authorities/roles.
web_server_redirect_url
This will be used by the authorization server to redirect the request to its original URL or callback (authorization grant) after successful authorization.
access_token_validity
This is the access_token expiration time in seconds. Set to -1 or 0 for infinite. If you set it to 60, then after 1 minute your access_token will be invalid. You have to either request a new token by going through the authorization process again or use the refresh_token.
refresh_token_validity
This is the refresh_token expiration time.