Spring oauth2 scope vs authorities (roles)


Question

I'm using Spring Security OAuth2 and have currently implemented the client_credentials and password grant types. I noticed a client has both scope and authorities. Can someone please explain what the difference is? To be more specific, I'm using the JDBCTokenStore and the database schema has an oauth_client_details table.

Also,

In the oauth_client_details table, I'm not sure what the following fields are used for:

web_server_redirect_url, access_token_validity, refresh_token_validity

Some clarification would be very helpful and appreciated.

Recommended answer

"I noticed a client has both scope and authorities"

The client only has scope, but we can consider/use it as an authority (roles). This is because the OAuth2 spec doesn't explain the specific usage of scope.

Consider this: a user authorizes Twitter to post the user's tweets to Facebook. In this case, Twitter will have a scope write_facebook_status. Although the user has the authority to change their own profile, this doesn't mean that Twitter can also change the user's profile. In other words, scopes are the client's authorities/roles, not the user's authorities/roles.

web_server_redirect_url

This will be used by the authorization server to redirect the request to its original URL or callback (authorization grant) after successful authorization.

access_token_validity

This is the token_access expiration time in seconds. Set to -1 or 0 for infinite. If you set it to 60, then after 1 minute your token_access will be invalid. You have to either request a new token by going through the authorization process or use the refresh_token.

refresh_token_validity

This is the refresh_token expiration time.
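As an added illustration of the answer's point (this is example code, not from the question or the answer), the Twitter-to-Facebook client is registered with Spring Security OAuth2's in-memory client builder, whose setters correspond to the oauth_client_details columns the question asks about, and a resource server rule then checks the client's scope separately from the user's roles. The client id, secret, redirect URI, endpoint paths and the second scope write_profile are invented for the example.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

// Authorization server side: one hypothetical client. Each builder call below maps to a
// column of oauth_client_details, so the same registration could be stored via JDBC instead.
@Configuration
@EnableAuthorizationServer
class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("twitter-app")                        // client_id (hypothetical)
            .secret("{noop}CHANGE-ME")                        // client_secret; {noop} = Spring Security 5 plain-text encoder id
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("write_facebook_status")                  // scope: what the client may do on the user's behalf
            .authorities("ROLE_TRUSTED_CLIENT")               // authorities: the client's own roles, used by client_credentials
            .redirectUris("https://twitter.example/callback") // web_server_redirect_url: callback after the user consents
            .accessTokenValiditySeconds(60)                   // access_token_validity: token expires after 1 minute
            .refreshTokenValiditySeconds(86400);              // refresh_token_validity: refresh_token usable for one day
    }
}

// Resource server side (Facebook's API in the example): authorize on the delegated scope,
// not on the roles the end user happens to hold.
@Configuration
@EnableResourceServer
class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            // Posting a status needs the scope the user delegated to the client.
            .antMatchers(HttpMethod.POST, "/facebook/status")
                .access("#oauth2.hasScope('write_facebook_status')")
            // Editing the profile is something the user can do, but the client was never
            // granted write_profile, so a token carrying only write_facebook_status is
            // refused here even though the user itself has the USER role.
            .antMatchers(HttpMethod.PUT, "/facebook/profile")
                .access("#oauth2.hasScope('write_profile') and hasRole('USER')")
            .anyRequest().authenticated();
    }
}
```

With this setup a client_credentials token for twitter-app carries ROLE_TRUSTED_CLIENT as its authorities, while a token obtained through the authorization_code flow carries the user's roles plus the write_facebook_status scope, which is what the profile rule keys on.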
