Is the OAuth2 model suitable for an official (first-party) app?

哎哎哎哎啊 posted on 2015/06/25 15:10
Views 743
Favorites 0

I've been reading about OAuth2 recently and have a question: is the OAuth2 model suitable for an official (first-party) app? An official app should be able to access all of the APIs, and in a client like Taobao's the user logs in directly. How is that different from the Resource Owner Password Credentials Grant described in OAuth2?

0
battyman

The main reason to use OAuth2 is to make it easy for third parties to integrate, which helps grow the user base quickly; this is the so-called Link (partner-account login). Of course OAuth2 provides four authorization methods, each suited to a different scenario. As for an official app, it can actually also be treated as a third-party app, and the authorization method can be the third one, username/password credentials (Resource Owner Password Credentials Grant). This type of credential requires us to trust the application enough that we are willing to hand our username and password to it for login; for an app we don't trust as much, we would use the first method, Authorization Code grant, which redirects to an OAuth login page that you implement, for example partner-account login.

Attached from the official doc:

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form). It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

Authorization steps:

Resource Owner Password Credentials Flow

  1. The resource owner provides the client with its username and password.

  2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.

  3. The authorization server authenticates the client and validates the resource owner credentials, and if valid, issues an access token.
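The three steps above, modelled as an added example (not code from the original post or from any OAuth library): `client_request` builds what the client sends in steps 1 and 2, and `token_endpoint` is a minimal authorization-server handler for step 3 that authenticates the client first, then checks the resource owner's credentials, and returns the RFC 6749 error codes on failure. All client ids, users, and secrets are constructed sample data.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry: only hashes of secrets are stored, never plaintext.
# (A real server would use a slow password hash such as bcrypt or Argon2.)
def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

CLIENTS = {"official-app": _h("app-secret")}   # client_id -> hashed client_secret
USERS = {"alice": _h("correct horse")}         # username  -> hashed password
ISSUED = {}                                    # access_token -> (client_id, username, scope)

def _check(store: dict, name: str, secret: str) -> bool:
    # Constant-time comparison against the stored hash; unknown names fail the same way.
    expected = store.get(name)
    return expected is not None and hmac.compare_digest(expected, _h(secret))

def _client_from_basic(auth_header: str):
    # Client authentication via HTTP Basic (RFC 6749 section 2.3.1).
    if not auth_header.startswith("Basic "):
        return None
    try:
        cid, csecret = base64.b64decode(auth_header[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return cid if _check(CLIENTS, cid, csecret) else None

def client_request(client_id, client_secret, username, password):
    """Steps 1-2: the Authorization header and form body the client POSTs to /token."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"grant_type": "password", "username": username, "password": password})
    return "Basic " + basic, body

def token_endpoint(auth_header: str, form_body: str):
    """Step 3: return (HTTP status, JSON body) for a POST to /token."""
    client_id = _client_from_basic(auth_header)      # authenticate the client first
    if client_id is None:
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _check(USERS, form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}     # resource owner credentials rejected
    token = secrets.token_urlsafe(32)              # the password is not retained; only the token is
    ISSUED[token] = (client_id, form["username"], form.get("scope", ""))
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

Because the server authenticates the client before it ever looks at the username and password, a misconfigured or untrusted client gets `invalid_client` and never learns whether the user's credentials were valid.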
