An OpenID Connect JWT token contains an id_token and an access_token (e.g. "access_token": "SlAV32hkKG"). What is the access_token for?
Example answer
Just adding an example to supplement the answer obtained from this linked article.
UserInfo endpoint request:

GET /userinfo HTTP/1.1
Host: openid.c2id.com
Authorization: Bearer SlAV32hkKG

UserInfo endpoint response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "sub" : "alice",
  "email" : "alice@wonderland.net",
  "email_verified" : true,
  "name" : "Alice Adams",
  "picture" : "https://c2id.com/users/alice.jpg"
}
Best answer
The answer to your question is in sections 5.3 and 16.4 of the specification. The access token is used to access the UserInfo endpoint, which is a protected resource.
16.4. Access Token Disclosure
Access Tokens are credentials used to access Protected Resources, as defined in Section 1.4 of OAuth 2.0 [RFC6749]. Access Tokens represent an End-User's authorization and MUST NOT be exposed to unauthorized parties.
[...]
5.3. UserInfo Endpoint
The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication. These Claims are normally represented by a JSON object that contains a collection of name and value pairs for the Claims.
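To make the two answers above concrete, here is an added example (not code from either answer, the question, or the specification) of the protected-resource side: a minimal UserInfo endpoint that accepts the bearer access token from the request shown in the first answer and returns the claims shown in its response. The token store, the user record and the fixed clock value are constructed for the example; the assumption that the token "SlAV32hkKG" was issued with the openid, email and profile scopes is mine, made so that the released claims match the sample response. A real endpoint would validate the token with its issuer (introspection or a signed token) rather than consult a local dictionary.

```python
import json
from typing import Optional

# A fixed "current time" so the example is deterministic (constructed value).
NOW = 1_700_000_000

# Constructed token store standing in for the authorization server's record of
# issued access tokens. A real UserInfo endpoint would validate the token with
# its issuer (introspection or a signed token) instead of a local dict.
TOKEN_STORE = {
    "SlAV32hkKG": {"sub": "alice", "scope": {"openid", "email", "profile"}, "exp": NOW + 3600},
    "expired00": {"sub": "alice", "scope": {"openid"}, "exp": NOW - 1},  # constructed
}

# Constructed claims source behind the endpoint.
USERS = {
    "alice": {
        "email": "alice@wonderland.net",
        "email_verified": True,
        "name": "Alice Adams",
        "picture": "https://c2id.com/users/alice.jpg",
    },
}

REASON = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}


def parse_bearer_token(auth_header: Optional[str]) -> Optional[str]:
    """Extract the token from an RFC 6750 'Authorization: Bearer <token>' header."""
    if not auth_header:
        return None
    parts = auth_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def handle_userinfo(headers: dict, now: int = NOW) -> tuple:
    """Serve GET /userinfo: returns (status, response_headers, claims-or-None)."""
    token = parse_bearer_token(headers.get("Authorization"))
    if token is None:
        # No bearer credential presented: challenge without detail (RFC 6750 section 3).
        return 401, {"WWW-Authenticate": 'Bearer realm="userinfo"'}, None
    record = TOKEN_STORE.get(token)
    if record is None or record["exp"] <= now:
        # Unknown, revoked or expired token: the client must obtain a fresh one.
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
    if "openid" not in record["scope"]:
        # A token that was not issued for OpenID Connect cannot read UserInfo.
        return 403, {"WWW-Authenticate": 'Bearer error="insufficient_scope"'}, None
    # Release only the claims the token's scopes cover (OpenID Connect Core section 5.4).
    user = USERS[record["sub"]]
    claims = {"sub": record["sub"]}
    if "email" in record["scope"]:
        claims.update(email=user["email"], email_verified=user["email_verified"])
    if "profile" in record["scope"]:
        claims.update(name=user["name"], picture=user["picture"])
    return 200, {"Content-Type": "application/json"}, claims


def render_response(status: int, headers: dict, claims: Optional[dict]) -> str:
    """Format the result as the HTTP/1.1 response text a client would see."""
    lines = [f"HTTP/1.1 {status} {REASON[status]}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    body = json.dumps(claims, indent=2) if claims is not None else ""
    return "\r\n".join(lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    request_headers = {"Host": "openid.c2id.com", "Authorization": "Bearer SlAV32hkKG"}
    print(render_response(*handle_userinfo(request_headers)))
```

Running the block prints the same 200 response as the first answer. Presenting no token, an unknown token, or the expired one yields a 401 with a WWW-Authenticate challenge instead, which is the behaviour section 16.4 relies on: the access token is the credential that gates this protected resource, so whoever holds it can read the user's claims, and it must not reach unauthorized parties.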
Regarding "http - What is the OpenID Connect access token for?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/47107299/