我尝试为 Web 服务实现 OAuth 2 提供程序,然后在其上构建 native 应用程序。我还想为第三方开发者提供 API 访问权限。
我已经阅读了 OAuth 2 规范,但无法选择正确的流程。我还想验证 CLI 和 GUI 应用程序。
首先,我们有两种客户类型 - 公开客户和 secret 客户。当然,GUI 和 CLI 应用程序都将是公开的。但这两种类型有什么区别呢?在这种情况下,我需要 client_secret 如果我可以通过更改客户端类型来获取访问 token 而无需它?
我尝试查看 GitHub 等流行服务的一些 API 实现。但他们使用 HTTP 基本身份验证。不确定这是一个好主意。
有什么特别的区别吗?其中一个是否比另一个提高了安全性?
最佳答案
关于公开客户端和保密客户端的区别,参见http://tutorials.jenkov.com/oauth2/client-types.html其中说:
A confidential client is an application that is capable of keeping a client password confidential to the world. This client password is assigned to the client app by the authorization server. This password is used to identify the client to the authorization server, to avoid fraud. An example of a confidential client could be a web app, where no one but the administrator can get access to the server, and see the client password.
A public client is an application that is not capable of keeping a client password confidential. For instance, a mobile phone application or a desktop application that has the client password embedded inside it. Such an application could get cracked, and this could reveal the password. The same is true for a JavaScript application running in the users browser. The user could use a JavaScript debugger to look into the application, and see the client password.
secret 客户端比公共(public)客户端更安全,但由于 secret 客户端运行环境(例如 native 应用程序、浏览器内客户端)的限制,您可能并不总是能够使用 secret 客户端。
关于适用于 native 应用程序的 OAuth 2 - 公共(public)和 secret 客户端类型之间有什么区别?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/30607025/