In the OAuth protocol, the consumer asks the user to authorize a request token in the service provider's domain, and then exchanges that request token for an access token from the service provider.
I would like to know why OAuth was designed to have two tokens in the protocol.
Why not use just one token in the process? That is, the user would authorize a token, and the consumer would use that token to retrieve information from the provider.
Best answer
For usability and security reasons.
https://hueniverse.com/beginners-guide-to-oauth-part-iii-security-architecture-e9394f5263b5
... While mostly an artifact of how the OAuth specification evolved, the two-Token design offers some usability and security features which made it worthwhile to stay in the specification. OAuth operates on two channels: a front-channel which is used to engage the User and request authorization, and a back-channel used by the Consumer to directly interact with the Service Provider. By limiting the Access Token to the back-channel, the Token itself remains concealed from the User. This allows the Access Token to carry special meanings and to have a larger size than the front-channel Request Token which is exposed to the User when requesting authorization, and in some cases needs to be manually entered (mobile device or set-top box).
===
Note that this question is a duplicate of
Why must we "change temporary credentials for token credentials" in OAuth?
If the explanation in the Beginner's Guide is unclear, read @npdoty's take on it.
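The two-channel flow the quoted guide describes, as an added, constructed simulation that is not code from the original answer or from any OAuth library: the request token travels the front-channel and is short enough to type by hand, the access token is minted only on the back-channel and never shown to the user, and the request token is useless against protected resources and single-use after exchange. The class and method names are illustrative assumptions.

```python
import secrets
import hmac

# Constructed simulation of the OAuth 1.0a two-token flow; names are illustrative.
class ServiceProvider:
    def __init__(self):
        self._request_tokens = {}  # token -> {"authorized", "user", "verifier"}
        self._access_tokens = {}   # token -> resource owner

    # Back-channel: consumer obtains an unauthorized request token.
    def issue_request_token(self):
        # Deliberately short (6 hex chars): it may be typed on a set-top box.
        token = secrets.token_hex(3)
        self._request_tokens[token] = {"authorized": False, "user": None, "verifier": None}
        return token

    # Front-channel: the user approves the request token in a browser.
    def authorize(self, request_token, user):
        entry = self._request_tokens[request_token]
        entry["authorized"] = True
        entry["user"] = user
        entry["verifier"] = secrets.token_hex(4)  # OAuth 1.0a verifier
        return entry["verifier"]

    # Back-channel: consumer trades the authorized request token for an access token.
    def exchange(self, request_token, verifier):
        entry = self._request_tokens.get(request_token)
        if entry is None or not entry["authorized"]:
            raise PermissionError("request token not authorized")
        if not hmac.compare_digest(entry["verifier"], verifier):
            raise PermissionError("bad verifier")
        del self._request_tokens[request_token]  # single use
        # Long and opaque; it only ever exists on the back-channel.
        access_token = secrets.token_urlsafe(32)
        self._access_tokens[access_token] = entry["user"]
        return access_token

    # Protected resource: only an access token is accepted here.
    def get_resource(self, token):
        if token not in self._access_tokens:
            raise PermissionError("not an access token")
        return {"owner": self._access_tokens[token]}


def run_flow(provider, user="alice"):
    """Run the full dance and return (request_token, access_token, resource)."""
    rt = provider.issue_request_token()
    verifier = provider.authorize(rt, user)  # user-facing step
    at = provider.exchange(rt, verifier)      # consumer-facing step
    return rt, at, provider.get_resource(at)
```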
Regarding "oauth - Why is OAuth designed to have a request token and an access token?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/3584718/