Section 4.3.2 of RFC 6749 (which describes the "Resource Owner Password Credentials Grant" flow of the OAuth2 authorization framework) states:
If the client type is confidential or the client was issued client
credentials (or assigned other authentication requirements), the
client MUST authenticate with the authorization server as described
in Section 3.2.1.
I can't seem to find a reference for what a "confidential client" is. From this it appears that non-confidential clients are allowed to participate in the "Resource Owner Password Credentials Grant" flow (4.3), i.e. clients that do not (and cannot) authenticate themselves with the authorization server.
Is that correct?
Best answer
See the client types section, where a "confidential client" is defined as follows:
Clients capable of maintaining the confidentiality of their credentials (e.g., client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
Cloud Foundry's command-line cf application is an example of a "public" (i.e. non-confidential) client that uses the password grant.
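The difference the answer describes, as an added example that is not part of the original question, the answer, the RFC or Cloud Foundry's code: a client builds the password-grant token request either as a confidential client (authenticating with HTTP Basic per RFC 6749 2.3.1) or as a public client (sending only its client_id in the body), and the authorization server enforces the 4.3.2 rule that a client which was issued credentials MUST authenticate, while a merely identified public client is still allowed through. The client registry, client names, secrets and user credentials are constructed for this example.

```python
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed client registry for this example (not real Cloud Foundry data):
# one confidential client that was issued a secret, one public client that was not.
REGISTERED_CLIENTS = {
    "backend-service": {"type": "confidential", "secret": "s3cr3t"},
    "cf-cli": {"type": "public", "secret": None},
}


def build_password_grant_request(client_id, username, password, client_secret=None):
    """Return (headers, body) for a password-grant token request (RFC 6749 4.3.2).

    A confidential client authenticates with HTTP Basic as in 2.3.1 (client_id and
    secret form-urlencoded, then base64); a public client only identifies itself
    by putting client_id in the request body.
    """
    params = {"grant_type": "password", "username": username, "password": password}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    else:
        params["client_id"] = client_id
    return headers, urlencode(params)


def _parse_basic_auth(headers):
    """Return (client_id, client_secret) from an HTTP Basic header, or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    cid, secret = decoded.split(":", 1)
    return unquote(cid), unquote(secret)


def authorize_token_request(headers, body, registry=REGISTERED_CLIENTS):
    """Authorization-server side: decide whether this client may use the grant.

    Returns (True, client_id) when the request is acceptable, otherwise
    (False, error_code) using the error codes of RFC 6749 5.2.
    """
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if params.get("grant_type") != "password":
        return False, "unsupported_grant_type"
    if "username" not in params or "password" not in params:
        return False, "invalid_request"

    creds = _parse_basic_auth(headers)
    if creds is not None:
        client_id, presented_secret = creds
    else:
        client_id, presented_secret = params.get("client_id"), None

    client = registry.get(client_id)
    if client is None:
        return False, "invalid_client"

    if client["type"] == "confidential":
        # Issued credentials => MUST authenticate (4.3.2); a bare client_id is not enough.
        if presented_secret is None or not hmac.compare_digest(
            presented_secret.encode(), client["secret"].encode()
        ):
            return False, "invalid_client"
    # A public client is only identified, never authenticated: the server cannot
    # tell genuine client software from an impostor presenting the same client_id.
    return True, client_id
```

The public-client branch is the practical point of the answer: the server accepts the request on the strength of the resource owner's username and password alone, which is why RFC 6749 4.3 restricts this grant to clients the resource owner already trusts highly, and why a confidential client that omits its secret is rejected rather than silently downgraded to public.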
Regarding "oauth - Are client credentials optional in the OAuth2 Resource Owner Password Credentials Grant flow?", a similar question was found on Stack Overflow: https://stackoverflow.com/questions/19567519/