OAuth 2.0授权框架中文版 [4.4] - 客户端凭证模式
4.4 客户端凭证模式 - Client Credentials Grant
客户端可以仅通过客户端凭证(或其它受支持的认证方式)来请求访问令牌,用于访问其可控范围内的受保护资源,此外,也可以访问跟其他的与授权服务器提前协商好的资源所有者的受保护资源(超出本规范的讨论范围)。
The client can request an access token using only its client
credentials (or other supported means of authentication) when the
client is requesting access to the protected resources under its
control, or those of another resource owner that have been previously
arranged with the authorization server (the method of which is beyond
the scope of this specification).
只有非公开客户端,才能使用客户端凭证授权方式。
The client credentials grant type MUST only be used by confidential
clients.
图6包含如下步骤:
(A) 客户端向授权服务器发起认证并请求获取访问令牌。
(B) 授权服务器验证客户端身份,如果通过,则签发访问令牌。
The flow illustrated in Figure 6 includes the following steps:
(A) The client authenticates with the authorization server and
requests an access token from the token endpoint.(B) The authorization server authenticates the client, and if valid,
issues an access token.
4.4.1 授权请求和响应 - Autorization Request and Response
使用客户端凭证模式时,不需要发起授权请求。
Since the client authentication is used as the authorization grant,
no additional authorization request is needed.
4.4.2 访问令牌请求
客户端需要如附录B中的描述,将如下参数按照"application/x-www-form-urlencoded"进行拼装,并以UTF-8进行编码,放置在HTTP的请求体中,来访问令牌端点:
grant_type
必须。值为"client_credentials"。
scope
可选。如章节3.3所述的请求范围。
The client makes a request to the token endpoint by adding the
following parameters using the “application/x-www-form-urlencoded”
format per Appendix B with a character encoding of UTF-8 in the HTTP
request entity-body:grant_type
REQUIRED. Value MUST be set to “client_credentials”.scope
OPTIONAL. The scope of the access request as described by
Section 3.3.
客户端需要如章节3.2.1所述进行客户端认证。
The client MUST authenticate with the authorization server as
described in Section 3.2.1.
比如,客户端通过TLS发起如下的HTTP请求:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
For example, the client makes the following HTTP request using
transport-layer security (with extra line breaks for display purposes
only):POST /token HTTP/1.1 Host: server.example.com Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW Content-Type: application/x-www-form-urlencoded grant_type=client_credentials
授权服务器必须对客户端进行认证。
The authorization server MUST authenticate the client.
4.4.3 访问令牌响应
如果访问令牌请求有效且授权通过,则授权服务器按照5.1所述签发访问令牌(不得签发刷新令牌)。如果请求无效或授权失败,则如5.2所述返回错误响应。
If the access token request is valid and authorized, the
authorization server issues an access token as described in
Section 5.1. A refresh token SHOULD NOT be included. If the request
failed client authentication or is invalid, the authorization server
returns an error response as described in Section 5.2.