OAuth 2.0 Authorization Framework (Chinese translation) [9] - Native Applications

9. Native Applications

Native applications are clients installed and executed on the device used by the resource owner (i.e., desktop application, native mobile application). Native applications require special consideration related to security, platform capabilities, and overall end-user experience.

The authorization endpoint requires interaction between the client and the resource owner's user-agent. Native applications can invoke an external user-agent or embed a user-agent within the application. For example:

  • External user-agent - the native application can capture the response from the authorization server using a redirection URI with a scheme registered with the operating system to invoke the client as the handler, manual copy-and-paste of the credentials, running a local web server, installing a user-agent extension, or by providing a redirection URI identifying a server-hosted resource under the client's control, which in turn makes the response available to the native application.

  • Embedded user-agent - the native application obtains the response by directly communicating with the embedded user-agent by monitoring state changes emitted during the resource load, or accessing the user-agent's cookie storage.

When choosing between an external or embedded user-agent, developers should consider the following:

  • An external user-agent may improve completion rate, as the resource owner may already have an active session with the authorization server, removing the need to re-authenticate. It provides a familiar end-user experience and functionality. The resource owner may also rely on user-agent features or extensions to assist with authentication (e.g., password manager, 2-factor device reader).

  • An embedded user-agent may offer improved usability, as it removes the need to switch context and open new windows.

  • An embedded user-agent poses a security challenge because resource owners are authenticating in an unidentified window without access to the visual protections found in most external user-agents. An embedded user-agent educates end-users to trust unidentified requests for authentication (making phishing attacks easier to execute).

When choosing between the implicit grant type and the authorization code grant type, the following should be considered:

  • Native applications that use the authorization code grant type SHOULD do so without using client credentials, due to the native application's inability to keep client credentials confidential.

  • When using the implicit grant type flow, a refresh token is not returned, which requires repeating the authorization process once the access token expires.
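The following is an added example, not text from RFC 6749 and not code from this page's author. It ties together two of the points above: an external user-agent whose redirect is captured by "running a local web server" on the loopback interface, and the authorization code grant used by a native client without client credentials (client_id is sent, client_secret is not). The endpoint URLs (`https://auth.example/...`), the client_id `native-app-demo`, the scope `profile`, and the authorization code string are all placeholders or constructed samples; the "browser" in the demo is an in-process HTTP request standing in for the real external user-agent, so the whole thing runs offline.

```python
# Added example, not RFC 6749 text or this page's own code; endpoint URLs,
# client_id and scope are placeholders.
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Authorization request for the code grant (RFC 6749 section 4.1.1)."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state}  # state binds the later redirect to us
    return auth_endpoint + "?" + urlencode(params)


def parse_redirect(path, expected_state):
    """Return the code from a redirect; ValueError on state mismatch, error or no code."""
    query = parse_qs(urlparse(path).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: redirect is not bound to our request")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


def build_token_request(token_endpoint, code, redirect_uri, client_id):
    """Token request (section 4.1.3) for a public client: client_id but no
    client_secret, because a native application cannot keep one confidential."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}
    return token_endpoint, urlencode(body).encode()


class LoopbackReceiver:
    """One-shot HTTP server on 127.0.0.1 that accepts a single redirect."""
    def __init__(self, expected_state, timeout=10):
        self.code = self.failure = None
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                try:
                    receiver.code = parse_redirect(self.path, expected_state)
                    status, body = 200, b"Authorization complete; you may close this window."
                except ValueError as exc:
                    receiver.failure = str(exc)
                    status, body = 400, b"Authorization failed."
                self.send_response(status)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):
                pass  # keep the console quiet

        # Port 0: the OS picks a free port; the redirect URI is derived from it.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.server.timeout = timeout  # handle_request() gives up after this

    @property
    def redirect_uri(self):
        return "http://127.0.0.1:%d/callback" % self.server.server_address[1]

    def wait_for_code(self):
        """Serve exactly one request (or time out), then stop listening."""
        try:
            self.server.handle_request()
        finally:
            self.server.server_close()
        if self.failure or self.code is None:
            raise ValueError(self.failure or "no redirect received before timeout")
        return self.code


def loopback_flow_demo(code_from_server="SplxlOBeZQQYbYS6WxSbIA", tamper_state=False):
    """Full run with an in-process stand-in for the external browser; the code is
    the sample string from RFC 6749, not a real credential. Returns the token
    request (endpoint, form body), or None if the redirect was rejected."""
    state = secrets.token_urlsafe(32)
    receiver = LoopbackReceiver(state)
    print("open in the system browser:", build_authorization_url(
        "https://auth.example/authorize", "native-app-demo", receiver.redirect_uri, "profile", state))
    returned = "attacker-chosen" if tamper_state else state
    redirect = receiver.redirect_uri + "?" + urlencode({"code": code_from_server, "state": returned})

    def browser():  # what the real user-agent does once the user consents
        try:
            urllib.request.urlopen(redirect).read()
        except urllib.error.HTTPError:
            pass  # the receiver answers 400 to a rejected redirect

    threading.Thread(target=browser, daemon=True).start()
    try:
        code = receiver.wait_for_code()
    except ValueError as exc:
        print("rejected:", exc)
        return None
    return build_token_request("https://auth.example/token", code, receiver.redirect_uri, "native-app-demo")
```

`loopback_flow_demo()` walks the happy path; `loopback_flow_demo(tamper_state=True)` shows the receiver refusing a redirect whose state was not issued for this run, which is the check that keeps an attacker from injecting a code of their choosing into the local listener. Two caveats a practitioner should carry beyond this section: the redirect URI is generated after binding, so it must be registered with the authorization server as a loopback URI with a variable port, and RFC 6749 predates PKCE (RFC 7636); RFC 8252, which now governs native apps, requires PKCE on top of the code grant shown here and recommends the loopback redirect over custom URI schemes.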
