Key terminology in OAuth 2.0
Excerpted from the book OAuth 2.0 Identity and Access Management Patterns
Roles
Resource owner
A resource owner is an entity that is capable of granting access to a protected resource.
Resource server
A resource server is the one that serves the protected resources, which a client application accesses by making authorized requests.
Authorization server
The authorization server asks the resource owner (the user) to confirm whether the client should be authorized to access the resource.
Client
A client is an application that makes requests to protected resources on the resource server on behalf of the resource owner (the user). Client applications include web applications, desktop applications, mobile applications, and so on.
Authorization flow
OAuth 2.0 grant flows
The biggest difference between OAuth 2.0 and OAuth 1.0 is that OAuth 2.0 defines several grant flows:
- Authorization code grant flow: commonly used by web applications, and the most popular flow
- Implicit grant flow: generally used by client applications that cannot keep a secret secure, and often by applications that only need read-only access to data
- Resource owner password credentials grant flow (password grant): the only flow that uses the resource owner's username and password to obtain an access_token; also commonly used as a migration path to OAuth 2.0
- Client credentials grant flow: used by client applications that request access to a service on their own behalf rather than on behalf of a resource owner; very helpful for calling API services that have no user
Tokens
There are two kinds of token in OAuth 2.0: access_token and refresh_token.
Access token
To request access to a protected resource, the client's first step is to obtain an access token; in other words, the client application must first be authorized by the user. A typical access token response:
{
"access_token":"exampleAccessTokenValue",
"expires_in":3600,
"scope":"exampleScopeValue",
"state":"exampleStateValue",
"refresh_token":"exampleRefreshTokenValue"
}
Refresh token
An access token expires; a refresh token is normally used to obtain a new, valid access token.
Clients and endpoints
Client types
- Confidential client: these client applications are capable of keeping their credentials confidential, for example applications running on servers in secure/restricted environments
- Public client: these client applications are not capable of keeping their credentials secure, for example pure JavaScript applications that run directly in the browser, or mobile applications where the application logic lives in a WebView
Clients are generally divided into three categories:
- Web application: a confidential client
- User-agent-based application: a public client
- Native application: a public client
Endpoints
An endpoint is an HTTP URL string that defines the address to be used in a certain request by an entity capable of making requests.
OAuth 2.0 has three important endpoints. Two of them are server endpoints:
- Authorization endpoint: the client uses this endpoint to obtain authorization from the resource owner; if that succeeds, the client is granted authorization. The exception is the implicit grant flow, where the client also obtains the access_token from this endpoint
- Token endpoint: the client uses this endpoint to present its authorization grant and receive an access_token in return
One of them is a client endpoint:
- Redirection (callback) endpoint: the authorization server uses this endpoint to return data carrying the authorization credentials to the client
The server endpoints are usually specified in the code of the client application, and the client endpoint is specified when registering the client with the authorization server.
Access scope
Scope is an optional parameter that a client can include when making a request to the authorization or token endpoints.
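The following Python sketch is an added example, not code from the book or the original post; it walks a confidential web client through the authorization code grant using the two server endpoints, the client's redirection endpoint, the scope and state parameters, and the access/refresh token response described above. All endpoint URLs, client identifiers and token values are constructed placeholders, and the token request is only built, never sent.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: hypothetical server endpoints and client registration.
AUTHORIZATION_ENDPOINT = "https://auth.example.com/authorize"  # server endpoint
TOKEN_ENDPOINT = "https://auth.example.com/token"              # server endpoint
REDIRECT_URI = "https://client.example.com/callback"          # client endpoint
CLIENT_ID = "example-client"


def build_authorization_url(scope, state):
    """Step 1: send the resource owner's browser to the authorization endpoint."""
    params = {"response_type": "code",  # authorization code grant
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state}  # state: session-bound, checked later
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: the server redirects to the client's redirection endpoint with code
    and state; accept the code only if state matches what this client issued."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code, client_secret):
    """Step 3: (url, form body) a confidential client POSTs to the token endpoint.
    Built only, not sent: this example has no network."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI,  # must equal the value used in step 1
            "client_id": CLIENT_ID, "client_secret": client_secret}
    return TOKEN_ENDPOINT, body


def parse_token_response(body, now):
    """Step 4: parse the token endpoint's JSON and record an absolute expiry."""
    token = json.loads(body)
    token["expires_at"] = now + int(token["expires_in"])
    return token


def needs_refresh(token, now, leeway=60):
    """True when the access token has expired or is about to; the client then
    presents refresh_token to the token endpoint for a new access token."""
    return now >= token["expires_at"] - leeway
```

The state check in step 2 is what ties the callback to the session that started the flow; a callback whose state does not match is discarded rather than exchanged.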