AccessToken-->Password Grant

最新推荐文章于 2024-03-26 18:19:31 发布
最新推荐文章于 2024-03-26 18:19:31 发布
阅读量147 收藏
点赞数
原文链接:http://www.cnblogs.com/chucklu/p/10346451.html
版权

https://www.oauth.com/oauth2-servers/access-tokens/password-grant/

The Password grant is used when the application exchanges the user’s username and password for an access token. This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant.

A common use for this grant type is to enable password logins for your service’s own apps. Users won’t be surprised to log in to the service’s website or native application using their username and password, but third-party apps should never be allowed to ask the user for their password.

 

Request Parameters

The access token request will contain the following parameters.

  • grant_type (required) – The grant_type parameter must be set to “password”.
  • username (required) – The user’s username.
  • password (required) – The user’s password.
  • scope (optional) – The scope requested by the application.
  • Client Authentication (required if the client was issued a secret)

If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.

 

Example

The following is an example password grant the service would receive.

POST /oauth/token HTTP/1.1
Host: authorization-server.com
 
grant_type=password
&username=user@example.com
&password=1234luggage
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

See Access Token Response for details on the parameters to return when generating an access token or responding to errors.

 

 

GET /Chuck_WebApi/oauth/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 77e99b5f-d31e-4379-a64c-ddc511d42781
grant_type=passwordusername=adminpassword=passwordundefined=undefined


  https://stackoverflow.com/questions/32616069/customizing-allowed-grant-types-with-oauthauthorizationserver

To allow only the grant types you want it's enough to inherit from OAuthAuthorizationServerProvider. Then you need to override two methods:

  • ValidateClientAuthentication - to validate that the origin of the request is a registered client_id
  • GrantResourceOwnerCredentials - to validate provided username and password when the grant_type is set to password

For more information here is the documentation of GrantResourceOwnerCredentials method:

Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token". If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers. The default behavior is to reject this grant type.

 

需要注意的是:

 

client_credentials

Called when a request to the Token endpoint arrives with a "grant_type" of "password".

This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token".

If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate.

To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token.

The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749\#section-4.3.

 

经过测试,发现下面这个才是有效的

GET /Chuck_WebApi/oauth/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: ce49a101-df6e-4b7c-9217-e112b387b784
grant_type=client_credentialsusername=adminpassword=password

 换了另外一种

GET http://localhost/Chuck_WebApi/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 3b870eb3-1c29-4b5e-9dcd-297e3f582c27
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: localhost
accept-encoding: gzip, deflate
content-length: 75
Connection: keep-alive

grant_type=password&username=admin&password=password&client_id=testClientId

 

转载于:https://www.cnblogs.com/chucklu/p/10346451.html

weixin_30483495
关注
oauth最后的确认按钮_做前后端分离项目前,劝你先了解 OAuth2.0 的四种授权方式...
weixin_34804926的博客
01-14 635
一、OAuth2.0 为何物OAuth 简单理解就是一种授权机制,它是在客户端和资源所有者之间的授权层,用来分离两种不同的角色。在资源所有者同意并向客户端颁发令牌后,客户端携带令牌可以访问资源所有者的资源。OAuth2.0 是OAuth 协议的一个版本,有2.0版本那就有1.0版本,有意思的是OAuth2.0 却不向下兼容OAuth1.0 ,相当于废弃了1.0版本。举个小栗子解释一下什么是 OAu...
NCC2111获取accesstoken--python版
最新发布
wuhaiwenpps的博客
08-19 1128
NCCloud2111获取accesstoken--Python版
Laravel 5.1 + OAuth2 PasswordGrant(密码授权模式)
weixin_33751566的博客
10-22 203
2019独角兽企业重金招聘Python工程师标准>>> ...
CAS OAuth2 源码分析
架构师的成长之路的博客
08-30 1180
转载于:https://www.jianshu.com/p/f0c11eb24f55 2020博客地址汇总 2019年博客汇总 在工程中引入以下依赖,方便看代码: <!-- 开启oauth支持 --> <dependency> <groupId>org.apereo.cas</groupId> <arti
Swagger接入OAuth2认证
qq_42383970的博客
11-22 3503
1.pom依赖 在所要使用Swagger的项目引用Swagger依赖 <dependencies> <dependency> <groupId>io.springfox</groupId> <artifactId>springfox-swagger2</artifactId> <version>2.9.2</version> </depe
Swagger2+oauth2配置
csdn_xsong的博客
01-24 960
导入依赖 <!-- Swagger --> <dependency> <groupId>io.springfox</groupId> <artifactId>springfox-boot-starter</artifactId> <version>3.0.0</version> </d.
Laravel开发-laravel-passport-grant-facebook
08-27
return response()->json(['access_token' => $token->accessToken]); } } ``` 记得在 `routes/web.php` 或 `routes/api.php` 中定义相关路由: ```php Route::get('/login/facebook', 'FacebookController@...
Laravel API Passport认证的安装与配置和获取token及刷新accesstoken
07-22
Route::middleware('auth:api')->prefix('/user')->name('user.')->group(function () { Route::any('/info', 'UserController@info')->name('info'); // ... }); ``` 至此,Laravel API Passport 认证的安装、...
AccessToken.rar
06-19
OAuth 2.0协议是AccessToken的主要应用场景,它定义了四种授权流程:授权码(Authorization Code)流程、简化授权(Implicit Grant)流程、密码凭证(Resource Owner Password Credentials)流程和客户端凭证...
DataX-Web源码Idea编译部署手册源码idea编译部署手册
奇妙的Bug之旅
03-26 1440
分别在datax-admin(datax-web\datax-admin\pom.xml)和datax-executor(datax-web\datax-executor\pom.xml)下面的pom.xml文件中添加文件中添加如下内容。3、将datax-admin下的target/classes/mybatis-mapper下的所有xml文件拷贝进datax-admin-2.1.2.jar下的BOOT-INF\classes\mybatis-mapper下。
SpringBoot攻略十三、spring security oauth2服务端(password密码模式)
java爱分享
08-01 2148
上一篇:【SpringBoot攻略十二、spring security集成】 1、pom.xml添加依赖 <!-- spring-security-oauth2 --> <dependency> <groupId>org.springframework.security.oauth</groupId> <ar...
IDE 中登录 Github 报错 Invalid authentication data. 404 Not Found-Not Found.
tz_zs的博客
08-24 3187
____tz_zs 1、进入Github的token管理页面:https://github.com/settings/tokens 如下图可见,我之前在IDE中使用账号密码登录的Github时,插件帮我自动创建了多个token。 2、点击Generate new token 创建新的token 注意创建token时需勾选repo, gist, read:org, workflow权限。 token只会在创建后展示一次,之后将无法看到,请注意及时复制保存。 参考: https://docs.github.c
git 密码问题解决方案
努力coding
03-17 794
在git上传本地文件,需要输入username and password的时候,会遇到这个问题:remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead. 下面是解决方案: 在github上,你原先的密码凭证从2021年8月13日开始就不能用了,必须使用个人访问令牌(personal access token),就是把你的密码替换
swagger oauth2 php,Springboot Oauth2 集成Swagger2权限验证实战
weixin_32103009的博客
04-16 219
Swagger是什么?能干什么?在这就不展开讲解了。本文主要讲解如何集成OAuth2的Password模式权限验证,验证接口是否具有权限。引入依赖io.springfoxspringfox-swagger22.9.2io.springfoxspringfox-swagger-ui2.9.22.SwaggerConfig配置package com.entfrm.core.swagger.config...
SpringSecurityOAuth2(8) swagger2 集成OAuth2
08-05 1578
GitHub地址 码云地址 swagger是一款优雅的接口api展示工具,在这里我们具体不展开讲解,有兴趣的自行百度。 该篇文章主要讲解的是如何集成OAuth2的验证即在请求中添加token,验证接口是否具有权限。 方式一:在每个请求上加一个Authorization 窗口自己手动输入toke...
oauth2使用password模式获取access_token
热门推荐
吴国凯的博客
05-21 2万+
oauth2获取access_token的几种方式:   简化模式(implicit):在redirect_url中传递access_token,oauth客户端运行在浏览器中。 密码模式(password):将用户名和密码传过去,直接获取access_token。 客户端模式(client credentials):用户向客户端注册,然后客户端以自己的名义向“服务端”获取资源。 授权码...
spring security实战 5-使用密码模式(password grant type)保护资源
weixin_34198797的博客
07-11 1655
写在开篇 本改编课程基于《OAuth 2.0 Cookbook_Protect Your Web Applications using Spring Security-Packt Publishing(2017)》。这本书侧重通过一个个精简的小例子来学习,如何使用spring security和oauth2.0来保护你的资源。 课程从第二...
Oauth支持的5类 grant_type 及说明 authorization_code — 授权码模式(即先登录获取code,再获取token) password — 密码模式(将用户名,密码传
mengzuchao的专栏
12-29 2万+
Oauth支持的5类 grant_type 及说明 authorization_code — 授权码模式(即先登录获取code,再获取token) password — 密码模式(将用户名,密码传过去,直接获取token) client_credentials — 客户端模式(无用户,用户向客户端注册,然后客户端以自己的名义向’服务端’获取资源) impli
OAuth2密码模式提示Unsupported grant type: password
菜鸟的专栏
07-25 1万+
ouath2资源认证服务器已经搭建好,但密码模式访问提示Unsupported grant type: password http://localhost:9001/oauth/token?username=admin&password=admin&grant_type=password&client_id=client&client_secret=secret ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值