Should we check the token in the Authorization Code flow?

Problem description
It's a known problem that Instant Flow struggles from the confused problem, so you have to check whether the access_token you received was given to your application.
I always considered that it's not a problem for the Authorization Code flow, but in this answer it was mentioned that it is not so and you have to verify the token even in the Authorization Token flow.
But honestly I can't figure out a workflow where it's necessary. Like we receive a code and then make a direct request for a token (specifying client_secret). I don't understand how we could be forced to use a wrong token in this flow.
Recommended answer
The answer that you refer to talks about an access_token delivered to a Resource Server. That is also in general where the "confused deputy" issue applies.
In your post you refer to the Authorization Code delivered to the Client. That is different and does not suffer from the same confused deputy attack as described.
It should be noted though that the Authorization Code grant type may be vulnerable to a related attack ("Authorization Server Mixup") if the Client talks to multiple Authorization Servers (AS) somewhat for the same reason: the Client is not able to detect if the Authorization Code is actually issued by the AS that it thinks it talks to. Registering a Redirect URI that is specific for each AS addresses this.
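As an added illustration (not code from the original thread), the two checks the answer separates: the resource-server side check that an access_token was actually issued to this application (the "confused deputy" case), and the client side binding of one redirect URI per Authorization Server so a code arriving at the wrong callback is never exchanged (the "mixup" case). Resource identifiers, AS names and the introspection-style claims are constructed sample data.

```python
"""Defensive checks for the two cases in the answer. All identifiers are constructed."""
from dataclasses import dataclass
from typing import Optional

MY_RESOURCE_ID = "https://api.example.test"   # assumed identifier of our resource server
MY_CLIENT_ID = "my-app"                        # assumed client_id of our application


def token_is_for_us(claims: dict) -> bool:
    """Resource server side: accept an access_token only if it is active, its audience
    names this resource server and it was issued to our own client. A perfectly valid
    token minted for some other client (the confused deputy case) is refused."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if MY_RESOURCE_ID not in aud:
        return False
    if claims.get("client_id") != MY_CLIENT_ID:
        return False
    return bool(claims.get("active", False))


@dataclass(frozen=True)
class AuthServer:
    issuer: str
    token_endpoint: str
    redirect_uri: str   # one distinct callback registered per AS


# Constructed: two Authorization Servers our client is registered with.
AS_BY_REDIRECT = {
    a.redirect_uri: a for a in (
        AuthServer("https://as-a.example.test", "https://as-a.example.test/token",
                   "https://client.example.test/cb/as-a"),
        AuthServer("https://as-b.example.test", "https://as-b.example.test/token",
                   "https://client.example.test/cb/as-b"),
    )
}


def pick_token_endpoint(callback_uri: str, expected_issuer: str) -> Optional[str]:
    """Client side: called when the browser lands on a callback with ?code=... The AS is
    derived from which redirect URI was hit, never from data in the response, and must
    equal the AS the client started the flow with (remembered next to 'state').
    Otherwise the code is dropped and no token request carrying client_secret is made."""
    a = AS_BY_REDIRECT.get(callback_uri)
    if a is None or a.issuer != expected_issuer:
        return None
    return a.token_endpoint
```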