问题描述

我一直在考虑使用oauth2客户端凭据授予来保护我的API(所有用户将成为可信任的第三方).我在这里采用与贝宝相同的方法: https://developer.paypal .com/docs/integration/direct/paypal-oauth2/

I've been looking at using oauth2 client credentials grant to secure my API (all users will be trusted 3rd parties). I'm following the same approach as paypal here: https://developer.paypal.com/docs/integration/direct/paypal-oauth2/

但是，我看到HTTP://basic auth用于获取承载令牌.然后，使用承载令牌来保护API调用的安全.

However, I see that HTTP:// basic auth is used to acquire a bearer token. Then the bearer token is used to secure the API calls.

我不了解的是，如果您要信任TLS和http:基本身份验证来检索承载令牌-为什么不只对API调用使用http:基本身份验证呢?使用不记名令牌有什么好处?

What I don't understand is, if you're going to trust TLS and http: basic auth to retrieve the bearer token - why not just use http: basic auth for the API calls? What is the benefit of using bearer tokens?

我想念什么?

推荐答案

根据 OAuth 2.0授权框架:承载令牌使用情况

授权请求并为您提供Bearer令牌的服务器可能与实际控制您尝试访问的资源的服务器不同.

The server that is authorizing the request and giving you the Bearer Token, may be different from the server that actually controls the resources that you are trying to access.

根据RFC，它们已显示为两个不同的实体.给您Bearer令牌的一个是 Authorization Server ，而为资源提供服务的一个是 Resource Server .

As per the RFC, they have been shown as two different entities. The one giving you the Bearer Token is Authorization Server and the one serving the resources is Resource Server.

这篇关于为什么要使用客户凭证流?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！