Red Hat, Deutsche Telekom and others have published this approach, following the article below and the IETF OAuth mailing list.
> https://aaronparecki.com/oauth-2-simplified/
Implicit was previously recommended for clients without a secret, but has been superseded by using the Authorization Code grant with no secret.
…
Previously, it was recommended that browser-based apps use the “Implicit” flow, which returns an access token immediately and does not have a token exchange step. In the time since the spec was originally written, the industry best practice has changed to recommend that the authorization code flow be used without the client secret. This provides more opportunities to create a secure flow, such as using the state parameter. References: 07001, 07002, 07003.
Below are the messages referenced above.
Red Hat
For our IDP [1], our JavaScript library uses the auth code flow, but requires a public client, redirect_uri validation, and also does CORS checks and processing. We did not like Implicit Flow because
1) access tokens would be in the browser history
2) short lived access tokens (seconds or minutes) would require a browser redirect
Deutsche Telekom
Same for Deutsche Telekom. Our JavaScript clients also use code flow with CORS processing and of course redirect_uri validation.
SMART Health IT
We’ve taken a similar approach for SMART Health IT [1], using the code flow for public clients to support in-browser apps, and <1h token lifetime. (We also allow these public clients to request a limited-duration refresh token by asking for an “online_access” scope; these refresh tokens stop working when the user’s session with the AS ends — useful in systems where that session concept is meaningful.)
Solution
At the end of 2018 the paradigm for public clients (SPA applications) changed substantially. The previously recommended implicit flow was criticised by several of the parties quoted in the original question. In December 2018 two IETF drafts were published that describe possible attack vectors and best practices. Both recommend the authorization code flow instead of the implicit flow.
https://tools.ietf.org/html/draft-ietf-oauth-security-topics-11
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-00