Using a Facebook access token as the resource owner credentials in OAuth2.0

Posted by 随声附和 on 2019-12-12 10:49:47

Question


The OAuth 2.0 specification defines the Resource Owner Password Credentials Grant Type, which allows the resource owner password credentials (i.e. username and password) to be used directly as an authorization grant to obtain an access token.

I want to allow a user to 'login via Facebook' on the client instead of providing the credentials directly. The client could then exchange the user's Facebook access token for an access token for the authorization server. Does this scheme fit into the framework of OAuth2?


Answer 1:


The client could then exchange the user's Facebook access token for an access token for the authorization server.

Does it mean you have 2 Authorization servers (one being Facebook's and the other your own private one) in mind? If yes, you're abusing OAuth and should use the Authorization Code Grant scheme instead.

In Figure 5 of the OAuth 2.0 spec (v25) you can find the workflow definition:

  1. The resource owner provides the client with its username and password.

  2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.

  3. The authorization server authenticates the client and validates the resource owner credentials, and if valid issues an access token.

This is a quote from Facebook http://developers.facebook.com/docs/guides/web/ :

In order to log the user into your site, three things need to happen. First, Facebook needs to authenticate the user. This ensures that the user is who they say they are. Second, Facebook needs to authenticate your website. This ensures that the user is giving their information to your site and not someone else. Lastly, the user must explicitly authorize your website to access their information. This ensures that the user knows exactly what data they are disclosing to your site.

In both places you have one and only one Authorization server, which in your case is Facebook.
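As an added illustration (not code from the original question or answer), here is a minimal token endpoint that follows the three steps of the password grant quoted above: the client authenticates first, then the resource owner's own credentials are validated, and only then is a token issued. The client registration, the user record, the PBKDF2 hashing and the error names are assumptions for the example; a third-party token passed in the password field simply fails step 3.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed registration data for the example (not from the original post).
CLIENTS = {"web-app": "client-secret-123"}
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
ISSUED = {}  # access_token -> (username, client_id, expiry epoch seconds)
TOKEN_TTL = 3600


def token_endpoint(body: str, client_id: str, client_secret: str) -> dict:
    """Handle a Resource Owner Password Credentials request (RFC 6749 sec. 4.3).

    body is the form-encoded request body; client_id/client_secret come from
    HTTP Basic auth. Returns the JSON-style success or error object.
    """
    # Steps 2 and 3: the client must authenticate to the authorization server.
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return {"error": "invalid_client"}

    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "password":
        return {"error": "unsupported_grant_type"}
    username, password = params.get("username"), params.get("password")
    if not username or not password:
        return {"error": "invalid_request"}

    # Step 3: validate the resource owner's credentials against this server's
    # own user store. A token issued by another authorization server (for
    # example a Facebook access token) is not a password and is rejected here.
    stored = USERS.get(username)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is None or not hmac.compare_digest(stored, digest):
        return {"error": "invalid_grant"}

    # Step 3, final part: issue a short-lived bearer token bound to client and user.
    token = secrets.token_urlsafe(32)
    ISSUED[token] = (username, client_id, time.time() + TOKEN_TTL)
    return {"access_token": token, "token_type": "bearer", "expires_in": TOKEN_TTL}
```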



Source: https://stackoverflow.com/questions/10456633/using-a-facebook-access-token-as-the-resource-owner-credentials-in-oauth2-0
