What is the correct flow when using oAuth with the Resource Owners Passwords Credentials Grant

Submitted by 本秂侑毒 on 2020-01-16 19:31:06

Question


I am looking to build a client to my RESTful hypermedia-based API and, after reviewing many options, am leaning towards oAuth* to become the de facto method for authorizing access to the API.

I think I am understanding the overall oauth concepts, i.e. depending on the client (trusted or not) the spec provides several flows in order to "trust" the client (application) from the perspective of the resource owner (user) granting access to the client.

Because the application I am building is directly part of the ecosystem of the service, it will fall under the umbrella of the trusted clients section, so I have decided to implement the Resource Owners Passwords Credentials Grant, but here is where my knowledge gets muddied with the terms and the exact role oAuth is there to provide and my brain shuts off :)

I am thinking this is the flow (with some more technical thoughts):

  1. Via a login form the resource owner supplies their credentials
  2. the details are posted to a server (in this case an express.js app)
  3. the app via some local mechanisms authenticates the user credentials against a store
  4. if the user doesn't exist or fails validation then they are returned to the login
  5. if the user does exist and does pass validation, the mechanism to swap their credentials for a token is started (contacting an oAuth server and swapping the details), which stores the encrypted/hashed info somewhere (redis maybe?)
  6. Once the token is returned it is stored in maybe a session for persistence to the client (i think trello.com do something similar as they have a token cookie but i could be very wrong here)

Is this an acceptable flow? I can't seem to find any examples available and, as a sole developer currently, it would be good to get some feedback.


Answer 1:


No need in the end to define my own flow, this is simply the Resource Owner Password Grant where we exchanged the credentials of the user for an oAuth Token for trusted clients.



Source: https://stackoverflow.com/questions/15806822/what-is-the-correct-flow-when-using-oauth-with-the-resource-owners-passwords-c
