Difference between grant_type=client_credentials and grant_type=password in Authentication Flow?

时光毁灭记忆、已成空白 submitted on 2019-12-01 01:03:16

Question


I would like to understand the difference between grant_type=client_credentials and grant_type=password in Authentication or in the OAuth2 Flow concept. I am following the sites below:

  • http://help.atavist.com/api:authentication
  • http://apiwiki.poken.com/authentication/oauth2

I presume grant_type=password is not a secure way as far as using grant_type in JavaScript development is concerned. But I still wonder; can someone help me to understand this concept?

I also observe that grant_type=client_credentials doesn't provide a "refresh_token", it only provides an access_token, whereas grant_type=password provides both an access_token and a refresh_token.

Hoping to get a detailed explanation. I am using WSO2 API Manager for OAuth2 for my application development.


Answer 1:


Resource owner credentials grant (password grant type)

When this grant is implemented the client itself will ask the user for their username and password (as opposed to being redirected to an IdP authorisation server to authenticate) and then send these to the authorisation server along with the client’s own credentials. If the authentication is successful then the client will be issued with an access token.

This grant is suitable for trusted clients such as a service’s own mobile client (for example Spotify’s iOS app). You could also use this in software where it’s not easy to implement the authorisation code - for example we bolted this authorisation grant into OwnCloud so we could retrieve details about a user that we couldn’t access over LDAP from the university’s Active Directory server.

Client credentials grant

This grant is similar to the resource owner credentials grant except only the client’s credentials are used to authenticate a request for an access token. Again this grant should only be allowed to be used by trusted clients.

This grant is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Another example would be a client making requests to an API that don't require a user's permission.

When someone visits a member of staff’s page on the University of Lincoln staff directory the website uses its own access token (that was generated using this grant) to authenticate a request to the API server to get the data about the member of staff that is used to build the page. When a member of staff signs in to update their profile however their own access token is used to retrieve and update their data. Therefore there is a good separation of concerns and we can easily restrict permissions that each type of access token has.
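The following is an added example, not code from the answer above and not WSO2 API Manager's implementation: a minimal token-endpoint handler that shows what the two grants have in common (the client always authenticates itself) and where they differ (the password grant also verifies a user and binds the token to that user, and only user-bound tokens receive a refresh token, matching the observation in the question and RFC 6749 section 4.4.3). The client names, secrets, user and scopes are constructed sample data; the token store is an in-memory dict.

```python
import hashlib
import hmac
import secrets

# Constructed sample registrations (hypothetical names, not from the original post).
CLIENTS = {
    # A website that calls the API under its own identity: machine-to-machine only.
    "staff-directory-site": {
        "secret": "site-secret",
        "allowed_grants": {"client_credentials"},
        "scopes": {"directory:read"},
    },
    # A trusted first-party app that collects the user's password directly.
    "mobile-app": {
        "secret": "app-secret",
        "allowed_grants": {"password", "refresh_token"},
        "scopes": {"profile:read", "profile:write"},
    },
}
SUPPORTED_GRANTS = {"client_credentials", "password", "refresh_token"}

_SALT = b"constructed-salt"  # demo only; real systems store a random salt per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse")}   # constructed sample user
_DUMMY_HASH = _hash_password("")  # compared against when the user does not exist

# Opaque token string -> what the token represents.
ACCESS_TOKENS: dict = {}
REFRESH_TOKENS: dict = {}


def _authenticate_client(form: dict):
    """Both grants authenticate the client; compare the secret in constant time."""
    client = CLIENTS.get(form.get("client_id", ""))
    supplied = form.get("client_secret", "")
    if client is None or not hmac.compare_digest(client["secret"], supplied):
        return None
    return client


def _issue(sub: str, client_id: str, scope: set, with_refresh: bool) -> dict:
    """Build a token response; only user-bound tokens get a refresh token."""
    access = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = {"sub": sub, "client_id": client_id, "scope": sorted(scope)}
    response = {"access_token": access, "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(scope))}
    if with_refresh:
        refresh = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh] = {"sub": sub, "client_id": client_id, "scope": scope}
        response["refresh_token"] = refresh
    return response


def introspect(access_token: str):
    """Return who an access token acts for (client itself, or a user) and its scope."""
    return ACCESS_TOKENS.get(access_token)


def handle_token_request(form: dict) -> dict:
    """Minimal /token endpoint logic for the grants contrasted in the answer."""
    client = _authenticate_client(form)
    if client is None:
        return {"error": "invalid_client"}
    client_id = form["client_id"]
    grant = form.get("grant_type")
    if grant not in SUPPORTED_GRANTS:
        return {"error": "unsupported_grant_type"}
    if grant not in client["allowed_grants"]:
        return {"error": "unauthorized_client"}

    if grant == "client_credentials":
        # The client acts as itself: no user, no refresh token (it can simply re-authenticate).
        return _issue(client_id, client_id, client["scopes"], with_refresh=False)

    if grant == "password":
        # The client forwards the user's own credentials; the token is bound to that user.
        username = form.get("username", "")
        supplied = _hash_password(form.get("password", ""))
        expected = USERS.get(username, _DUMMY_HASH)  # hash compare even for unknown users
        if username not in USERS or not hmac.compare_digest(expected, supplied):
            return {"error": "invalid_grant"}
        return _issue(username, client_id, client["scopes"], with_refresh=True)

    # refresh_token: lets the app renew a user-bound token without holding the password.
    record = REFRESH_TOKENS.pop(form.get("refresh_token", ""), None)  # rotate on use
    if record is None or record["client_id"] != client_id:
        return {"error": "invalid_grant"}
    return _issue(record["sub"], client_id, record["scope"], with_refresh=True)
```

The refresh grant is included because it explains the asymmetry the question notices: a client-credentials client holds its own secret and can obtain a fresh access token at any time, so a refresh token adds nothing, while a password-grant client should not keep the user's password around and needs a refresh token to renew the session. Introspecting the issued tokens shows the separation of concerns from the answer: the website's token has the client as its subject, the user's token has the user.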



Source: https://stackoverflow.com/questions/34842895/difference-between-grant-type-client-credentials-and-grant-type-password-in-auth
