• ASP.NET OAuth Authorization


     

    What I don't fully understand is the use of ClientId and Secret vs Username and Password. The code I pasted generates a token by username and password and I can work with that token (until it expires), but when I try to get a refresh token, I must have the ClientId.

    Also, if a token expires, the correct way is to send the refresh token and get a new token? What if the refresh token gets stolen? isn't it the same as a username & password getting stolen?

    In OAuth2 is essential to authenticate both the user and the client in any authorization flow defined by the protocol. The client authentication (as you may guess) enforces the use of your API only by known clients. The serialized access token, once generated, is not bound to a specific client directly. Please note that the ClientSecret must be treated as a confidential information, and can be used only by clients that can store this information in some secure way (e.g. external services clients, but not javascript clients).

    The refresh token is simply an alternative "grant type" for OAuth2, and, as you stated correctly, will substitute the username and password pair for a User. This token must be treated as confidential data (even more confidential than the access token), but gives advantages over storing the username & password on the client:

    • it can be revoked by the user if compromised;
    • it has a limited lifetime (usually days or weeks);
    • it does not expose user credentials (an attacker can only get access tokens for the "scope" the refresh token was issued).

    I suggest you to read more about the different grant types defined in OAuth 2 checking in the official draft. I also recommend you this resource I found very useful when firstly implemented OAuth2 in Web API myself.

    Sample requests

    Here are two request examples using fiddler, for Resource Owner Password Credentials Grant:

    and for Refresh Token Grant:

    https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

  • 相关阅读:
    vue学习简单入门
    Python3基础学习
    MySQL数据库索引详解
    使用nginx部署多个前端项目
    基于SpringBoot2.x和tkMapper快速搭建微服务项目脚手架工程
    安装篇-Linux安装maven3.5.2
    安装篇-安装maven3.6.1
    安装篇-安装Idea2019.3.3
    安装篇-jdk1.8安装
    【错误解决】Intellj(IDEA) warning no artifacts configured
  • 原文地址:https://www.cnblogs.com/chucklu/p/10346388.html
Copyright © 2020-2023  润新知