在这两种情况下,用户凭据都将被交换为访问令牌。有人可以解释这个区别吗?
的流量说明• User-Agent Flow – for clients running inside a user-agent (typically a web browser).
• Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
• Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
• Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.
• Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
• Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.
答案 0 :(得分:8)
您在这里混合了客户端和用户凭据。
OAuth上下文中的客户端始终引用获得授权的应用程序。因此,在客户端凭据流中,应用程序直接向提供者授权自己,而无需用户输入任何内容(也称为2-legged flow,因为只涉及两方)。
用户名和密码流是 3-legged-flow 。用户向应用程序提供其用户名和密码,然后应用程序使用这些凭据从提供者请求数据。