"OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" has an entry named application_type whose defined values are native and web:
application_type
OPTIONAL. Kind of the application. The default, if omitted, is web.
The defined values are native or web. Web Clients using the OAuth
Implicit Grant Type MUST only register URLs using the https scheme
as redirect_uris; they MUST NOT use localhost as the hostname. Native
Clients MUST only register redirect_uris using custom URI schemes or
URLs using the http: scheme with localhost as the hostname.
Authorization Servers MAY place additional constraints on Native
Clients. Authorization Servers MAY reject Redirection URI values
using the http scheme, other than the localhost case for Native
Clients. The Authorization Server MUST verify that all the registered
redirect_uris conform to these constraints. This prevents sharing a
Client ID across different types of Clients.
Do these defined values correspond to public and confidential as described in "RFC 6749 (OAuth 2.0), 2.1. Client Types"?
OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):
confidential
Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
restricted access to the client credentials), or capable of secure
client authentication using other means.
public
Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the
resource owner, such as an installed native application or a web
browser-based application), and incapable of secure client
authentication via any other means.
If not, why does the specification (OpenID Connect Dynamic Client Registration 1.0) not define an entry for the client type? Is there a way to specify the client type (public or confidential) at the client registration endpoint?
Answer 0 (score: 5)
If "Native Client" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "native application" in "RFC 6749 (OAuth 2.0), 2.1 Client Types" (yes, apparently it does), a native client is always a public client.
If "Web Client" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "web application" in "RFC 6749 (OAuth 2.0), 2.1 Client Types" but excludes "user-agent-based application", a web client is always a confidential client.
With the interpretation above, application_type=native and application_type=web correspond to public and confidential, respectively.
However, the requirements on application_type:
Web Clients using the OAuth Implicit Grant Type MUST only
register URLs using the https scheme as redirect_uris; they
MUST NOT use localhost as the hostname. Native Clients MUST
only register redirect_uris using custom URI schemes or URLs
using the http: scheme with localhost as the hostname.
have nothing to do with whether the client is "capable of maintaining the confidentiality of its credentials" (from RFC 6749). In other words, redirect URIs are unrelated to how a client is authenticated. Therefore, to me, application type and client type are different concepts.
What is strange is that all OAuth 2.0 clients must comply with one of the 'redirect_uris' requirements (one for Web Clients and the other for Native Clients), and therefore 'web' is used as the default value when application_type is omitted. IMHO, neither 'native' nor 'web' should be assumed when application_type is omitted. But I may be missing something. Is there any reason to impose the 'redirect_uris' requirements on all OpenID Connect clients?
Anyway, my conclusion is that application type and client type are different. I hope client_type (public or confidential) is added to the list of client metadata, and that neither 'native' nor 'web' is used as the default value when application_type is omitted.
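As an added illustration (my own code, not from the question or the answer), here is the check an Authorization Server could run over a registration request to enforce the redirect_uris constraints quoted above. It assumes the request is a dict of the metadata parameters and treats a client as using the Implicit Grant when its registered grant_types include "implicit" (that mapping is my assumption); note that nothing in this check depends on whether the client can keep its credentials confidential, which is exactly the answer's point.

```python
from urllib.parse import urlsplit


def validate_redirect_uris(metadata: dict) -> list:
    """Return the violations of the application_type / redirect_uris rules
    from OIDC Dynamic Client Registration 2. Client Metadata (empty = OK)."""
    # The spec default when application_type is omitted is "web".
    app_type = metadata.get("application_type", "web")
    if app_type not in ("native", "web"):
        return ["unknown application_type %r" % app_type]

    # Assumption: Implicit Grant use is signalled by grant_types.
    uses_implicit = "implicit" in metadata.get("grant_types", [])
    problems = []

    for uri in metadata.get("redirect_uris", []):
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()

        if app_type == "native":
            # Native: custom scheme, or http with hostname localhost.
            if not scheme:
                problems.append("native client: %s has no URI scheme" % uri)
            elif scheme in ("http", "https") and not (
                scheme == "http" and host == "localhost"
            ):
                problems.append(
                    "native client: %s must use a custom scheme or "
                    "http with localhost as hostname" % uri
                )
        elif uses_implicit:
            # Web + Implicit: https only, and never localhost.
            if scheme != "https":
                problems.append("web client (implicit): %s must use https" % uri)
            if host == "localhost":
                problems.append("web client (implicit): %s must not use localhost" % uri)
        # Web without Implicit: the quoted text imposes no constraint; an AS
        # MAY still reject plain http here, but that is a local policy choice.

    return problems
```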