我是OAuth2概念的新手。我想在我的应用程序中实现它。此应用程序提供REST API。我接受了一些教程,做了一些研究,并在我的应用程序中以工作状态实现了它。
但在进行一些搜索时,我读到了OAuth2中不同类型的grant_type。我试图了解这一点,但没有得到实际的差异,我应该用它来保护REST API。
所以我想知道对于grant_type类型“password”,“client_credential”等应该使用哪种情况,或哪些应该用于保护REST API?
同样在某些地方,我发现/oauth/token的请求不同。
有些地方Authorization标题为Basic 'some_encoded_string'。
在某些地方,它是Bearer'seat_encoded_string'。这些要求的区别是什么?
总结一下,我有两个问题 -
对于grant_type类型“password”,“client_credential”等应该使用哪种场景,或哪些应该用于保护REST API?
从/oauth/token请求令牌的方式有何不同。
了解我在实施spring-security-oauth2方面的知识。
答案 0 :(得分:3)
The grant you need to use depends on your use case and the nature of the client application accessing your resources. There isn't a grant that applies a REST APIresource in general. You'd need to provide more information on what the APIs are and how you interact with them.
If a user has to give their permissions for a client to access an API, then you would normally use an "authorization code" grant. If the client accesses the resource directly without the intervention of an end user then it would normally use the "client credentials" grant.
You should avoid using the password grant in most cases, since it means the user has to provide their username and password to the client application. If the application can use another grant, such as authorization code, then that is preferable. A trusted application, such as a native application which the user installs on their computer, would be one situation where the password grant might be used.
A client would normally use "Basic" authentication to access the token endpoint. "Bearer" authentication is use to access a protected resource (such as your API), passing the access token it obtained from the authorization server.
Why do you think you need to use OAuth2 at all? I'm curious since you say you don't understand what the grant types are for. You really need to understand this before you can make a judgement about how you would use OAuth2 or why.