Why does oAuth need access tokens?

Question


Platforms have users with a userId, and the external app can also be represented as a user with a userId. Just as users can grant other users access (read, write etc) to their resources, they can do that with apps, too.

So why can’t an external app simply authenticate its requests with the platform, by using its own userId (API key) and HMAC with the app’s own secret (or sign each request with its private key)? The user can manage permissions / scopes of the “OAuth” app by visiting the same control panel they would by granting any other user access.

What advantage does OAuth have by having this access token? The only advantage I see with access tokens or JWTs is that you can skip the I/O request to the authorization server, like using capabilities rather than Access Control Lists. But isn’t this just less secure — and anyway if you have to check access token revocations, you still have to do the same amount of I/O.

Basically I’m asking why can’t OAuth apps simply skip the access tokens since the platform knows what app is requesting what resource anyway?

Answer 1

Score: 2


In authorization_code flow, it is the user that grants a 3rd party access to their information.

The client acts on behalf of the user, not itself.

Imagine you're using a desktop application or web application that directly talks to an API. If the credentials in the desktop application would be valid for every user that has granted access to the client, it would be a major issue.

For example, I use Thunderbird and it uses OAuth2 to authenticate with Gmail. Gmail sends back an access token that limits Thunderbird to only access my email and not every other email account that has ever given access.
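The distinction the answer draws (the client acting on behalf of one user versus the app authenticating as itself) can be made concrete with a toy resource server. The following is an added example, not code from the question, the answer or any OAuth library; every name, secret, mailbox and the `mailclient` app are constructed for illustration. Model A is the questioner's proposal: the app signs each request with its own secret (HMAC) and names the user whose data it wants. Model B is the OAuth shape the answer describes: the authorization server issues a token bound to one (user, client, scopes) grant, and the resource server takes the user from the grant, never from the request. The token store lookup also stands in for the revocation check the question mentions.

```python
"""Toy resource server contrasting an app-only credential with a per-user access token.

Constructed example. Model A: the app proves only *who it is*; the user_id comes
from the request, so whoever holds the app secret reaches every consenting user.
Model B: an opaque token resolves server-side to a grant (user, client, scopes);
one token reaches one user's data and can be revoked without rotating the app secret.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed fixtures: one app, two users who both consented to it.
CLIENT_SECRETS = {"mailclient": b"constructed-client-secret"}
CONSENTS = {
    ("alice", "mailclient"): {"mail:read"},
    ("bob", "mailclient"): {"mail:read"},
}
MAILBOXES = {"alice": ["alice-msg-1"], "bob": ["bob-msg-1"]}


# ---- Model A: app credential only (the question's proposal) -----------------
def sign_request(client_id, user_id, path):
    """HMAC over the request fields with the app's own secret."""
    msg = f"{client_id}|{user_id}|{path}".encode()
    return hmac.new(CLIENT_SECRETS[client_id], msg, hashlib.sha256).hexdigest()


def serve_with_app_signature(client_id, user_id, path, signature):
    """The signature authenticates the app; the app itself chooses the user_id."""
    expected = sign_request(client_id, user_id, path)
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    if "mail:read" not in CONSENTS.get((user_id, client_id), set()):
        return None, "user has not consented"
    # One app secret is a credential for *every* user who ever consented.
    return MAILBOXES[user_id], "ok"


# ---- Model B: access token bound to one grant (the answer's point) ----------
@dataclass
class Grant:
    user_id: str
    client_id: str
    scopes: set
    revoked: bool = False


TOKENS = {}  # opaque token -> Grant; the authorization server's record


def issue_token(user_id, client_id, scopes):
    """Issued during the user's own authorization; limited to consented scopes."""
    allowed = CONSENTS.get((user_id, client_id), set())
    if not set(scopes) <= allowed:
        raise PermissionError("scope not consented by this user")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = Grant(user_id, client_id, set(scopes))
    return token


def revoke_token(token):
    """Revoking the grant invalidates the token; the app secret is untouched."""
    TOKENS[token].revoked = True


def serve_with_token(token, required_scope="mail:read"):
    """Resolve the token (this lookup is the introspection/revocation I/O)."""
    grant = TOKENS.get(token)
    if grant is None or grant.revoked:
        return None, "invalid or revoked token"
    if required_scope not in grant.scopes:
        return None, "insufficient scope"
    # The user comes from the grant, never from the caller's request.
    return MAILBOXES[grant.user_id], "ok"


if __name__ == "__main__":
    # Model A: the same app secret reaches both consenting users on demand.
    for user in ("alice", "bob"):
        sig = sign_request("mailclient", user, "/mail")
        print("A", user, serve_with_app_signature("mailclient", user, "/mail", sig))
    # Model B: a token from alice's session reaches alice only, until revoked.
    tok = issue_token("alice", "mailclient", {"mail:read"})
    print("B", serve_with_token(tok))
    revoke_token(tok)
    print("B after revoke", serve_with_token(tok))
```

In Model A the server's only evidence about the user is a field the app supplied, so the app secret is effectively a master credential over every consenting user; in Model B a leaked token exposes one user's grant and can be cut off individually, which is the property the Thunderbird example relies on.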

huangapple
  • This article was posted on 2023-05-14 11:49:48
  • Please keep the link to this article when reposting: https://go.coder-hub.com/76245730.html