Using a Facebook access token as resource owner credentials in OAuth 2.0

Problem description:

The OAuth 2.0 specification defines the Resource Owner Password Credentials Grant Type, which allows the resource owner password credentials (i.e. username and password) to be used directly as an authorization grant to obtain an access token.

I want to allow a user to 'login via Facebook' on the client instead of providing the credentials directly. The client could then exchange the user's Facebook access token for an access token for the authorization server. Does this scheme fit into the framework of OAuth2?

The client could then exchange the user's Facebook access token for an access token for the authorization server.

Does it mean you have 2 Authorization servers (one being Facebook's and another - your private one) in mind? If yes - you're abusing OAuth and should use the Authorization Code Grant scheme instead.

In Figure 5 of the OAuth 2.0 spec (v25) you can find the workflow definition:

  1. The resource owner provides the client with its username and password.

  2. The client requests an access token from the authorization server's token endpoint by including the credentials received from the resource owner. When making the request, the client authenticates with the authorization server.

  3. The authorization server authenticates the client and validates the resource owner credentials, and if valid issues an access token.

This is a quote from Facebook http://developers.facebook.com/docs/guides/web/ :

In order to log the user into your site, three things need to happen. First, Facebook needs to authenticate the user. This ensures that the user is who they say they are. Second, Facebook needs to authenticate your website. This ensures that the user is giving their information to your site and not someone else. Lastly, the user must explicitly authorize your website to access their information. This ensures that the user knows exactly what data they are disclosing to your site.

In both places you have one and only one Authorization server - in your case - Facebook.
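The three steps of Figure 5 quoted in the answer, carried out by a minimal token endpoint, as an added example that is not code from the question, the answer, or any real authorization server. The client registry, the user store, the client id `webapp-client`, the user `alice` and the function names are all constructed for the example. The endpoint authenticates the client with HTTP Basic (step 2), checks the resource owner's username and password against a salted PBKDF2 hash (step 3) and issues a bearer token; any `grant_type` other than `password`, such as a third party's token passed in as a credential, is answered with `unsupported_grant_type`, which is the error RFC 6749 defines for a grant the server does not implement.

```python
# Added example: a minimal OAuth 2.0 token endpoint implementing the Resource
# Owner Password Credentials grant (RFC 6749, section 4.3). All stores, names
# and secrets below are constructed for illustration.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed client registry: client_id -> client_secret (hypothetical values).
CLIENTS: Dict[str, str] = {"webapp-client": "s3cret-client-credential"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 so the store never holds the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed resource-owner store: username -> (salt, password hash).
_ALICE_SALT = b"constructed-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT)),
}

# Tokens issued so far, so a resource server could look them up later.
ISSUED_TOKENS: Dict[str, str] = {}


def _authenticate_client(authorization_header: Optional[str]) -> Optional[str]:
    """Step 2: the client authenticates with HTTP Basic (RFC 6749, section 2.3.1)."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[len("Basic "):]).decode()
        client_id, client_secret = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return None
    return client_id


def _validate_resource_owner(username: str, password: str) -> bool:
    """Step 3: validate the resource owner's username and password."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        _hash_password(password, b"dummy-salt")
        return False
    salt, stored = record
    return hmac.compare_digest(stored, _hash_password(password, salt))


def handle_token_request(headers: Dict[str, str], form: Dict[str, str]) -> Tuple[int, Dict[str, object]]:
    """Token endpoint: returns (HTTP status, JSON body) per RFC 6749 sections 5.1 and 5.2."""
    client_id = _authenticate_client(headers.get("Authorization"))
    if client_id is None:
        return 401, {"error": "invalid_client"}

    # Only the password grant is implemented; a grant the server does not know
    # how to validate (e.g. another provider's access token) is rejected.
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}

    username, password = form.get("username", ""), form.get("password", "")
    if not username or not password:
        return 400, {"error": "invalid_request"}
    if not _validate_resource_owner(username, password):
        return 400, {"error": "invalid_grant"}

    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = username
    return 200, {"access_token": token, "token_type": "bearer", "expires_in": 3600}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Builds the Authorization header the client sends in step 2."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


if __name__ == "__main__":
    # Step 1: the resource owner handed alice's credentials to the client.
    hdr = {"Authorization": basic_auth_header("webapp-client", "s3cret-client-credential")}
    form = {"grant_type": "password", "username": "alice", "password": "correct horse"}
    print(handle_token_request(hdr, form))
```

The client's own secret and the resource owner's password are checked independently, which is what makes the grant usable at all: the token endpoint is vouching for both parties, not just one, and an error from either check is returned in the `error` field the specification defines rather than as a distinguishing message.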