Does application type (OpenID Connect) correspond to client type (OAuth 2.0)?

Tak*_*aki 5 openid oauth oauth-2.0

"OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" has an entry named application_type, whose defined values are native and web:

application_type
   OPTIONAL. Kind of the application. The default, if omitted, is web.
   The defined values are native or web. Web Clients using the OAuth
   Implicit Grant Type MUST only register URLs using the https scheme
   as redirect_uris; they MUST NOT use localhost as the hostname. Native
   Clients MUST only register redirect_uris using custom URI schemes or
   URLs using the http: scheme with localhost as the hostname.
   Authorization Servers MAY place additional constraints on Native
   Clients. Authorization Servers MAY reject Redirection URI values
   using the http scheme, other than the localhost case for Native
   Clients. The Authorization Server MUST verify that all the registered 
   redirect_uris conform to these constraints. This prevents sharing a
   Client ID across different types of Clients.  

Do these defined values correspond to public and confidential as described in "RFC 6749 (OAuth 2.0), 2.1. Client Types"?

OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):

confidential
   Clients capable of maintaining the confidentiality of their
   credentials (e.g., client implemented on a secure server with
   restricted access to the client credentials), or capable of secure
   client authentication using other means.

public
   Clients incapable of maintaining the confidentiality of their
   credentials (e.g., clients executing on the device used by the
   resource owner, such as an installed native application or a web
   browser-based application), and incapable of secure client
   authentication via any other means.

If not, why does the specification (OpenID Connect Dynamic Client Registration 1.0) have no entry to specify the client type? Is there any way to specify the client type (public or confidential) at the client registration endpoint?

Tak*_*aki 5

If "Native Client" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means (and apparently it does) "native application" in "RFC 6749 (OAuth 2.0), 2.1. Client Types", then a native client is always a public client.

If "Web Client" in "OpenID Connect Dynamic Client Registration 1.0, 2. Client Metadata" means "web application" in "RFC 6749 (OAuth 2.0), 2.1. Client Types" but does not include "user-agent-based application", then a web client is always a confidential client.

Under the interpretation above, application_type=native and application_type=web correspond to public and confidential, respectively.

However, the requirements on application_type:

Web Clients using the OAuth Implicit Grant Type MUST only
register URLs using the https scheme as redirect_uris; they
MUST NOT use localhost as the hostname. Native Clients MUST
only register redirect_uris using custom URI schemes or URLs
using the http: scheme with localhost as the hostname.

have nothing to do with whether a client is "capable of maintaining the confidentiality of its credentials" (from RFC 6749). In other words, redirect URIs are unrelated to how a client is authenticated. Therefore, it seems to me that application type and client type are different concepts.

Strangely, all OAuth 2.0 clients have to conform to one of the two "redirect_uris" requirements (one for web clients, the other for native clients), so it may not be appropriate to use "web" as the default when application_type is omitted. IMHO, neither "native" nor "web" should be assumed when application_type is omitted. But I may be missing something. Is there any reason to impose the "redirect_uris" requirements on all OpenID Connect clients?

In any case, my conclusion is that application type and client type are different. I wish client_type (public or confidential) were added to the list of client metadata, and that neither "native" nor "web" be used as the default when application_type is not included in the client registration request.
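To make the redirect_uris constraints quoted above concrete, here is an added Python example (not code from the thread or from any OpenID implementation) showing what an authorization server's registration endpoint has to verify for each application_type. The sample registration requests are constructed for illustration; the checks follow the quoted text literally (only the literal hostname "localhost" counts as the loopback case, and the web-client rule is applied only when the implicit grant is registered), and "web" is assumed as the default when application_type is omitted, exactly as the spec text says.

```python
from urllib.parse import urlparse

# Constructed registration requests (not from the original thread).
# "web" is the default application_type per the quoted spec text.
SAMPLE_REQUESTS = {
    "web_ok": {
        "application_type": "web",
        "grant_types": ["implicit"],
        "redirect_uris": ["https://app.example.com/cb"],
    },
    "web_bad": {
        "grant_types": ["implicit"],  # application_type omitted -> web
        "redirect_uris": ["http://app.example.com/cb", "https://localhost/cb"],
    },
    "native_ok": {
        "application_type": "native",
        "redirect_uris": ["com.example.app:/cb", "http://localhost:8080/cb"],
    },
    "native_bad": {
        "application_type": "native",
        "redirect_uris": ["https://app.example.com/cb", "http://example.com/cb"],
    },
}


def validate_redirect_uris(metadata):
    """Return a list of violations of the application_type constraints.

    The checks follow the quoted spec text literally: only the literal
    hostname "localhost" is treated as the loopback case, and the web-client
    rule is applied only when the implicit grant is registered.
    """
    app_type = metadata.get("application_type", "web")
    # authorization_code is the registration default when grant_types is absent
    grant_types = metadata.get("grant_types", ["authorization_code"])
    uris = metadata.get("redirect_uris", [])
    errors = []

    if app_type not in ("web", "native"):
        return [f"unknown application_type {app_type!r}"]

    for uri in uris:
        parts = urlparse(uri)
        scheme = parts.scheme.lower()
        host = (parts.hostname or "").lower()

        if app_type == "web":
            if "implicit" not in grant_types:
                continue  # the quoted rule only binds web clients using implicit
            if scheme != "https":
                errors.append(f"{uri}: web client with implicit grant must use https")
            if host == "localhost":
                errors.append(f"{uri}: web client must not use localhost")
        else:  # native
            if scheme == "http":
                if host != "localhost":
                    errors.append(f"{uri}: native http redirect must use localhost")
            elif scheme in ("https", ""):
                errors.append(f"{uri}: native client needs a custom scheme or http://localhost")
            # any other scheme is treated as a custom (private-use) URI scheme
    return errors


def classify(requests=SAMPLE_REQUESTS):
    """Map each sample request name to its list of violations."""
    return {name: validate_redirect_uris(md) for name, md in requests.items()}


if __name__ == "__main__":
    for name, errs in classify().items():
        print(name, "OK" if not errs else errs)
```

Note that nothing in these checks touches client credentials or the token endpoint authentication method: a registration request that passes them says nothing about whether the client can keep a secret, which is the point the answer makes about application type and client type being separate concepts.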