Why does Google OAuth2 need a client secret and refresh token to get an access token?
After reading the Google OAuth2 documentation, I downloaded application_default_credentials.json and used it to obtain an access token (bearer token).
I'm not sure whether this is the OAuth2 standard. Some documentation shows that we need a refresh token and client credentials to get an access token, but why not just use the refresh token directly? If I have client credentials, does that mean I can obtain an access token directly?
Yes, this is part of the OAuth2 specification; you must send the client credentials together with the refresh token. From RFC 6749, section 6:
Because refresh tokens are typically long-lasting credentials used to request additional access tokens, the refresh token is bound to the client to which it was issued. If the client type is confidential or the client was issued client credentials (or assigned other authentication requirements), the client MUST authenticate with the authorization server.
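The following added example (not code from the question, the answer, or Google) models the rule quoted above: a toy token endpoint that only honours a refresh_token grant when the client authenticates and the refresh token was issued to that same client. The client ids, secrets and token values are constructed; the request body shape (grant_type, refresh_token, client_id, client_secret) is the one RFC 6749 defines, and it is the same set of fields Google's token endpoint expects from a confidential client.

```python
"""Toy OAuth2 token endpoint for the refresh_token grant (RFC 6749 section 6).

Constructed example: the client registry, refresh-token store and all
identifiers below are made up for illustration.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry of confidential clients: client_id -> client_secret.
CLIENTS = {
    "client-A": "secret-A",
    "client-B": "secret-B",
}

# Constructed store of issued refresh tokens. Each token is bound to the
# client it was issued to, plus the user and scope it represents.
REFRESH_TOKENS = {
    "rt-alice-A": {"client_id": "client-A", "sub": "alice", "scope": "email"},
}


def build_refresh_request(refresh_token, client_id, client_secret):
    """Client side: form-encoded body a confidential client posts to /token."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def token_endpoint(body):
    """Server side: returns (http_status, json_dict) for a /token request body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

    if params.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}

    # Step 1: client authentication. A refresh token on its own is not enough;
    # a missing or wrong client secret is rejected before the token is looked at.
    client_id = params.get("client_id", "")
    expected_secret = CLIENTS.get(client_id)
    presented_secret = params.get("client_secret", "")
    if expected_secret is None or not hmac.compare_digest(
        expected_secret.encode(), presented_secret.encode()
    ):
        return 401, {"error": "invalid_client"}

    # Step 2: the refresh token must exist and be bound to the authenticated
    # client. A valid token presented by a different (authenticated) client is
    # still refused, which is the binding RFC 6749 section 6 describes.
    record = REFRESH_TOKENS.get(params.get("refresh_token", ""))
    if record is None or record["client_id"] != client_id:
        return 400, {"error": "invalid_grant"}

    # Step 3: both checks passed, mint a fresh short-lived bearer token.
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": record["scope"],
    }


if __name__ == "__main__":
    ok = build_refresh_request("rt-alice-A", "client-A", "secret-A")
    print(token_endpoint(ok))
    # Refresh token alone, no client credentials: refused as invalid_client.
    print(token_endpoint("grant_type=refresh_token&refresh_token=rt-alice-A"))
    # Another registered client replaying Alice's token: refused as invalid_grant.
    print(token_endpoint(build_refresh_request("rt-alice-A", "client-B", "secret-B")))
```

The two failure cases are the practical answer to the question: a refresh token that leaks without the client secret cannot be exchanged for an access token, and a refresh token cannot be used by any client other than the one it was issued to. Conversely, the client secret alone proves only who the client is; it identifies no user, so it cannot mint a user-scoped access token without a refresh token (or a fresh authorization).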