What's the problem with using Password Grant Tokens for a Nuxt SPA?
I want to build a Nuxt SPA with Laravel as the backend. Reading the Passport documentation, I am now confused by the following paragraph, because I don't want to redirect the user to the backend's login page:
Authorization Code Grant with PKCE
The Authorization Code grant with "Proof Key for Code Exchange" (PKCE) is a secure way to authenticate single page applications or native applications to access your API. This grant should be used when you can't guarantee that the client secret will be stored confidentially or in order to mitigate the threat of having the authorization code intercepted by an attacker. A combination of a "code verifier" and a "code challenge" replaces the client secret when exchanging the authorization code for an access token.
What is the problem with issuing the following request from the client's browser and storing the token in the client's browser?

```php
// Password grant request as shown in the Laravel Passport docs:
// the SPA would send the user's credentials plus the client secret
// straight to the token endpoint.
$http = new GuzzleHttp\Client;

$response = $http->post('http://your-app.com/oauth/token', [
    'form_params' => [
        'grant_type' => 'password',
        'client_id' => 'client-id',
        'client_secret' => 'client-secret',
        'username' => 'taylor@laravel.com',
        'password' => 'my-password',
        'scope' => '',
    ],
]);

// Decode the JSON body: access_token, refresh_token, expires_in, token_type
return json_decode((string) $response->getBody(), true);
```
The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely:

"The resource owner password credentials grant MUST NOT be used. This grant type insecurely exposes the credentials of the resource owner to the client. Even if the client is benign, this results in an increased attack surface (credentials can leak in more places than just the AS) and users are trained to enter their credentials in places other than the AS.

Furthermore, adapting the resource owner password credentials grant to two-factor authentication, authentication with cryptographic credentials (cf. WebCrypto, WebAuthn), and authentication processes that require multiple steps can be hard or impossible."