What are the limits of public clients in OAuth 2.0 -


oauth 2.0 specifies 2 client types:

  • public (client_id)
  • confidential (client_id:client_secret)

and section 2.2 says:

the client identifier not secret; exposed resource owner , must not used alone client authentication.

while clear me public clients used implicit flow, there more seems. when performing auth code flow, first request authorization endpoint our client_id, no secret required. then, after getting user's consent , authorize code, request token endpoint. according spec, able request endpoint without client_secret:

client_id      required, if client not authenticating      authorization server described in section 3.2.1.

if client type confidential or client issued client credentials (or assigned other authentication requirements), client must authenticate authorization server described in section 3.2.1.

...

the authorization server must:

... o ensure authorization code issued authenticated   confidential client, or if client public, ensure   code issued "client_id" in request,

so section says able request endpoint without client secret. now, doesn't refresh tokens other may included in request.

refreshing access token mentions:

because refresh tokens typically long-lasting credentials used request additional access tokens, refresh token bound client issued. if client type confidential or client issued client credentials (or assigned other authentication requirements), client must authenticate authorization server described in section 3.2.1.

so we're allowed refresh access token without client authentication.

now, confuses me implicit flow not allow issuing of refresh tokens:

the authorization server must not issue refresh token.

it doesn't explicitly why can't that, we're not allowed to. reasoning isn't allowed because client can't trusted. since authorize code flow allowed public clients, why need implicit flow, if same thing can achieved public client, plus getting refresh token?

i'd glad if clarify this.


Comments

Post a Comment

Popular posts from this blog

Command prompt result in label. Python 2.7 -

i want put result(output) of shell command label. command works, label shows "0", however, in command prompt, result shown correctly, need showed in label. doing ubuntu. myg1 = button(root, text="rodyti informacija", command=lambda: gauti()) myg1.pack(side=bottom) def gauti(): imti = tekstas.get("1.0", "end-1c") info = subprocess.call("id '{imti}' ".format(imti=imti), shell=true) w = label(root, text= info) w.pack(side = bottom) subprocess.call() returns exit code of process created (in case 0 success). if want text output of process, should instead call subprocess.check_output() .
Read more

javascript - How do I use URL parameters to change link href on page? -

i change href value of link using url parameters. example: default <a id="dlink" href="link-1">link</a> but, when user goes https://url.com/?dlink=link-2 it swaps out link new link <a id="dlink" href="link-2">link</a> first need value url. if you're not using javascript framework can create function using jquery. please check get url parameter jquery or how query string values in js it. after that, element "a" id , set value there. $("#dlink").attr("href", hreffromparam);
Read more

amazon web services - AWS Route53 Trying To Get Site To Resolve To www -

so have domain nameservers pointed aws route 53. site hosted on ec2 instance , reachable resolves site.com, if input www.site.com. i'm curious how site resolve www.site.com. have under route53 domains hosted zone 2 additional record sets outside of ns , soa: a site.com ec2 elastic ip cname www.site.com ec2 public dns i can reach site using both site.com , www.site.com, resolve site.com. there way make if enter either, resolves www.site.com? at first, both should record set. a site.com ec2 elastic ip www.site.com ec2 elastic ip and need redirect setting in web server (nginx, apache, ..) following. (source: how redirect www non-www nginx on centos 7 ) redirect non-www www if want redirect users plain, non-www domain www domain, add server block: server { server_name example.com; return 301 $scheme://www.example.com$request_uri; } save , exit. configures nginx redirect requests "example.com" "www.example.com". not
Read more