I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the Implicit Grant flow for obtaining access tokens has been developed. Compared to the Authorization Code Grant, it seems to just give up on client authentication for no very compelling reason. How is this "optimized for clients implemented in a browser using a scripting language" (to quote the specification)?
这两个流程的起点是相同的(来源:https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-22):
客户端通过将资源所有者的用户代理定向到授权端点来启动流。
授权服务器对资源所有者进行身份验证(通过用户代理),并确定资源所有者是否授予或拒绝客户端的访问请求。
假设资源所有者授予访问权限,授权服务器使用前面提供的重定向URI(在请求中或在客户端注册期间)将用户代理重定向回客户端。
重定向URI包括一个授权代码(授权代码流)
重定向URI在URI片段中包含访问令牌(隐式流)
这里是流分裂的地方。在这两种情况下,此时重定向URI指向客户端托管的某个端点:
In the Authorization code flow, when the user agent hits that endpoint with the Authorization code in the URI, code at that endpoint exchanges the authorization code along with its client credentials for an access token which it can then use as needed. It could, for example, write it into a web page that a script on the page could access.
The Implicit flow skips this client authentication step altogether and just loads up a web page with client script. There's a cute trick here with the URL fragment that keeps the access token from being passed around too much, but the end result is essentially the same: the client-hosted site serves up a page with some script in it that can grab the access token.
因此我的问题是:跳过客户端身份验证步骤可以获得什么?
它可以归结为:如果用户正在运行一个基于浏览器或“公共”(JavaScript)的web应用程序,没有服务器端组件,那么用户隐含地信任该应用程序(以及它运行的浏览器,可能与其他基于浏览器的应用程序……)
没有第三方远程服务器,只有资源服务器。授权代码没有任何好处,因为除了浏览器之外,没有其他代理代表用户。出于同样的原因,客户端凭证没有任何好处。(任何客户端都可以尝试使用此流。)
然而,这对安全的影响是重大的。从https://www.rfc-editor.org/rfc/rfc6749 #节- 10.3:
当使用隐式授权类型时,访问令牌将在中传输
URI片段,这可能会将其暴露给未经授权的一方。
从https://www.rfc-editor.org/rfc/rfc6749 #节- 10.16:
资源所有者可以自愿将对资源的访问委托给
向攻击者的恶意客户端授予访问令牌。这可能
可能是因为网络钓鱼或其他借口…
通常的解释是,当您使用JavaScript客户端时,隐式授权更容易实现。但我认为这种看法是错误的。如果您使用的JavaScript客户端直接通过XMLHttpRequest请求受保护的资源,隐式授权是您唯一的选择,尽管它不太安全
授权码授权提供了额外的安全性,但它仅在web服务器请求受保护资源时才有效。由于web服务器可以存储访问令牌,因此访问令牌暴露在Internet上的风险较小,并且可以发出持续较长时间的令牌。由于web服务器是受信任的,所以可以给它一个“刷新令牌”,所以当旧的访问令牌过期时,它可以获得一个新的访问令牌。
But -- and this is a point that's easy to miss -- the security of the Authorization code flow works only if the web server is protected with a session, which is established with user authentication (login). Without a session, an untrusted user could just make requests to the web server, using the client_id, and it would be the same as if the user had the access token. Adding a session means that only an authenticated user can access the protected resources. The client_id is just the "identity" of the JS webapp, not authentication of said webapp.
这还意味着您可以在OAuth令牌过期之前结束会话。没有使访问令牌失效的标准方法。但是如果你的会话过期了,访问令牌就没用了,因为除了web服务器没有人知道它。如果一个不受信任的用户获得了对会话密钥的访问权,那么他们只能在会话有效期间访问受保护的资源。
如果没有网络服务器,你必须使用隐式授权。但这意味着访问令牌暴露在Internet上。如果一个不受信任的用户获得了它的访问权限,他们可以使用它直到过期。这意味着他们将拥有比授权代码授予更长的访问时间。因此,您可能需要考虑让令牌提前过期,并避免授予对更敏感资源的访问权。
*EDIT: More recently, people are recommending that you avoid using the Implicit grant, even on web apps without a server. Instead you can use the Authorization Code grant configured with an empty secret, along with PKCE. The auth-code grant avoids storing the access token in your browser history, and PKCE avoids exposing it if someone hijacks the redirect URL to steal the auth code. In this case you would need the server to avoid returning a refresh token, since your client probably can't store it securely. And it should issue an access token with the same limitations mentioned above.