Tuesday, 30 June 2020

Open standard for Authorization (OAuth2) Grant Types

What Are Grant Types
The types are as follows
1. Authorization Code Grant
2. Implicit Grant
3. Resource Owner Credentials Grant - Password Grant
4. Client Credentials Grant
5. Refresh Token Grant

Difference From OAuth 2.1
The explanation is as follows
The following lists down a set of changes OAuth 2.1 introduces on top of OAuth 2.0.

- The authorization code grant is extended with the functionality from PKCE (RFC7636) such that the default method of using the authorization code grant according to this specification requires the addition of the PKCE parameters
- Redirect URIs must be compared using exact string matching
- The Implicit grant (response_type=token) is omitted
- The Resource Owner Password Credentials grant is omitted
- Bearer token usage omits the use of bearer tokens in the query string of URIs
- Refresh tokens should either be sender-constrained or one-time use
- In addition to the confidential and public client types in OAuth 2.0, 2.1 introduces another new client type: credentialed.
So only
- Authorization Code Grant
- Client Credentials Grant
- Refresh Token Grant
remain
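Two of the OAuth 2.1 changes above in code, as an added example that is not part of the original post: the PKCE S256 challenge (RFC 7636) that the authorization code grant now requires, and exact string matching of redirect URIs. The client id, state value and sample URIs are made-up values.

```python
import base64
import hashlib
import secrets

# Added example, not code from the original post. Implements RFC 7636 (PKCE)
# S256 as OAuth 2.1 requires, plus exact-match redirect_uri checking.
# Client id, state and URIs used with it are made-up values.

def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: random code_verifier (43..128 unreserved characters)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")

def code_challenge_s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_request_params(client_id: str, redirect_uri: str,
                                 code_verifier: str, state: str) -> dict:
    """Query parameters the client adds to the authorization request.
    Only the challenge travels; the verifier stays with the client."""
    return {
        "response_type": "code",          # 2.1: implicit (token) is gone
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }

def pkce_verify(code_verifier: str, stored_challenge: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the
    challenge from the presented verifier and compare in constant time."""
    return secrets.compare_digest(code_challenge_s256(code_verifier),
                                  stored_challenge)

def redirect_uri_allowed(requested: str, registered: list) -> bool:
    """OAuth 2.1: exact string match against the registered URIs.
    No prefix, wildcard or host-only matching: a trailing slash, a port
    or an added query string makes it a different URI."""
    return any(requested == uri for uri in registered)
```

The verifier/challenge pair from RFC 7636 Appendix B can be used to check code_challenge_s256 against a known value.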

1. What Is the Authorization Code Grant
I moved it to the OAuth2 Authorization Code Grant post

2. What Is the Implicit Grant
This flow was deprecated with OAuth 2.1.

The explanation is as follows. It is a somewhat simplified version of the Authorization Code Grant: instead of an authorization code, an access token is issued directly.
  ... when the client redirects you to the authorization server's login page and the moment you authorize the client ..., the authorization server grants the client an access token. Unless you are left with no options, please prefer using the authorization code grant because it is a more secure way to authenticate third-party sites.
The flow is as follows
     +--------+                               +---------------+
     |        |<-(B)-- Authorization Grant ---|   Resource    |
     |        |                               |     Owner     |
     |        |                               |               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(A)- Authorization Request ->| Authorization |
     | Client |                               |     Server    |
     |        |<-(C)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(D)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(E)--- Protected Resource ---|               |
     +--------+                               +---------------+

3. What Is the Resource Owner Credentials Grant (i.e. Password Grant)

This flow was deprecated with OAuth 2.1.

The explanation is as follows. Here the Authorization Server is actually being used for the login operation; in other words, the purpose is authentication, not authorization.
Requires logging in with a username and password. In that case, the credentials will be a part of the request. This flow is suitable only for trusted clients (for example, official applications released by the API provider).
Example - keycloak
The user sends who they are, i.e. their username and password. We do the following.
curl -X POST \
  http://localhost:8080/oauth/token \
  -H 'authorization: Basic c3ByaW5nLXNlY3VyaXR5LW9hdXRoMi1yZWFkLXdyaXRlLWNsaWVudDpzcHJpbmctc2VjdXJpdHktb2F1dGgyLXJlYWQtd3JpdGUtY2xpZW50LXBhc3N3b3JkMTIzNA==' \
  -F grant_type=password \
  -F username=admin \
  -F password=admin1234 \
  -F client_id=spring-security-oauth2-read-write-client
Example - keycloak
To get the client secret from the Keycloak server, we do the following
# Connect to Keycloak
./kcadm.sh config credentials --server http://localhost:8080 \
  --realm master --user admin --password admin

# Get clientId
./kcadm.sh get clients -r spring-boot-keycloak --fields id,clientId

# Get clientSecret
./kcadm.sh get clients/{CLIENT_ID_FROM_PREVIOUS_COMMAND}/client-secret \
  -r spring-boot-keycloak
We do the following
curl --location --request POST 'http://localhost:8080/realms/spring-boot-keycloak/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'username=john.smith' \
--data-urlencode 'password=password' \
--data-urlencode 'client_id=spring-boot-keycloak-country-api-client' \
--data-urlencode 'client_secret={CLIENT_SECRET_FROM_PREVIOUS_STEP}' \
--data-urlencode 'grant_type=password'
The response is as follows
{
  "access_token": "{HERE_YOU_GET_AN_ACCESS_TOKEN}",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "{HERE_YOU_GET_A_REFRESH_TOKEN}",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "{HERE_YOU_GET_A_SESSION_STATE}",
  "scope": "profile email"
}
Now we make a request to a Resource Server with the access_token. We do the following
curl --location --request GET 'http://localhost:8085/countries' \
--header 'Authorization: Bearer {ACCESS_TOKEN_FROM_PREVIOUS_STEP}'
Example - Azure
We do the following
URI https://login.microsoftonline.com/<tenant-id>/oauth2/token
Method - POST
Form urlencoded body
grant_type=password
username=<username>
password=<password>
resource=<clientId>
client_id=<clientId>
If the verification succeeds, an object comes back in response. The explanation is as follows
The authorization server will respond with a JSON object containing the following properties:

- token_type with the value Bearer
- expires_in with an integer representing the TTL of the access token
- access_token the access token itself
- refresh_token a refresh token that can be used to acquire a new access token when the original expires
The permissions (such as read or write permission) are defined in the scope field inside the access token.
The flow is as follows
     +----------+
     | Resource |
     |  Owner   |
     |          |
     +----------+
          v
          |    Resource Owner
         (A) Password Credentials
          |
          v
     +---------+                                  +---------------+
     |         |>--(B)---- Resource Owner ------->|               |
     |         |         Password Credentials     | Authorization |
     | Client  |                                  |     Server    |
     |         |<--(C)---- Access Token ---------<|               |
     |         |    (w/ Optional Refresh Token)   |               |
     +---------+                                  +---------------+
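The password grant exchange above, as an added example that is not the post's or Keycloak's own code: it builds the same form body the curl command sends, parses a constructed token response in the shape of the one shown, and produces the Bearer header for the resource server call while tracking expires_in. No network request is made; the token values are placeholders.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Added example, not from the original post. Mirrors the Keycloak password
# grant request/response above; SAMPLE_RESPONSE is a constructed placeholder.

def password_grant_body(username, password, client_id, client_secret):
    """application/x-www-form-urlencoded body, same fields as the curl call."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    })

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float          # epoch seconds, derived from expires_in
    refresh_expires_at: float  # derived from refresh_expires_in

def parse_token_response(body: str, now: float) -> TokenSet:
    """Turn the JSON token response into absolute expiry times."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return TokenSet(
        access_token=data["access_token"],
        refresh_token=data.get("refresh_token", ""),
        expires_at=now + int(data["expires_in"]),
        refresh_expires_at=now + int(data.get("refresh_expires_in", 0)),
    )

def bearer_header(tokens: TokenSet, now: float, skew: int = 30) -> dict:
    """Header for the resource server call. Refuses a token that is about to
    expire so the caller runs the refresh token grant instead of sending a
    dead token; the token goes in the header, never in the URL query string."""
    if now + skew >= tokens.expires_at:
        raise RuntimeError("access token expired; use the refresh token grant")
    return {"Authorization": "Bearer " + tokens.access_token}

# Constructed sample in the shape of the Keycloak response shown above.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "ACCESS_TOKEN_PLACEHOLDER", "expires_in": 300,
    "refresh_expires_in": 1800, "refresh_token": "REFRESH_TOKEN_PLACEHOLDER",
    "token_type": "Bearer", "not-before-policy": 0,
    "session_state": "SESSION_STATE_PLACEHOLDER", "scope": "profile email",
})
```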

4. What Is the Client Credentials Grant?
I moved it to the OAuth2 Client Credentials Grant post

5. Refresh Token Grant
I moved it to the OAuth2 Refresh Token Grant post
