https://www.oauth.com/oauth2-servers/access-tokens/password-grant/

The Password grant is used when the application exchanges the user’s username and password for an access token. This is exactly the thing OAuth was created to prevent in the first place, so you should never allow third-party apps to use this grant.

A common use for this grant type is to enable password logins for your service’s own apps. Users won’t be surprised to log in to the service’s website or native application using their username and password, but third-party apps should never be allowed to ask the user for their password.

Request Parameters

The access token request will contain the following parameters.

  • grant_type (required) – The grant_type parameter must be set to “password”.
  • username (required) – The user’s username.
  • password (required) – The user’s password.
  • scope (optional) – The scope requested by the application.
  • Client Authentication (required if the client was issued a secret)

If the client was issued a secret, then the client must authenticate this request. Typically the service will allow either additional request parameters client_id and client_secret, or accept the client ID and secret in the HTTP Basic auth header.

Example

The following is an example password grant the service would receive.

POST /oauth/token HTTP/1.1
Host: authorization-server.com
 
grant_type=password
&username=user@example.com
&password=1234luggage
&client_id=xxxxxxxxxx
&client_secret=xxxxxxxxxx

See Access Token Response for details on the parameters to return when generating an access token or responding to errors.

GET /Chuck_WebApi/oauth/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 77e99b5f-d31e-4379-a64c-ddc511d42781
grant_type=passwordusername=adminpassword=passwordundefined=undefined

To allow only the grant types you want it's enough to inherit from OAuthAuthorizationServerProvider. Then you need to override two methods:

  • ValidateClientAuthentication - to validate that the origin of the request is a registered client_id
  • GrantResourceOwnerCredentials - to validate provided username and password when the grant_type is set to password

For more information here is the documentation of GrantResourceOwnerCredentials method:

Called when a request to the Token endpoint arrives with a "grant_type" of "password". This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token". If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate. To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token. The application should take appropriate measures to ensure that the endpoint isn’t abused by malicious callers. The default behavior is to reject this grant type.

需要注意的是:

client_credentials

Called when a request to the Token endpoint arrives with a "grant_type" of "password".

This occurs when the user has provided name and password credentials directly into the client application's user interface, and the client application is using those to acquire an "access_token" and optional "refresh_token".

If the web application supports the resource owner credentials grant type it must validate the context.Username and context.Password as appropriate.

To issue an access token the context.Validated must be called with a new ticket containing the claims about the resource owner which should be associated with the access token.

The default behavior is to reject this grant type. See also http://tools.ietf.org/html/rfc6749\#section-4.3.

经过测试,发现下面这个才是有效的

GET /Chuck_WebApi/oauth/token HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: ce49a101-df6e-4b7c-9217-e112b387b784
grant_type=client_credentialsusername=adminpassword=password

换了另外一种

GET http://localhost/Chuck_WebApi/oauth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
cache-control: no-cache
Postman-Token: 3b870eb3-1c29-4b5e-9dcd-297e3f582c27
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: localhost
accept-encoding: gzip, deflate
content-length: 75
Connection: keep-alive

grant_type=password&username=admin&password=password&client_id=testClientId

AccessToken-->Password Grant的更多相关文章

  1. Dynamics 365本地部署版本配置OAuth 2 Password Grant以调用Web API

    微软动态CRM专家罗勇 ,回复330或者20190504可方便获取本文,同时可以在第一间得到我发布的最新博文信息,follow me! 根据官方建议,不要再使用Dynamics 365 Custome ...

  2. 基于OWIN WebAPI 使用OAuth授权服务【客户端验证授权(Resource Owner Password Credentials Grant)】

    适用范围 前面介绍了Client Credentials Grant ,只适合客户端的模式来使用,不涉及用户相关.而Resource Owner Password Credentials Grant模 ...

  3. IdentityServer4之Resource Owner Password Credentials(资源拥有者密码凭据许可)

    IdentityServer4之Resource Owner Password Credentials(资源拥有者密码凭据许可) 参考 官方文档:2_resource_owner_passwords ...

  4. My sql添加远程用户root密码为password

    添加远程用户root密码为password grant all privileges on *.* to root@localhost identified by '123321' with gran ...

  5. springboot+spring security +oauth2.0 demo搭建(password模式)(认证授权端与资源服务端分离的形式)

    项目security_simple(认证授权项目) 1.新建springboot项目 这儿选择springboot版本我选择的是2.0.6 点击finish后完成项目的创建 2.引入maven依赖  ...

  6. IdentityServer Resource Owner Password

    Resource Owner Password 模式需要自己实现用户名密码的校验 新增ResourceOwnerPasswordValidator实现IResourceOwnerPasswordVal ...

  7. 转 - spring security oauth2 password授权模式

    原贴地址: https://segmentfault.com/a/1190000012260914#articleHeader6 序 前面的一篇文章讲了spring security oauth2的c ...

  8. SpringBoot2.x版本整合SpringSecurity、Oauth2进行password认证

    很多人在进行项目开发时都会用到Oauth2.0结合SpringSecurity或者Shiro进行权限拦截以及用户验证,网上也有很多的案例,前几天项目里边需要用到,顺便整合了进来,特此写篇博客,记录下过 ...

  9. mysql安装后改动port号password默认字符编码

    1.改动password grant all privileges on *.* to 'root'@'localhost' identified by 'new password'; 2.改动por ...

随机推荐

  1. HDU4686—Arc of Dream

    题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=4686 题目意思:给出一个n,算这个式子,给出A0,B0,AX,AY,然后存在以下的递推关系. a0 = ...

  2. inode file 结构

    inode位图(inode Bitmap) 和块位图类似,本身占一个块,其中每个bit表示一个inode是否空闲可用. inode表(inode Table) 我们知道,一个文件除了数据需要存储之外, ...

  3. C++应该被看成是个语言集合——四种语言(C语言,OO语言,泛型语言,STL)

    至少有三种语言: 一,C++ is C 二,C++ is an OO language 三,C++ is a genetic programming language 有的童鞋觉得难,可能是没有看清楚 ...

  4. Hive简介及使用

    一.Hive简介 1.hive概述 Apache Hive™数据仓库软件有助于使用SQL读取,编写和管理驻留在分布式存储中的大型数据集. 可以将结构投影到已存储的数据中.提供了命令行工具和JDBC驱动 ...

  5. 排序算法review<1>--直接插入排序

    简单插入排序的基本思想:对于原待排序记录中的第i(1<=i<=n-1)个元素Ki,保证其前面的i个元素已经是有序的,要在这前i个元素(K0--Ki-1)中找到合适的位置将第i个元素插入,具 ...

  6. FindBugs——帮助查找隐藏的bug

    FindBugs 1.什么是FindBugs FindBugs 是一个静态分析工具,它检查类或者 JAR 文件,将字节码与一组缺陷模式进行对比以发现可能的问题.有了静态分析工具,就可以在不实际运行程序 ...

  7. Avocado 安装和简单测试

    1.Avocado 安装 1.1 通过包安装 像Fedora可以通过rpm包进行安装,其他通过RPM管理的发行版需要自己制作相关包.Avocado同样支持DEP包的安装可以在contrib/packa ...

  8. 宏表达式与函数、#undef、条件编译、

    宏表达式在预编译期被处理,编译器不知道宏表达式的存在. 宏表达式没有任何的调用开销 宏表达式中不能出现递归定义. C语言中强大的内置宏 __FILE__:被编译的文件名 //双底线 __LINE__: ...

  9. django的所有app放在一个文件夹下便于管理

    1.新建一个python Package,名字叫apps 2.拖拽以后的app到apps文件夹下,把Search for references勾选去掉,重要重要重要!!!! 3.右键点击apps文件夹 ...

  10. Java游戏服务器成长之路——感悟篇

    又是一个美好的周末啊,现在一到周末,早上就起得晚,下午困了又会睡一两个小时,上班的时候,早上起来喝一杯咖啡,然后就能高效的工作一整天,然而到了周末人就懒散了,哈哈. 最近刚跳槽,到新公司已经干了有两周 ...