What I don't fully understand is the use of ClientId and Secret vs Username and Password. The code I pasted generates a token by username and password and I can work with that token (until it expires), but when I try to get a refresh token, I must have the ClientId.

Also, if a token expires, the correct way is to send the refresh token and get a new token? What if the refresh token gets stolen? isn't it the same as a username & password getting stolen?

In OAuth2 is essential to authenticate both the user and the client in any authorization flow defined by the protocol. The client authentication (as you may guess) enforces the use of your API only by known clients. The serialized access token, once generated, is not bound to a specific client directly. Please note that the ClientSecret must be treated as a confidential information, and can be used only by clients that can store this information in some secure way (e.g. external services clients, but not javascript clients).

The refresh token is simply an alternative "grant type" for OAuth2, and, as you stated correctly, will substitute the username and password pair for a User. This token must be treated as confidential data (even more confidential than the access token), but gives advantages over storing the username & password on the client:

  • it can be revoked by the user if compromised;
  • it has a limited lifetime (usually days or weeks);
  • it does not expose user credentials (an attacker can only get access tokens for the "scope" the refresh token was issued).

I suggest you to read more about the different grant types defined in OAuth 2 checking in the official draft. I also recommend you this resource I found very useful when firstly implemented OAuth2 in Web API myself.

Sample requests

Here are two request examples using fiddler, for Resource Owner Password Credentials Grant:

and for Refresh Token Grant:

https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

ASP.NET OAuth Authorization - Difference between using ClientId and Secret and Username and Password的更多相关文章

  1. ASP.NET OAuth、jwt、OpenID Connect

    ASP.NET OAuth.jwt.OpenID Connect 上一篇文章介绍了OAuth2.0以及如何使用.Net来实现基于OAuth的身份验证,本文是对上一篇文章的补充,主要是介绍OAuth与J ...

  2. ASP.NET Core Authorization

    ASP.NET Core Authorization 本文目录 Asp.net Core 对于授权的改动很友好,非常的灵活,本文以MVC为主,当然如果说webapi或者其他的分布式解决方案授权,也容易 ...

  3. ASP.NET没有魔法——ASP.NET OAuth、jwt、OpenID Connect

    上一篇文章介绍了OAuth2.0以及如何使用.Net来实现基于OAuth的身份验证,本文是对上一篇文章的补充,主要是介绍OAuth与Jwt以及OpenID Connect之间的关系与区别. 本文主要内 ...

  4. ASP.NET OAuth 2.0 新手上路

    OAuth2.0资料 初衷:一直想整理授权系列demo,让自己项目高端大尚,列出新手授权系列,帮助小白程序员不用在为授权头疼 OAuth 允许用户提供一个令牌,而不是用户名和密码来访问他们存放在特定服 ...

  5. ASP.NET OAuth:解决refresh token无法刷新access token的问题

    最近同事用iOS App调用Open API时遇到一个问题:在access token过期后,用refresh token刷新access token时,服务器响应"invalid_gran ...

  6. ASP.NET OAuth:access token的加密解密,client secret与refresh token的生成

    在 ASP.NET OWIN OAuth(Microsoft.Owin.Security.OAuth)中,access token 的默认加密方法是: 1) System.Security.Crypt ...

  7. [转]教你实践ASP.NET Core Authorization

    本文转自:http://www.cnblogs.com/rohelm/p/Authorization.html 本文目录 Asp.net Core 对于授权的改动很友好,非常的灵活,本文以MVC为主, ...

  8. 教你实践ASP.NET Core Authorization

    本文目录 Asp.net Core 对于授权的改动很友好,非常的灵活,本文以MVC为主,当然如果说webapi或者其他的分布式解决方案授权,也容易就可以实现单点登录都非常的简单,可以使用现成的Iden ...

  9. ASP.NET控件的ID,ClientID,UniqueId的区别

    一般情况下三者相同(没有父控件) ID:获取或设置分配给服务器控件的编程标识符.分配给控件的编程标识符. (可写) 设置服务器控件上的此属性可提供对服务器控件的属性.事件和方法的编程访问.Web 开发 ...

随机推荐

  1. Fully qualified name FQCN

    Fully qualified name - Wikipedia https://en.wikipedia.org/wiki/Fully_qualified_name In computer prog ...

  2. Java实现断点续传

    原理: 断点续传的关键是断点,所以在制定传输协议的时候要设计好,如上图,我自定义了一个交互协议,每次下载请求都会带上下载的起始点,这样就可以支持从断点下载了,其实HTTP里的断点续传也是这个原理,在H ...

  3. Tr A--hdu1575(矩阵快速幂)

    题目链接:http://acm.hdu.edu.cn/showproblem.php?pid=1575 算是模板吧 #include <iostream> #include <std ...

  4. springboot跨域处理

    /** * @author 657642432@qq.com * 跨域处理 */ @Configuration public class CorsConfig { @Bean public Filte ...

  5. django 模板语言之 filter 自定义模板

    可以自己写python函数放在模板语言里用 这种方法是django里面的 filter {{ item.event_start|date:"Y-m-d H:i:s"}} {{ bi ...

  6. 增强MyEclipse的代码自动提示功能

      一般在Eclipse ,MyEclipse代码里面,打个foreach,switch等 这些,是无法得到代码提示的(不信自己试试),其他的就更不用说了,而在Microsoft Visual Stu ...

  7. 001-netty的优势

    1.API简单. 2.性能高. 3.成熟稳定. 4.入门门槛低.

  8. AtCoder Regular Contest 080 E - Young Maids

    地址:http://arc080.contest.atcoder.jp/tasks/arc080_c 题目: E - Young Maids Time limit : 2sec / Memory li ...

  9. Codeforces Round #409 (rated, Div. 2, based on VK Cup 2017 Round 2) D. Volatile Kite

    地址:http://codeforces.com/contest/801/problem/D 题目: D. Volatile Kite time limit per test 2 seconds me ...

  10. Linux 磁盘

    一台物理服务器通常有好几块磁盘(/dev/sda,/dev/sdb),每个磁盘上都可以进行分区(例如对sda进行分区操作:fdisk /dev/sda,可以将sda分成sda1,sda2,sda5等分 ...