The OAuth 2.0 in the book uses the resource owner password credentials mode; now I have a requirement to use the authorization code mode. After reading the protocol and some demos, I have a question:
Question: in the authorization code mode, does the authorization code need to be bound to the User?
My thinking: after the Client gets the authorization code it uses it to request a token. If the authorization code is not bound to the User, wouldn't the returned token be tied only to the Client? The Client could then use that token to fetch other users' information.
Shouldn't the authorization code correspond one-to-one to both the Client and the User, so that once the OAuth Server receives the authorization code and verifies the client_secret, it looks up the corresponding User and then generates the token from the user_id and returns it to the Client?
Original protocol text, section 4.1.2:
code
    REQUIRED. The authorization code generated by the authorization server. The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once. If an authorization code is used more than once, the authorization server MUST deny the request and SHOULD revoke (when possible) all tokens previously issued based on that authorization code. The authorization code is bound to the client identifier and redirection URI.
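As an added illustration (not code from the post or from any library), here is a minimal in-memory authorization server in Python that shows the binding the question asks about: the code is stored together with the client_id, redirect_uri and the user who approved it, the token endpoint checks client secret, client, redirect URI, single use and the 10-minute lifetime from section 4.1.2, revokes earlier tokens on reuse, and mints a token tied to that user. Class and method names (AuthServer, issue_code, exchange_code, whoami) are my own.

```python
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME = 600  # seconds; 4.1.2 recommends a maximum code lifetime of 10 minutes


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user_id: str          # the resource owner who approved the request
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # tokens minted from this code


class AuthServer:
    def __init__(self, clients, now=time.time):
        self.clients = clients   # client_id -> client_secret (hypothetical registry)
        self.now = now           # injectable clock so expiry can be tested
        self.codes = {}          # code -> AuthCode
        self.tokens = {}         # access token -> user_id

    def issue_code(self, client_id, redirect_uri, user_id):
        """Authorization endpoint, after the user has authenticated and consented."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, user_id, self.now())
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint. Returns an OAuth-style dict: access_token or error."""
        secret = self.clients.get(client_id)
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return {"error": "invalid_grant"}  # unknown code or wrong client/URI binding
        if rec.used:
            for t in rec.tokens:                # replay: deny and revoke earlier tokens
                self.tokens.pop(t, None)
            return {"error": "invalid_grant", "reason": "code reuse"}
        if self.now() - rec.issued_at > CODE_LIFETIME:
            return {"error": "invalid_grant", "reason": "code expired"}
        rec.used = True
        token = secrets.token_urlsafe(32)
        self.tokens[token] = rec.user_id        # token speaks for the user, not just the client
        rec.tokens.append(token)
        return {"access_token": token, "user_id": rec.user_id}

    def whoami(self, token):
        """Resource server side: which user does this token belong to (None if revoked)?"""
        return self.tokens.get(token)
```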